GPO Explorer – GPO Test Details

Some of the Features and Tests listed here are only available in NetTools v1.31.4 and above

The Test feature in GPO Explorer provides functionality similar to that of the retired Microsoft GPOTool.exe utility. This post details the tests that are run and how the results are compared across the selected DCs.

The test feature appears in two locations in GPO Explorer: as a tab on the individual policy details, and at the domain level to test multiple GPOs at once. Although the two display their results differently, the same tests are run in both cases.

The Domain option looks like this and provides output very similar to the retired GPOTool.exe.

GPO Testing Results

The individual test looks like this:

GPO Testing Results - Individual

DC Selection

By default the tests are performed against all the DCs in the domain; however, it is possible to define which DCs you want to include in the test. The Domain level test, shown above, lists the DCs that have been discovered, and you can limit which DCs are included in the test by selecting the required ones. This selection is then used for both the Domain and Individual tests.

Test Details

The testing is completed in two phases: first, the details are collected from each of the selected DCs, and then in phase two the captured details are compared across all the selected DCs. The first DC in the server list is used as the source and all the other DCs are compared against it; you can change this by using the context menu to move another DC to the top of the list, which then becomes the source DC.

During the Collection phase the following details are captured and tests performed:

  • Display Name of the Policy
  • Sysvol Path
  • Functionality Version
  • GPO Flags
  • GPO Version Number (User and Machine)
  • WMI Filter assigned
  • GPO Machine Extensions
  • GPO User Extensions
  • When Created
  • When Last Changed
  • AD Permissions
  • Number of sub AD objects under the GPO for both User and Machines settings
  • Check the Sysvol path is accessible
  • Capture the security permissions of the root of the policy folder
  • Check that the trustees assigned Apply Group Policy right in the AD have access to the following location in Sysvol path:
    • Root of the policy folder
    • GPT.ini
    • User folder
    • Machines folder
  • Capture the GPO version details from GPT.ini file (User and Machine)
  • Capture the file count, total file size, and directory count for these sub directories:
    • Machine
    • User

Once the details have been captured from all the selected DCs, phase two compares each of these values to confirm they are the same across all the DCs. If there are any differences it reports an error, or the traffic light indicator for the test turns Red. In addition to comparing the details captured in phase one, the Compare phase also completes the following tests:

  • Compare the AD DACL ACE Count
  • Compare the Sysvol DACL ACE Count
  • Confirm the ACE in the Sysvol DACL are in the same order
  • Compare the AD Security Descriptor
  • Compare the Sysvol Security Descriptor
  • Check for duplicate ACEs
  • Check the order of the permissions
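The two phases above can be reproduced outside the tool. The following PowerShell is an added example written for this page, not code from NetTools or GPO Explorer: phase one collects the AD and Sysvol details for one GPO from each DC (binding LDAP and SMB to that specific DC so unreplicated changes show up), and phase two compares every DC against the first DC in the list, which is the source DC just as in GPO Explorer. It assumes the RSAT ActiveDirectory module is loaded, that the caller can read each DC's SYSVOL share, and that the GPO GUID, domain DNS name and DC names are supplied by the caller (the DC and domain names in the usage comment are constructed placeholders). The Apply Group Policy rights GUID and the ExtendedRight and ReadData flag values are the well-known Windows values.

```powershell
# Added example; not NetTools or GPO Explorer code. Assumes the ActiveDirectory module,
# read access to each DC's SYSVOL share, and caller-supplied GUID, domain and DC names.

function Get-GpoSnapshot {
    param(
        [Parameter(Mandatory)][string]$Dc,         # DC to query over LDAP and SMB
        [Parameter(Mandatory)][string]$GpoGuid,    # e.g. '{31B2F340-016D-11D2-945F-00C04FB984F9}'
        [Parameter(Mandatory)][string]$DomainDns   # e.g. 'corp.example.test' (placeholder)
    )
    # --- Phase one, AD side: bind to this DC so unreplicated changes are visible ---
    $props = 'displayName','versionNumber','flags','gPCFunctionalityVersion','gPCWQLFilter',
             'gPCMachineExtensionNames','gPCUserExtensionNames','nTSecurityDescriptor'
    $domainDn = (Get-ADDomain -Server $Dc).DistinguishedName
    $gpo = Get-ADObject -Identity "CN=$GpoGuid,CN=Policies,CN=System,$domainDn" -Server $Dc -Properties $props -ErrorAction Stop
    $adDacl = @($gpo.nTSecurityDescriptor.Access)

    # --- Phase one, Sysvol side: GPT.ini version, per-folder counts, DACL ---
    $root = "\\$Dc\SYSVOL\$DomainDns\Policies\$GpoGuid"
    $gptPath = Join-Path $root 'GPT.ini'
    $sysvolOk = Test-Path -Path $gptPath
    $gptVersion = 0
    if ($sysvolOk) {
        $line = Get-Content -Path $gptPath | Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
        if ($line) { $gptVersion = [int](($line -split '=', 2)[1]) }
    }
    $stats = @{}
    foreach ($sub in 'Machine', 'User') {
        $files = @(Get-ChildItem -Path (Join-Path $root $sub) -File -Recurse -Force -ErrorAction SilentlyContinue)
        $dirs  = @(Get-ChildItem -Path (Join-Path $root $sub) -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        $stats[$sub] = @{ Files = $files.Count; Bytes = [int64]($files | Measure-Object Length -Sum).Sum; Dirs = $dirs.Count }
    }
    $fsAcl  = Get-Acl -Path $root -ErrorAction SilentlyContinue
    $fsDacl = if ($fsAcl) { @($fsAcl.Access) } else { @() }
    # Duplicate ACEs: same trustee, rights, type and inheritance flags listed more than once
    $dupes = @($fsDacl | Group-Object { "$($_.IdentityReference)|$($_.FileSystemRights)|$($_.AccessControlType)|$($_.InheritanceFlags)" } |
              Where-Object Count -gt 1)

    # Trustees allowed the Apply Group Policy extended right in AD must be able to read the
    # policy root, GPT.ini, User and Machine in Sysvol (well-known rights GUID below).
    $applyGpGuid = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
    $trustees = @($adDacl | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $applyGpGuid -and
        (([int]$_.ActiveDirectoryRights -band 0x100) -ne 0)                 # 0x100 = ExtendedRight
    } | ForEach-Object { $_.IdentityReference.Value })
    $missingRead = foreach ($p in @($root, $gptPath, (Join-Path $root 'User'), (Join-Path $root 'Machine'))) {
        if (-not (Test-Path -Path $p)) { continue }
        $rules = @((Get-Acl -Path $p).Access)
        foreach ($t in $trustees) {
            $ok = $rules | Where-Object { $_.IdentityReference.Value -eq $t -and $_.AccessControlType -eq 'Allow' -and
                                          (([int]$_.FileSystemRights -band 1) -ne 0) }   # 1 = ReadData / ListDirectory
            if (-not $ok) { "$t cannot read $(Split-Path $p -Leaf)" }
        }
    }

    # versionNumber (AD) and Version (GPT.ini) pack the user version in the high word, machine in the low word
    [pscustomobject]@{
        Dc = $Dc; DisplayName = $gpo.displayName; FunctionalityVer = $gpo.gPCFunctionalityVersion; Flags = $gpo.flags
        AdMachineVersion = $gpo.versionNumber -band 0xFFFF;  AdUserVersion  = ($gpo.versionNumber -shr 16) -band 0xFFFF
        GptMachineVersion = $gptVersion -band 0xFFFF;        GptUserVersion = ($gptVersion -shr 16) -band 0xFFFF
        WmiFilter = $gpo.gPCWQLFilter; MachineExts = $gpo.gPCMachineExtensionNames; UserExts = $gpo.gPCUserExtensionNames
        AdAceCount = $adDacl.Count; AdSddl = $gpo.nTSecurityDescriptor.Sddl
        SysvolAccessible = $sysvolOk; SysvolAceCount = $fsDacl.Count; SysvolSddl = $fsAcl.Sddl
        SysvolAceOrder = ($fsDacl | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights):$($_.AccessControlType)" }) -join ';'
        DuplicateAces = $dupes.Count; ApplyTrusteesMissingRead = @($missingRead) -join '; '
        MachineFiles = $stats.Machine.Files; MachineBytes = $stats.Machine.Bytes; MachineDirs = $stats.Machine.Dirs
        UserFiles = $stats.User.Files; UserBytes = $stats.User.Bytes; UserDirs = $stats.User.Dirs
    }
}

function Compare-GpoSnapshots {
    param([Parameter(Mandatory)][object[]]$Snapshots)   # element 0 is the source DC
    $compared = 'DisplayName','FunctionalityVer','Flags','AdMachineVersion','AdUserVersion','WmiFilter',
                'MachineExts','UserExts','AdAceCount','AdSddl','SysvolAccessible','GptMachineVersion',
                'GptUserVersion','SysvolAceCount','SysvolSddl','SysvolAceOrder',
                'MachineFiles','MachineBytes','MachineDirs','UserFiles','UserBytes','UserDirs'
    $src = $Snapshots[0]
    foreach ($snap in $Snapshots) {
        # Per-DC checks that need no source DC
        $selfChecks = @{
            AdVersionMatchesGptIni = ($snap.AdMachineVersion -eq $snap.GptMachineVersion -and $snap.AdUserVersion -eq $snap.GptUserVersion)
            NoDuplicateSysvolAces  = ($snap.DuplicateAces -eq 0)
            ApplyTrusteesCanRead   = ($snap.ApplyTrusteesMissingRead -eq '')
        }
        foreach ($name in $selfChecks.Keys) {
            $r = if ($selfChecks[$name]) { 'Pass' } else { 'Fail' }
            $d = if ($name -eq 'ApplyTrusteesCanRead') { $snap.ApplyTrusteesMissingRead } else { '' }
            [pscustomobject]@{ Dc = $snap.Dc; Test = $name; Source = $src.Dc; Result = $r; Detail = $d }
        }
        if ($snap.Dc -eq $src.Dc) { continue }
        # Phase two: every captured value on this DC must equal the source DC's value
        foreach ($c in $compared) {
            $r = if ("$($src.$c)" -eq "$($snap.$c)") { 'Pass' } else { 'Fail' }
            [pscustomobject]@{ Dc = $snap.Dc; Test = $c; Source = $src.Dc; Result = $r; Detail = "source=$($src.$c) actual=$($snap.$c)" }
        }
    }
}

# Usage (constructed placeholder names; the first DC listed is the source, as in GPO Explorer):
# $dcs   = 'dc01.corp.example.test', 'dc02.corp.example.test'
# $snaps = foreach ($d in $dcs) { Get-GpoSnapshot -Dc $d -GpoGuid '{31B2F340-016D-11D2-945F-00C04FB984F9}' -DomainDns 'corp.example.test' }
# Compare-GpoSnapshots -Snapshots $snaps | Where-Object Result -eq 'Fail' | Format-Table -AutoSize
```

Values are compared as strings so that multi-valued attributes such as the extension lists and the ACE-order string compare whole; a Fail row carries both the source and the actual value so a version mismatch, a missing ACE, or a file-count difference can be read directly from the output, much as the Domain level test shows failure details when Display Policy Details is enabled.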

The Individual test option displays the results as pass/fail and doesn't provide much detail on the reason for a failure. However, the Domain level test does provide details of the information captured and of the failure, when the Display Policy Details option is selected before running the test.

If any of the AD replication tests fail, you can select the individual GPO and use the Context Menu option to run a Check AD Replication test on the GPO AD object; this automatically populates the Attribute Replication test for you.

Check AD Permissions

Debug Option

The GPO test also provides additional debug information in the Domain level test, which is helpful if you are trying to diagnose ACL issues as reported by the GPMC Status report. This debug option is not enabled by default and can only be enabled by manually editing the NetTools.ini file.

  1. Open the NetTools.ini file
  2. Search for [SavedOptions]
  3. Add GPODebug=true after the heading