How To Test GPOs now GPOTool.exe is no longer available

Some of the features shown are only available in NetTools v1.31.6 beta and above.

The Windows 2003 Resource Kit previously included a simple tool called GPOTool.exe, which checked the status of the GPOs in a domain. It checked the consistency of the details between AD and Sysvol and highlighted a number of common problems. As the Windows 2003 Resource Kit is no longer available for download from Microsoft, and this functionality hasn't been incorporated into any of the existing tools, there is no easy way to confirm the status of the GPOs in a domain.

Under the GPO Explorer in NetTools there is a test option that performs a suite of tests similar to those performed by GPOTool.exe. There are two ways to test the status of the GPOs: at the individual GPO level, or at the domain level to test all GPOs.

The test covers the following items:

  • AD Replication
  • Sysvol Replication
  • Mismatching of AD and Sysvol versions
  • Compare object counts for both AD and Sysvol
  • Sysvol gpt.ini exists
  • Trustees that have apply GPO rights have permissions in Sysvol
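
The version-related checks in this list can be sketched as follows. This is an added example, not NetTools or GPOTool.exe code: it assumes the AD versionNumber attribute and the gpt.ini text have already been collected from each domain controller, and the snapshot layout and DC names are hypothetical.

```python
import configparser

def parse_gpt_version(ini_text):
    """Return the integer Version from gpt.ini text, or None if it is absent."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(ini_text)
        return parser.getint("General", "Version")
    except (configparser.Error, ValueError):
        return None

def split_version(version):
    """The version packs the user count in the high 16 bits, computer in the low 16."""
    return {"user": version >> 16, "computer": version & 0xFFFF}

def check_gpo(snapshots):
    """snapshots maps DC name -> {"ad_version": int or None, "gpt_ini": str or None}.
    None means the GPO object (AD) or the gpt.ini file (Sysvol) was not found on that DC.
    Returns a list of issue strings; an empty list means the GPO is consistent."""
    issues, ad_seen, sysvol_seen = [], set(), set()
    for dc, snap in sorted(snapshots.items()):
        ad = snap["ad_version"]
        sysvol = None if snap["gpt_ini"] is None else parse_gpt_version(snap["gpt_ini"])
        if ad is None:
            issues.append(f"{dc}: GPO object missing from AD")
        else:
            ad_seen.add(ad)
        if sysvol is None:
            issues.append(f"{dc}: gpt.ini missing or has no Version")
        else:
            sysvol_seen.add(sysvol)
        if ad is not None and sysvol is not None and ad != sysvol:
            issues.append(f"{dc}: AD version {ad} != Sysvol version {sysvol}")
    if len(ad_seen) > 1:
        issues.append("AD replication: versionNumber differs between DCs")
    if len(sysvol_seen) > 1:
        issues.append("Sysvol replication: gpt.ini Version differs between DCs")
    return issues

# Constructed sample data: DC2's Sysvol copy is one revision behind, DC3 has no gpt.ini.
SAMPLE = {
    "DC1": {"ad_version": 65539, "gpt_ini": "[General]\nVersion=65539\n"},
    "DC2": {"ad_version": 65539, "gpt_ini": "[General]\nVersion=65538\n"},
    "DC3": {"ad_version": 65539, "gpt_ini": None},
}

if __name__ == "__main__":
    for line in check_gpo(SAMPLE) or ["GPO is consistent on all selected DCs"]:
        print(line)
```

The object count and Sysvol permission checks from the list are not covered by this sketch.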

Test an Individual GPO

When a GPO is selected in the GPO Explorer, a tab called Testing is shown alongside the details of the policy, which allows you to test the selected GPO. By default, the test is run against all domain controllers in the domain; however, you can select which domain controllers are included in the test. This allows you to deselect domain controllers that might be at the end of a slow link or are temporarily offline. The server selection is on the test all GPOs screen, see below.

GPO Testing Results - Individual

Test All or multiple GPOs at once

This option is found by selecting the root of the domain in the left-hand pane; the Testing tab displays the domain controllers and GPOs in the domain. The lists can be used to select which servers and GPOs will be included in the test. For those who have used GPOTool.exe before, the test provides a touch of nostalgia, as the output is pretty much the same as GPOTool.exe.

GPO Testing Results

The details of the policies on all domain controllers are displayed if an issue is found with the policies, or if the Display Policy Details option is selected.

Failed Results

The Testing option is intended to check that the policies are replicated correctly between the domain controllers in the domain. If the domain has a single domain controller, or only a single domain controller is selected, then the test will only complete the data capture phase against the selected DC, display the results of the data capture, and provide a warning that only one domain controller has been selected.

GPO Test - Single DC Results

See GPO Explorer - GPO Test Details for more details on the tests that are performed.