Sunday, September 02, 2007

Group Policy Diagnostic Best Practice Analyzer

Microsoft just released a free tool to search for errors in Group Policy configuration - a totally new and cool tool in the Best Practice Analyzer (BPA) series.

Download here:
GPDBPA for Windows XP
GPDBPA for Windows XP x64 Edition
GPDBPA for Windows Server 2003
GPDBPA for Windows Server 2003 x64 Edition

Read more here:
Microsoft KB 940122 article: "How to use the Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA) tool to collect and to analyze data"

Quote from KB article:
You can use the Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA) tool to collect data about an environment's Group Policy configuration. For example, you can use this tool to analyze a Group Policy configuration for the following purposes:

• To search for common configuration errors
• To discover and to diagnose problems
• To collect data for archiving

The account that you use to run the tool must have the appropriate permissions to access both the Active Directory database on an environment's domain controllers and the SYSVOL file structure that is maintained on those domain controllers. Additionally, the account must have local Administrator permissions on the Group Policy client.

There are two additional prerequisites for using the GPDBPA tool:
• The Microsoft .NET Framework version 1.1 or a later version must be installed on the computer on which the GPDBPA tool is installed.
• The Windows Management Instrumentation (WMI) service must be running on the environment's domain controllers.
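
A pre-flight check for the prerequisites listed in the KB quote above, as an added example that is not part of the original post, the KB article or the GPDBPA tool. It assumes Windows PowerShell 2.0 to 5.1 on the Group Policy client, uses the placeholder domain controller name `dc01.example.test`, and treats "appropriate permissions" as read access to SYSVOL and to the Group Policy container in Active Directory.

```powershell
# Added example: pre-flight check of the GPDBPA prerequisites from the KB quote.
# Assumptions: Windows PowerShell 2.0-5.1, run on the Group Policy client as the
# account that will run the tool; 'dc01.example.test' is a placeholder DC name.
param([string[]]$DomainControllers = @('dc01.example.test'))

function Test-LocalAdministrator {
    # With UAC (Vista and later) this is only true in an elevated session.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-DotNet11OrLater {
    # Installed versions register as NDP\v1.1.4322, NDP\v2.0.50727, NDP\v4\Full, ...
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    foreach ($key in @(Get-ChildItem $ndp -ErrorAction SilentlyContinue)) {
        if ($key.PSChildName -match '^v(\d+)(?:\.(\d+))?') {
            $major = [int]$Matches[1]; $minor = [int]$Matches[2]
            if ($major -lt 1 -or ($major -eq 1 -and $minor -lt 1)) { continue }
            # v4 and later keep the Install flag one level down (Client / Full).
            $paths = @($key.PSPath) + @(Get-ChildItem $key.PSPath | ForEach-Object { $_.PSPath })
            foreach ($p in $paths) {
                $flag = (Get-ItemProperty $p -Name Install -ErrorAction SilentlyContinue).Install
                if ($flag -eq 1) { return $true }
            }
        }
    }
    return $false
}

function Test-DomainController([string]$Dc) {
    $r = New-Object psobject -Property @{
        DC = $Dc; WmiRunning = $false; SysvolReadable = $false; GpoContainerReadable = $false }
    # WMI service (Winmgmt) state, queried through the Service Control Manager.
    try { $r.WmiRunning = (Get-Service Winmgmt -ComputerName $Dc -ErrorAction Stop).Status -eq 'Running' } catch {}
    # Assumption: "appropriate permissions" is tested here as read access only.
    $r.SysvolReadable = Test-Path "\\$Dc\SYSVOL"
    try {
        $nc = ([ADSI]"LDAP://$Dc/RootDSE").defaultNamingContext
        $gpc = [ADSI]"LDAP://$Dc/CN=Policies,CN=System,$nc"
        $r.GpoContainerReadable = [string]$gpc.distinguishedName -ne ''
    } catch {}
    $r
}

"Local administrator : $(Test-LocalAdministrator)"
".NET 1.1 or later   : $(Test-DotNet11OrLater)"
$DomainControllers | ForEach-Object { Test-DomainController $_ } |
    Format-Table DC, WmiRunning, SysvolReadable, GpoContainerReadable -AutoSize
```

Any `False` in the output points at the prerequisite to fix before running the tool; a dedicated analysis account that passes all checks avoids running it with broader domain rights than the read access it needs.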

1 Comment:

Rick Hanson said...

Sweet tool. I believe it will be a good contribution to the Scriptlogic's Active Administrator tool I use to manage and back up Active Directory and Group Policy settings in my domain. By the way, one of the things that keep me enthusiastic over Active Administrator tool is its functionality to perform a detailed and configurable Active Directory reporting. First off the feature I like is the AD changes notifications. This allows me to keep myself tuned to the last changes made to Active Directory. That's the strong part of the tool - it stores reports in SQL database. No reason to discuss how useful SQL is to collect and quickly retrieve data from there, it's a well-known fact. But the best thing I love there is a GPO repository. I store all the collection of the policy objects I ever had. The nice peculiarity there is that it's possible to keep track of changes and view changes reports by comparing the active GPO stored in Active Directory and the previous version stored in the repository bank. That's pretty much like with Volume Shadow Copy (VSC) service in Windows Vista only that I don't know if it's possible to create reports based on VSC provider results for all the files or volumes covered by the service. By the way, if you know how to do that, I would be glad to learn from you.

As for the user privileges you have to have to get the GPO report, I believe, local administrative rights are okay. Correct? Yet another penny in favour of the paradigm of restricting user privileges and leaving them with the needed level of access rights only.