Executive Summary:

GPExpert Troubleshooting Pak 1.0 can simplify your Group Policy troubleshooting and includes four components: Health Reporter, Log Analyzer, Group Policy Spy, and Status Monitor.


GPExpert Troubleshooting Pak 1.0
PROS: Provides useful information for Group Policy troubleshooting; lets users request a Group Policy refresh at will; easy to install and use
CONS: The basic feature set lacks x64 support, centralized logging, and remote registry monitoring.
RATING: 3.5 diamonds
PRICE: $5 per managed computer (minimum 200 computers)
RECOMMENDATION: I recommend using GPExpert if you rely heavily on Group Policy administrative templates for application configuration because it can reduce the time spent troubleshooting Group Policy problems.
CONTACT: SDM Software • www.sdmsoftware.com • 415-670-9302

SDM Software’s GPExpert Troubleshooting Pak 1.0 is a useful set of Group Policy problem-solving tools. When you use Group Policy to implement user, system, and application settings, and you’re not getting the results you’d expect, GPExpert can simplify your troubleshooting and give you access to useful information you’d otherwise have to work much harder to get.

GPExpert Troubleshooting Pak 1.0 includes four components. The Health Reporter analyzes the current state of Group Policy on the local system and informs you of any problems. Log Analyzer extracts, presents, and interprets information from various Group Policy logs and links to related troubleshooting articles. Group Policy Spy monitors application access to Group Policy-related registry information and lets you know which administrative templates are referenced and the applications that use them. The Status Monitor reports Group Policy refresh activity to the local application event log and lets users request a Group Policy refresh.

Health Reporter and Log Analyzer will connect to and work with remote systems; however, Group Policy Spy works only with the local system. Although the first three utilities are intended for use by systems administrators, Status Monitor is intended for use on end-user workstations, perhaps under the direction of help desk staff. GPExpert is supported for use with 32-bit versions of Windows Vista, Windows Server 2003, and Windows XP.

GPExpert requires the Microsoft Group Policy Management Console (GPMC) and .NET Framework 2.0 or later to be installed on the target system. During installation, if you don’t have the .NET Framework 2.0 already installed, GPExpert will report an error when you first start Health Reporter and prompt you to download and install it. As of this writing, a version of GPMC that operates with x64 OS versions is available only with Vista. Because of GPExpert’s dependence on GPMC, GPExpert won’t install on x64 versions of Windows 2003 and XP, and in my tests it wouldn’t connect to remotely diagnose x64 OSs either. Although Status Monitor doesn’t require GPMC on monitored systems, it isn’t certified to work with x64-based systems. Also, because GPExpert lacks the necessary instrumentation, it won’t install on or connect to any version of Windows 2000. This lack of Win2K support will be a significant limitation for some organizations—you’ll have to use newer systems to troubleshoot Group Policy problems.

I installed GPExpert on several XP systems and on two Windows 2003 systems, one a member server and the other a domain controller (DC). After GPMC and .NET Framework 2.0 were installed, GPExpert installation was a quick and easy wizard-driven process.

Health Reporter works with local and remote Vista, Windows 2003, and XP systems. It looks for symptoms of Group Policy health for the logged-on user and computer. Health Reporter reports basic configuration information, a list of the processed Group Policy Objects (GPOs), and a list of the processed client-side extensions. You can also request a Resultant Set of Policies (RSoP) report, which shows GPOs that are in use on the target system, and the object that's the source of each setting applied by Group Policy. GPExpert lets you specify alternate authentication credentials, facilitating connection to remote systems when your logon credentials aren’t sufficient, although a GPMC limitation causes logon (or Run As) credentials to always be used for RSoP reports.

Log Analyzer presents information in a readily accessible tabbed format. After you connect to a target system, the left pane lists active and denied GPOs, WMI filters, and an overall status for several key Group Policy subsystems: infrastructure, registry, security, and EFS Data Recovery. The right pane has a tabbed interface. The Settings tab, which Web Figure 1 shows, displays key current settings from standard policies and administrative templates, the winning GPO in each area, and the name of the administrative templates invoked. The Diagnostic Tests tab hosts several tests, including tests for the currency of GPO replication and slow links. Seven additional tabs will, at the click of an icon, read and summarize the contents of Group Policy–related log files on the target system. The Group Policy Events tab extracts events from the application event log, and in the case of a few event types, provides basic information about the event and links to relevant Microsoft Knowledge Base articles. The userenv.log and Security trace log are two of the six logs displayed. Another option lets you set Group Policy-related logging levels (e.g., normal, verbose).

Unlike Health Reporter and Log Analyzer, Group Policy Spy lacks the ability to monitor systems remotely. Running on the local system, Group Policy Spy monitors system and application activity against four registry hives and logs a line for each registry access. Each line includes the template path, if known; the process, registry path, and value name; and the value found. Group Policy Spy lets you save and reload logged events for later analysis. To restrict the scope of logged events, Group Policy Spy lets you select which of the four hives it will report on and lets you suppress the display of “no value found” entries.

Status Monitor installs a system tray icon that lets the local user know the health of Group Policy processing and enables the user to request a Group Policy refresh. GPExpert includes administrative templates in both ADM and ADMX/ADML versions, which enables you to configure Status Monitor via Group Policy. You can enable or disable each of the four menu items available from the Status Monitor’s system tray icon: displaying the system’s status, refreshing Group Policy for the system, configuring Status Monitor, and exiting Status Monitor. Status Monitor will also write the results of each Group Policy refresh to the application event log—an option that you can also enable or disable via Group Policy using the Administrative Template. Although Status Monitor doesn’t provide central logging, you can find this functionality in third-party event log management applications.

I tested each of GPExpert’s tools with XP systems. Each tool provides easy access to information that will help you resolve Group Policy–related problems. However, the tools offer only a basic feature set—typical of first-version products. In Health Reporter, a drop-down list of recently accessed computers would be handy and eliminate the need to enter or browse for computers you’ve previously visited, and its absence reflects this product’s youth. x64 support, remote registry monitoring in Group Policy Spy, and centralized logging of Group Policy processing results are some other key features that would enhance GPExpert’s overall utility. However, GPExpert is easy to install and use, and the information it provides can be extremely helpful. The minimum license requirement of 200 might be more than some organizations need, but at $5 per license it isn’t expensive. If you heavily rely on Group Policy, you should download the free nine-day trial and check it out.