What is included in the GPO (Group Policy Object) Health Check Report? (NETIQKB40038)

  • 7740038
  • 02-Feb-2007
  • 18-Jun-2008

Resolution

goal
What is included in the GPO (Group Policy Object) Health Check Report?

goal
What types of health checks are provided in the GPO Health Check Report?

fact
NetIQ Group Policy Administrator 5.0

fact
NetIQ Group Policy Administrator 4.x

fix
The GPO (Group Policy Object) Health Check Report provides the following types of health checks:  

  • GPO Structural Integrity Check
  • Revision Number
  • Security Filter Check
  • Security Consistency Check
  • GPO Machine and User Extension Checks
  • GPO Settings that Tattoo
  • User Rights Assignment
  • Empty DACLs on Services / Files / Registry
  • Unresolvable SID References
  • Always Install with Elevated Privileges Flag Is Set


fix
The following is a list of each check that is contained in the report, including what is being checked: 

  • Display name check:  Ensures the display name and GUID of the GPO are correct (i.e., the display name is not blank).
  • GPO Revision Consistency Check:  Ensures the revision number of the GPO portion held in Active Directory is the same as the revision number held in Sysvol.
  • GPO File Consistency check:  Verifies that there is a machine and user hierarchy in the Sysvol portion of the GPO at C:\WINNT\Sysvol\Sysvol\domain_name\Policies\{GUID}; it also verifies that there is a GPT.ini file.
  • GPO AD Data Integrity check:  Goes to the Active Directory System | Policies | GUID Container and verifies the GPO has the machine and user hierarchy.
  • GPO Security Targeting:  Indicates whether the User or Machine portion of the GPO is disabled.
  • Security Inheritance Flag check:  Ensures inheritance is OFF on the System container in Active Directory. If inheritance is ON, then permissions from the System container could carry over to the Policies container, giving other users rights to the GPO.
  • File Security Integrity Check, Registry Security Integrity Check, Services Security Integrity Check:  A GPO can set the File, Registry or Services security. These checks look at the sections of the GPO dealing with File, Registry and Services security and verify whether there are any SIDs that cannot be resolved to friendly names (i.e. looking for unresolved SIDs or Empty DACLs).
  • Log on Locally Policy Integrity Check:  Checks the Logon Locally policy.
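
The file consistency and revision consistency checks described above can be reproduced by hand, as in this added example (not NetIQ's code). It assumes the standard Group Policy version encoding, which the article does not state: the user revision is in the high 16 bits and the computer revision in the low 16 bits of both the AD `versionNumber` attribute and the `Version` value in GPT.ini. The GUID, the version values and the function names are constructed for the demonstration.

```python
import configparser
import tempfile
from pathlib import Path


def split_version(version):
    # High 16 bits: user revision; low 16 bits: computer revision (assumed encoding).
    return {"user": version >> 16, "computer": version & 0xFFFF}


def check_gpo_folder(gpo_dir, ad_version_number):
    """Return a list of findings for one Sysvol policy folder."""
    # Sysvol is case-insensitive on Windows, so match names that way here too.
    entries = {p.name.lower(): p for p in Path(gpo_dir).iterdir()}
    findings = [f"missing {name} folder" for name in ("Machine", "User")
                if name.lower() not in entries or not entries[name.lower()].is_dir()]
    gpt = entries.get("gpt.ini")
    if gpt is None or not gpt.is_file():
        return findings + ["missing GPT.ini"]
    ini = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        ini.read_string(gpt.read_text(encoding="utf-8-sig"))
        sysvol_version = ini.getint("General", "Version")
    except (configparser.Error, ValueError):
        return findings + ["GPT.ini has no readable [General] Version"]
    ad, sv = split_version(ad_version_number), split_version(sysvol_version)
    for side in ("user", "computer"):
        if ad[side] != sv[side]:
            findings.append(f"{side} revision mismatch: AD={ad[side]} Sysvol={sv[side]}")
    return findings


def build_sample_gpo(root, version, with_user=True):
    """Create a constructed policy folder for the demonstration."""
    gpo = Path(root) / "{11111111-2222-3333-4444-555555555555}"  # constructed GUID
    (gpo / "Machine").mkdir(parents=True)
    if with_user:
        (gpo / "User").mkdir()
    (gpo / "GPT.INI").write_text(f"[General]\nVersion={version}\n")
    return gpo


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        gpo = build_sample_gpo(tmp, version=196611, with_user=False)
        # 196612 stands in for the versionNumber value read from Active Directory.
        for finding in check_gpo_folder(gpo, ad_version_number=196612):
            print(finding)
```

A revision mismatch that persists after replication has had time to converge is the condition worth investigating; a brief mismatch immediately after an edit is expected.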


note
The GPO Health Check Report makes a general sweep of the GPO and looks at the domain controller (DC) the Explorer node is binding to.

Additional Information

Formerly known as NETIQKB40038