Group Policy tools


GPOTool is an older command-line tool that seems to still work fine on Windows 2008.  Its purpose is to verify whether the GPT and GPC are synchronized throughout your Active Directory environment.  You can run the tool without any switches and it will check every GPO on every DC, which can quickly become a very cumbersome and lengthy process in a large enterprise environment.  Or, if you are only interested in a specific GPO, you can list it by name or GUID and GPOTool will return only the results you care about.  Also, if you are only interested in testing the policies as they appear on a particular Domain Controller, you can do that as well.

Here is an example of how you would use GPOTool in each case:

In this first screenshot, you can see that we’ve run GPOTool without any switches and it has returned a list of the policies it found, given us their name and GUID, and told us whether the policy was okay or not (if you ever get any other result than Policy OK, this points to GPT and GPC being out of sync).  If you use the /verbose switch, you will get a great deal more information about each policy, as I’ve shown below:

As you can see, if you really want to understand what’s happening under the hood, you’ll probably want to use the /verbose switch.  You can see quite a bit of additional information for each GPO, including:

  • GPO Name
  • Version of the GPO in Active Directory (GPC version)
  • Version of the GPO in SYSVOL (GPT version)
  • Whether user and/or machine side policies are configured

Of course, if you only care about a single GPO, you can run GPOTool with the /gpo switch and this will be your result:

As usual, you can set the /verbose switch and get additional information about this single GPO if you so desire.

Finally, if you only want to target a specific DC, just add the /dc switch and specify the fully-qualified name of the Domain Controller you want.  Below, I’ve combined all of the switches to get verbose details of a single GPO as it looks on one DC:

GPOTool is helpful to you in your troubleshooting, but don’t immediately jump to conclusions if it reports as inconsistent.  Because of the differences between FRS and AD replication, there may be some lag before you will see both the GPT and GPC replicated to each of your DCs.  If you test this and the inconsistency persists, however, you likely have an issue with either AD or FRS replication that needs to be investigated.
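The GPC/GPT comparison that GPOTool performs can be reproduced by hand, which helps when you want to see which side is lagging on which DC. The following is an added example, not part of the original post or of GPOTool itself; it assumes the ActiveDirectory PowerShell module is available, and the GUID is a placeholder to be replaced with the one GPOTool reports.

```powershell
Import-Module ActiveDirectory

# Assumption: placeholder GUID. Substitute the GUID that GPOTool lists for your GPO.
$GpoGuid = '{00000000-0000-0000-0000-000000000000}'

$domain = Get-ADDomain
$gpcDn  = "CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"

function Split-GpoVersion([int]$Version) {
    # Upper 16 bits = user-side revision, lower 16 bits = computer-side revision.
    'User {0} / Computer {1}' -f [math]::Floor($Version / 65536), ($Version % 65536)
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $gpcVersion = $null; $gptVersion = $null; $gpcText = ''; $gptText = ''
    try {
        # GPC: versionNumber attribute, read from this DC's copy of the directory.
        $gpc = Get-ADObject -Identity $gpcDn -Server $dc.HostName `
            -Properties versionNumber -ErrorAction Stop
        $gpcVersion = [int]$gpc.versionNumber
        $gpcText = Split-GpoVersion $gpcVersion

        # GPT: Version= line of gpt.ini, read from this DC's SYSVOL share.
        $ini = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid\gpt.ini"
        foreach ($line in Get-Content -Path $ini -ErrorAction Stop) {
            if ($line -match '^\s*Version\s*=\s*(\d+)') {
                $gptVersion = [int]$Matches[1]
                $gptText = Split-GpoVersion $gptVersion
                break
            }
        }
        if ($gpcVersion -eq $gptVersion) { $status = 'Policy OK' } else { $status = 'Mismatch' }
    } catch {
        # An unreachable DC or a missing gpt.ini is reported, not silently skipped.
        $status = "Error: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{
        DC = $dc.HostName; GPC = $gpcText; GPT = $gptText; Status = $status
    }
}

# Differing GPC values across DCs point at AD replication, differing GPT values at FRS.
$report | Format-Table DC, GPC, GPT, Status -AutoSize
```

If a mismatch clears on a second run a few minutes later, it was replication lag; if it persists, investigate the replication path of whichever column differs.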


As I mentioned above, there will almost certainly be times when you need to make a change to a GPO and have it update immediately.  With GPUpdate, you can force the background refresh on a client to kick in immediately (note: you cannot force the foreground process through GPUpdate).  GPUpdate runs only on the local client since it’s telling the client to pull updates immediately and to do this, we need to be on the client that initiates the request.

GPUpdate is a command-line tool and it has a number of parameters that are of interest to us:

  • /Target: {Computer|User} – this switch allows your client to request only the machine or user-side settings from its GPOs.  If this switch is not used, both user and computer settings are updated
  • /Force – this switch causes your client to re-apply all of the policies assigned to it, though it only assigns policies that have been changed (it won’t cause the client to re-apply every setting if some of them have not been changed since the last update)
  • /Logoff – using this switch, you can force a logoff which will allow policies that process in the foreground to be processed
  • /Boot – this switch causes your client to reboot after the policies are applied (again, to allow for processing of policies that only apply after a reboot)

Here is an example of what this might look like in your environment:

As you can see, the interface doesn’t tell you much.  In this screenshot, I have asked my client to pull the computer-side settings for its GPOs and I’ve selected /force to ensure that the policies are refreshed.  This caused background processing to start immediately and we can see that it finished successfully.  If I had configured a particular setting on a GPO, I could run a tool like the Resultant Set of Policies (RSOP) to find out if that setting had taken effect.  If you’re doing troubleshooting and need to know whether policies are applying, this is probably the easiest way to verify policy updates are working.

AD: Enabling and Using the Recycle Bin in 2008 R2 Active Directory

import-module activedirectory

Set-ADForestMode -Identity -ForestMode Windows2008R2Forest

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mi,DC=com' -Scope ForestOrConfigurationSet -Target ''

To restore a deleted user whose login name is test:

Get-ADObject -ldapFilter:"(sAMAccountName=test)" -IncludeDeletedObjects | Restore-ADObject

Here the user name is 'test'.

To restore a deleted Organizational Unit named "Diretores" (Directors):

Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=Diretores)" -IncludeDeletedObjects | Restore-ADObject

To restore a deleted group:

Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=Group)" -IncludeDeletedObjects | Restore-ADObject

To restore a deleted computer:

Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=Computer)" -IncludeDeletedObjects | Restore-ADObject
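Piping a search straight into Restore-ADObject restores whatever the filter happens to match, so it is worth looking at the matches first. The following is an added example, not part of the original post; it reuses the sample logon name test from above and only previews the restore.

```powershell
Import-Module ActiveDirectory

# Assumption: 'test' is the sample logon name used above.
# isDeleted=TRUE keeps a live object with the same name out of the result set.
$ldap = '(&(isDeleted=TRUE)(sAMAccountName=test))'

$deleted = @(Get-ADObject -LDAPFilter $ldap -IncludeDeletedObjects `
    -Properties 'msDS-LastKnownRDN', lastKnownParent, whenChanged)

# Show what matched before touching anything.
$deleted | Format-List 'msDS-LastKnownRDN', lastKnownParent, whenChanged, ObjectGUID

if ($deleted.Count -ne 1) {
    # Zero or several matches: refine the filter or pick one by ObjectGUID.
    Write-Warning "Expected exactly one deleted object, found $($deleted.Count). Nothing restored."
}
elseif ($deleted[0].lastKnownParent -match '\\0ADEL:') {
    # The parent container was deleted as well; the child cannot be restored into it
    # until the parent itself has been restored.
    Write-Warning "Parent '$($deleted[0].lastKnownParent)' is itself deleted. Restore it first."
}
else {
    # -WhatIf prints the action without performing it; remove it to restore for real.
    $deleted[0] | Restore-ADObject -WhatIf
}
```

When an OU and its contents were deleted together, restore the OU first and then the objects whose lastKnownParent pointed at it.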

Windows Server 2003: Clear the Journal Wrap Error in File Replication Service

File Replication Service has detected that the replica set “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)” is in JRNL_WRAP_ERROR

Are you getting this error in your File Replication Service?

The File Replication Service has detected that the replica set “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)” is in JRNL_WRAP_ERROR.
Replica root path is : “c:\windows\sysvol\domain”
Replica root volume is : \\.\C:
A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons.
[1] Volume “\\.\C:” has been formatted.
[2] The NTFS USN journal on volume “\\.\C:” has been deleted.
[3] The NTFS USN journal on volume “\\.\C:” has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
[4] File Replication Service was not running on this computer for a long time.
[5] File Replication Service could not keep up with the rate of Disk IO activity on \\.\C:.
Setting the “Enable Journal Wrap Automatic Restore” registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.

This is caused when the SYSVOL gets corrupted and is simple to fix. I will walk you through the steps.

First off, before we do anything, let's back up by taking a Shadow Copy of the C: drive. To do this, open My Computer, select the C: drive, right-click it and select Properties. Now find the Shadow Copies tab, highlight the C: drive and click the “Create Now” button to create a backup point on the drive. You do not need to “Enable” Shadow Copies to take a one-time snapshot.

Now that we have a backup point to go to if all hell breaks loose, we can safely move on to the next step. Open up REGEDIT and navigate to the registry key System\CurrentControlSet\Services\NtFrs\Parameters, then create a new REG_DWORD value called Enable Journal Wrap Automatic Restore and place a 1 as the hex value.


Now launch a Command window (DOS) and run the following commands:



This will then cause the following to appear in your File Replication Service Event Log:

The File Replication Service is deleting this computer from the replica set “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)” as an attempt to recover from the error state,
Error status = FrsErrorSuccess
At the next poll, which will occur in 5 minutes, this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.

This will be followed by the following Event Log:

File Replication Service is scanning the data in the system volume. Computer MyDomainServer cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

This will be followed by the following Event Log:

The File Replication Service moved the preexisting files in c:\windows\sysvol\domain to c:\windows\sysvol\domain\NtFrs_PreExisting___See_EventLog.

Now we need to wait a bit and allow the replication to complete. This has taken anywhere from 5 minutes to 20 minutes for me based on server and what is being replicated. You will know it is complete when you get the Event Log:

The File Replication Service is no longer preventing the computer MyDomainController from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.

Once you get this log your replication is complete and the Journal Wrap issues are fixed. We now need to go back to REGEDIT and change the entry we placed in there from a 1 to a 0.

You are all done.

May this help someone out there..
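The whole sequence, including the final reset of the registry value, can be scripted so the switch is not left at 1 by accident. This is an added example, not part of the original post; it assumes PowerShell 2.0 is installed on the affected DC, that the parameters key lives under HKLM, and that restarting the NtFrs service stands in for the commands that are missing from the page.

```powershell
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$name = 'Enable Journal Wrap Automatic Restore'
$log  = 'File Replication Service'

# Text of the final event quoted in the post; used to detect completion.
$doneText = 'is no longer preventing the computer'

# Assumption: generous upper bound; the post reports 5 to 20 minutes.
$deadline = (Get-Date).AddMinutes(60)

Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord

$start = Get-Date
# Assumption: a service restart makes FRS re-read the parameter and begin recovery.
Restart-Service -Name NtFrs

$finished = $false
while (-not $finished -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 30
    # Only events written after the restart count; older ones are from earlier attempts.
    $hits = @(Get-EventLog -LogName $log -After $start -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$doneText*" })
    $finished = $hits.Count -gt 0
}

if ($finished) {
    # Put the switch back to 0, as the post instructs, once SYSVOL is shared again.
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    'SYSVOL re-initialised; automatic restore switched off again.'
}
else {
    Write-Warning "No completion event yet. '$name' is still 1; check the FRS event log and reset it manually when done."
}
```

The recovery re-adds the DC with a full tree sync, so it needs at least one replication partner holding a good copy of SYSVOL.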


Error when enabling Active Directory Recycle Bin

While attempting to access the Active Directory Recycle Bin, I received the following error:

Enable-ADOptionalFeature: The specified method is not supported.

At line:1 char:25

+Enable-ADOptionalFeature <<<<  -Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service, CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com’ –Scope ForestorConfigurationSet –Target ‘’

  +CategoryInfo          : NotSpecified: (CN=Recycle Bin ..=contoso,DC=com:ADOptionalFeature) [Enable-ADOptionalFeature], ADException

  + FullyQualifiedErrorID : The specified method is not supported,Microsoft.ActiveDirectory.Manegment.Commands.EnableADOptionalFeature

This is caused by either your domain or forest functional level not being set to Windows2008R2Domain or Windows2008R2Forest or higher.


To determine your current levels, type the following commands in PowerShell.

Import-Module ActiveDirectory



To set the domain mode, type:

Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2008R2Domain

To set the forest mode, type:

Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008R2Forest

Once the PowerShell console is running in Active Directory context, enable the Recycle Bin feature with the following syntax, all on a single line and followed by the Enter key:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=MI,DC=COM' -Scope ForestOrConfigurationSet -Target ''
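Checking the functional levels first avoids the "method is not supported" error described above. The following is an added example, not part of the original post; it refers to the feature by name instead of by distinguished name, takes the target from the current forest, and only previews the change.

```powershell
Import-Module ActiveDirectory

$forest   = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

# Report the functional level of the forest and of every domain in it.
'Forest {0}: {1}' -f $forest.Name, $forest.ForestMode
foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Server $name
    'Domain {0}: {1}' -f $d.DNSRoot, $d.DomainMode
}

$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

if ($forest.ForestMode -lt $required) {
    # This is the state that produces "The specified method is not supported".
    Write-Warning "Forest mode is $($forest.ForestMode); raise it to $required first."
}
elseif ($feature.EnabledScopes.Count -gt 0) {
    'Recycle Bin is already enabled for this forest.'
}
else {
    # Enabling the Recycle Bin cannot be undone, so preview it first.
    # Remove -WhatIf to apply the change.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -WhatIf
}
```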
