Group Policy Objects and Gpotool.EXE

by Nirmal Sharma [Published on 15 Dec. 2010 / Last Updated on 31 Oct. 2009]

This article explains how you can use Gpotool.exe to check for synchronization problems with Group Policy Objects.

A Group Policy Object has two parts: the Group Policy Container (GPC) and the Group Policy Template (GPT). The former is stored in Active Directory and the latter is stored in the SYSVOL share.

The GPC is stored at the following path in the Active Directory:

DomainName.Com\System\Policies\{FGR32-2F244.....}

The GPT is stored at:

SYSVOL\DomainName.Com\SYSVOL\Policies\{FGR32-2F244.....}

The GPC and GPT must stay in sync with each other. The GPC is replicated by Active Directory replication to all the domain controllers of the domain. The GPT is replicated by the File Replication Service or DFS-R to all the domain controllers of the domain.

A Group Policy may not apply to client computers if the GPC and GPT are not in sync. The GPC stores its version number in an attribute called VersionNumber, which is matched against the version number stored in GPT.INI for the GPT. For example, if the GPC version number is 23 and the GPT version number is 24, the two versions do not match; this is called a Version Mismatch. You can check whether all the Group Policy Objects in your organization have synced properly using Gpotool.exe. Gpotool.exe returns OK for each Group Policy Object it checks whose versions match and reports a Version Mismatch otherwise, as shown below:

    C:\>Gpotool.exe
       Validating DCs...
       Available DCs:
       DC1.DomainName.Com
       DC2.DomainName.Com
       Searching for policies...
       Found 2 policies
       =============================================
       Policy {GUID}
       OK
       =============================================
       Policy {GUID}
       Version Mismatch: DS Version (23), SYSVOL Version (24)
       =============================================
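
To run this check across many GPOs, the Gpotool.exe output above can be parsed and anything not reported OK flagged. The following is an added example, not part of the original article or of Gpotool itself; it assumes the line formats shown in the sample output, and the GUIDs and the function names parse_gpotool and needs_attention are constructed for illustration.

```python
import re

# Constructed sample: the article's Gpotool.exe output with made-up GUIDs.
SAMPLE_OUTPUT = """\
Validating DCs...
Available DCs:
DC1.DomainName.Com
DC2.DomainName.Com
Searching for policies...
Found 2 policies
=============================================
Policy {11111111-1111-1111-1111-111111111111}
OK
=============================================
Policy {22222222-2222-2222-2222-222222222222}
Version Mismatch: DS Version (23), SYSVOL Version (24)
=============================================
"""

# Assumption: line formats are exactly those in the article's sample output.
POLICY_RE = re.compile(r"^\s*Policy\s+(\{[^}]+\})\s*$")
MISMATCH_RE = re.compile(r"Version Mismatch: DS Version \((\d+)\), SYSVOL Version \((\d+)\)")
FOUND_RE = re.compile(r"Found (\d+) polic")

def parse_gpotool(text):
    """Return one record per policy; status stays UNKNOWN if no verdict follows."""
    results, current = [], None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = {"guid": m.group(1), "status": "UNKNOWN", "ds": None, "sysvol": None}
            results.append(current)
        elif current is not None:
            mm = MISMATCH_RE.search(line)
            if mm:
                current.update(status="MISMATCH", ds=int(mm.group(1)), sysvol=int(mm.group(2)))
            elif line.strip() == "OK" and current["status"] == "UNKNOWN":
                current["status"] = "OK"
    return results

def needs_attention(text):
    """Policies not reported OK, plus whether the 'Found N' count matches."""
    results = parse_gpotool(text)
    found = FOUND_RE.search(text)
    complete = found is not None and int(found.group(1)) == len(results)
    return [r for r in results if r["status"] != "OK"], complete

if __name__ == "__main__":
    for r in needs_attention(SAMPLE_OUTPUT)[0]:
        print(r["guid"], r["status"], "DS", r["ds"], "SYSVOL", r["sysvol"])
```

A policy with no verdict line is left as UNKNOWN and is flagged, and a "Found N policies" count that differs from the number of parsed policies signals truncated or incomplete output.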
