Microsoft’s official Group Policy blog
Have you ever wished for a tool to help you identify Group Policy configuration problems…even those that, at first glance, might not seem to be related to Group Policy? How about a tool that can warn you if your Group Policy configuration might pose a security risk?
The Group Policy Diagnostic Best Practice Analyzer (GPDBPA) can provide information to help you respond to situations such as:
· Policy settings are not being applied as expected.
· A feature is not functioning as expected (for example, a mapped drive is not visible on client computers).
· A computer has:
  o Stopped responding during logon or startup.
  o Restarted during logon or startup.
  o Experienced delays during logon or startup.
· Policy settings may be configured in a way that poses a security risk.
· Necessary services may not be running.
· You may be connecting over a slow link.
· Loopback mode may be in effect unintentionally.
Using the GPDBPA, you can scan the Group Policy configuration on either a client computer (managed node) or a domain controller, and view a report of potential issues. Additionally, you can schedule a scan to run at a future time, or schedule scans to run on a recurring basis.
You can download the GPDBPA at
· Q: Is there a version of the GPDBPA that runs on Vista? A: Not yet. No ETA for it at this time.
· Q: Will there be localized versions of the GPDBPA? A: Currently, there are no plans to localize it.
Technical Writer, Group Policy
About your FAQ: Will there be localized versions of the GPDBPA?
For me, who runs a localized version on my own laptop, it would be great to be able to run the tool straight from my computer instead of needing to install it somewhere else. But unfortunately it's not even possible to install the English version, which I think you should be able to, since I think more than me run localized versions of Windows on their own computers...
Would it be possible to change so that you can run the English version of it even if you run a localized version (for me Swedish)?
Because the GPDBPA is not part of the Windows operating system release cycle, it has not been fully tested for non-English operating environments. For that reason, the installer will install it only if the language for the operating environment is English.
However, you can run the GPDBPA on a non-English computer at your own risk. With regard to Group Policy, the GPDBPA performs only read operations, so it is unlikely to pose a threat. If you wish to run the GPDBPA on a non-English computer, you should initially do so in a lab to verify the impact.
To load the GPDBPA onto a non-English computer, first install the GPDBPA on a computer or virtual machine for which the language is English. You can copy the %ProgramFiles%\GPDBPA\ folder to a non-English computer so that you can use the GPDBPA in a non-English environment at your own risk.
Linda Moore, Technical Writer
On a brand new test domain, I get errors from the GPDBPA tool that a user 'Does not have Read or Apply Group Policy permissions on the Default Domain Policy.'
Per default configurations, Authenticated Users is in the GPO, and is set to Read and Apply Group Policy.
This error also exists in our production environment, and we're experiencing unpredictable results with our GPOs.
If you have a localized Windows XP, you can run GBPA with the following steps:
1) Extract files from the KB EXE file (WindowsXP-KB940122-x86-ENU.exe). Use WinRAR or WinZIP to extract files from the EXE.
2) In the directory with extracted files, create a subfolder named "EN"
3) Move all .XML files into the "EN" folder.
Now you can run gbpa.exe