Solved

GPO Troubles

Posted on 2002-06-25
21
486 Views
Last Modified: 2010-04-13
Greetings All,

I have my organization pretty well split apart in diffferent OU within AD.

Users
-System Accounts
-Power Users
-Standard Users
-Restricted Users

etc etc etc

I had a consultant creat my GPO and roll it out. Well, long story short, it is garabage and I would like to know how to get back to square 1.

Is there a way to delete all gpo's and start a new?
0
Comment
Question by:atmear
  • 10
  • 8
  • 3
21 Comments
 
LVL 7

Expert Comment

by:jmiller47
ID: 7108508
Yes, quite frankly, just click on the GPO and click on the delete button.

I'm not sure if you need more than that...

Are you unsure of where to do this from?
0
 

Author Comment

by:atmear
ID: 7108555
I know where... just wondered if there were any effects to just deleting the whole thing without one being present there after.
0
 

Author Comment

by:atmear
ID: 7108586
I went ahead and deleted them all... Should I run any commands to flush out the settings?
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7108593
no - you don't need to. Did you copy over the working profile first to the Default user?
0
 

Author Comment

by:atmear
ID: 7108598
I did not really have a working profile...(GPO)

Matter of fact, I think the default one was the one causing all the problems. So now, every GPO is gone.

0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7108601
Sorry, I posted that in the wrong thread! disregard that last comment!

But in regards to your question about flushing anything out, no. you dont need to. If you have deleted a GPO and it is still applied to a workstation or server, either reboot that workstation or use the following command:

SECEDIT /REFRESHPOLICY

That should do it for you.
0
 

Author Comment

by:atmear
ID: 7108606
use that command on the server or ws?
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7108631
Sorry, from the workstation and only if you feel that a Group Policy Object is still being enforced after being deleted.

0
 

Expert Comment

by:Egyptchamp
ID: 7108769
I think atmear need more solid planning for the OU structure, and also before just deleting the OU structure, some steps should have been taken appropriately...

here's my recommendation

- go through the OU structure already existing
- move any user accounts, groups, computer accounts to one of the built-in containers like the one called (users)
- simply delete the OU/OUs you don't need anymore after that
- start PLANNING for the new OU structure and design that on paper before you implement it
- some would recommend an OU structure based on organisational structure by departments, by ranking, by usage ...etc

another recommendation in case you didn't attend Microsoft Active Directory course, or have a practical experience with Group Policy, I'd recommend you the following website for more details on Group Policy implementation and considerations...

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/reskit/deploy/ccmdepl/ccmch04.asp

Best Regards,
The Egyptchamp
MCP+I, MCSE, MCSA, MCT
0
 

Author Comment

by:atmear
ID: 7108935
I did not create this GPO nor do I actually know what it consisted of. I do know it was causing problems... and it needed to be pulled ASAP. Thank You for taking the time to list the link.

FYI-this is a small enviroment, so we are capable of on the fly changes.
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 7

Expert Comment

by:jmiller47
ID: 7109850
Actaully, I completely forgot about this, but since I like the idea of Group Policy, but hate the way MS chooses to manage it, you can use FAZAAM to manage everything.

FAZAAM is what Microsoft actually recommends to use when managing Group Policy. Using this program, you can back up your GPOs, restore them, see result sets of Policies, drill down into what each policy does, etc. You can see for yourself what the program does from its product pages... This should do everything you need to do and make things a bit easier to change and then restore things if they go awry.

I highly recommend it for anyone using Active Directory.

http://www.fullarmor.com/solutions/group/
0
 

Author Comment

by:atmear
ID: 7113563
I am checking that software out now.... Does anyone eles know of any other software to manage GPO's?
0
 

Author Comment

by:atmear
ID: 7115224
I deleted all my GPO's off all my users and machines, but the GPO's still seem to be in place.

Should I run any commands on the server to wipe those settings that were in place?
0
 

Expert Comment

by:Egyptchamp
ID: 7118188
atmear ... can u please tell me what is the result that you see at your users or computers and you think it's coming from a Group Policy?

and yes, there're quick free tools and techniques to check if a group policy is in place or not, but first of all, try to tell me what is it that you think is coming from a Group Policy?
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7118210
I would imagine that you are going to recommend GPRESULT, but dont forget about RSOP. That works incredibly well for tracking down things of this nature.

But I agree to look at why you think they are still propogating first...
0
 

Author Comment

by:atmear
ID: 7119490
accounts locking out after 4 wrong tries, still shows pre-log on warnings, removes user names in login areas (sometimes)... etc
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7119606
This link will tell you how to use GPResult. Run it and it will tell you what Group policies are getting used on a workstation for a user.

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/proddocs/using_gpresult.asp

This link will show you where you can download GPResult.

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp

As far as RSOP (Resultant Set Of Policy), I guess it is only available on Windows XP. I was under the impression it was available for Windows 2000 also, but I cannot find it anywhere. If anyone knows, please post here!
0
 

Expert Comment

by:Egyptchamp
ID: 7120529
jmiller, thanks for your efforts, and yes RSOP is only available under Windows .NET and Windows XP and not W2K

but maybe you got confused with RSOP that comes with FAZAM

Anyway, lets focus back to atmear situation...

atmear...
I don't think you need advanced utils like FAZAM or get yourself into the resource kit utilities for your situation, although I would recommend these tools in a bigger problem troubleshooting.

let me tell you, if you have already destroyed your OU structure with whatever GPOs these OUs had, and you still find the effect of a GPO applied on your users/computers, then most probably you still have a GPO applied either at the Domain level or the Site level.

and now concentrate in what I'm going to tell...

Go to Active Directory Users & Computers
Double Click your Domain Name,
then Right Click it,
Go to Properties,
Check under the Group Policy tab ...
try to locate any GPO linked at the Domain level,
most probably the GPO called "Default Domain Policy", is there
Edit this GPO, and try to find if this is the GPO that is still applying the policies unto your users...

Second Probability

Go to Active Directory Sites & Services
Double Click the default-first-site-name, if this is the only site created in your directory, else, try to find whatever sites are created there
Double Click the site,
Right Click, go to Properties
Look under the Group Policy tab
try to locate any GPO that is linked at the Site level...

if you find any!! then Edit this GPO and try to find if this is the one applying the policied unto your users.

Still, using a utility like GPresult.exe from a client computer while logged in with a user account who experience the policies would give you an indication of what GPO is being applied....

Though, in my opinion, and no other opinion should be different. since you've deleted the OUs with their GPOs, and there're policies that r still being applied, then (as I explained above); you must have a GPO linked at the Domain or a Site level

if the above didnt get your hands on the truth!! then email me right away, and I've more techniques to work around your case.

Best Of Luck

The Egyptchamp
MCP+I, MCSA, MCSE, MCT
egyptchamp@yahoo.com
0
 
LVL 7

Accepted Solution

by:
jmiller47 earned 50 total points
ID: 7121171
GPResult should tell you exactly what policies are being applied on a per user and comuter basis. I suggest using this to tell you precisely what is being applied and what is not.

It will also tell you if possibly a group policy is being propogated from the local Group policy on the PC.

It will tell you exactly where any group policies are being applied from.

You might also want to try the command:
SECEDIT /REFRESHPOLICY
to make sure that you are using the most current policies from the Domain Controller. It is unlikely that this is your problem, but it's another thing to try.

BTW - Unfortunately, there are a few policy settings that if you delete the policy, the settings still exist on the local machine. You can then find the specific policy setting and then instead of it being not configured, you can change it to the oppposite of what it was, such as disabled if it was enabled.

I hope this helps.


0
 

Author Comment

by:atmear
ID: 7275208
I had to leave this problem for awhile, but I am begining to work on it again...
0
 

Author Comment

by:atmear
ID: 7335982
This is not the exact answer to my question, but you can figure out the answer by reading all of jmiller37's posts... Thanks Man!!
0

Featured Post

Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

Join & Write a Comment

Suggested Solutions

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now