Solved

Group Policy Problem - Default Domain Policy

Posted on 2006-11-30
4
375 Views
Last Modified: 2012-08-13
I made a change to a policy within our default domain policy. Whats strange is some computers get the update and some dont. Even though when I run a gpresult they are pulling from the same DC. When I do a gpresult, I do see two default domain policies being applied. Is that normal?  Can a group policy become corrupt?

I only have two DC in this site...

Windows 2003 Server and XP clients
0
Comment
Question by:bonadio171
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 6

Accepted Solution

by:
d50041 earned 200 total points
ID: 18046646
run gpotool.exe /dc:dcname

and review the results.

generally don't use the default domain policy or default domain server policy, make your own GPO's.

In the gpo mmc run the wizward againt a computer that is not getting the gpo.

Yes it is normal to have several GPO's listed, yes a group policy can become corrupt, its a file.
0
 
LVL 6

Assisted Solution

by:trippleO7
trippleO7 earned 200 total points
ID: 18047465
Sure policies can become corrupt, especially when making changes through the SYSVOL dir instead of using Group Policy Management Console (GPMC).

I'm unsure if you're aware, but there are two default policies created during an AD install.  Defaut Domain Policy and Default Domain CONTROLLER Policy.  The controller policy is automatically applied to the "Domain Controllers" OU and your DC's are automatically added to that.  If you are seeing two default domain policies being applied, is there a chance that you have applied both of the default policies to your computers on accident?  That could render adverse affects....

Another thing that could be happening is Policy Inheritance.  When you create an OU under your Domain name, and create a new policy to that OU, it will inherit the default domain policy as well by default, unless you explicitly told that OU to block policy inheritance.

If you haven't done so alread, I suggest downloading GPMC from MS via http://www.microsoft.com/downloads/details.aspx?familyid=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

This will give you a clear picture of what's going on as it's displayed better than the built in GP editor in 2000/2003.

Verify this info then let me know if that looks OK.  I'll go from there.  We just need to start with some basics first.

Thanks!
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question