Solved

Missing Group Policy settings

Posted on 2007-07-20
Last Modified: 2012-08-13


I have the following problem with group policy:

On a Windows 2003 domain controller I have the following group policy:

Default Domain Controller Policy, with the following settings:

Permit access to the Control Panel, Enabled
Hide all items on desktop, Enabled

Administrator Policy with the following settings:

Permit access to the Control Panel, Disabled
Delete the Run item from the Control Panel, Disabled

So the administrators have access to the Control Panel, and the users don't.

If I use the Group Policy Management tool from Microsoft to simulate the GPOs, I receive the following results:

For the user on an XP machine:

I see the GPO Default Domain Policy is applied, and the Administrator policy is denied, so this is OK.
When I look at the settings, I see the settings for desktop and Control Panel are enabled, so they're not visible; this seems to be OK.

But now the administrator on an XP machine.

I see now both domain and admin policies are enabled.
When I go to the settings results, I see the following:

Permit access to Control Panel, disabled, winning GPO Admin policy.

This is OK, but now here is the problem: I don't see the other policy of the desktop items, whether it is disabled or enabled, it just doesn't show up!

Please help




Question by:jbatavier
23 Comments
 
LVL 31

Expert Comment

by:merowinger
ID: 19530102
Look at the security settings of the GPO and check whether the Administrators are listed on the security page.
0
 

Author Comment

by:jbatavier
ID: 19530168
At the Administrator policy the following security settings have been set:

Administrator has read access (from security filtering)
Domain Admins have edit, delete, modify settings

At the Default Domain Policy the following is set:
Authenticated Users have read access
Domain Admins have edit, delete, modify settings
0
 
LVL 51

Expert Comment

by:Netman66
ID: 19530390
If this isn't a typo:

Default Domain Controller Policy, with the following settings:

..then you won't see that Desktop setting as it's only applying to the DCs.  You want this in the Default Domain Policy or a policy linked to the domain - not the Default Domain Controller Policy.
0
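Netman66's point above (a GPO linked only to the Domain Controllers OU is never evaluated for a workstation user) and merowinger's earlier point about security filtering can both be verified from the console instead of by clicking through GPMC. The following is an added example and not code from the original thread: it uses the GroupPolicy and ActiveDirectory PowerShell modules (RSAT; Windows Server 2008 R2 or later, so not the 2003-era GPMC the thread discusses) to list the links on the domain root and on the Domain Controllers OU, and to show which trustees hold the Apply permission on the two GPOs named in the question. The GPO name "Administrator Policy" is taken from the question; the domain is assumed to be whatever the host belongs to.

```powershell
# Added example, not from the original thread. Requires the GroupPolicy and
# ActiveDirectory modules (RSAT / Windows Server 2008 R2 or later) on a
# domain-joined admin host. The GPO name 'Administrator Policy' comes from the
# question; the domain itself is assumed to be the one the host belongs to.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$targets = @($domain.DistinguishedName, $domain.DomainControllersContainer)

function Get-GpoLinksOn {
    # Every GPO linked at this container, in link order. A GPO linked only on
    # the Domain Controllers OU is never evaluated for a workstation user,
    # which is why a setting placed in the Default Domain Controllers Policy
    # never shows up in RSoP for an XP client.
    param([Parameter(Mandatory)][string]$Container)
    (Get-GPInheritance -Target $Container).GpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced,
            @{ Name = 'LinkedAt'; Expression = { $Container } }
}

function Get-GpoApplyTrustees {
    # Trustees that can actually receive the GPO. GpoApply implies Read; a
    # trustee that holds Read only is reported by the modeling wizard under
    # Denied GPOs with reason "Security Filtering".
    param([Parameter(Mandatory)][string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { '{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name }
}

# Where is each GPO linked?
$targets | ForEach-Object { Get-GpoLinksOn -Container $_ } | Format-Table -AutoSize

# Who can apply the two GPOs from the question?
foreach ($gpo in 'Default Domain Policy', 'Administrator Policy') {
    "`n$gpo applies to:"
    Get-GpoApplyTrustees -Name $gpo | ForEach-Object { "  $_" }
}

# Dump the settings GPMC can resolve for a GPO. Administrative Template
# values in registry.pol that GPMC cannot match to a template are listed
# under "Extra Registry Settings" rather than under their friendly name.
Get-GPOReport -Name 'Default Domain Policy' -ReportType Html `
    -Path "$env:TEMP\DefaultDomainPolicy.html"
```

In the first table the Default Domain Policy should appear under the domain root, and the Default Domain Controllers Policy only under the Domain Controllers OU. In the second list, Authenticated Users should hold Apply on the Default Domain Policy; if a GPO shows no Apply trustee that covers the account being modeled, the wizard will list it as denied for that account, which matches the "Administrator policy is denied" line in the question for the ordinary user.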
 

Author Comment

by:jbatavier
ID: 19530428
Yes you're right, it's a typo.

It has to be the default domain policy
0
 
LVL 23

Expert Comment

by:Jeremy Weisinger
ID: 19530452
It sounds like you're looking at the RSoP output for the first example and the actual policy settings for the second. Could you clarify?

0
 

Author Comment

by:jbatavier
ID: 19530518
In both examples, I look at the results from the Group Policy Modeling Wizard
0
 
LVL 23

Expert Comment

by:Jeremy Weisinger
ID: 19530678
On the summary tab, under the User Configuration, check if any GPOs were denied. If the Default Domain Policy is listed it should tell you why it was denied.
0
 

Author Comment

by:jbatavier
ID: 19530744
No Policy is denied
0
 
LVL 23

Expert Comment

by:Jeremy Weisinger
ID: 19530816
Is it listed in the applied GPOs section?

Can you run the Wizard again to check one more time?
0
 

Author Comment

by:jbatavier
ID: 19530864
Yes, I've run it several times.

I do see it in the Applied GPOs section, but I only see one setting.
0
 
LVL 23

Expert Comment

by:Jeremy Weisinger
ID: 19530945
Other than checking the GPO to make sure you've configured what you expect to be there, I don't know what to tell you.

Sorry.
0
 

Author Comment

by:jbatavier
ID: 19531278
On the XP machine the expected policy applies, as the settings do function.

But in the Group Policy manager, the settings are different as I simulate the Policy.
So I can't trust the Group Policy Manager
0
 
LVL 23

Expert Comment

by:Jeremy Weisinger
ID: 19531408
So is everything in place and you just want to check if it's functioning the way you expect? Have you tried running the Results wizard?
0
 

Author Comment

by:jbatavier
ID: 19531454
yes, same result.
0
 

Author Comment

by:jbatavier
ID: 19531471
I've read also some articles about a corrupt policy. So I did the DCGPOFIX to fix the default domain policy.

Also without a positive result...
0
 
LVL 13

Expert Comment

by:ocon827679
ID: 19531611
Did you run gpupdate /force on the admin machine?
0
 

Author Comment

by:jbatavier
ID: 19542455
yes, I did
0
 

Author Comment

by:jbatavier
ID: 19553862
And I've tested it on several machines, on XP and 2003.
0
 

Author Comment

by:jbatavier
ID: 19555615
I did some research today on the SYSVOL folder in WINNT.
Under the Policies folder I find my policies, and also the Default Domain Policy.

But in the folder of the Default Domain Policy there is no ADM folder!
In all the other folders the ADM folder is present.
0
 
LVL 13

Expert Comment

by:ocon827679
ID: 19555733
Take a look at the File Replication Service event logs on your DCs. Are you seeing 13508s and 13509s? Do you see 13516 anywhere? If you are not seeing the 13516 anywhere, then restart the File Replication Service. 13516 is the event that states that file replication is complete and SYSVOL is now shared, which is the last step required for a domain controller to become a domain controller.

13508/9s are indicative of a communication/connectivity issue. If file replication is not happening, that might be your problem.

If you see a journal wrap error in one of the event logs, then there is an easy fix. Open the registry editor on the problem DC and go to HKLM - System - CurrentControlSet - Services - NtFrs - Parameters - Backup\Restore - Process at Startup - Burflags. Change the value in Burflags to D2 and restart the File Replication Service. You will see that the value changes back to 0x0. Once replication is complete you should see the 13516.

BTW, this registry change forces a non-authoritative restore of SYSVOL. If you were to set Burflags to D4, this will force an authoritative restore of SYSVOL.
0
 

Author Comment

by:jbatavier
ID: 19555921
I don't see any File Replication errors.
I do see the 13516, so the replication process is going fine (I think).

0
 
LVL 13

Expert Comment

by:ocon827679
ID: 19556443
Restart the File Replication Service on the problem child and see if everything comes back OK. If not, do the non-authoritative restore of SYSVOL, Burflags = D2, procedure listed above. If it comes back OK, I'm stumped!
0
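The checks in ocon827679's two comments above (look for 13508/13509/13516 in the FRS log, then force a non-authoritative SYSVOL restore with BurFlags = D2 if replication is stuck) can be scripted so the result is observed rather than assumed. The following is an added example and not code from the thread. It assumes a Windows Server 2003-era DC that still replicates SYSVOL with FRS (DCs migrated to DFSR use a different procedure) and an elevated Windows PowerShell session on that DC; Get-EventLog is a Windows PowerShell cmdlet and is not present in PowerShell 7. Event 13568 is included because it is the journal wrap error mentioned above. Note that the key is really named "Backup/Restore" with a forward slash; the HKLM: provider accepts "/" as a path separator, so the code goes through the .NET Registry class instead.

```powershell
# Added example, not from the original thread. Assumes an FRS-replicated SYSVOL
# (Windows Server 2003 era) and an elevated Windows PowerShell session on the DC.
$FrsLog  = 'File Replication Service'
$Watched = @{
    13508 = 'cannot reach replication partner'
    13509 = 'partner reachable again after retries'
    13516 = 'SYSVOL initialised and shared (DC fully promoted)'
    13568 = 'journal wrap (JRNL_WRAP_ERROR)'
}

function Get-FrsHealth {
    # Recent FRS events that matter for SYSVOL, oldest first, with a short meaning.
    param([int]$Newest = 1000)
    Get-EventLog -LogName $FrsLog -Newest $Newest |
        Where-Object { $Watched.ContainsKey($_.EventID) } |
        Sort-Object TimeGenerated |
        Select-Object TimeGenerated, EventID,
            @{ Name = 'Meaning'; Expression = { $Watched[$_.EventID] } }
}

# The subkey really is "Backup/Restore" (forward slash). The HKLM: provider
# would split on "/", so use the .NET Registry class, which splits on "\" only.
$BurKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters' +
          '\Backup/Restore\Process at Startup'

function Reset-FrsSysvol {
    # D2 = non-authoritative: this DC discards its copy and re-syncs from a partner.
    # D4 = authoritative: set on exactly ONE DC, with every other DC set to D2;
    #      D4 on more than one DC produces conflicting copies of SYSVOL.
    param([ValidateSet('NonAuthoritative', 'Authoritative')][string]$Mode = 'NonAuthoritative')
    $flag = if ($Mode -eq 'Authoritative') { 0xD4 } else { 0xD2 }

    Stop-Service NtFrs
    [Microsoft.Win32.Registry]::SetValue($BurKey, 'BurFlags', $flag,
        [Microsoft.Win32.RegistryValueKind]::DWord)
    $since = Get-Date
    Start-Service NtFrs

    # FRS resets BurFlags to 0 once it has consumed the request and logs 13516
    # when SYSVOL is shared again. Wait for that event instead of assuming success.
    for ($i = 0; $i -lt 60; $i++) {
        Start-Sleep -Seconds 10
        $done = @(Get-EventLog -LogName $FrsLog -After $since |
                  Where-Object { $_.EventID -eq 13516 })
        if ($done.Count -gt 0) {
            return ('SYSVOL re-initialised at {0:u}' -f $done[0].TimeGenerated)
        }
    }
    $current = [Microsoft.Win32.Registry]::GetValue($BurKey, 'BurFlags', $null)
    throw "No 13516 within 10 minutes; BurFlags is currently $current"
}

Get-FrsHealth | Format-Table -AutoSize
# Reset-FrsSysvol                        # non-authoritative, as suggested above
# Reset-FrsSysvol -Mode Authoritative    # on one DC only
```

Run Get-FrsHealth first. A 13516 with no later 13508 or 13568 means FRS itself is healthy, which is what the author reports, and a BurFlags reset will then not change anything about the GPO contents. The reset only rebuilds this DC's copy of SYSVOL from a partner; it does not recreate files, such as an ADM folder, that no partner has.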
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 21888874
PAQed with no points refunded (of 500)

Computer101
EE Admin
0
