jbatavier


Missing Group Policy settings



I have the following problem with group policy:

On a Windows 2003 domain controller I have the following group policy:

Default Domain Controller Policy, with the following settings:

Permit Access to the control panel, Enabled
Hide all items on desktop, Enabled

Administrator Policy with the following settings:

Permit Access to the control panel, Disabled
Delete the run item from the control panel, Disabled

So the administrators have access to the control panel, and the users don't.

If I use the Group Policy Management tool from Microsoft to simulate the GPOs, I receive the following results:

For the user on a XP machine:

I see the GPO Default Domain Policy is applied, and the Administrator policy is denied, so this is OK.
When I look at the settings, I see the settings for desktop and control panel are enabled, so they're not visible; this seems to be OK.

But now the administrator on a XP machine.

I see now both domain and admin policies are enabled.
When I go to the settings results, I see the following.

Permit access to control panel, disabled, winning GPO Admin policy.

This is OK, but now here is the problem: I don't see the other policy of the desktop items, whether it is disabled or enabled; it just doesn't show up!

Please help




merowinger

Look at the security settings of the GPO and check whether the Administrators are listed on the security page.
jbatavier

ASKER

At the administrator policy the following security settings have been set:

administrator has read access (from security filtering)
domain admin has edit, delete modify settings

at the domain default policy the following is set:
Authenticated user has read access
domain admin has edit, delete modify settings
If this isn't a typo:

Default Domain Controller Policy, with the following settings:

..then you won't see that Desktop setting as it's only applying to the DCs.  You want this in the Default Domain Policy or a policy linked to the domain - not the Default Domain Controller Policy.
Yes you're right, it's a typo.

It has to be the default domain policy
It sounds like you're looking at the RSoP output for the first example and the actual policy settings for the second. Could you clarify?

In both examples, I look at the results from the Group Policy Modeling Wizard
On the summary tab, under the User Configuration, check if any GPOs were denied. If the Default Domain Policy is listed it should tell you why it was denied.
No Policy is denied
Is it listed in the applied GPOs section?

Can you run the Wizard again to check one more time?
Yes, I've run it several times.

I do see it in the Applied GPO section, but I only see 1 setting.
Other than checking the GPO to make sure you've configured what you expect to be there, I don't know what to tell you.

Sorry.
On the XP machine the expected policy applies, as the settings do function.

But in the Group Policy manager, the settings are different as I simulate the Policy.
So I can't trust the Group Policy Manager
So is everything in place and you just want to check if it's functioning the way you expect? Have you tried running the Results wizard?
yes, same result.
I've read also some articles about a corrupt policy. So I did the DCGPOFIX to fix the default domain policy.

Also without a positive result...
Did you run gpupdate /force on the admin machine?
yes, I did
and I've tested it on several machines, on XP and 2003
I did some research today on the sysvol folder in winnt.
Under policies folder I find my policies, and also the default domain policy.

But, in the folder of the default domain policy there is no ADM folder!
In all the other folders the ADM folder is present.
Take a look at the File Replication Service event logs on your DCs. Are you seeing 13508's and 13509's? Do you see 13516 anywhere? If you are not seeing the 13516 anywhere, then restart the File Replication Service. 13516 is the event that states that file replication is complete and sysvol is now shared, which is the last step required for a domain controller to become a domain controller.

508/9's are indicative of a communication/connectivity issue. If file replication is not happening, that might be your problem.

If you see a journal wrap error in one of the event logs, then there is an easy fix. Open the registry editor on the problem DC and go to HKLM - System - CurrentControlSet - Services - NtFrs - Parameters - Backup\Restore - Process at Startup - Burflags. Change the value in Burflags to D2 and restart the file replication service. You will see that the value changes back to 0x0. Once replication is complete you should see the 13516.

BTW, this registry change forces a non-authoritative restore of sysvol. If you were to set Burflags to D4, this will force an authoritative restore of sysvol.
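
The read-only checks discussed in the posts above (the FRS event IDs, the current BurFlags value, and which policy folders have an ADM subfolder), as an added PowerShell example that is not part of the original thread. It assumes the default SYSVOL location and a domain logon on the DC; event ID 13568 for the journal wrap error is not named in the thread.

```powershell
# Added example: read-only diagnostics, run on the domain controller itself.
# Assumption: SYSVOL is in its default location under %SystemRoot%.
$policies = Join-Path $env:SystemRoot "SYSVOL\sysvol\$env:USERDNSDOMAIN\Policies"

# 1. FRS events from the thread: 13508/13509 (replication trouble / resolved),
#    13516 (SYSVOL shared). 13568 (journal wrap) is added here, not from the thread.
$ids = 13508, 13509, 13516, 13568
$events = @(Get-EventLog -LogName 'File Replication Service' -Newest 1000 |
    Where-Object { $ids -contains $_.EventID } |
    Sort-Object TimeGenerated)

$latest = @{}
foreach ($e in $events) { $latest[[int]$e.EventID] = $e.TimeGenerated }  # last one wins
foreach ($id in $ids) {
    $when = if ($latest.ContainsKey($id)) { $latest[$id] } else { 'not found' }
    'Event {0}: latest = {1}' -f $id, $when
}
if (-not $latest.ContainsKey(13516)) {
    'No 13516 in the sampled entries: SYSVOL may not be shared yet.'
} elseif ($latest.ContainsKey(13508) -and $latest[13508] -gt $latest[13516]) {
    'A 13508 is newer than the last 13516: replication trouble after SYSVOL was shared.'
}
if ($latest.ContainsKey(13568)) { 'Journal wrap (13568) logged: see the BurFlags procedure.' }

# 2. Current BurFlags value. The key is really named "Backup/Restore"; the slash
#    confuses registry provider paths, so the .NET registry API is used instead.
$sub = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($sub)
if ($key) {
    'BurFlags = 0x{0:X}' -f [int]$key.GetValue('BurFlags', 0)
    $key.Close()
} else { 'BurFlags key not found (is this a DC running FRS?)' }

# 3. Policy folders with and without an ADM subfolder.
Get-ChildItem -Path $policies | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $hasAdm = Test-Path -LiteralPath (Join-Path $_.FullName 'Adm')
    '{0}  Adm folder present: {1}' -f $_.Name, $hasAdm
}
```

Nothing here writes to the registry or restarts a service, so it can be run before deciding whether the D2 restore is needed.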
I don't see any File Replication errors.
I do see the 13516, so the Replication process is going fine (I think)

Restart the file replication service on the problem child and see if everything comes back OK. If not, do the non-authoritative restore of sysvol, Burflags = D2, procedure listed above. If it comes back OK, I'm stumped!