Phantom GPO preventing software installation

Posted on 2008-10-06
Last Modified: 2011-10-19
I am working on a 2003 Windows domain. Multiple domain controllers. Replication is working fine as verified by dcdiag, replmon, etc.

A little background...A few months ago, our domain controller hosting all FSMO roles (server1) died. A new server has replaced it (server2). FSMO roles were seized by a third DC (server3). Metadata and DNS were cleaned up to remove all references to this server (server1) from Active Directory. AD is running fine, no replication issues, AD errors, etc.

The problem...Apparently there was an old GPO to deploy Java to PCs. I have been maintaining this network for a few years and was not aware of this GPO, so it must have been set up and then deleted at some point a few years back.

Last week I was tasked with deploying Java to our network. I was using a specific OU to test (HQ). I noticed that this Java GPO was not being applied as expected so I ran the GP Modeling wizard (on all domain controllers to verify consistency). The results indicated that the GPO should be applied based on the user/computer settings I was using. I logged on as the same user and the same PC that I used in GP modeling. When I ran gpresult from this PC, the GPO was not listed. So I ran gpresult /v to get more detailed info. Sure enough, there was an unnamed GPO listed (it says GPO: N/A) under the 'Software Installations' portion that referred to an old version of Java...The package was to be deployed from a share located on the dead server (server1).

I need to know how to get rid of this phantom GPO. Will implementing a 'wait for network' GPO force the affected PCs to 'erase' old policies? I have determined that the phantom GPO applies to computer settings. Also, if someone could let me know if this could prevent the new Java package from appearing in the gpresult command from the affected PC (but using modeling wizard, it says the new GPO should apply). Lots of details here....let me know if you need anything clarified. Thanks for any help.
0
Question by:FIFBA
9 Comments
 
LVL 19

Expert Comment

by:MrLonandB
ID: 22654276
Might suggest running the attached script. Change extension to .wsf
FindOrphanedGPOsInSYSVOL.txt
0
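The kind of check the attachment's filename describes, as an added example (this is not MrLonandB's script, which is not reproduced on this page): a read-only comparison of the GPO objects in Active Directory against the policy folders in SYSVOL, reporting mismatches in both directions. It assumes a management workstation with the RSAT ActiveDirectory module and a domain controller that answers its queries (Active Directory Web Services, or the AD Management Gateway Service on older DCs).

```powershell
# Added example: list GPOs that exist in only one of AD or SYSVOL. Read-only.
# Assumption: the ActiveDirectory module (RSAT) is installed on this machine.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$policiesDN = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$sysvolPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"

# GPO objects in the directory, keyed by their GUID-style CN, e.g. {31B2F340-...}
$adGpos = @{}
Get-ADObject -SearchBase $policiesDN -SearchScope OneLevel `
    -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties displayName |
    ForEach-Object { $adGpos[$_.Name.ToUpper()] = $_.displayName }

# Policy folders in SYSVOL; the pattern skips non-GPO folders such as PolicyDefinitions
$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$sysvolGpos = Get-ChildItem -Path $sysvolPath |
    Where-Object { $_.PSIsContainer -and $_.Name -match $guidPattern } |
    ForEach-Object { $_.Name.ToUpper() }

$findings = @()

# Folder present in SYSVOL but no matching object in AD (orphaned template)
foreach ($guid in $sysvolGpos) {
    if (-not $adGpos.ContainsKey($guid)) {
        $findings += New-Object PSObject -Property @{
            Guid = $guid; DisplayName = ''; Finding = 'Folder in SYSVOL, no AD object' }
    }
}

# Object present in AD but no matching folder in SYSVOL (orphaned container)
foreach ($guid in $adGpos.Keys) {
    if ($sysvolGpos -notcontains $guid) {
        $findings += New-Object PSObject -Property @{
            Guid = $guid; DisplayName = $adGpos[$guid]; Finding = 'AD object, no SYSVOL folder' }
    }
}

$findings | Sort-Object Finding, Guid |
    Format-Table Guid, DisplayName, Finding -AutoSize
```

The SYSVOL path goes through the domain name, so the folder list comes from whichever DC answers; put a specific DC name in `$sysvolPath` to check each one. The script reports on the domain side only and does not examine what gpresult shows on a client.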
 
LVL 56

Expert Comment

by:McKnife
ID: 22654313
What I don't understand is, why would the ghost stop the new policy from applying? The new policy may not care for any policy (ghost or not ;) no matter if another older version of java (jre?) was being deployed. Please make sure by using a computer in a test gpo that blocks inheritance that your new gpo applies and installs first.
0
 

Author Comment

by:FIFBA
ID: 22654440
I was thinking the same thing...doesn't make sense that the old java would prevent the new one. Good idea about the block inheritance in a test OU. I'll try to test this soon...

MrLonandB...do I need to run this on a domain controller? If so, can you provide a link to the source as I will need approval to run a .wsf.

Thanks to both...
0
 

Author Comment

by:FIFBA
ID: 22654808
OK, I created a test OU, recreated the java policy, blocked inheritance on the OU. I created a test user in the OU (user policy). I have forced replication between all DCs and gpupdate /force on the test PC. The GPO is enabled and enforced. I have rebooted the test PC a few times now...no mention of the test policy when I run a gpresult. I am receiving no errors on any domain controller...
0
 
LVL 4

Expert Comment

by:lscapa
ID: 22654875
Run mpsreports for DC from Microsoft on the local DC to the test client... post the results as an attachment. It will send domain information but no security sensitive info. (In other words, no need to clean unless you just really want to...)
0
 
LVL 56

Accepted Solution

by:
McKnife earned 1000 total points
ID: 22654929
This sw installation will have to be a computer setting, not a user setting. Why did you write ...(user policy)...? You want to deploy the software, so assign it to computers. No user object involved here.
0
 
LVL 4

Assisted Solution

by:lscapa
lscapa earned 1000 total points
ID: 22654964
I don't even think we're at that point... He doesn't even see the policy which should at least show up as empty or blocked... Where the sw installs from doesn't matter and yes it will install just fine as a user package... it'll just uninstall each time the user logs off.
0
 

Author Comment

by:FIFBA
ID: 22655563
I take your point about the user installation, McKnife...I need to get this out ASAP and don't have a clean and easy way to reboot all PCs in the enterprise which would be required to push out computer settings quickly (am I correct?)...so I thought I would push it out as a user setting. Anyway, lscapa, I will try to run mpsreports. Just fyi, I had another policy that I needed to push out today and it worked fine...
0
 

Author Comment

by:FIFBA
ID: 22656663
I've decided to run as a computer policy, which is installing fine in testing. I will just need to find a way to reboot all PCs. Some parts of this still don't make sense since I should at least see the user policy when running gpresult. Anyway, time to move on. Thanks for the help...
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question