Solved

Phantom GPO preventing software installation

Posted on 2008-10-06
Last Modified: 2011-10-19
I am working on a 2003 Windows domain. Multiple domain controllers. Replication is working fine as verified by dcdiag, replmon, etc.

A little background...A few months ago, our domain controller hosting all FSMO roles (server1) died. A new server has replaced it (server2). FSMO roles were seized by a third DC (server3). Metadata and DNS were cleaned up to remove all references to this server (server1) from Active Directory. AD is running fine, no replication issues, AD errors, etc.

The problem...Apparently there was an old GPO to deploy Java to PCs. I have been maintaining this network for a few years and was not aware of this GPO, so it must have been set up and then deleted at some point a few years back.

Last week I was tasked with deploying Java to our network. I was using a specific OU to test (HQ). I noticed that this Java GPO was not being applied as expected so I ran the GP Modeling wizard (on all domain controllers to verify consistency). The results indicated that the GPO should be applied based on the user/computer settings I was using. I logged on as the same user and the same PC that I used in GP modeling. When I ran gpresult from this PC, the GPO was not listed. So I ran gpresult /v to get more detailed info. Sure enough, there was an unnamed GPO listed (it says GPO: N/A) under the 'Software Installations' portion that referred to an old version of Java...The package was to be deployed from a share located on the dead server (server1).

I need to know how to get rid of this phantom GPO. Will implementing a 'wait for network' GPO force the affected PCs to 'erase' old policies? I have determined that the phantom GPO applies to computer settings. Also, if someone could let me know if this could prevent the new Java package from appearing in the gpresult command from the affected PC (but using modeling wizard, it says the new GPO should apply). Lots of details here....let me know if you need anything clarified. Thanks for any help.
0
Question by:FIFBA
9 Comments
 
LVL 19

Expert Comment

by:MrLonandB
ID: 22654276
Might suggest running the attached script. Change extension to .wsf
FindOrphanedGPOsInSYSVOL.txt
0
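
What an orphaned-GPO check of this kind compares, as an added example: this is not the attached script (its contents are not shown on this page), and it assumes PowerShell 2.0 or later on a domain-joined machine. The function names and the two made-up sample GUIDs are illustrative; the live functions only read from AD and SYSVOL.

```powershell
# Added example: cross-check GPO objects in AD against GPO folders in SYSVOL.
function Get-AdGpoGuid {
    # groupPolicyContainer objects sit under CN=Policies,CN=System,<domain DN>;
    # each one's cn attribute is the GPO GUID in braces.
    $rootDse  = [adsi]'LDAP://RootDSE'
    $base     = [adsi]"LDAP://CN=Policies,CN=System,$($rootDse.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter   = '(objectClass=groupPolicyContainer)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('cn')
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['cn'][0] }
}

function Get-SysvolGpoGuid {
    # Assumption: SYSVOL is reachable at \\<dns domain>\SYSVOL\<dns domain>\Policies.
    param([string]$DnsDomain = $env:USERDNSDOMAIN)
    Get-ChildItem "\\$DnsDomain\SYSVOL\$DnsDomain\Policies" |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object { $_.Name }
}

function Compare-GpoStore {
    # Returns one object per GUID that exists in only one of the two stores.
    param([string[]]$AdGuid = @(), [string[]]$SysvolGuid = @())
    $ad  = @($AdGuid     | ForEach-Object { $_.ToUpper() })
    $sys = @($SysvolGuid | ForEach-Object { $_.ToUpper() })
    foreach ($g in $sys) {
        if ($ad -notcontains $g) {
            New-Object psobject -Property @{ Guid = $g; Problem = 'SYSVOL folder, no AD object' }
        }
    }
    foreach ($g in $ad) {
        if ($sys -notcontains $g) {
            New-Object psobject -Property @{ Guid = $g; Problem = 'AD object, no SYSVOL folder' }
        }
    }
}

# Constructed sample: the two default GPO GUIDs plus two made-up ones.
$sampleAd  = '{31B2F340-016D-11D2-945F-00C04FB984F9}',
             '{6AC1786C-016F-11D2-945F-00C04FB984F9}',
             '{AAAAAAAA-0000-0000-0000-000000000001}'
$sampleSys = '{31b2f340-016d-11d2-945f-00c04fb984f9}',
             '{6AC1786C-016F-11D2-945F-00C04FB984F9}',
             '{BBBBBBBB-0000-0000-0000-000000000002}'
Compare-GpoStore -AdGuid $sampleAd -SysvolGuid $sampleSys

# Against a live domain (read-only):
# Compare-GpoStore -AdGuid (Get-AdGpoGuid) -SysvolGuid (Get-SysvolGpoGuid)
```

The sample run reports the two made-up GUIDs, one under each Problem value. This compares the domain-side stores only; it does not inspect what a client has recorded from an earlier policy application.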
 
LVL 55

Expert Comment

by:McKnife
ID: 22654313
What I don't understand is, why would the ghost stop the new policy from applying? The new policy may not care for any policy (ghost or not ;) no matter if another older version of Java (JRE?) was being deployed. Please make sure by using a computer in a test GPO that blocks inheritance that your new GPO applies and installs first.
0
 

Author Comment

by:FIFBA
ID: 22654440
I was thinking the same thing...doesn't make sense that the old Java would prevent the new one. Good idea about the block inheritance in a test OU. I'll try to test this soon...

MrLonandB...do I need to run this on a domain controller? If so, can you provide a link to the source as I will need approval to run a .wsf.

Thanks to both...
0

 

Author Comment

by:FIFBA
ID: 22654808
OK, I created a test OU, recreated the Java policy, blocked inheritance on the OU. I created a test user in the OU (user policy). I have forced replication between all DCs and gpupdate /force on the test PC. The GPO is enabled and enforced. I have rebooted the test PC a few times now...no mention of the test policy when I run a gpresult. I am receiving no errors on any domain controller...
0
 
LVL 4

Expert Comment

by:lscapa
ID: 22654875
Run mpsreports for DC from Microsoft on the local DC to the test client... post the results as an attachment. It will send domain information but no security sensitive info. (In other words, no need to clean unless you just really want to...)
0
 
LVL 55

Accepted Solution

by:
McKnife earned 250 total points
ID: 22654929
This sw installation will have to be a computer setting, not a user setting. Why did you write ...(user policy)...? You want to deploy the software, so assign it to computers. No user object involved here.
0
 
LVL 4

Assisted Solution

by:lscapa
lscapa earned 250 total points
ID: 22654964
I don't even think we're at that point... He doesn't even see the policy which should at least show up as empty or blocked... Where the sw installs from doesn't matter and yes it will install just fine as a user package... it'll just uninstall each time the user logs off.
0
 

Author Comment

by:FIFBA
ID: 22655563
I take your point about the user installation, McKnife...I need to get this out ASAP and don't have a clean and easy way to reboot all PCs in the enterprise which would be required to push out computer settings quickly (am I correct?)...so I thought I would push it out as a user setting. Anyway, lscapa, I will try to run mpsreports. Just FYI, I had another policy that I needed to push out today and it worked fine...
0
 

Author Comment

by:FIFBA
ID: 22656663
I've decided to run as a computer policy, which is installing fine in testing. I will just need to find a way to reboot all PCs. Some parts of this still don't make sense since I should at least see the user policy when running gpresult. Anyway, time to move on. Thanks for the help...
0


Question has a verified solution.
