Solved

Phantom GPO preventing software installation

Posted on 2008-10-06
Last Modified: 2011-10-19
I am working on a 2003 Windows domain. Multiple domain controllers. Replication is working fine as verified by dcdiag, replmon, etc.

A little background...A few months ago, our domain controller hosting all FSMO roles (server1) died. A new server has replaced it (server2). FSMO roles were seized by a third DC (server3). Metadata and DNS were cleaned up to remove all references to this server (server1) from Active Directory. AD is running fine, no replication issues, AD errors, etc.

The problem...Apparently there was an old GPO to deploy Java to PCs. I have been maintaining this network for a few years and was not aware of this GPO, so it must have been set up and then deleted at some point a few years back.

Last week I was tasked with deploying Java to our network. I was using a specific OU to test (HQ). I noticed that this Java GPO was not being applied as expected so I ran the GP Modeling wizard (on all domain controllers to verify consistency). The results indicated that the GPO should be applied based on the user/computer settings I was using. I logged on as the same user and the same PC that I used in GP modeling. When I ran gpresult from this PC, the GPO was not listed. So I ran gpresult /v to get more detailed info. Sure enough, there was an unnamed GPO listed (it says GPO: N/A) under the 'Software Installations' portion that referred to an old version of Java...The package was to be deployed from a share located on the dead server (server1).

I need to know how to get rid of this phantom GPO. Will implementing a 'wait for network' GPO force the affected PCs to 'erase' old policies? I have determined that the phantom GPO applies to computer settings. Also, if someone could let me know if this could prevent the new Java package from appearing in the gpresult command from the affected PC (but using modeling wizard, it says the new GPO should apply). Lots of details here....let me know if you need anything clarified. Thanks for any help.
Question by:FIFBA
9 Comments
 

Expert Comment

by:MrLonandB
ID: 22654276
Might suggest running the attached script. Change extension to .wsf
FindOrphanedGPOsInSYSVOL.txt
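An added example, not the attached script and not code from any poster in this thread: one way to check for orphaned GPOs by comparing the GUID folders under SYSVOL with the groupPolicyContainer objects in Active Directory, in both directions. The function names are hypothetical, the domain is assumed to be the logon domain of the account running it, and it only reads.

```powershell
# Added example: read-only comparison of GPO GUIDs in AD and in SYSVOL.
# Uses ADSI only, so no Active Directory module is needed.

function Compare-GpoSets {
    param([string[]]$AdGuids, [string[]]$SysvolGuids)
    # Drop empty entries; -notcontains compares strings case-insensitively.
    $ad = @($AdGuids     | Where-Object { $_ })
    $sv = @($SysvolGuids | Where-Object { $_ })
    New-Object psobject -Property @{
        SysvolOnly = @($sv | Where-Object { $ad -notcontains $_ })  # folder, no AD object
        AdOnly     = @($ad | Where-Object { $sv -notcontains $_ })  # AD object, no folder
    }
}

function Get-AdGpoGuids {
    # GPO objects live under CN=Policies,CN=System,<domain DN>; cn is the {GUID}.
    $domainDn = ([adsi]'LDAP://RootDSE').defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://CN=Policies,CN=System,$domainDn"
    $searcher.Filter     = '(objectClass=groupPolicyContainer)'
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.Add('cn')
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['cn'][0] }
}

function Get-SysvolGpoGuids {
    # Assumption: the domain-based SYSVOL path is reachable; it is answered by
    # whichever DC the client is referred to.
    param([string]$DnsDomain = $env:USERDNSDOMAIN)
    $path = "\\$DnsDomain\SYSVOL\$DnsDomain\Policies"
    Get-ChildItem -Path $path |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object { $_.Name }
}

$result = Compare-GpoSets -AdGuids (Get-AdGpoGuids) -SysvolGuids (Get-SysvolGpoGuids)
$result.SysvolOnly | ForEach-Object { "SYSVOL folder without AD object: $_" }
$result.AdOnly     | ForEach-Object { "AD object without SYSVOL folder: $_" }
```

This checks the domain side only (AD and SYSVOL); it does not inspect policy state cached on a client.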
 

Expert Comment

by:McKnife
ID: 22654313
What I don't understand is, why would the ghost stop the new policy from applying? The new policy may not care for any policy (ghost or not ;) no matter if another older version of java (jre?) was being deployed. Please make sure by using a computer in a test gpo that blocks inheritance that your new gpo applies and installs first.
 

Author Comment

by:FIFBA
ID: 22654440
I was thinking the same thing...doesn't make sense that the old java would prevent the new one. Good idea about the block inheritance in a test OU. I'll try to test this soon...

MrLonandB...do I need to run this on a domain controller? If so, can you provide a link to the source as I will need approval to run a .wsf.

Thanks to both...
 

Author Comment

by:FIFBA
ID: 22654808
OK, I created a test OU, recreated the java policy, blocked inheritance on the OU. I created a test user in the OU (user policy). I have forced replication between all DCs and gpupdate /force on the test PC. The GPO is enabled and enforced. I have rebooted the test PC a few times now...no mention of the test policy when I run a gpresult. I am receiving no errors on any domain controller...

Expert Comment

by:lscapa
ID: 22654875
Run mpsreports for DC from Microsoft on the local DC to the test client... post the results as an attachment. It will send domain information but no security sensitive info. (in other words no need to clean unless you just really want to...)

Accepted Solution

by:
McKnife earned 250 total points
ID: 22654929
This sw installation will have to be a computer setting, not a user setting. Why did you write ...(user policy)....? You want to deploy the software, so assign it to computers. No user object involved here.

Assisted Solution

by:lscapa
lscapa earned 250 total points
ID: 22654964
I don't even think we're at that point... He doesn't even see the policy which should at least show up as empty or blocked... Where the sw installs from doesn't matter and yes it will install just fine as a user package... it'll just uninstall each time the user logs off.
 

Author Comment

by:FIFBA
ID: 22655563
I take your point about the user installation, McKnife...I need to get this out ASAP and don't have a clean and easy way to reboot all PCs in the enterprise which would be required to push out computer settings quickly (am I correct?)...so I thought I would push it out as a user setting. Anyway, lscapa, I will try to run mpsreports. Just fyi, I had another policy that I needed to push out today and it worked fine...
 

Author Comment

by:FIFBA
ID: 22656663
I've decided to run as a computer policy, which is installing fine in testing. I will just need to find a way to reboot all PCs. Some parts of this still don't make sense since I should at least see the user policy when running gpresult. Anyway, time to move on. Thanks for the help...
