Phantom GPO preventing software installation

Posted on 2008-10-06
Last Modified: 2011-10-19
I am working on a 2003 Windows domain. Multiple domain controllers. Replication is working fine as verified by dcdiag, replmon, etc.

A little background...A few months ago, our domain controller hosting all FSMO roles (server1) died. A new server has replaced it (server2). FSMO roles were seized by a third DC (server3). Metadata and DNS were cleaned up to remove all references to this server (server1) from Active Directory. AD is running fine, no replication issues, AD errors, etc.

The problem...Apparently there was an old GPO to deploy Java to PC's. I have been maintaining this network for a few years and was not aware of this GPO, so it must have been set up and then deleted at some point a few years back.

Last week I was tasked with deploying Java to our network. I was using a specific OU to test (HQ). I noticed that this Java GPO was not being applied as expected so I ran the GP Modeling wizard (on all domain controllers to verify consistency). The results indicated that the GPO should be applied based on the user/computer settings I was using. I logged on as the same user and the same PC that I used in GP modeling. When I ran gpresult from this PC, the GPO was not listed. So I ran gpresult /v to get more detailed info. Sure enough, there was an unnamed GPO listed (it says GPO: N/A) under the 'Software Installations' portion that referred to an old version of Java...The package was to be deployed from a share located on the dead server (server1).

I need to know how to get rid of this phantom GPO. Will implementing a 'wait for network' GPO force the affected PC's to 'erase' old policies? I have determined that the phantom GPO applies to computer settings. Also, if someone could let me know if this could prevent the new Java package from appearing in the gpresult command from the affected PC (but using modeling wizard, it says the new GPO should apply). Lots of details here....let me know if you need anything clarified. Thanks for any help.
Question by:FIFBA
LVL 19

Expert Comment

ID: 22654276
Might suggest running the attached script. Change extension to .wsf
LVL 53

Expert Comment

ID: 22654313
What I don't understand is, why would the ghost stop the new policy from applying? The new policy may not care for any policy (ghost or not ;) no matter if another older version of java (jre?) was being deployed. Please make sure by using a computer in a test gpo that blocks inheritance that your new gpo applies and installs first.

Author Comment

ID: 22654440
I was thinking the same thing...doesn't make sense that the old java would prevent the new one. Good idea about the block inheritance in a test OU. I'll try to test this soon... I need to run this on a domain controller? If so, can you provide a link to the source as I will need approval to run a .wsf.

Thanks to both...

Author Comment

ID: 22654808
OK, I created a test OU, recreated the java policy, blocked inheritance on the OU. I created a test user in the OU (user policy). I have forced replication between all DC's and gpupdate /force on the test PC. The GPO is enabled and enforced. I have rebooted the test PC a few times mention of the test policy when I run a gpresult. I am receiving no errors on any domain controller...


Expert Comment

ID: 22654875
Run mpsreports for DC from Microsoft on the local DC to the test client... post the results as an attachment. It will send domain information but no security sensitive info. (In other words, no need to clean unless you just really want to...)
LVL 53

Accepted Solution

McKnife earned 250 total points
ID: 22654929
This sw installation will have to be a computer setting, no user setting. Why did you write ...(user policy)...., you want to deploy the software, so assign it to computers. No user object involved here.

Assisted Solution

lscapa earned 250 total points
ID: 22654964
I don't even think we're at that point... He doesn't even see the policy which should at least show up as empty or blocked... Where the sw installs from doesn't matter and yes it will install just fine as a user package... it'll just uninstall each time the user logs off.

Author Comment

ID: 22655563
I take your point about the user installation, McKnife...I need to get this out ASAP and don't have a clean and easy way to reboot all PC's in the enterprise which would be required to push out computer settings quickly (am I correct?) I thought I would push it out as a user setting. Anyway, lscapa, I will try to run mpsreports. Just FYI, I had another policy that I needed to push out today and it worked fine...

Author Comment

ID: 22656663
I've decided to run as a computer policy, which is installing fine in testing. I will just need to find a way to reboot all PCs. Some parts of this still don't make sense since I should at least see the user policy when running gpresult. Anyway, time to move on. Thanks for the help...


Question has a verified solution.
