Solved

Invisible domain group policies?!

Posted on 2008-10-16
Last Modified: 2012-05-05
I am running a single Windows 2000 domain with mostly Windows XP Pro clients. A while back I had a few group policies set up to enable Windows firewall and disable USB drive. However, for some reason, they got "lost."

So I re-created those policies from scratch with some small changes. Please note the Windows firewall policy must be created through a Windows XP machine, as the Windows 2000 Server admin tool does not support it.

After I created new policies to again enable Windows firewall and disable USB drive, a week later I found out that no matter how many times I rebooted or ran gpupdate, the client computers only use the old policies. Gpresult does not show any of the new policies being applied.

Now, how can I purge those old policies out of my system? They are nowhere to be found. I followed the normal steps trying to delete them, but they don't exist in the GPedit or admin console, OU, Group Policy

Question by:PaperTiger
LVL 18

Expert Comment

by:Americom
ID: 22733947
Do they exist on the GPMC?
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22734121
No, they don't, unless you can help me to find them, because I cannot find them. I even deleted the applicable OU that contained the client computers and moved those computers to a different OU with new group policies.

No luck.
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22734880
1. Under GPMC, go to the Group Policy Objects node; this will show you the list of all group policies. See if it is there.

2. Also, in the properties of GPMC you can run and see what are all the linked policies and un-linked policies. Remove them if not using.
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22735181
Like I said, they are not there. See this GPResult and note the 4 applied GPOs.

Then go see the screenshot from GPMC and note the 4 applied GPOs do not even exist in the GPMC.

COMPUTER SETTINGS
------------------
    CN=IT-LAPTOP01,OU=Company Computers,OU=Corporate,DC=mycompany,DC=com
    Last time Group Policy was applied: 10/16/2008 at 2:09:56 PM
    Group Policy was applied from:      mycompany.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Disable USB Floppy
        Windows Update
        Default Domain Policy
        Windows Firewall Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Turn-on Windows Firewall
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

gpmc.jpg
0
 
LVL 18

Expert Comment

by:Americom
ID: 22736414
Interesting... most of the GPOs shown as applied were not displayed in your GPMC console. How many domain controllers do you have? On the GPResult, which domain controller are those GPOs applied from? Is that the same domain controller you are running the GPMC from? I'm wondering if you have a problem with GPO replication...
0
 
LVL 18

Expert Comment

by:Americom
ID: 22736463
Btw, you may want to run gpotool /verbose to verify all your GPOs and domain controllers etc. You may be able to find something there.
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22737081
It's a single domain with 2 domain controllers. GPresult shows the computer can get policy from either controller but with the same results.
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22741065
I took one of the computers off the domain and then put it back on the domain. Now, none of the newly created policies are applied, nor are any of the old invisible policies.

The new policies were created with GPMC 1.0.2 while those old ones were created with 1.0 or Windows 2000's GPMC.
0
 
LVL 8

Accepted Solution

by:PaperTiger
ID: 22744967
Solved it myself.

After some extensive research and analysis, I found out that somehow the default domain policy went missing. This was indicated by Event ID 1058:

Windows cannot access the file gpt.ini for GPO CN={31B2F340-....

The system cannot find the path specified.

The missing policies can also be identified from ADUC, System, Policies with View set as "Advanced Options".

I pulled the backup and followed this link

http://support.microsoft.com/kb/315457/

but I skipped a few steps.

Here's what I did:
1. Stop NTFRS on all DCs
2. Set one DC as authoritative
3. Set the other as non-authoritative
4. Delete the policies from the sysvol folder (see the above KB on what to delete)
5. Copy the two missing policies back to the authoritative DC
6. Restart NTFRS
7. GPupdate or reboot on client

Voilà!
0
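
The mismatch described in the accepted solution (GPO objects that exist in Active Directory while their SYSVOL folder or gpt.ini is missing on a domain controller) can be checked on each DC before and after the NTFRS restore. The PowerShell below is an added example, not part of the original thread. It assumes PowerShell 3.0 or later on a domain-joined admin workstation; the domain name is taken from the gpresult output above, and `DC01`/`DC02` are placeholder names for the two domain controllers.

```powershell
# Added example: cross-check GPO objects in AD against each DC's SYSVOL copy.
# A GPO listed in AD with no readable gpt.ini on a DC is what Event ID 1058 reports.
$domainDns = 'mycompany.com'          # domain name from the gpresult output
$domainDn  = 'DC=mycompany,DC=com'
$dcs       = 'DC01', 'DC02'           # placeholder DC names (assumption)

# Enumerate groupPolicyContainer objects under CN=Policies,CN=System.
$searcher = [adsisearcher]'(objectClass=groupPolicyContainer)'
$searcher.SearchRoot = [adsi]"LDAP://CN=Policies,CN=System,$domainDn"
$searcher.PageSize   = 500
$searcher.PropertiesToLoad.AddRange([string[]]('cn', 'displayname'))

$adGpos = foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        Guid = [string]$r.Properties['cn'][0]
        # displayName can be absent on a damaged object, so do not index blindly.
        Name = [string]($r.Properties['displayname'] | Select-Object -First 1)
    }
}

$report = foreach ($dc in $dcs) {
    # Query the DC's own share, not the domain DFS path, to see replication gaps.
    $policies = "\\$dc\SYSVOL\$domainDns\Policies"

    # Every AD-listed GPO should have a gpt.ini on this DC.
    foreach ($gpo in $adGpos) {
        if (-not (Test-Path -LiteralPath "$policies\$($gpo.Guid)\gpt.ini")) {
            [pscustomobject]@{ DC = $dc; Name = $gpo.Name; Guid = $gpo.Guid
                               Problem = 'gpt.ini missing' }
        }
    }

    # GUID-named folders left in SYSVOL that no AD object references.
    Get-ChildItem -LiteralPath $policies -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\{[0-9a-f-]{36}\}$' -and
                       $adGpos.Guid -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{ DC = $dc; Name = '(no AD object)'; Guid = $_.Name
                               Problem = 'orphaned SYSVOL folder' }
        }
}

$report | Sort-Object Guid, DC | Format-Table -AutoSize
```

An empty report means every GPO in AD has a matching gpt.ini on both DCs; a GPO flagged on only one DC points at replication rather than deletion.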
