Solved

Invisible domain group policies?!

Posted on 2008-10-16
Last Modified: 2012-05-05
I am running a single Windows 2000 domain with mostly Windows XP Pro clients. A while back I had a few group policies set up to enable Windows firewall and disable USB drive. However, for some reason, they got "lost."

So I re-created those policies from scratch with some small changes. Please note the Windows firewall policy must be created through a Windows XP machine as Windows 2000 Server admin tool does not support it.

After I created new policies to again enable Windows firewall and disable USB drive, a week later I found out that no matter how many times I rebooted or gpupdate, the client computers only use the old policies. Gpresult does not show any of the new policy being applied.

Now, how can I purge those old policies out of my system? They are nowhere to be found. I followed the normal steps trying to delete them, but they don't exist in the GPedit or admin console, OU, Group Policy

Question by:PaperTiger
9 Comments
 
LVL 18

Expert Comment

by:Americom
ID: 22733947
Do they exist on the GPMC?
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22734121
No, they don't, unless you can help me find them, because I cannot find them. I even deleted the applicable OU that contained the client computers and moved those computers to a different OU with new group policies.

No luck.
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22734880
1. Under GPMC, go to Group Policy Objects; this will show you the list of all group policies. See if it is there.

2. Also, in the properties of GPMC you can see which policies are linked and which are unlinked. Remove them if you are not using them.
0

 
LVL 8

Author Comment

by:PaperTiger
ID: 22735181
Like I said, they are not there. See this GPResult and note the 4 applied GPOs.

Then go see the screenshot from GPMC and note that the 4 applied GPOs do not even exist in the GPMC.

COMPUTER SETTINGS
------------------
    CN=IT-LAPTOP01,OU=Company Computers,OU=Corporate,DC=mycompany,DC=com
    Last time Group Policy was applied: 10/16/2008 at 2:09:56 PM
    Group Policy was applied from:      mycompany.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Disable USB Floppy
        Windows Update
        Default Domain Policy
        Windows Firewall Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Turn-on Windows Firewall
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

gpmc.jpg
0
 
LVL 18

Expert Comment

by:Americom
ID: 22736414
Interesting... most of the GPOs shown as applied are not displayed in your GPMC console. How many domain controllers do you have? In the GPResult, which domain controller are those GPOs applied from? Is that the same domain controller you are running the GPMC from? I'm wondering if you have a problem with GPO replication...
0
 
LVL 18

Expert Comment

by:Americom
ID: 22736463
BTW, you may want to run gpotool /verbose to verify all your GPOs, domain controllers, etc. You may be able to find something there.
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22737081
It's a single domain with 2 domain controllers. GPResult shows the computer can get policy from either controller, but with the same results.
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22741065
I took one of the computers off the domain and then put it back on the domain. Now none of the newly created policies are applied, nor are any of the old invisible policies.

The new policies were created with GPMC 1.0.2, while the old ones were created with 1.0 or Windows 2000's GPMC.
0
 
LVL 8

Accepted Solution

by:
PaperTiger earned 0 total points
ID: 22744967
Solved it myself.

After some extensive research and analysis, I found out that somehow the default domain policy went missing. This was indicated by event ID 1058:

Windows cannot access the file gpt.ini for GPO CN={31B2F340-....

The system cannot find the path specified.

The missing policies can also be identified from ADUC, System, Policies with View set as "Advanced Options".

I pulled the backup and followed this link

http://support.microsoft.com/kb/315457/

but I skipped a few steps.

Here's what I did:
1. Stop NTFRS on all DCs
2. Set one DC as authoritative
3. Set the other as non-authoritative
4. Delete the policies from the sysvol folder (see the above KB on what to delete)
5. Copy the two missing policies back to the authoritative DC
6. Restart NTFRS
7. GPupdate or reboot on client

Voilà!
0
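
The accepted answer traces the symptom to GPOs that still exist as objects in Active Directory while their gpt.ini is missing from SYSVOL. As an added example (not part of the original thread), this PowerShell script checks each domain controller for that mismatch in both directions. The DC names are placeholders, and it assumes an account that can read the directory and the SYSVOL share.

```powershell
# Added example, not from the thread: find GPOs whose AD object and SYSVOL folder disagree.
param(
    [string[]]$DomainControllers = @('DC1', 'DC2'),   # placeholder DC names (assumption)
    [string]$DomainDnsName = 'mycompany.com'          # domain name as shown in the gpresult output
)

function Get-GpoContainer {
    param([string]$Server)
    # List every groupPolicyContainer under CN=Policies,CN=System as seen by this DC.
    $root = [ADSI]"LDAP://$Server/RootDSE"
    $domainDn = [string]$root.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/CN=Policies,CN=System,$domainDn"
    $searcher.Filter = '(objectClass=groupPolicyContainer)'
    $searcher.PageSize = 500
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Guid = [string]($r.Properties['cn'] | Select-Object -First 1)
            Name = [string]($r.Properties['displayname'] | Select-Object -First 1)
        }
    }
}

function Compare-GpoStore {
    param([string]$Server, [string]$DomainDnsName)
    $policies = "\\$Server\SYSVOL\$DomainDnsName\Policies"
    $gpcs = @(Get-GpoContainer -Server $Server)
    foreach ($g in $gpcs) {
        # AD object present but gpt.ini unreachable: the condition behind event ID 1058.
        if (-not (Test-Path -LiteralPath "$policies\$($g.Guid)\gpt.ini")) {
            [pscustomobject]@{ Server = $Server; Guid = $g.Guid; Name = $g.Name
                               Problem = 'In AD, gpt.ini missing from SYSVOL' }
        }
    }
    # SYSVOL folder present but no matching AD object.
    $known = @($gpcs | ForEach-Object { $_.Guid })
    Get-ChildItem -LiteralPath $policies |
        Where-Object { $_.PSIsContainer -and $_.Name -like '{*}' -and $known -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{ Server = $Server; Guid = $_.Name; Name = ''
                               Problem = 'In SYSVOL, no AD object' }
        }
}

# Check every DC separately: with FRS replication problems the two SYSVOL copies can differ.
$DomainControllers |
    ForEach-Object { Compare-GpoStore -Server $_ -DomainDnsName $DomainDnsName } |
    Format-Table Server, Name, Guid, Problem -AutoSize
```

An empty result means every GPO object has a reachable gpt.ini on every listed DC; rows that appear for only one DC point at replication rather than at a deleted policy.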
