Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Invisible domain group policies?!

Posted on 2008-10-16
9
Medium Priority
?
1,146 Views
Last Modified: 2012-05-05
I am running a single Windows 2000 domain with mostly Windows XP Pro clients. A while back I had a few group policies set up to enable Windows firewall and disable USB drive. However, for some reason, they got "lost."

So I re-created those policies from scratch with some small changes. Please note the Windows firewall policy must be created through a Windows XP machine as Windows 2000 Server admin tool does not support it.

After I created new policies to again enable Windows firewall and disable USB drive, a week later I found out that no matter how many times I rebooted or gpupdate, the client computers only use the old policies. Gpresult does not show any of the new policy being applied.

Now, how can I purge those old policies out of my system? They are no where to be found. I followed the normal steps trying to delete them, but they don't exist in the GPedit or admin console, OU, Group Policy

0
Comment
Question by:PaperTiger
  • 5
  • 3
9 Comments
 
LVL 18

Expert Comment

by:Americom
ID: 22733947
Do they exist on the GPMC?
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22734121
No, they don't. unless you can help me to find them because i cannot find them. I even deleted the applicable OU that contained the client computers and move those computers to a different OU with new group policies.

No luck.
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22734880
1. under GPMC ,go to the Group policy objects and this will show you all the list of group policies..see if it is there

2.Also in the properties of GPMC you can run and see what are all the linked policies and un-linked polices...remove them if not using.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 8

Author Comment

by:PaperTiger
ID: 22735181
like i said, they are not there. see this GPResult and note the 4 applied GPO.

then go see the screenshot from GPMC and note the 4 applied GPOs do not even exist in the GPMC.

COMPUTER SETTINGS
------------------
    CN=IT-LAPTOP01,OU=Company Computers,OU=Corporate,DC=mycompany,DC=com
    Last time Group Policy was applied: 10/16/2008 at 2:09:56 PM
    Group Policy was applied from:      mycompany.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Disable USB Floppy
        Windows Update
        Default Domain Policy
        Windows Firewall Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Turn-on Windows Firewall
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

gpmc.jpg
0
 
LVL 18

Expert Comment

by:Americom
ID: 22736414
Interesting...most of the GPOs showed applied were not displayed in your GPMC Console. How many domain controller you have? On the GPResult, which domain controller are those GPOs applied from? Is that the same domain controller you are running the GPMC from? I'm  wondering if you have a problem with GPO replication...
0
 
LVL 18

Expert Comment

by:Americom
ID: 22736463
btw, you may want to run the gpotool /verbose to verify all your GPO and domain controllers etc. You may be able to find something there.
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22737081
it's a single domain with 2 domain controllers. GPresult shows the computer can get policy from either controller but with the same results.
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22741065
i took one of the computer off the domain and then put it back to the domain. now, none of the newly created policies are applied, nor is any old invisible policies.

the new policies were created with GPMC 1.0.2 while those old ones were created with 1.0 or Windows 2000's GPMC.
0
 
LVL 8

Accepted Solution

by:
PaperTiger earned 0 total points
ID: 22744967
Solved it myself.

After some extensive research and analysis, I found out that somehow the default domain policy went missing. This was indicated by event id 1058:

Windows cannot access the file gpt.ini for GPO CN={31B2F340-....

The system cannot find the path specified.

The missing policies can also be identified from ADUC, System, Policies with View set as "Advanced Options"

I pulled the backup and follow this link

http://support.microsoft.com/kb/315457/

but i skipped a few steps.

Here's what I did:
1. stop NTFRS on all DCs
2. set one DC as authoritative
3. set the other as non-authoritative
4. delete the policies from sysvol folder (see the above KB on what to delete)
5. copy the two missing policies back to the authoritative DC
6. restart NTFRS
7. GPupdate or reboot on client

Vola!
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Let's recap what we learned from yesterday's Skyport Systems webinar.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question