NaplesFLDave

asked on

Active Directory Group Policy Management

I have a problem accessing my Active Directory Default Policy on my Windows 2003 SP2 Servers.
I have 3 Active Directory Domain Controllers. Two of the servers have the FSMO roles and they are WINDOWS 2003 SP2 Servers. A third controller is a Windows 2008 R2 Standard Server.
The DOMAIN is operating at a Windows 2003 Functional Level. When I open the Group Policy Management console on one of the Windows 2003 domain servers I can look at the Group Policy settings for any number of OTHER policies "BUT" the DEFAULT domain policy. When I open the default policy it opens. Then I click on the settings tab and it displays "GENERATING REPORT" for a few seconds, then it returns with an ERROR message that reads (An Error occurred while generating report.. An Unknown error occurred while the HTML report was being created.)
Here is the interesting part. I downloaded the Windows 7 Administrators tools and installed them on my administration laptop and I can open the Group Policy Management tools and open / view / edit the default policy there with no problem. If I open the Group Policy Management tool on the Windows 2008 R2 Server I can open the default domain policy and also open / view / edit the settings there without any problem. So I guess my question here is: why can't I view the default domain policy on the 2003 Domain servers that hold the FSMO roles, especially when the Domain AD is running at the 2003 Functional level?
Strange that the 2008 R2 server and the Windows 7 tools work fine?
This is not a deal breaker since I can get to the default domain policy on the Windows 7 machine, but it concerns me. Any ideas what is going on and how to possibly correct it?
ASKER CERTIFIED SOLUTION
markpalinux
NaplesFLDave

ASKER

These are all good tips. I used the command line tools to SYNC and test the replication of the DOMAIN CONTROLLERS and ALL checks out just fine. I suspect the anomaly may be caused by the Mixed Servers. 2 are 2003 servers and the one 2008 R2. But I will look into the tools outlined to see if they offer any insight.

You should not be editing the Default Policies in the first place,...ever. The Default Domain Policy would only be edited to cover Password Policies because that is the only place it can be done,...but beyond that,...no edits,...ever. The Default Domain Controllers Policy should be left completely virgin,...no edits,...ever.

Create new policies when you want to make changes. It is even a good idea to group similar settings together with separate GPOs for each "group",...just don't get carried away with the idea,...too many individual policies is a bad idea as well.

There is a way to re-create new default "virgin" policies.

http://geekswithblogs.net/DotNetCoder/archive/2007/07/14/113937.aspx

http://support.microsoft.com/kb/833783
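
An added example, not part of the thread or any poster's code: one way to check the Default Domain Policy against the advice above is to list which setting areas its XML report contains, so anything beyond password policy is visible before deciding whether to move it into a separate GPO. The function name `Get-GpoSettingArea` is hypothetical and the sample report is constructed in the shape of `Get-GPOReport` XML output; the live call assumes the GroupPolicy module from the Windows 7 administration tools or Windows Server 2008 R2.

```powershell
# Added example, not from the thread: list the setting areas in a GPO report
# so anything in the Default Domain Policy beyond password policy stands out.
function Get-GpoSettingArea {
    param([Parameter(Mandatory = $true)][xml]$Report)
    # local-name() keeps the XPath independent of the report's XML namespaces.
    foreach ($data in $Report.SelectNodes("//*[local-name()='ExtensionData']")) {
        $area = $data.SelectSingleNode("*[local-name()='Name']").InnerText
        $ext = $data.SelectSingleNode("*[local-name()='Extension']")
        if (-not $ext) { continue }
        $elements = $ext.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }
        foreach ($group in ($elements | Group-Object { $_.LocalName })) {
            # Account entries carry a Type (e.g. Password); other elements may not.
            $types = $group.Group | ForEach-Object {
                $t = $_.SelectSingleNode("*[local-name()='Type']")
                if ($t) { $t.InnerText }
            } | Sort-Object -Unique
            New-Object PSObject -Property @{
                Side    = $data.ParentNode.LocalName   # Computer or User
                Area    = $area
                Element = $group.Name
                Types   = ($types -join ', ')
                Count   = $group.Count
            }
        }
    }
}

# Constructed sample shaped like a Get-GPOReport XML report (not real data).
[xml]$sample = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Default Domain Policy</Name>
  <Computer>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security">
        <q1:Account><q1:Name>MinimumPasswordLength</q1:Name><q1:Type>Password</q1:Type></q1:Account>
        <q1:SecurityOptions><q1:KeyName>constructed-example-key</q1:KeyName></q1:SecurityOptions>
      </Extension>
      <Name>Security</Name>
    </ExtensionData>
  </Computer>
</GPO>
'@

# Show everything that is not purely password policy.
Get-GpoSettingArea -Report $sample | Where-Object { $_.Types -ne 'Password' }

# Against a live domain (run where the GroupPolicy module is installed):
# [xml]$r = Get-GPOReport -Name 'Default Domain Policy' -ReportType Xml
# Get-GpoSettingArea -Report $r
```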