Solved

Active Directory Group Policy Management

Posted on 2010-11-23
Last Modified: 2012-06-21
I have a problem accessing my Active Directory Default Policy on my Windows 2003 SP2 Servers.
I have 3 Active Directory Domain Controllers. Two of the servers have the FSMO roles and they are WINDOWS 2003 SP2 Servers. A third controller is a Windows 2008 R2 Standard Server.
The DOMAIN is operating at a Windows 2003 Functional Level. When I open the Group Policy Management console on one of the Windows 2003 domain servers I can look at the Group Policy settings for any number of OTHER policies "BUT" the DEFAULT domain policy. When I open the default policy it opens. Then I click on the settings tab and it displays "GENERATING REPORT" for a few seconds, then it returns with an ERROR message that reads (An Error occurred while generating report.. An Unknown error occurred while the HTML report was being created.)
Here is the interesting part. I downloaded the Windows 7 Administrators tools and installed them on my administration laptop and I can open the Group Policy Management tools and open / view / edit the default policy there with no problem. If I open the Group Policy Management tool on the Windows 2008 R2 Server I can open the default domain policy and also open / view / edit the settings there without any problem. So I guess my question here is: why can't I view the default domain policy on the 2003 Domain servers that hold the FSMO roles, especially when the Domain AD is running at the 2003 Functional level?
Strange that the 2008 R2 server and the Windows 7 tools work fine?
This is not a deal breaker since I can get to the default domain policy on the Windows 7 machine, but it concerns me. Any ideas what is going on and how to possibly correct it?
Question by:NaplesFLDave
3 Comments
 
LVL 15

Accepted Solution

by:
markpalinux earned 2000 total points
ID: 34202575


Group Policy lives in the SysVol folder of the domain controllers. It could be that one of your DCs is out of sync as far as the SysVol directories.

Look at the event logs.

Be sure to get a backup of your group policies using the GPMC.

GET BACKUP!!!

Check out this post - it points you to Sonar, which is a tool to help troubleshoot.
http://davebritt.blogspot.com/2006/05/gpotool-to-check-gpo-consistency.html

Also another tool: Ultrasound.
How to rebuild the SYSVOL tree and its content in a domain
http://support.microsoft.com/kb/315457

Also, I would recommend creating a new policy using GPMC; look at the GUID and the path, and be sure this is replicated to all of your DCs.

If you need help looking at the AD replication look at
Microsoft Active Directory Topology Diagrammer
https://www.microsoft.com/downloads/en/details.aspx?FamilyID=cb42fc06-50c7-47ed-a65c-862661742764&displaylang=en


Hope this helps.
Mark
0
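One way to run the SYSVOL consistency check suggested in the answer above, as an added example that is not part of the original post: for every domain controller it compares the Default Domain Policy's version stored in Active Directory with the version in that DC's own SYSVOL copy of GPT.INI. It assumes Windows PowerShell 3.0 or later on a domain-joined admin workstation with read access to each DC's SYSVOL share; the function names are hypothetical, and the GUID is the well-known one shared by every domain's Default Domain Policy.

```powershell
# Added example: per-DC comparison of a GPO's AD version and SYSVOL version.
# Well-known GUID of the Default Domain Policy (identical in every domain).
$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'

function Get-AdGpoVersion {
    # Reads versionNumber from the GPO container object on one specific DC (plain LDAP).
    param([string]$DcName, [string]$DomainDn, [string]$Guid)
    try {
        $entry = [ADSI]"LDAP://$DcName/CN=$Guid,CN=Policies,CN=System,$DomainDn"
        [int]$entry.psbase.Properties['versionNumber'].Value
    } catch {
        $null   # DC unreachable or object missing on this DC
    }
}

function Get-SysvolGpoVersion {
    # Reads the Version= line from GPT.INI in that DC's own SYSVOL replica.
    param([string]$DcName, [string]$DomainDns, [string]$Guid)
    $ini = "\\$DcName\SYSVOL\$DomainDns\Policies\$Guid\GPT.INI"
    if (-not (Test-Path -LiteralPath $ini)) { return $null }   # folder not replicated here
    $line = Get-Content -LiteralPath $ini |
        Where-Object { $_ -match '^\s*Version\s*=\s*\d+' } |
        Select-Object -First 1
    if ($line -match '=\s*(\d+)') { [int]$Matches[1] } else { $null }
}

$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domainDn = 'DC=' + (($domain.Name -split '\.') -join ',DC=')

$report = foreach ($dc in $domain.DomainControllers) {
    $ad  = Get-AdGpoVersion     $dc.Name $domainDn    $GpoGuid
    $sys = Get-SysvolGpoVersion $dc.Name $domain.Name $GpoGuid
    [pscustomobject]@{
        DC            = $dc.Name
        ADVersion     = $ad
        SysvolVersion = $sys
        InSync        = ($null -ne $ad) -and ($null -ne $sys) -and ($ad -eq $sys)
    }
}

# Every DC should report the same pair of numbers; a row that differs from the
# others, or shows an empty value, marks the replica to investigate first.
$report | Format-Table -AutoSize
```

The script only reads from LDAP and SYSVOL, so it is safe to run before taking the GPMC backup the answer recommends.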
 

Author Closing Comment

by:NaplesFLDave
ID: 34204859
These are all good tips. I used the command line tools to SYNC and test the replication of the DOMAIN CONTROLLERS and ALL checks out just fine. I suspect the anomaly may be caused by the Mixed Servers. 2 are 2003 servers and the one 2008 R2. But I will look into the tools outlined to see if they offer any insight.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34205754
You should not be editing the Default Policies in the first place,...ever. The Default Domain Policy would only be edited to cover Password Policies because that is the only place it can be done,...but beyond that,...no edits,...ever. The Default Domain Controllers Policy should be left completely virgin,...no edits,...ever.

Create new policies when you want to make changes. It is even a good idea to group similar settings together with separate GPOs for each "group",...just don't get carried away with the idea,...too many individual policies is a bad idea as well.

There is a way to re-create new default "virgin" policies.

http://geekswithblogs.net/DotNetCoder/archive/2007/07/14/113937.aspx

http://support.microsoft.com/kb/833783





Question has a verified solution.
