Solved

GPO on Windows 2003

Posted on 2013-12-04
285 Views
Last Modified: 2013-12-15
I found that some GPOs are filtered out. The Delegation has been given to "Authenticated Users". Any idea?

Tks
Question by:AXISHK
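As an added example (not the asker's or any expert's code in this thread), the following PowerShell report lists every GPO in the domain together with who can actually apply it. A GPO is only applied to a principal that holds both Read and Apply Group Policy, so "filtered out" in gpresult usually means one of those entries is missing or explicitly denied, the GPO's settings are disabled, or a WMI filter excludes the machine. It assumes the GroupPolicy module is available (GPMC on a Windows Server 2008 R2 machine or RSAT) and that the account can read every GPO; the function name Get-GpoDelegationReport is mine.

```powershell
# Added example: report GPO delegation problems that cause a policy to be filtered out.
# Assumes the GroupPolicy module (GPMC on 2008 R2 / RSAT); Get-GpoDelegationReport is a
# name chosen for this example, not a built-in cmdlet.
Import-Module GroupPolicy

$authenticatedUsersSid = 'S-1-5-11'   # well-known SID, works regardless of display language

function Get-GpoDelegationReport {
    Get-GPO -All | ForEach-Object {
        $gpo   = $_
        $perms = Get-GPPermission -Guid $gpo.Id -All

        # Trustees that can receive the policy (GpoApply as reported by GPMC implies Read).
        $applyTo = @($perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
                     ForEach-Object { $_.Trustee.Name })

        # An explicit Deny on Apply Group Policy wins over every Allow and is easy to miss in the GUI.
        $deniedApply = @($perms | Where-Object { $_.Permission -eq 'GpoApply' -and $_.Denied } |
                         ForEach-Object { $_.Trustee.Name })

        $authUsersApply = @($perms | Where-Object {
            $_.Trustee.Sid.Value -eq $authenticatedUsersSid -and
            $_.Permission -eq 'GpoApply' -and -not $_.Denied }).Count -gt 0

        New-Object PSObject -Property @{
            Name              = $gpo.DisplayName
            Id                = $gpo.Id
            Status            = $gpo.GpoStatus     # AllSettingsDisabled never applies anything
            WmiFilter         = $(if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '' })
            AuthUsersCanApply = $authUsersApply
            ApplyTo           = ($applyTo -join '; ')
            DeniedApply       = ($deniedApply -join '; ')
            NobodyCanApply    = ($applyTo.Count -eq 0)
        }
    }
}

# Show only the GPOs that need attention: nobody can apply them, Authenticated Users
# lost Apply, somebody is explicitly denied, or the settings are disabled.
Get-GpoDelegationReport |
    Where-Object { $_.NobodyCanApply -or -not $_.AuthUsersCanApply -or
                   $_.DeniedApply -or $_.Status -ne 'AllSettingsEnabled' } |
    Format-Table Name, Status, AuthUsersCanApply, NobodyCanApply, DeniedApply, WmiFilter -AutoSize
```

Run it from an elevated PowerShell on a machine with GPMC installed; a GPO that shows AuthUsersCanApply as False but still has a valid link is the typical "delegation looks right but nothing applies" case, because Read without Apply Group Policy is not enough.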
18 Comments
 
LVL 7

Expert Comment

by:hirenvmajithiya
ID: 39695048
Please add some more details about your setup.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39695134
Please enable userenv.log on the problematic computer to help troubleshoot this issue. To enable userenv debug logs, please refer to the following KB for detailed steps:
 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833

Meanwhile, please also open Event Viewer to check if there is any related error.

Mahesh
0
 

Author Comment

by:AXISHK
ID: 39695486
Here is the screen dump for a GPO that can't deploy to the workstation..

Can't find any error. In fact, some GPOs can be deployed successfully...

Tks
GPO1.png
GPO2.png
0

 
LVL 37

Expert Comment

by:Mahesh
ID: 39695559
Have you enabled logging as per my earlier comment?
From the screenshots I assume that it is a password policy.
If that's the case, password policies applied at OU level will always be ignored and only the password policy applied at Domain level will get applied.

If you could try to attach another policy and check what happens?

Is this the only policy having trouble?

Mahesh
0
 
LVL 7

Expert Comment

by:hirenvmajithiya
ID: 39697371
Password policy is applicable at domain level ONLY (in Server 2003 or earlier; in 2008 you can have a password policy at OU level). So it doesn't take effect if applied at OU level.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39697467
You can't apply an OU-level password policy even in 2012 Active Directory.

You are mixing Fine-Grained Password Policy with the normal password policy.

Mahesh
0
 

Author Comment

by:AXISHK
ID: 39697493
In fact, some GPOs can't be deployed successfully, besides the password policy.

Enabled the debug log on the workstation but no log file is generated. No idea at this stage where I can identify the problem...

Attached please find one of the few GPOs that can't be deployed successfully..

Tks
WinLogon.png
GPO2.png
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39697598
If you could share the GPResult output please, to get more clues.

Mahesh
0
 

Author Comment

by:AXISHK
ID: 39697644
0
 

Author Comment

by:AXISHK
ID: 39710797
Some findings for the GPO.

Using Group Policy Results in Windows 2008, we ran the report for a selected workstation. All the GPOs can be applied.

However, on the actual workstation, some GPOs can't be applied. It means that the result on the server does not match that on the workstation.

Any idea?

Thanks
0
 

Author Comment

by:AXISHK
ID: 39713227
An interesting finding: the GPO has been applied to the computer but it doesn't show the applied GPO policy using gpresult.

I have run RSoP as recommended and see the setting from the newly created GPO policy.

Any idea?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39713356
Not sure if this is an orphaned GPOs issue.

Please download the PowerShell script in the link below and find orphaned GPOs:

http://www.jhouseconsulting.com/2012/09/03/finding-orphaned-group-policy-objects-807

Just remove those orphaned GPOs and check if GPOs are now applying correctly.

Mahesh
0
 

Author Comment

by:AXISHK
ID: 39713463
Got the following result when running the PowerShell...

The term 'FindOrphanedGPOs.ps1' is not recognized as the name of a cmdlet, func
tion, script file, or operable program. Check the spelling of the name, or if a
 path was included, verify that the path is correct and try again.
At line:1 char:21
+ FindOrphanedGPOs.ps1 <<<<
    + CategoryInfo          : ObjectNotFound: (FindOrphanedGPOs.ps1:String) []
   , CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Any idea? Tks
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39715781
How did you run the above script?

You should first start the Active Directory PowerShell module with an elevated command prompt on the 2008 R2 DC, then execute the script from there.
If you don't find the AD module for PowerShell, then just open PowerShell with an elevated command prompt and run the command below:
Import-Module ActiveDirectory

Also, in PowerShell allow script execution before running the script.
Run the command below in the above PowerShell:
Set-ExecutionPolicy unrestricted
Press Y and Enter when prompted.

Also download the script with the right-click "Save as" option and then change the extension to .ps1.

Mahesh
0
 

Author Comment

by:AXISHK
ID: 39716037
Still the same...

PS C:\Users\adm_abc> set-ExecutionPolicy unrestricted

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust.
Changing the execution policy might expose you to the security risks described
in the about_Execution_Policies help topic. Do you want to change the execution
 policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y
Set-ExecutionPolicy : Access to the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\M
icrosoft\PowerShell\1\ShellIds\Microsoft.PowerShell' is denied.
At line:1 char:20
+ set-ExecutionPolicy <<<<  unrestricted
    + CategoryInfo          : NotSpecified: (:) [Set-ExecutionPolicy], Unautho
   rizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.Pow
   erShell.Commands.SetExecutionPolicyCommand

PS C:\Users\adm_abc> FindOrphanedGPOs.ps1
The term 'FindOrphanedGPOs.ps1' is not recognized as the name of a cmdlet, func
tion, script file, or operable program. Check the spelling of the name, or if a
 path was included, verify that the path is correct and try again.
At line:1 char:21
+ FindOrphanedGPOs.ps1 <<<<
    + CategoryInfo          : ObjectNotFound: (FindOrphanedGPOs.ps1:String) []
   , CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

PS C:\Users\adm_abc>
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39716052
You must be running as administrator on the server.

I can see you got an access denied error.

Also you have not run Import-Module ActiveDirectory prior to executing the script.

Also you need to go to the actual path where the script is stored.

Mahesh
0
 

Author Comment

by:AXISHK
ID: 39716098
Worked. So, should I go to the directory "\\abc.com.hk\SYSVOL\abc.com.hk\Policies" and delete each of them? I only need to do this on the DC and it will synchronize each of them, correct? Tks


Discovered 45 GPTs (Group Policy Templates) in SYSVOL (\\abc.com.hk\SYSVOL\abc.com.hk\Policies)

There are 11 GPTs in SYSVOL that don't exist in Active Directory (32.35% of the total)
These are:
{226005BC-1311-4EAD-9CBD-19815D8F47BD}
{41136837-E4CA-4C64-9EAE-BB40940453CA}
{46DF3929-2833-426E-9096-76D29CFD6613}
{4B001C75-ACD9-46C7-8484-55B46258ABCC}
{8ABA53D7-B2BB-4D1C-BCCA-C0F04B00A539}
{90B08902-156D-4143-B578-371A65BE9ACC}
{A2E3D91F-B969-47F6-9EF6-CCCAA3B302FA}
{A3ED534A-B0D6-4C9D-93DA-38C91BB02462}
{B28BF07F-74B4-45D8-A4FC-5987787CB2F1}
{C014BD7C-104C-49E0-8DF7-19C83FB09965}
{FA63AD25-4FF8-456F-9575-C4AB2613AF11}
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39716464
Yes, you are right.

First take an AD system state backup and also copy the SYSVOL contents, to be on the safe side.

Then delete those GPO folders carefully, restart the File Replication Service, force replication and wait for replication to occur.

Once that's done, check if the GPOs got deleted from all domain controllers and then check if your original GPO is applying or not.

Mahesh
0
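The check the linked script performs, and that the accepted answer tells the asker to act on, can be reproduced with a short PowerShell report; the block below is an added example and not the script from the linked post or anyone's code in this thread. It compares the Group Policy Template folders in SYSVOL with the groupPolicyContainer objects in AD in both directions, prints the mismatches in the same shape as the output the asker pasted, and only ever runs the deletion with -WhatIf so nothing is removed until a system state backup and a SYSVOL copy exist, as the accepted answer advises. It assumes the ActiveDirectory module (a 2008 R2 DC or RSAT) and read access to SYSVOL; the domain name comes from Get-ADDomain rather than being hard-coded.

```powershell
# Added example: find GPTs in SYSVOL that have no matching GPC in Active Directory
# (orphaned templates) and GPCs in AD that have no template folder. Assumes the
# ActiveDirectory module; nothing is deleted (Remove-Item runs with -WhatIf only).
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$domainDN   = $domain.DistinguishedName
$domainFqdn = $domain.DNSRoot
$policyPath = "\\$domainFqdn\SYSVOL\$domainFqdn\Policies"

# Group Policy Containers live under CN=Policies,CN=System,<domain DN>;
# each object's CN is the GPO GUID in braces, the same name used for the SYSVOL folder.
$adGpoGuids = @(Get-ADObject -SearchBase "CN=Policies,CN=System,$domainDN" `
                             -LDAPFilter '(objectClass=groupPolicyContainer)' |
                ForEach-Object { $_.Name.ToUpper() })

# Group Policy Templates are the brace-GUID folders in SYSVOL\Policies.
# Other folders there (for example PolicyDefinitions, the central store) are not GPTs.
$sysvolGuids = @(Get-ChildItem -Path $policyPath |
                 Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-F-]{36}\}$' } |
                 ForEach-Object { $_.Name.ToUpper() })

$orphanedGpts = @($sysvolGuids | Where-Object { $adGpoGuids -notcontains $_ })
$missingGpts  = @($adGpoGuids  | Where-Object { $sysvolGuids -notcontains $_ })

"Discovered $($sysvolGuids.Count) GPTs (Group Policy Templates) in SYSVOL ($policyPath)"
"Discovered $($adGpoGuids.Count) GPCs (Group Policy Containers) in Active Directory"
""
"GPTs in SYSVOL that don't exist in Active Directory: $($orphanedGpts.Count)"
$orphanedGpts | ForEach-Object { "  $_" }
""
"GPCs in Active Directory with no folder in SYSVOL: $($missingGpts.Count)"
$missingGpts | ForEach-Object { "  $_" }

# Dry run of the cleanup the accepted answer describes. Remove -WhatIf only after a
# system state backup and a copy of SYSVOL have been taken; FRS/DFSR then replicates
# the deletion to the other domain controllers, so run it on one DC only.
foreach ($guid in $orphanedGpts) {
    Remove-Item -Path (Join-Path $policyPath $guid) -Recurse -WhatIf
}
```

The second list (GPCs without a template) is worth keeping in the report: a GPO whose AD object exists but whose SYSVOL folder is missing or has not replicated yet is another reason a client reports the policy in RSoP on the server but fails to apply it locally, which matches the symptom described earlier in the thread.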
