• Status: Solved

GPO on Windows 2003

I found that some GPOs are filtered out. The Delegation has been given to "Authenticated Users". Any idea?

Tks
AXISHK
 
hirenvmajithiya, Manager (System Administration), commented:
Please add some more details about your setup.
 
Mahesh, Architect, commented:
Please enable userenv.log on the problematic computer to help troubleshoot this issue. To enable userenv debug logs, please refer to the following KB for detailed steps:
 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833

Meanwhile, please also open Event Viewer to check if there is any related error.

Mahesh
 
AXISHK, Author, commented:
Here are the screen dumps for a GPO that can't deploy to the workstation.

Can't find any error. In fact, some GPOs can be deployed successfully...

Tks
GPO1.png
GPO2.png
 
Mahesh, Architect, commented:
Have you enabled logging as per my earlier comment?
From the screenshots I assume that it is a password policy.
If that's the case, password policies applied at OU level will always be ignored and only the password policy applied at domain level will apply.

Could you try to latch another policy and check what happens?

Is this the only policy having trouble?

Mahesh
 
hirenvmajithiya, Manager (System Administration), commented:
Password policy is applicable at domain level ONLY (In server 2003 or earlier, in 2008 you can have password policy at OU level). So it doesn't take effect if applied at OU level.
 
Mahesh, Architect, commented:
You can't apply OU level password policy even in 2012 Active Directory.

You are mixing Fine Grained Password Policy with normal password policy.

Mahesh
 
AXISHK, Author, commented:
In fact, some GPOs can't be deployed successfully, besides the password policy.

Enabled the debug log on the workstation but no log file is generated. No idea at this stage where I can identify the problems...

Attached please find one of the few GPOs that can't be deployed successfully.

Tks
WinLogon.png
GPO2.png
 
Mahesh, Architect, commented:
Could you please share the GPResult output to get more clues?

Mahesh
 
AXISHK, Author, commented:
Some findings for the GPO.

Using the Group Policy Results in Windows 2008, we ran the result for a selected workstation. All the GPOs can be applied.

However, on the actual workstation, some GPOs can't be applied. It means that the result on the server does not match that on the workstation.

Any idea?

Thanks
 
AXISHK, Author, commented:
An interesting finding: the GPO has been applied to the computer, but gpresult doesn't show the applied GPO policy.

I have run RSoP as recommended and see the setting from the newly created GPO policy.

Any idea?
 
Mahesh, Architect, commented:
Not sure if this is an orphaned GPOs issue.

Please download the PowerShell script from the link below and find orphaned GPOs:

http://www.jhouseconsulting.com/2012/09/03/finding-orphaned-group-policy-objects-807

Just remove those orphaned GPOs and check if GPOs are now applying correctly.

Mahesh
 
AXISHK, Author, commented:
Got the following result when running the PowerShell script...

The term 'FindOrphanedGPOs.ps1' is not recognized as the name of a cmdlet, func
tion, script file, or operable program. Check the spelling of the name, or if a
 path was included, verify that the path is correct and try again.
At line:1 char:21
+ FindOrphanedGPOs.ps1 <<<<
    + CategoryInfo          : ObjectNotFound: (FindOrphanedGPOs.ps1:String) []
   , CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Any idea? Tks
 
Mahesh, Architect, commented:
How did you run the above script?

You should first start the Active Directory PowerShell module from an elevated command prompt on a 2008 R2 DC, then execute the script from there.
If you don't find the AD module for PowerShell, then just open PowerShell from an elevated command prompt and run the command below:
Import-Module ActiveDirectory

Also, allow script execution in PowerShell before running the script.
Run the command below in the same PowerShell session:
Set-ExecutionPolicy unrestricted
Press Y and Enter when prompted.

Also download the script with the right-click "Save as" option and then change the extension to .ps1.

Mahesh
 
AXISHK, Author, commented:
Still the same...

PS C:\Users\adm_abc> set-ExecutionPolicy unrestricted

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust.
Changing the execution policy might expose you to the security risks described
in the about_Execution_Policies help topic. Do you want to change the execution
 policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y
Set-ExecutionPolicy : Access to the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\M
icrosoft\PowerShell\1\ShellIds\Microsoft.PowerShell' is denied.
At line:1 char:20
+ set-ExecutionPolicy <<<<  unrestricted
    + CategoryInfo          : NotSpecified: (:) [Set-ExecutionPolicy], Unautho
   rizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.Pow
   erShell.Commands.SetExecutionPolicyCommand

PS C:\Users\adm_abc> FindOrphanedGPOs.ps1
The term 'FindOrphanedGPOs.ps1' is not recognized as the name of a cmdlet, func
tion, script file, or operable program. Check the spelling of the name, or if a
 path was included, verify that the path is correct and try again.
At line:1 char:21
+ FindOrphanedGPOs.ps1 <<<<
    + CategoryInfo          : ObjectNotFound: (FindOrphanedGPOs.ps1:String) []
   , CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

PS C:\Users\adm_abc>
 
Mahesh, Architect, commented:
You must be running as administrator on the server.

I can see you got an access denied error.

Also, you have not run Import-Module ActiveDirectory prior to executing the script.

Also, you need to go to the actual path where the script is stored.

Mahesh
 
AXISHK, Author, commented:
Worked. So, should I go to the directory "\\abc.com.hk\SYSVOL\abc.com.hk\Policies" and delete each of them? I only need to do this on the DC and it will synchronize each of them, correct? Tks


Discovered 45 GPTs (Group Policy Templates) in SYSVOL (\\abc.com.hk\SYSVOL\abc.c
om.hk\Policies)

There are 11 GPTs in SYSVOL that don't exist in Active Directory (32.35% of the
total)
 
Mahesh, Architect, commented:
Yes, you are right.

First take an AD system state backup and also copy the SYSVOL contents to be on the safe side.

Then delete those GPO folders carefully, restart the File Replication Service, force replication, and wait for replication to occur.

Once that is done, check that the GPOs got deleted from all domain controllers and then check whether your original GPO is applying.

Mahesh
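
Added example, not part of the original thread and not the linked script: a read-only PowerShell check for the mismatch reported in the script output above, comparing GPT folders in SYSVOL with groupPolicyContainer objects in Active Directory, in both directions. It assumes the ActiveDirectory module is installed and the default Policies locations; the file name Compare-GptGpc.ps1 is hypothetical.

```powershell
# Added example (hypothetical file name: Compare-GptGpc.ps1). Read-only: it deletes nothing.
# Run from an elevated PowerShell session, from the folder where the file is saved.
# A process-scoped policy avoids changing the machine-wide setting in HKLM:
#   Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
#   .\Compare-GptGpc.ps1 | Export-Csv .\gpo-mismatch.csv -NoTypeInformation
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$gptRoot     = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
$gpcBase     = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# GPT side: GUID-named folders in SYSVOL (PSIsContainer keeps this PowerShell 2.0 compatible).
$gptNames = @(Get-ChildItem -Path $gptRoot |
    Where-Object { $_.PSIsContainer -and $_.Name -match $guidPattern } |
    ForEach-Object { $_.Name.ToUpper() })

# GPC side: groupPolicyContainer objects directly under CN=Policies,CN=System.
$gpcs = @(Get-ADObject -SearchBase $gpcBase -SearchScope OneLevel `
    -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties displayName)
$gpcNames = @($gpcs | ForEach-Object { $_.Name.ToUpper() })

# Folders in SYSVOL with no matching AD object (the orphaned GPTs discussed in the thread).
foreach ($name in $gptNames) {
    if ($gpcNames -notcontains $name) {
        New-Object PSObject -Property @{
            Guid = $name; DisplayName = ''; Problem = 'GPT folder without AD object'
            Location = (Join-Path $gptRoot $name)
        }
    }
}

# AD objects with no matching SYSVOL folder (the reverse mismatch).
foreach ($gpc in $gpcs) {
    if ($gptNames -notcontains $gpc.Name.ToUpper()) {
        New-Object PSObject -Property @{
            Guid = $gpc.Name.ToUpper(); DisplayName = $gpc.displayName
            Problem = 'AD object without GPT folder'; Location = $gpc.DistinguishedName
        }
    }
}
```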