Solved

GPO on Windows 2003

Posted on 2013-12-04
Last Modified: 2013-12-15
I found that some GPOs are filtered out. The Delegation has been given to "Authenticated Users". Any idea ?

Tks
Question by:AXISHK
18 Comments
 
LVL 7

Expert Comment

by:hirenvmajithiya
ID: 39695048
Please add some more details about your setup.
 
LVL 35

Expert Comment

by:Mahesh
ID: 39695134
Please enable userenv.log on the problematic computer to help troubleshoot this issue. To enable userenv debug logs, please refer to the following KB for detailed steps:
 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833

Meanwhile, please also open Event Viewer to check if there is any related error.

Mahesh
 

Author Comment

by:AXISHK
ID: 39695486
Here is the screen dump for a GPO that can't deploy to the workstation.

Can't find any error. In fact, some GPOs can be deployed successfully...

Tks
GPO1.png
GPO2.png
 
LVL 35

Expert Comment

by:Mahesh
ID: 39695559
Have you enabled logging as per my earlier comment?
From the screenshots I assume that it is a password policy.
If that's the case, password policies applied at OU level will always be ignored and only the password policy applied at Domain level will be applied.

Could you try to latch another policy and check what happens?

Is this the only policy having trouble?

Mahesh
 
LVL 7

Expert Comment

by:hirenvmajithiya
ID: 39697371
Password policy is applicable at domain level ONLY (In server 2003 or earlier, in 2008 you can have password policy at OU level). So it doesn't take effect if applied at OU level.
 
LVL 35

Expert Comment

by:Mahesh
ID: 39697467
You can't apply OU level password policy even in 2012 Active directory

You are mixing Fine Grained Password Policy with normal password policy

Mahesh
 

Author Comment

by:AXISHK
ID: 39697493
In fact, some GPOs can't be deployed successfully, besides the password policy.

Enabled the debug log on the workstation but no log file is generated. No idea at this stage where I can identify the problems...

Attached please find one of the few GPOs that can't be deployed successfully..

Tks
WinLogon.png
GPO2.png
 
LVL 35

Expert Comment

by:Mahesh
ID: 39697598
Could you please share the GPResult output to get more clues?

Mahesh
 

Author Comment

by:AXISHK
ID: 39697644
 

Author Comment

by:AXISHK
ID: 39710797
Some findings for the GPO.

Using the Group Policy Results in Windows 2008, we ran the result for a selected workstation. All the GPOs can be applied.

However, on the actual workstation, some GPOs can't be applied. It means that the result on the server does not match that on the workstation.

Any idea ?

Thanks
 

Author Comment

by:AXISHK
ID: 39713227
An interesting finding: the GPO has been applied to the computer but it doesn't show the applied GPO policy using gpresult.

I have run RSoP as recommended and see the setting from the newly created GPO policy.

Any idea ?
 
LVL 35

Expert Comment

by:Mahesh
ID: 39713356
Not sure if this is an orphaned GPOs issue.

Please download the PowerShell script from the link below and find orphaned GPOs:

http://www.jhouseconsulting.com/2012/09/03/finding-orphaned-group-policy-objects-807

Just remove those orphaned GPOs and check if GPOs are now applying correctly.

Mahesh
 

Author Comment

by:AXISHK
ID: 39713463
Get the following result when running the powershell...

The term 'FindOrphanedGPOs.ps1' is not recognized as the name of a cmdlet, func
tion, script file, or operable program. Check the spelling of the name, or if a
 path was included, verify that the path is correct and try again.
At line:1 char:21
+ FindOrphanedGPOs.ps1 <<<<
    + CategoryInfo          : ObjectNotFound: (FindOrphanedGPOs.ps1:String) []
   , CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Any idea ? Tks
 
LVL 35

Expert Comment

by:Mahesh
ID: 39715781
How did you run the above script?

You should first start the Active Directory PowerShell module from an elevated command prompt on a 2008 R2 DC, then execute the script from there.
If you don't find the AD module for PowerShell, then just open PowerShell from an elevated command prompt and run the command below:
Import-Module ActiveDirectory

Also, in PowerShell, allow script execution before running the script.
Run the command below in the above PowerShell session:
Set-ExecutionPolicy unrestricted
Press Y and Enter when prompted.

Also download the script with the right-click "Save as" option and then change the extension to .ps1

Mahesh
 

Author Comment

by:AXISHK
ID: 39716037
Still the same...

PS C:\Users\adm_abc> set-ExecutionPolicy unrestricted

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust.
Changing the execution policy might expose you to the security risks described
in the about_Execution_Policies help topic. Do you want to change the execution
 policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y
Set-ExecutionPolicy : Access to the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\M
icrosoft\PowerShell\1\ShellIds\Microsoft.PowerShell' is denied.
At line:1 char:20
+ set-ExecutionPolicy <<<<  unrestricted
    + CategoryInfo          : NotSpecified: (:) [Set-ExecutionPolicy], Unautho
   rizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.Pow
   erShell.Commands.SetExecutionPolicyCommand

PS C:\Users\adm_abc> FindOrphanedGPOs.ps1
The term 'FindOrphanedGPOs.ps1' is not recognized as the name of a cmdlet, func
tion, script file, or operable program. Check the spelling of the name, or if a
 path was included, verify that the path is correct and try again.
At line:1 char:21
+ FindOrphanedGPOs.ps1 <<<<
    + CategoryInfo          : ObjectNotFound: (FindOrphanedGPOs.ps1:String) []
   , CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

PS C:\Users\adm_abc>
 
LVL 35

Expert Comment

by:Mahesh
ID: 39716052
You must be running as administrator on server

I can see you got an access denied error

Also you have not run Import-Module ActiveDirectory prior to executing the script

Also you need to go to actual path where script is stored

Mahesh
 

Author Comment

by:AXISHK
ID: 39716098
Worked. So, should I go to the directory "\\abc.com.hk\SYSVOL\abc.com.hk\Policies" and delete each of them? I only need to do this on DC and it will synchronize each of them, correct? Tks


Discovered 45 GPTs (Group Policy Templates) in SYSVOL (\\abc.com.hk\SYSVOL\abc.c
om.hk\Policies)

There are 11 GPTs in SYSVOL that don't exist in Active Directory (32.35% of the
total)
These are:
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39716464
Yes, you are right.

First take an AD system state backup and also copy the SYSVOL contents to be on the safe side.

Then delete those GPO folders carefully, restart the File Replication Service, force replication and wait for replication to occur.

Once that is done, check that the GPOs got deleted from all domain controllers and then check whether your original GPO is applying or not.

Mahesh
0
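
The comparison this thread relies on (policy folders in SYSVOL versus Group Policy objects in Active Directory), as an added example that is not part of the original thread and is not the script linked above: a read-only PowerShell report of mismatches in both directions. Variable names are illustrative; it assumes the ActiveDirectory module and an account that can read every GPO in the domain.

```powershell
# Added example: report SYSVOL policy folders (GPTs) with no matching AD object (GPC),
# and the reverse. Read-only: nothing is deleted or modified.
# Caveat: a GPO whose AD object this account cannot read will look orphaned,
# so run it with rights to read all GPOs and re-check after replication settles.
Import-Module ActiveDirectory

$domain       = Get-ADDomain
$policiesPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
$gpcBase      = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$guidPattern  = '^\{[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}\}$'   # -match ignores case

# GPCs: groupPolicyContainer objects directly under CN=Policies,CN=System
$gpcs = @(Get-ADObject -SearchBase $gpcBase -SearchScope OneLevel `
            -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties displayName)

# GPTs: GUID-named folders in SYSVOL (skips PolicyDefinitions and other folders)
$gpts = @(Get-ChildItem -Path $policiesPath |
            Where-Object { $_.PSIsContainer -and $_.Name -match $guidPattern })

# Index both sides by GUID name; PowerShell hashtable keys compare case-insensitively
$gpcByName = @{}; foreach ($c in $gpcs) { $gpcByName[$c.Name] = $c }
$gptByName = @{}; foreach ($t in $gpts) { $gptByName[$t.Name] = $t }

$report = @()
foreach ($t in $gpts) {
    if (-not $gpcByName.ContainsKey($t.Name)) {
        $report += New-Object PSObject -Property @{
            Guid = $t.Name; Issue = 'GPT in SYSVOL, no GPC in AD'
            Detail = $t.FullName; LastWrite = $t.LastWriteTime }
    }
}
foreach ($c in $gpcs) {
    if (-not $gptByName.ContainsKey($c.Name)) {
        $report += New-Object PSObject -Property @{
            Guid = $c.Name; Issue = 'GPC in AD, no GPT in SYSVOL'
            Detail = $c.displayName; LastWrite = $null }
    }
}

"{0} GPTs in SYSVOL, {1} GPCs in AD, {2} mismatches" -f $gpts.Count, $gpcs.Count, $report.Count
$report | Sort-Object Issue, Guid |
    Select-Object Guid, Issue, Detail, LastWrite | Format-Table -AutoSize
```

Save it under any name and call it with an explicit path, for example `.\Find-OrphanedGpt.ps1` (a hypothetical name), from an elevated session, since PowerShell does not run a script in the current directory by bare name. `Set-ExecutionPolicy RemoteSigned -Scope Process` changes the execution policy for that session only.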
