Solved

GPO on Windows 2003

Posted on 2013-12-04
Last Modified: 2013-12-15
I found that some GPOs are filtered out. The Delegation has been given to "Authenticated Users". Any idea ?

Tks
Question by:AXISHK

Expert Comment

by:hirenvmajithiya
Please add some more details about your setup.

Expert Comment

by:Mahesh
Please enable userenv.log on the problematic computer to help troubleshoot this issue. To enable userenv debug logs, please refer to the following KB for detailed steps:
 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833

Meanwhile, please also open Event Viewer to check if there is any related error.

Mahesh

Author Comment

by:AXISHK
Here is the screen dump for a GPO that can't deploy to the workstation.

Can't find any error. In fact, some GPOs can be deployed successfully...

Tks
GPO1.png
GPO2.png

Expert Comment

by:Mahesh
Have you enabled logging as in my earlier comment?
From the screenshots I assume that it is a password policy.
If that's the case, password policies applied at OU level will always be ignored and only the password policy applied at Domain level will get applied.

Could you try to latch another policy and check what happens?

Is this the only policy having trouble?

Mahesh

Expert Comment

by:hirenvmajithiya
Password policy is applicable at domain level ONLY (In server 2003 or earlier, in 2008 you can have password policy at OU level). So it doesn't take effect if applied at OU level.

Expert Comment

by:Mahesh
You can't apply OU level password policy even in 2012 Active directory

You are mixing Fine Grained Password Policy with normal password policy

Mahesh

Author Comment

by:AXISHK
In fact, some GPOs can't be deployed successfully, besides the password policy.

Enabled the debug log on the workstation but no log file is generated. No idea at this stage where I can identify the problems...

Attached please find one of the few GPOs that can't be deployed successfully.

Tks
WinLogon.png
GPO2.png

Expert Comment

by:Mahesh
If you could share GPResult output please to get more clues

Mahesh

Author Comment

by:AXISHK

Author Comment

by:AXISHK
Some findings for the GPO.

Using the Group Policy Results in Windows 2008, we ran the result for a selected workstation. All the GPOs can be applied.

However, on the actual workstation, some GPOs can't be applied. It means that the result on the server does not match that on the workstation.

Any idea ?

Thanks

Author Comment

by:AXISHK
An interesting finding: the GPO has been applied to the computer but gpresult doesn't show the applied GPO policy.

I have run RSoP as recommended and see the setting from the newly created GPO policy.

Any idea ?

Expert Comment

by:Mahesh
Not sure if this is an orphaned GPOs issue.

Please download the PowerShell script at the link below and find orphaned GPOs:

http://www.jhouseconsulting.com/2012/09/03/finding-orphaned-group-policy-objects-807

Just remove those orphaned GPOs and check if GPOs are now applying correctly.

Mahesh

Author Comment

by:AXISHK
Get the following result when running the powershell...

The term 'FindOrphanedGPOs.ps1' is not recognized as the name of a cmdlet, func
tion, script file, or operable program. Check the spelling of the name, or if a
 path was included, verify that the path is correct and try again.
At line:1 char:21
+ FindOrphanedGPOs.ps1 <<<<
    + CategoryInfo          : ObjectNotFound: (FindOrphanedGPOs.ps1:String) []
   , CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Any idea ? Tks

Expert Comment

by:Mahesh
How did you run the above script?

You should first start the Active Directory PowerShell module from an elevated command prompt on a 2008 R2 DC, then execute the script from there.
If you don't find the AD module for PowerShell, then just open PowerShell from an elevated command prompt and run the command below:
Import-Module ActiveDirectory

Also, allow script execution in PowerShell before running the script.
Run the command below in the above PowerShell session:
Set-ExecutionPolicy unrestricted
Press Y and Enter when prompted.

Also download the script with the right click and "Save as" option and then change the extension to .ps1

Mahesh

Author Comment

by:AXISHK
Still the same...

PS C:\Users\adm_abc> set-ExecutionPolicy unrestricted

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust.
Changing the execution policy might expose you to the security risks described
in the about_Execution_Policies help topic. Do you want to change the execution
 policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y
Set-ExecutionPolicy : Access to the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\M
icrosoft\PowerShell\1\ShellIds\Microsoft.PowerShell' is denied.
At line:1 char:20
+ set-ExecutionPolicy <<<<  unrestricted
    + CategoryInfo          : NotSpecified: (:) [Set-ExecutionPolicy], Unautho
   rizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.Pow
   erShell.Commands.SetExecutionPolicyCommand

PS C:\Users\adm_abc> FindOrphanedGPOs.ps1
The term 'FindOrphanedGPOs.ps1' is not recognized as the name of a cmdlet, func
tion, script file, or operable program. Check the spelling of the name, or if a
 path was included, verify that the path is correct and try again.
At line:1 char:21
+ FindOrphanedGPOs.ps1 <<<<
    + CategoryInfo          : ObjectNotFound: (FindOrphanedGPOs.ps1:String) []
   , CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

PS C:\Users\adm_abc>

Expert Comment

by:Mahesh
You must be running as administrator on the server.

I can see you got an access denied error.

Also, you have not run Import-Module ActiveDirectory prior to executing the script.

Also, you need to go to the actual path where the script is stored.

Mahesh

Author Comment

by:AXISHK
Worked. So, should I go to the directory "\\abc.com.hk\SYSVOL\abc.com.hk\Policies" and delete each of them? I only need to do this on the DC and it will synchronize each of them, correct? Tks


Discovered 45 GPTs (Group Policy Templates) in SYSVOL (\\abc.com.hk\SYSVOL\abc.c
om.hk\Policies)

There are 11 GPTs in SYSVOL that don't exist in Active Directory (32.35% of the
total)
These are:

Accepted Solution

by:Mahesh
Yes, you are right.

First take an AD system state backup and also copy the SYSVOL contents, to be on the safe side.

Then delete those GPO folders carefully, restart the File Replication Service, force replication and wait for replication to occur.

Once that is done, check if the GPOs got deleted from all domain controllers and then check if your original GPO is applying or not.

Mahesh
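
Added example (not the linked jhouseconsulting script and not code from any post in this thread): the GPT-versus-AD comparison discussed above, extended with the reverse check (GPOs in AD that have no SYSVOL folder) and with the SYSVOL copy the accepted solution recommends before deleting anything. It assumes the ActiveDirectory module is available; `$BackupRoot` and its default path are hypothetical.

```powershell
# Added example: find SYSVOL policy folders (GPTs) with no matching Group Policy
# Container (GPC) in AD, and copy them aside before any manual clean-up.
# Assumptions: run on a DC or RSAT host with the ActiveDirectory module installed.
param(
    [string]$BackupRoot = 'C:\GPT-Backup'   # hypothetical backup location
)

Import-Module ActiveDirectory

$domain     = Get-ADDomain
$sysvolPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
$gpcBase    = "CN=Policies,CN=System,$($domain.DistinguishedName)"

# GUID names of the GPC objects that exist in Active Directory.
$adGuids = @(Get-ADObject -SearchBase $gpcBase -SearchScope OneLevel `
        -Filter 'objectClass -eq "groupPolicyContainer"' |
    ForEach-Object { $_.Name.ToUpper() })

# GUID-named folders (GPTs) that exist in SYSVOL; other folders are ignored.
$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$gptFolders  = @(Get-ChildItem -Path $sysvolPath |
    Where-Object { $_.PSIsContainer -and $_.Name -match $guidPattern })
$sysvolGuids = @($gptFolders | ForEach-Object { $_.Name.ToUpper() })

# Compare in both directions.
$orphanedGpts = @($gptFolders | Where-Object { $adGuids -notcontains $_.Name.ToUpper() })
$missingGpts  = @($adGuids | Where-Object { $sysvolGuids -notcontains $_ })

"GPTs in SYSVOL: {0}; GPCs in AD: {1}" -f $gptFolders.Count, $adGuids.Count
"GPT folders with no GPC in AD: {0}" -f $orphanedGpts.Count
$orphanedGpts | ForEach-Object { "  $($_.FullName)" }
"GPCs in AD with no GPT folder in SYSVOL: {0}" -f $missingGpts.Count
$missingGpts | ForEach-Object { "  $_" }

# Copy each orphaned folder to a timestamped backup directory.
# Nothing is deleted here; removal stays a separate, manual step.
if ($orphanedGpts.Count -gt 0) {
    $target = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    foreach ($folder in $orphanedGpts) {
        Copy-Item -Path $folder.FullName -Destination $target -Recurse
        "Backed up $($folder.Name) to $target"
    }
}
```

Saved under a hypothetical name such as `Compare-GptGpc.ps1`, it can be started from its own directory with `powershell.exe -ExecutionPolicy RemoteSigned -File .\Compare-GptGpc.ps1`, which applies the execution policy to that one process only instead of changing the machine-wide setting. The `.\` prefix matters because PowerShell does not run scripts from the current directory by bare name, which is what produces the CommandNotFoundException shown earlier in the thread.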