AXISHK

GPO on Windows 2003

I found that some GPOs are filtered out. The Delegation has been given to "Authenticated Users". Any idea?

Tks
hirenvmajithiya

Please add some more details about your setup.
Please enable userenv.log on the problematic computer to help troubleshoot this issue. To enable userenv debug logs, please refer to the following KB for detailed steps:
 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833

Meanwhile, please also open Event Viewer to check whether there is any related error.

Mahesh
AXISHK

ASKER

Here are the screen dumps for a GPO that can't deploy to the workstation.

Can't find any error. In fact, some GPOs can be deployed successfully...

Tks
GPO1.png
GPO2.png
Have you enabled logging as per my earlier comment?
From the screenshots I assume that it is a password policy.
If that's the case, password policies applied at OU level will always be ignored and only the password policy applied at domain level will get applied.

Could you try to latch another policy and check what happens?

Is this the only policy having trouble?

Mahesh
Password policy is applicable at domain level ONLY (In server 2003 or earlier, in 2008 you can have password policy at OU level). So it doesn't take effect if applied at OU level.
You can't apply an OU-level password policy even in 2012 Active Directory.

You are mixing up Fine Grained Password Policy with normal password policy.

Mahesh
AXISHK

ASKER

In fact, some GPOs can't be deployed successfully, besides the password policy.

Enabled the debug log on the workstation but no log file is generated. No idea at this stage where I can identify the problems...

Attached please find one of the few GPOs that can't be deployed successfully..

Tks
WinLogon.png
GPO2.png
Could you please share the GPResult output to get more clues?

Mahesh
AXISHK

ASKER

Some findings for the GPO.

Using the Group Policy Results in Windows 2008, we ran the result for a selected workstation. All the GPOs can be applied.

However, on the actual workstation, some GPOs can't be applied. It means that the result on the server does not match that on the workstation.

Any idea?

Thanks
AXISHK

ASKER

An interesting finding: the GPO has been applied to the computer but it doesn't show the applied GPO policy using gpresult.

I have run RSoP as recommended and see the setting from the newly created GPO policy.

Any idea?
Not sure if this is an orphaned GPOs issue.

Please download the PowerShell script from the link below and find orphaned GPOs:

http://www.jhouseconsulting.com/2012/09/03/finding-orphaned-group-policy-objects-807

Just remove those orphaned GPOs and check whether GPOs are now applying correctly.

Mahesh
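
The orphan check suggested above, as an added example that is not part of the original thread and is not the script from the linked page: it compares the GUID-named Group Policy Template folders in SYSVOL with the groupPolicyContainer objects under CN=Policies,CN=System and reports mismatches in both directions without changing anything. It assumes the ActiveDirectory module is available; the function name Get-GpoOrphan is hypothetical.

```powershell
# Added example: read-only comparison of GPTs (SYSVOL) and GPCs (AD).
# Assumes the ActiveDirectory module is installed (RSAT or a 2008 R2+ DC).
Import-Module ActiveDirectory

function Get-GpoOrphan {
    param(
        # Domain DNS name; defaults to the domain of the current session.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $domainInfo  = Get-ADDomain -Identity $Domain
    $dnsRoot     = $domainInfo.DNSRoot
    $policiesDn  = "CN=Policies,CN=System,$($domainInfo.DistinguishedName)"
    $sysvolPath  = "\\$dnsRoot\SYSVOL\$dnsRoot\Policies"
    $guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

    # GPCs: groupPolicyContainer objects; their CN is the GPO GUID in braces.
    $gpcNames = @(Get-ADObject -Server $dnsRoot -SearchBase $policiesDn `
                      -SearchScope OneLevel `
                      -Filter 'objectClass -eq "groupPolicyContainer"' |
                  ForEach-Object { $_.Name })

    # GPTs: GUID-named folders only, so PolicyDefinitions etc. are skipped.
    # PSIsContainer is used instead of -Directory to stay PowerShell 2.0 safe.
    $gptNames = @(Get-ChildItem -Path $sysvolPath |
                  Where-Object { $_.PSIsContainer -and $_.Name -match $guidPattern } |
                  ForEach-Object { $_.Name })

    # Template folder present in SYSVOL, no matching object in AD.
    foreach ($name in $gptNames) {
        if ($gpcNames -notcontains $name) {
            New-Object PSObject -Property @{ Guid = $name; Problem = 'GPT in SYSVOL, no GPC in AD' }
        }
    }
    # Object present in AD, template folder missing from SYSVOL.
    foreach ($name in $gpcNames) {
        if ($gptNames -notcontains $name) {
            New-Object PSObject -Property @{ Guid = $name; Problem = 'GPC in AD, no GPT in SYSVOL' }
        }
    }
}

Get-GpoOrphan | Sort-Object Problem, Guid | Format-Table Guid, Problem -AutoSize
```

Saved to a file, it is invoked with an explicit path such as `.\Get-GpoOrphan.ps1` (hypothetical file name), because PowerShell does not search the current directory for bare script names. `Set-ExecutionPolicy -Scope Process RemoteSigned` allows it for the current session only and does not write to HKEY_LOCAL_MACHINE.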
AXISHK

ASKER

Got the following result when running the PowerShell...

The term 'FindOrphanedGPOs.ps1' is not recognized as the name of a cmdlet, func
tion, script file, or operable program. Check the spelling of the name, or if a
 path was included, verify that the path is correct and try again.
At line:1 char:21
+ FindOrphanedGPOs.ps1 <<<<
    + CategoryInfo          : ObjectNotFound: (FindOrphanedGPOs.ps1:String) []
   , CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Any idea? Tks
How did you run the above script?

You should first start the Active Directory PowerShell module from an elevated command prompt on a 2008 R2 DC, then execute the script from there.
If you don't find the AD module for PowerShell, then just open PowerShell from an elevated command prompt and run the command below:
Import-Module ActiveDirectory

Also, in PowerShell, allow script execution before running the script.
Run the command below in the above PowerShell:
Set-ExecutionPolicy unrestricted
Press Y and Enter when prompted.

Also download the script with the right-click "Save as" option and then change the extension to .ps1

Mahesh
AXISHK

ASKER

Still the same...

PS C:\Users\adm_abc> set-ExecutionPolicy unrestricted

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust.
Changing the execution policy might expose you to the security risks described
in the about_Execution_Policies help topic. Do you want to change the execution
 policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y
Set-ExecutionPolicy : Access to the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\M
icrosoft\PowerShell\1\ShellIds\Microsoft.PowerShell' is denied.
At line:1 char:20
+ set-ExecutionPolicy <<<<  unrestricted
    + CategoryInfo          : NotSpecified: (:) [Set-ExecutionPolicy], Unautho
   rizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.Pow
   erShell.Commands.SetExecutionPolicyCommand

PS C:\Users\adm_abc> FindOrphanedGPOs.ps1
The term 'FindOrphanedGPOs.ps1' is not recognized as the name of a cmdlet, func
tion, script file, or operable program. Check the spelling of the name, or if a
 path was included, verify that the path is correct and try again.
At line:1 char:21
+ FindOrphanedGPOs.ps1 <<<<
    + CategoryInfo          : ObjectNotFound: (FindOrphanedGPOs.ps1:String) []
   , CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

PS C:\Users\adm_abc>
You must be running as administrator on the server.

I can see you got an access denied error.

Also you have not run Import-Module ActiveDirectory prior to executing the script.

Also you need to go to the actual path where the script is stored.

Mahesh
AXISHK

ASKER

Worked. So, should I go to the directory "\\abc.com.hk\SYSVOL\abc.com.hk\Policies" and delete each of them? I only need to do this on the DC and it will synchronize each of them, correct? Tks


Discovered 45 GPTs (Group Policy Templates) in SYSVOL (\\abc.com.hk\SYSVOL\abc.c
om.hk\Policies)

There are 11 GPTs in SYSVOL that don't exist in Active Directory (32.35% of the
total)
These are:
ASKER CERTIFIED SOLUTION
Mahesh