?
Solved

Orphaned GPO issue

Posted on 2014-02-03
2
Medium Priority
?
570 Views
Last Modified: 2014-02-03
All the sudden I have this type of messages cropping up in the event log:
GroupPolicy: 1058: The processing of Group Policy failed. Windows attempted to read the file \mydomain.local\SysVol\mydomain.local\Policies\{10A9F4FA-C707-4E92-9E91-53FDFC685107}\gpt.ini from a domain controller and was not successful. 
Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
 a) Name Resolution/Network Connectivity to the current domain controller.
 b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
c) The Distributed File System (DFS) client has been disabled. GroupPolicy: 1058: The processing of Group Policy failed. Windows attempted to read the file \mydomain.local\SysVol\mydomain.local\Policies\{10A9F4FA-C707-4E92-9E91-53FDFC685107}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved.

Open in new window


seems that so GPO is referenced in the AD but the actual GPO file is not present (not quite sure what has triggered this...).

I have run the FindOrphanedGPOs power-script from jhouseconsulting.com and it did indeed identify 4 orphaned GPOs:

Finding all orphaned Group Policy Objects (GPOs)...

Reading GPO information from Active Directory (CN=Policies,CN=System,DC=mydomain
,DC=local)...
Discovered 15 GPCs (Group Policy Containers) in Active Directory (CN=Policies,CN
=System,DC=mydomain,DC=local)

Reading GPO information from SYSVOL (\\mydomain.local\SYSVOL\mydomain.local\Poli
cies)...
Discovered 11 GPTs (Group Policy Templates) in SYSVOL (\\mydomain.local\SYSVOL\mydomain.local\Policies)

There are 0 GPTs in SYSVOL that don't exist in Active Directory (0.00 % of the t
otal)


There are 4 GPCs in Active Directory that don't exist in SYSVOL (26.67 % of the
total)
These are:
{10A9F4FA-C707-4E92-9E91-53FDFC685107}
{B5556118-5CBF-48AD-96E6-6CC121864261}
{D0FD14A4-C3D3-4FB3-A239-A4073EE365BE}
{DC1B4291-8306-4720-A21E-A7CD992E0E5A}

Open in new window


how do I locate the offending GPOs in the GPC admin console ?
0
Comment
Question by:Alexandre Takacs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 2000 total points
ID: 39829492
All of the GPO's have a unique SID associsted with it. You will need to reference that SID to the once that are missing.

- Open gpmc.msc
- go through the GPO's listed
- Click on the GPO's
- Click the details tab
- You will see Unique ID (this is what you will need to reference to)
seen screenshot below...
Unique ID
Will.
0
 
LVL 1

Author Closing Comment

by:Alexandre Takacs
ID: 39829515
thanks - exactly what I was looking for.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month13 days, 10 hours left to enroll

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question