Help understanding Group Policy

Posted on 2015-02-19
Last Modified: 2015-03-16

I have an Active Directory on Windows 2008R2 with a replicated second server which has collected many Policies over the years. I am trying to clean them up but first need to understand a few things and unleash some mysteries.

I will explain my issues and questions with as much information as possible.

1.) I checked the GUID of each policy and then checked the \\domain\sysvol\policies directory and there is a corresponding folder for each except for one folder which has no corresponding Policy in GP. I checked the Machine and User subfolders and they are empty. Is this safe to delete from Windows Explorer?

2.) Also, when I run a Group Policy Results, some policies come up with the name of the policy while others come up with the GUID. Any idea why, and how to have the name show for all of them?

3.) Some policies appear twice in the Applied GPO section. Is this a problem?

4.) Some policies appear in the section Denied GPO with reason Inaccessible. I actually deleted one of these and renamed the other one from GP. Why are they appearing here and how do I clean this up?

5.) Some policies appear in Denied GPO as Inaccessible. I realized that the Security Filter was for a Group of users, but the policy was linked to the Computer OU.
5A.) I changed one Policy to link to the top level OU domain name which includes all OU underneath. It seemed like this worked because the policy was simply to assign the default printer to a specific printer and when I logged in as the user it changed to that printer. However, it still appears as a Denied policy with inaccessible. How can I fix this as I would like to use the Group Policy Results tool to make sure all the policies are assigned and working properly?
5B.) I changed another policy from the User Group in the security Filter to Authenticated Users. This still shows denied, but I am not sure if it is working because it involves too many changes to check. Is there a way to make sure that the Group Policy Results tool reflects the current GPO or is there a better tool to use?

6.) If I want to create a policy with User settings to apply to specific users in a specific OU of Computers, what is the best way to do this?

7.) If I want to delete a policy, either because I don't need it any more or because I combined the settings into another policy, can I simply delete it from GPO or is there a better way?

8.) I always thought that I had to set the setting under Computer Configuration for System/Group Policy/User Group Policy loopback processing mode to Merge since I have many policies. But I noticed that not all have this. Do I need this for policies which only have user settings? Is there a simple rule when I use this and when not?

Question by:swenger7

Accepted Solution

Will Szymkowski earned 750 total points
ID: 40619068
This is a lot of questions... Answers are simplified below...
1 - If you have a policy that is in the sysvol folder that does not correspond with a GPO that is in Group Policy Management, this is an orphaned policy. I would check all of the other DCs' Sysvol shares to see if this orphaned policy is being replicated to the other DCs. If it is not, you might have a USN rollback issue.

2 - Policies that are showing up with only a GUID have been orphaned.

3 - Some policies could appear twice if you have it linked to a top level OU and linked to a sub OU.

4 - If you are getting denied it could be related to the orphaned issue described earlier, or you are denied on the security filtering

5 - I think you need to correct your policy structure first. Cleaning up the orphaned GPO's and making sure that security filtering is set properly

6 - If you want user policies to apply to specific computers this is called "Loopback Processing" which will need to be enabled

7 - You can delete policies; make sure that you are not deleting the link, because this will not delete the GPO object itself. You need to delete the object specifically under Group Policy Objects in the Group Policy Management Console. Also, before deleting any of the GPOs, make sure that your AD replication is working accordingly, using repadmin /replsum, repadmin /showrepl, and dcdiag /v.

8 - Loopback processing is a computer based policy and should only be applied when you want to only allow specific user access to these machines.
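The comparison described in answers 1 and 2 (SYSVOL folders versus GPO objects in AD) can be done in one pass. The following PowerShell script is an added example, not code posted in this thread; it assumes the GroupPolicy RSAT module is installed, that the account can read the SYSVOL share, and that the domain DNS name is in `$env:USERDNSDOMAIN` (override with `-Domain`). It reports both halves of the problem: folders in SYSVOL with no matching GPO (the orphaned folder in question 1) and GPOs in AD with no SYSVOL folder (which show up by GUID and cannot apply). It changes nothing.

```powershell
# Added example (not from the thread): cross-check GPO objects in AD against the SYSVOL Policies folders.
# Assumptions: GroupPolicy module available; read access to \\<domain>\SYSVOL; PowerShell 3.0 or later.
param([string]$Domain = $env:USERDNSDOMAIN)

Import-Module GroupPolicy

$policiesPath = "\\$Domain\SYSVOL\$Domain\Policies"

# GUIDs that AD knows about, normalised to the {GUID} folder-name form SYSVOL uses
$adGpos  = Get-GPO -All -Domain $Domain
$adGuids = @{}
foreach ($g in $adGpos) { $adGuids["{$($g.Id.ToString().ToUpper())}"] = $g.DisplayName }

# Folders actually present in SYSVOL; skip anything that is not a {GUID} (e.g. the PolicyDefinitions central store)
$folders = Get-ChildItem -Path $policiesPath -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }

# 1) SYSVOL folders with no GPO object behind them (the "orphaned folder" case)
$orphanFolders = foreach ($f in $folders) {
    if (-not $adGuids.ContainsKey($f.Name.ToUpper())) {
        $machine = Join-Path $f.FullName 'Machine'
        $user    = Join-Path $f.FullName 'User'
        [pscustomobject]@{
            Folder       = $f.Name
            # file counts tell you whether the folder still carries any settings at all
            MachineFiles = if (Test-Path $machine) { @(Get-ChildItem $machine -Recurse -File).Count } else { 0 }
            UserFiles    = if (Test-Path $user)    { @(Get-ChildItem $user    -Recurse -File).Count } else { 0 }
            LastWrite    = $f.LastWriteTime
        }
    }
}

# 2) GPO objects with no SYSVOL folder (the GPT half is missing; clients report these by GUID)
$folderNames    = @($folders | ForEach-Object { $_.Name.ToUpper() })
$missingFolders = $adGpos |
    Where-Object { $folderNames -notcontains "{$($_.Id.ToString().ToUpper())}" } |
    Select-Object DisplayName, Id, ModificationTime

Write-Host "SYSVOL folders with no GPO object in AD (cleanup candidates):"
$orphanFolders  | Format-Table -AutoSize
Write-Host "GPO objects in AD with no SYSVOL folder (will show by GUID / cannot apply):"
$missingFolders | Format-Table -AutoSize
```

Run it once against each domain controller's SYSVOL (point `-Domain` at a DC name, or compare the two result sets) before deleting anything: as the answer notes, a folder that exists on only one DC points at a replication problem rather than a stale GPO.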


Author Comment

ID: 40619092
1. The Sysvol Folder on both Domain Controllers is identical. Can I delete this Folder without any repercussions?
2. How do I fix this, since there is a policy with this GUID in GPO linked to an OU?
3. That makes sense
6 & 8. So if I enable this "Loopback Processing" in a policy, can I then link this policy to a Computer OU and have the security to a group of Users?
7. /replsum shows 0 failed and 5 total
/showrepl was successful
dcdiag - all tests passed
So it is completely safe to delete?
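Question 6 & 8 above asks when loopback processing is set. Loopback is a Computer Configuration setting stored in the GPO's registry policy as `UserPolicyMode` under `HKLM\Software\Policies\Microsoft\Windows\System` (1 = Merge, 2 = Replace), so it can be inventoried across all GPOs. The script below is an added example, not code from the thread; it assumes the GroupPolicy RSAT module and PowerShell 3.0 or later, and only reads.

```powershell
# Added example (not from the thread): report which GPOs configure User Group Policy loopback processing.
# Assumptions: GroupPolicy module available; PowerShell 3.0 or later. Read-only.
Import-Module GroupPolicy

$loopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
$modes = @{ 1 = 'Merge'; 2 = 'Replace' }

$report = foreach ($gpo in Get-GPO -All) {
    # Get-GPRegistryValue raises an error when the value is not present in this GPO;
    # treat that as "Not configured" rather than a failure.
    $setting = try {
        Get-GPRegistryValue -Guid $gpo.Id -Key $loopbackKey -ValueName 'UserPolicyMode' -ErrorAction Stop
    } catch { $null }

    [pscustomobject]@{
        GPO             = $gpo.DisplayName
        Status          = $gpo.GpoStatus              # e.g. AllSettingsEnabled, UserSettingsDisabled
        UserVersion     = $gpo.User.DSVersion         # 0 means the user half has never been written
        ComputerVersion = $gpo.Computer.DSVersion     # 0 means the computer half has never been written
        Loopback        = if ($setting) { $modes[[int]$setting.Value] } else { 'Not configured' }
    }
}

# Loopback only matters in a GPO that applies to computers; a user-only GPO (ComputerVersion 0)
# that carries it is configured in a place where it does nothing.
$report | Sort-Object Loopback, GPO | Format-Table -AutoSize
```

Read the output alongside where each GPO is linked: the loopback setting must sit in a GPO that applies to the computer OU, while the user settings it pulls in can live in separate GPOs filtered to the user group.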

Expert Comment

by:Will Szymkowski
ID: 40619112
If you are showing GUIDs for your GPOs then they are orphaned. You should be able to remove these without any issues.



Author Comment

ID: 40619135
I understand that I can delete the Folder for the GUID which has no corresponding Policy, but it doesn't make sense that a policy which I just created and linked to an OU is orphaned. Could there be another reason why it is showing up as a GUID in the Results Wizard?

Also, why would there be a policy showing up which is no longer in my GPO? It was deleted months ago.

Could it be that the Results tool is not accurate, or is using old cached info or something?

Expert Comment

by:Will Szymkowski
ID: 40619175
It seems that aside from the questions you have asked above there are other issues going on in your domain. I can tell you that if you create a new GPO and it is referencing itself on the client using the GUID, there is something wrong. I do not know what you have done in your environment to get to this point, so I can only offer limited help.

I would start by running the following commands to check your current overall health of AD...
- repadmin /replsum
- repadmin /showrepl
- repadmin /bridgeheads
- dcdiag /v
- netdom query fsmo
- netdom query dc

Also run the Active Directory Best Practices Analyzer
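The six commands listed above are easier to compare across DCs and over time if each run is captured to a file with its exit code. The wrapper below is an added example, not code from the thread; it assumes it is run in an elevated PowerShell on a domain controller where `repadmin`, `dcdiag` and `netdom` are present. The "Flags" column is a rough heuristic (lines mentioning a failed dcdiag test or an error) to tell you which files to read first; it is not a substitute for reading the output.

```powershell
# Added example (not from the thread): run the AD health checks listed above and collect the output.
# Assumptions: elevated PowerShell on a DC; repadmin, dcdiag and netdom on the PATH; PowerShell 3.0 or later.
param([string]$OutDir = (Join-Path $env:TEMP ("ad-health-" + (Get-Date -Format 'yyyyMMdd-HHmm'))))

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# One entry per command from the answer above
$checks = @(
    @{ Name = 'repadmin-replsum';     Cmd = 'repadmin'; Args = @('/replsum') },
    @{ Name = 'repadmin-showrepl';    Cmd = 'repadmin'; Args = @('/showrepl') },
    @{ Name = 'repadmin-bridgeheads'; Cmd = 'repadmin'; Args = @('/bridgeheads') },
    @{ Name = 'dcdiag-v';             Cmd = 'dcdiag';   Args = @('/v') },
    @{ Name = 'netdom-query-fsmo';    Cmd = 'netdom';   Args = @('query', 'fsmo') },
    @{ Name = 'netdom-query-dc';      Cmd = 'netdom';   Args = @('query', 'dc') }
)

$summary = foreach ($c in $checks) {
    $file = Join-Path $OutDir ($c.Name + '.txt')
    $argList = $c.Args
    # 2>&1 folds stderr into the captured output so nothing is lost from the file
    $out = & $c.Cmd @argList 2>&1
    $exit = $LASTEXITCODE
    $out | Out-File -FilePath $file -Encoding utf8

    # Heuristic only: dcdiag prints "failed test <Name>" per failing test; repadmin and netdom
    # report problems as lines containing "error". Read the file for the actual detail.
    $flags = @($out | Select-String -Pattern 'failed test|error' -CaseSensitive:$false).Count

    [pscustomobject]@{
        Check    = $c.Name
        ExitCode = $exit
        Flags    = $flags
        Output   = $file
    }
}

$summary | Format-Table -AutoSize
Write-Host "Reports written to $OutDir"
```

Keep the output directory from a known-good run; diffing the `repadmin /showrepl` and `netdom query fsmo` files against a later run makes replication or role changes obvious.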


Author Comment

ID: 40619422
I am running BPA on each role.

ADDS had some non-compliant items. I fixed them and reran, and all is good.
DHCP is good.
Network Policy is good.
File Services and IIS didn't have BPA option

DNS has two issues which I need help please
1. Issue:
The network adapter Local Area Connection 4 does not list the loopback IP address as a DNS server, or it is configured as the first entry. However, I added it as the secondary DNS server as the MS KB mentioned.

2. Issue:
The Active Directory integrated DNS zone _msdcs.{domainname.ca} was not found. Based on the link it takes me to https://technet.microsoft.com/en-us/library/ff807395(WS.10).aspx I need to restore an AD-integrated zone. I need to enter the FQDN of the zone name but I am not sure what to enter. Can you help with that?

Expert Comment

by:Will Szymkowski
ID: 40619448
Answers are below...
1 - Each DC/DNS server should be primary (pointing to itself)
2 - _msdcs.{domainname.ca}: this zone is used for SRV records to find the correct services. This is critical for Active Directory to function properly.

You will need to restore the integrated zone from backup. You would have to do an Authoritative Restore.


Assisted Solution

swenger7 earned 0 total points
ID: 40658957
So I had to add Authenticated Users to each GP for Read policy only (not Apply policy), then leave my security groups that I wanted to be applied as I had them, and now nothing appears as inaccessible.
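The fix described in this solution (Authenticated Users gets Read only, the filtered groups keep Apply) can be audited and, if wanted, applied in bulk. The script below is an added example, not code posted in this thread; it assumes the GroupPolicy RSAT module and PowerShell 3.0 or later. By default it only reports; with `-Fix` it grants `GpoRead` to Authenticated Users on GPOs that lack it, and leaves the existing `GpoApply` trustees untouched.

```powershell
# Added example (not from the thread): find GPOs where Authenticated Users cannot Read the policy
# (the "Inaccessible" symptom above) and optionally grant Read only, without touching Apply.
# Assumptions: GroupPolicy module available; PowerShell 3.0 or later; -Fix needs GPO edit rights.
param([switch]$Fix)

Import-Module GroupPolicy

$authUsersSid = 'S-1-5-11'   # well-known SID for Authenticated Users
# Any of these levels includes the right to read the GPO
$readLevels   = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

$results = foreach ($gpo in Get-GPO -All) {
    # -All lists every trustee with a permission level on the GPO
    $perms = Get-GPPermission -Guid $gpo.Id -All

    $authEntry = $perms | Where-Object { $_.Trustee.Sid.Value -eq $authUsersSid }
    $hasRead   = ($authEntry | Where-Object { $readLevels -contains $_.Permission }) -ne $null

    # Who the policy actually applies to (security filtering) stays as it is
    $appliedTo = ($perms | Where-Object { $_.Permission -eq 'GpoApply' } |
                  ForEach-Object { $_.Trustee.Name }) -join ', '

    $action = 'none'
    if (-not $hasRead -and $Fix) {
        # GpoRead only: Authenticated Users can read the GPO, but it still applies only to the
        # trustees that hold GpoApply. Without -Replace, an existing higher level is not lowered.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
                         -PermissionLevel GpoRead | Out-Null
        $action = 'granted GpoRead'
    }

    [pscustomobject]@{
        GPO           = $gpo.DisplayName
        AuthUsersRead = $hasRead
        AppliedTo     = $appliedTo
        Action        = $action
    }
}

$results | Sort-Object AuthUsersRead, GPO | Format-Table -AutoSize
```

Run it without `-Fix` first and check the `AppliedTo` column: a GPO whose only Apply trustee is a user group but which is linked to a computer OU will still not do anything for those users until the link or the filtering is corrected, as discussed under question 5 above.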

Author Closing Comment

ID: 40667534
Part of the issue was not resolved here, but I found the solution elsewhere.
