

Help understanding Group Policy

Posted on 2015-02-19
Medium Priority
Last Modified: 2015-03-16

I have an Active Directory on Windows 2008R2 with a replicated second server which has collected many Policies over the years. I am trying to clean them up but first need to understand a few things and unleash some mysteries.

I will explain my issues and questions with as much information as possible.

1.) I checked the GUID of each policy and then checked the \\domain\sysvol\policies directory and there is a corresponding folder for each except for one folder which has no corresponding Policy in GP. I checked the Machine and User subfolders and they are empty. Is this safe to delete from Windows Explorer?

2.) Also, when I run Group Policy Results, some policies come up with the name of the policy while others come up with the GUID. Any idea why, and how to have the name show for all of them?

3.) Some policies appear twice in the Applied GPO section. Is this a problem?

4.) Some policies appear in the section Denied GPO with reason Inaccessible. I actually deleted one of these and renamed the other one from GP. Why are they appearing here and how do I clean this up?

5.) Some policies appear in Denied GPO as Inaccessible. I realized that the Security Filter was for a Group of users, but the policy was linked to the Computer OU.
5A.) I changed one Policy to link to the top level OU domain name which includes all OU underneath. It seemed like this worked because the policy was simply to assign the default printer to a specific printer and when I logged in as the user it changed to that printer. However, it still appears as a Denied policy with inaccessible. How can I fix this as I would like to use the Group Policy Results tool to make sure all the policies are assigned and working properly?
5B.) I changed another policy from the User Group in the security Filter to Authenticated Users. This still shows denied, but I am not sure if it is working because it involves too many changes to check. Is there a way to make sure that the Group Policy Results tool reflects the current GPO or is there a better tool to use?

6.) If I want to create a policy with User settings to apply to specific users in a specific OU of Computers, what is the best way to do this?

7.) If I want to delete a policy, either because I don't need it any more or because I combined the settings into another policy, can I simply delete it from GPO or is there a better way?

8.) I always thought that I had to set the setting under Computer Configuration for System/Group Policy/User Group Policy loopback processing mode to Merge since I have many policies. But I noticed that not all have this. Do I need this for policies which only have user settings? Is there a simple rule when I use this and when not?

Question by:swenger7

Accepted Solution

Will Szymkowski earned 750 total points
ID: 40619068
This is a lot of questions... Answers are simplified below...
1 - if you have a policy that is in the sysvol folder that does not correspond with a GPO that is in Group Policy Management this is an orphaned policy. I would check all of the other DC's Sysvol share to see if this orphaned policy is being replicated to the other DC's. If it is not you might have a USN Roll back issue.

2 - Policies that are showing up with only a GUID have been orphaned

3 - Some policies could appear twice if you have it linked to a top level OU and linked to a sub OU

4 - If you are getting denied it could be related to the orphaned issue described earlier, or you are denied on the security filtering

5 - I think you need to correct your policy structure first: clean up the orphaned GPOs and make sure that security filtering is set properly

6 - If you want user policies to apply to specific computers this is called "Loopback Processing" which will need to be enabled

7 - You can delete policies, but make sure that you are not deleting the link, because this will not delete the GPO object itself. You need to delete the object specifically under Group Policy Objects in the Group Policy Management Console. Also, before deleting any of the GPOs, make sure that your AD replication is working accordingly, using repadmin /replsum and repadmin /showrepl, and dcdiag /v

8 - Loopback processing is a computer based policy and should only be applied when you want to only allow specific user access to these machines.
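The orphan check from points 1 and 2 (GPO objects in AD versus policy folders in SYSVOL, then the same folder count on every DC's own SYSVOL copy), as an added read-only audit script that is not part of this reply. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and the account can read the SYSVOL share; it deletes nothing.

```powershell
# Added example, not from the original reply. Read-only audit: it deletes nothing.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules and read access to SYSVOL.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain     = (Get-ADDomain).DNSRoot
$policyRoot = "\\$domain\SYSVOL\$domain\Policies"

# GPO objects in AD, keyed by GUID in the {UPPERCASE} form SYSVOL uses for folder names
$adGpos = @{}
foreach ($g in Get-GPO -All) { $adGpos[$g.Id.ToString('B').ToUpper()] = $g.DisplayName }

# Policy folders in SYSVOL (ignores PolicyDefinitions and anything not named like a GUID)
$folders = Get-ChildItem -Path $policyRoot -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }
$folderNames = $folders | ForEach-Object { $_.Name.ToUpper() }

"SYSVOL folders with no GPO object in AD (orphaned, as in question 1):"
foreach ($f in $folders) {
    if (-not $adGpos.ContainsKey($f.Name.ToUpper())) {
        # An empty Machine/User tree shows up here as 0 files
        $fileCount = (Get-ChildItem -Path $f.FullName -Recurse -File).Count
        "  $($f.Name)  files inside: $fileCount"
    }
}

"GPO objects in AD with no matching SYSVOL folder:"
foreach ($key in $adGpos.Keys) {
    if ($folderNames -notcontains $key) { "  $key  $($adGpos[$key])" }
}

# Per-DC folder count, to confirm an orphan is present on every DC's own SYSVOL copy
"Policy folder count per domain controller:"
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $count = (Get-ChildItem -Path "\\$dc\SYSVOL\$domain\Policies" -Directory).Count
    "  $dc : $count"
}
```

A folder that appears in the first list on every DC with the same (empty) contents is the case the question describes; one that appears on only some DCs points at the replication problem mentioned in point 1 and should be investigated before anything is deleted.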


Author Comment

ID: 40619092
1. The Sysvol folder in both Domain Controllers is identical. Can I delete this folder without any repercussions?
2. How do I fix this, since there is a policy with this GUID in GPO linked to an OU?
3. That makes sense
6 & 8. So if I enable this "Loopback Processing" in a policy, can I then link this policy to a Computer OU and have the security to a group of Users?
7. /replsum shows 0 failed and 5 total
/showrepl was successful
dcdiag - all tests passed
So it is completely safe to delete?

Expert Comment

by:Will Szymkowski
ID: 40619112
If you are showing GUIDs for your GPOs then they are orphaned. You should be able to remove these without any issues.

Author Comment

ID: 40619135
I understand that I can delete the folder for the GUID which has no corresponding policy, but it doesn't make sense that a policy which I just created and linked to an OU is orphaned. Could there be another reason why it is showing up as a GUID in the Results Wizard?

Also, why would there be a policy showing up which is no longer in my GPO? It was deleted months ago.

Could it be that the Results tool is not accurate, or is using old cached info or something?

Expert Comment

by:Will Szymkowski
ID: 40619175
It seems that, aside from the questions you have asked above, there are other issues going on in your domain. I can tell you that if you create a new GPO and it is referencing itself on the client using the GUID, there is something wrong. I do not know what you have done in your environment to get to this point, so I can only offer limited help.

I would start by running the following commands to check the current overall health of AD...
- repadmin /replsum
- repadmin /showrepl
- repadmin /bridgeheads
- dcdiag /v
- netdom query fsmo
- netdom query dc

Also run the Active Directory Best Practices Analyzer


Author Comment

ID: 40619422
I am running BPA on each role.

ADDS had some non-compliant items. I fixed them, reran it, and all is good
DHCP is good
Network Policy is good
File Services and IIS didn't have BPA option

DNS has two issues which I need help please
1. Issue:
The network adapter Local Area Connection 4 does not list the loopback IP address as a DNS server, or it is configured as the first entry. However, I added it as the secondary DNS server, as the MS KB article mentioned

2. Issue:
The Active Directory integrated DNS zone _msdcs.{} was not found. Based on the link it takes me to I need to restore an AD-integrated zone. I need to enter the FQDN of the zone name but I am not sure what to enter. Can you help with that?

Expert Comment

by:Will Szymkowski
ID: 40619448
Answers are below...
1 - Each DC/DNS server should be primary (pointing to itself)
2 - _msdcs.{}: this zone is used for SRV records to find the correct services. This is critical for Active Directory to function properly.

You will need to restore the integrated zone from backup. You would have to do an Authoritative Restore.


Assisted Solution

swenger7 earned 0 total points
ID: 40658957
So I had to add Authenticated Users to each GP for Read policy only and not Apply policy, and then leave my security groups that I wanted to be applied as I had, and now nothing appears as inaccessible.
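The security-filtering fix described in this post (Authenticated Users gets Read but not Apply; the intended groups keep Apply), as an added audit script that is not the author's own. It assumes the GroupPolicy RSAT module; `$applyChanges` is a hypothetical guard variable in the script, not a cmdlet option, and the script only reports until it is set to `$true`.

```powershell
# Added example, not from the original post. Reports each GPO's security
# filtering and, when $applyChanges is $true, grants Authenticated Users Read
# only (no Apply) where it is missing. Assumes the GroupPolicy RSAT module;
# $applyChanges is a hypothetical guard for this script, not a cmdlet option.
Import-Module GroupPolicy
$applyChanges = $false

function Get-GpoFilterReport {
    param([string]$GpoName)
    $perms = Get-GPPermission -Name $GpoName -All
    # Authenticated Users is the well-known SID S-1-5-11
    $authUsers = $perms | Where-Object {
        $_.Trustee.Sid.Value -eq 'S-1-5-11' -or $_.Trustee.Name -eq 'Authenticated Users'
    }
    $level = if ($authUsers) { $authUsers.Permission } else { 'None' }
    # Trustees that will actually receive the policy (GpoApply implies Read)
    $applyTo = ($perms | Where-Object { $_.Permission -eq 'GpoApply' } |
                ForEach-Object { $_.Trustee.Name }) -join ', '
    [pscustomobject]@{
        GPO            = $GpoName
        AuthUsersLevel = $level
        ApplyTo        = $applyTo
    }
}

$report = foreach ($g in Get-GPO -All) { Get-GpoFilterReport -GpoName $g.DisplayName }
$report | Format-Table -AutoSize

foreach ($row in $report | Where-Object { $_.AuthUsersLevel -eq 'None' }) {
    if ($applyChanges) {
        # GpoRead lets the GPO be read (and reported on) without applying it;
        # Apply stays with the groups already in the filter.
        Set-GPPermission -Name $row.GPO -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        "Granted Read to Authenticated Users on '$($row.GPO)'"
    } else {
        "Would grant Read to Authenticated Users on '$($row.GPO)' (set `$applyChanges = `$true)"
    }
}
```

A GPO whose AuthUsersLevel is `None` while ApplyTo lists only a user group is the pattern that showed up as Inaccessible in the thread; after the change the AuthUsersLevel column should read `GpoRead` and ApplyTo should be unchanged.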

Author Closing Comment

ID: 40667534
Part of the issue was not resolved here, but I found the solution elsewhere.
