Help understanding Group Policy

Posted on 2015-02-19
Last Modified: 2015-03-16
Hi,

I have an Active Directory on Windows 2008R2 with a replicated second server which has collected many Policies over the years. I am trying to clean them up but first need to understand a few things and unleash some mysteries.

I will explain my issues and questions with as much information as possible.

1.) I checked the GUID of each policy and then checked the \\domain\sysvol\policies directory and there is a corresponding folder for each except for one folder which has no corresponding Policy in GP. I checked the Machine and User subfolders and they are empty. Is this safe to delete from Windows Explorer?

2.) Also, when I run a Group Policy Results, some policies come up with the name of the policy while others come up with the GUID. Any idea why, and how to have the name show for all of them?

3.) Some policies appear twice in the Applied GPO section. Is this a problem?

4.) Some policies appear in the section Denied GPO with reason Inaccessible. I actually deleted one of these and renamed the other one from GP. Why are they appearing here and how do I clean this up?

5.) Some policies appear in Denied GPO as Inaccessible. I realized that the Security Filter was for a Group of users, but the policy was linked to the Computer OU.
5A.) I changed one Policy to link to the top level OU domain name which includes all OU underneath. It seemed like this worked because the policy was simply to assign the default printer to a specific printer and when I logged in as the user it changed to that printer. However, it still appears as a Denied policy with inaccessible. How can I fix this as I would like to use the Group Policy Results tool to make sure all the policies are assigned and working properly?
5B.) I changed another policy from the User Group in the security Filter to Authenticated Users. This still shows denied, but I am not sure if it is working because it involves too many changes to check. Is there a way to make sure that the Group Policy Results tool reflects the current GPO or is there a better tool to use?

6.) If I want to create a policy with User settings to apply to specific users in a specific OU of Computers, what is the best way to do this?

7.) If I want to delete a policy, either because I don't need it any more or because I combined the settings into another policy, can I simply delete it from GPO or is there a better way?

8.) I always thought that I had to set the setting under Computer Configuration for System/Group Policy/User Group Policy loopback processing mode to Merge since I have many policies. But I noticed that not all have this. Do I need this for policies which only have user settings? Is there a simple rule when I use this and when not?

Thanks,
Question by:swenger7
9 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 250 total points
ID: 40619068
This is a lot of questions... Answers are simplified below...
1 - If you have a policy folder in SYSVOL that does not correspond with a GPO in Group Policy Management, this is an orphaned policy. I would check all of the other DCs' SYSVOL shares to see if this orphaned policy is being replicated to the other DCs. If it is not, you might have a USN rollback issue.

2 - Policies that are showing up with only a GUID have been orphaned

3 - Some policies could appear twice if you have them linked to a top-level OU and to a sub OU.

4 - If you are getting denied, it could be related to the orphaned issue described earlier, or you are denied on the security filtering.

5 - I think you need to correct your policy structure first: clean up the orphaned GPOs and make sure that security filtering is set properly.

6 - If you want user policies to apply to specific computers, this is called "Loopback Processing", which will need to be enabled.

7 - You can delete policies; make sure that you are not deleting the link, because this will not delete the GPO object itself. You need to delete the object specifically under Group Policy Objects in the Group Policy Management Console. Also, before deleting any of the GPOs, make sure that your AD replication is working accordingly, using repadmin /replsum, repadmin /showrepl, and dcdiag /v.

8 - Loopback processing is a computer-based policy and should only be applied when you want to allow only specific users access to these machines.

Will.
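The comparison from point 1 of this answer (SYSVOL folders versus GPO objects in AD) can be scripted instead of checked by eye. The following is an added example, not code from the thread; it assumes the GroupPolicy PowerShell module (RSAT or a DC) and uses the placeholder names `corp.example.com` and `dc1.corp.example.com`, which you would replace with your own domain and DC.

```powershell
# Added example, not code from the thread. Compares the GPO objects AD knows about
# (via Get-GPO) with the {GUID} folders under one DC's SYSVOL Policies share and
# reports mismatches in both directions. It is read-only and deletes nothing.
# Run it once per DC to see whether the folders match on every replica, as the
# accepted answer suggests. $Domain and $Dc are constructed placeholders.
Import-Module GroupPolicy

$Domain = 'corp.example.com'       # placeholder: AD DNS name
$Dc     = 'dc1.corp.example.com'   # placeholder: the DC whose SYSVOL to inspect
$PoliciesDir = "\\$Dc\SYSVOL\$Domain\Policies"

# "{GUID}" -> display name for every GPO object in AD, keyed in folder-name form
$adGpos = @{}
Get-GPO -All -Domain $Domain -Server $Dc | ForEach-Object {
    $adGpos["{$($_.Id.ToString().ToUpper())}"] = $_.DisplayName
}

# Folder names on SYSVOL; only "{GUID}"-shaped names count as GPO folders
$sysvolFolders = Get-ChildItem -Path $PoliciesDir -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object { $_.Name.ToUpper() }

# Folder with no AD object: an orphaned policy folder (question 1 in the thread)
$orphanFolders  = @($sysvolFolders | Where-Object { -not $adGpos.ContainsKey($_) })
# AD object with no folder: clients cannot read its settings either, so report it
$missingFolders = @($adGpos.Keys | Where-Object { $sysvolFolders -notcontains $_ })

"--- SYSVOL folders on $Dc with no matching GPO in AD ---"
foreach ($f in $orphanFolders) {
    # Count files below Machine\ and User\, the check the asker did by hand
    $files = Get-ChildItem -Path (Join-Path $PoliciesDir $f) -Recurse -File -ErrorAction SilentlyContinue
    '{0}  files below it: {1}' -f $f, @($files).Count
}

"--- GPOs in AD with no folder on $Dc ---"
foreach ($g in $missingFolders) { '{0}  ({1})' -f $g, $adGpos[$g] }
```

A folder that is listed as orphaned on every DC, with zero files below it, matches the situation described in question 1; a folder that is orphaned on only one DC points at the replication problem the answer warns about.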

Author Comment

by:swenger7
ID: 40619092
1. The SYSVOL folder in both Domain Controllers is identical. Can I delete this folder without any repercussions?
2. How do I fix this, since there is a policy with this GUID in GPO linked to an OU?
3. That makes sense.
6 & 8. So if I enable this "Loopback Processing" in a policy, can I then link this policy to a Computer OU and set the security to a group of Users?
7. /replsum shows 0 failed and 5 total
/showrepl was successful
dcdiag - all tests passed
So it is completely safe to delete?
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40619112
If you are showing GUIDs for your GPOs then they are orphaned. You should be able to remove these without any issues.

Will.

Author Comment

by:swenger7
ID: 40619135
I understand that I can delete the folder for the GUID which has no corresponding policy, but it doesn't make sense that a policy which I just created and linked to an OU is orphaned. Could there be another reason why it is showing up as a GUID in the Results Wizard?

Also, why would there be a policy showing up which is no longer in my GPO? It was deleted months ago.

Could it be that the Results tool is not accurate, or is using old cached info or something?
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40619175
It seems that, aside from the questions you have asked above, there are other issues going on in your domain. I can tell you that if you create a new GPO and it is referencing itself on the client using the GUID, there is something wrong. I do not know what you have done in your environment to get to this point, so I can only offer limited help.

I would start by running the following commands to check the current overall health of AD...
- repadmin /replsum
- repadmin /showrepl
- repadmin /bridgeheads
- dcdiag /v
- netdom query fsmo
- netdom query dc

Also run the Active Directory Best Practices Analyzer
https://technet.microsoft.com/en-us/library/dd391875%28v=ws.10%29.aspx

Will.

Author Comment

by:swenger7
ID: 40619422
I am running BPA on each role.

ADDS had some non-compliant items. I fixed them, reran, and all is good.
DHCP is good.
Network Policy is good.
File Services and IIS didn't have a BPA option.

DNS has two issues which I need help with, please.
1. Issue:
The network adapter Local Area Connection 4 does not list the loopback IP address as a DNS server, or it is configured as the first entry. However, I added 127.0.0.1 as the secondary DNS server, as the MS KB mentioned.

2. Issue:
The Active Directory integrated DNS zone _msdcs.{domainname.ca} was not found. Based on the link it takes me to, https://technet.microsoft.com/en-us/library/ff807395(WS.10).aspx, I need to restore an AD-integrated zone. I need to enter the FQDN of the zone name but I am not sure what to enter. Can you help with that?
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40619448
Answers are below...
1 - Each DC/DNS server should be primary (pointing to itself).
2 - _msdcs.{domainname.ca}: this zone is used for SRV records to find the correct services. This is critical for Active Directory to function properly.

You will need to restore the integrated zone from backup. You would have to do an Authoritative Restore.

Will.

Assisted Solution

by:swenger7
swenger7 earned 0 total points
ID: 40658957
So I had to add Authenticated Users to each GP for Read policy only (not Apply policy), then leave the security groups that I wanted to be applied as I had them, and now nothing appears as inaccessible.
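The fix the asker settled on (Authenticated Users with Read but not Apply, existing group filtering untouched) can be audited across all GPOs rather than edited one by one in the console. This is an added example, not code from the thread; it assumes the GroupPolicy module and the current user's domain, and the `$GrantRead` switch is a constructed convenience that defaults to report-only.

```powershell
# Added example, not code from the thread. Lists every GPO where Authenticated
# Users has no Read permission, which is the delegation state the asker found
# behind the "Inaccessible" entries in Group Policy Results. With $GrantRead set
# to $true it grants GpoRead only, never GpoApply, so the security groups already
# on the GPO still decide who actually receives the settings.
Import-Module GroupPolicy

$Trustee   = 'Authenticated Users'
$GrantRead = $false   # report only by default; set $true to add Read on the ones found

# Any of these levels includes Read; GpoRead alone is what the asker used
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

foreach ($gpo in Get-GPO -All) {
    # -All returns one entry per trustee; keep the allow entry for our trustee
    $perm = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Trustee.Name -eq $Trustee -and -not $_.Denied } |
        Select-Object -First 1

    if ($perm -and ($perm.Permission.ToString() -in $readLevels)) { continue }

    '{0}  {{{1}}}: {2} has no Read permission' -f $gpo.DisplayName, $gpo.Id, $Trustee

    if ($GrantRead) {
        # Read only: the client can evaluate the GPO and Results can name it, but
        # Apply is still limited to the groups already in the security filter
        Set-GPPermission -Guid $gpo.Id -TargetName $Trustee -TargetType Group `
            -PermissionLevel GpoRead | Out-Null
    }
}
```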

Author Closing Comment

by:swenger7
ID: 40667534
Part of the issue was not resolved here, but I found a solution elsewhere.
