Help understanding Group Policy


I have an Active Directory on Windows 2008 R2 with a replicated second server, which has collected many policies over the years. I am trying to clean them up, but first I need to understand a few things and unravel some mysteries.

I will explain my issues and questions with as much information as possible.

1.) I checked the GUID of each policy and then checked the \\domain\sysvol\policies directory, and there is a corresponding folder for each, except for one folder which has no corresponding policy in GP. I checked the Machine and User subfolders and they are empty. Is this safe to delete from Windows Explorer?

2.) Also, when I run Group Policy Results, some policies come up with the name of the policy while others come up with the GUID. Any idea why, and how to have the name show for all of them?

3.) Some policies appear twice in the Applied GPO section. Is this a problem?

4.) Some policies appear in the section Denied GPO with reason Inaccessible. I actually deleted one of these and renamed the other one from GP. Why are they appearing here and how do I clean this up?

5.) Some policies appear in Denied GPO as Inaccessible. I realized that the Security Filter was for a group of users, but the policy was linked to the Computer OU.
5A.) I changed one policy to link to the top-level OU (the domain name), which includes all OUs underneath. It seemed like this worked, because the policy was simply to assign the default printer to a specific printer, and when I logged in as the user it changed to that printer. However, it still appears as a Denied policy with the reason Inaccessible. How can I fix this, as I would like to use the Group Policy Results tool to make sure all the policies are assigned and working properly?
5B.) I changed another policy from the user group in the Security Filter to Authenticated Users. This still shows as denied, but I am not sure if it is working because it involves too many changes to check. Is there a way to make sure that the Group Policy Results tool reflects the current GPO, or is there a better tool to use?

6.) If I want to create a policy with User settings to apply to specific users in a specific OU of Computers, what is the best way to do this?

7.) If I want to delete a policy, either because I don't need it any more or because I combined its settings into another policy, can I simply delete it from GPO, or is there a better way?

8.) I always thought that I had to set the setting under Computer Configuration for System/Group Policy/User Group Policy loopback processing mode to Merge since I have many policies. But I noticed that not all have this. Do I need this for policies which only have user settings? Is there a simple rule when I use this and when not?


Will Szymkowski (Senior Solution Architect) commented:
This is a lot of questions... Answers are simplified below...
1 - If you have a policy folder in SYSVOL that does not correspond with a GPO in Group Policy Management, this is an orphaned policy. I would check the SYSVOL share on all of the other DCs to see if this orphaned policy is being replicated to them. If it is not, you might have a USN rollback issue.

2 - Policies that are showing up with only a GUID have been orphaned.

3 - Some policies could appear twice if you have them linked to a top-level OU and also linked to a sub-OU.

4 - If you are getting Denied, it could be related to the orphaned issue described earlier, or you are denied by the security filtering.

5 - I think you need to correct your policy structure first: clean up the orphaned GPOs and make sure that security filtering is set properly.

6 - If you want user policies to apply to specific computers, this is called "Loopback Processing", which will need to be enabled.

7 - You can delete policies; make sure that you are not just deleting the link, because this will not delete the GPO object itself. You need to delete the object specifically under Group Policy Objects in the Group Policy Management Console. Also, before deleting any of the GPOs, make sure that your AD replication is working correctly, using repadmin /replsum, repadmin /showrepl, and dcdiag /v.

8 - Loopback processing is a computer based policy and should only be applied when you want to only allow specific user access to these machines.
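As an added example (not part of the thread, and not the poster's or Microsoft's own script), the following PowerShell script reconciles the GPO objects in AD against the {GUID} folders in SYSVOL\Policies, which is the check behind points 1 and 2 above, and then lists GPOs that are linked at more than one container, which is the cause named in point 3. It assumes the GroupPolicy and ActiveDirectory RSAT modules (present on Windows Server 2008 R2) and an account that can read the domain's SYSVOL share; the domain name is discovered at run time and nothing is deleted.

```powershell
# Added example, not from the original thread. Reconcile AD GPO objects with
# SYSVOL\Policies folders and report multiply-linked GPOs. Read-only.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain       = Get-ADDomain
$policiesPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"

# SYSVOL folder names are the GPO GUID in upper-case, wrapped in braces.
function Get-GpoFolderName($gpo) { "{" + $gpo.Id.ToString().ToUpper() + "}" }

# GPO objects in AD, keyed by their SYSVOL folder name.
$gpos      = Get-GPO -All
$gpoByGuid = @{}
foreach ($g in $gpos) { $gpoByGuid[(Get-GpoFolderName $g)] = $g }

# Folders in SYSVOL that look like a GPO (skips PolicyDefinitions and the like).
# PSIsContainer is used instead of -Directory so the script runs on PowerShell 2.0.
$folders = Get-ChildItem -Path $policiesPath |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }

"== SYSVOL folders with no GPO object in AD (orphaned folders) =="
foreach ($f in $folders) {
    if (-not $gpoByGuid.ContainsKey($f.Name.ToUpper())) {
        # Show whether Machine\ and User\ actually hold anything before deciding to delete.
        $files = @(Get-ChildItem -Path $f.FullName -Recurse -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer })
        "{0}  files={1}  lastwrite={2}" -f $f.Name, $files.Count, $f.LastWriteTime
    }
}

"== GPO objects in AD with no SYSVOL folder (broken the other way) =="
foreach ($g in $gpos) {
    $folder = Join-Path $policiesPath (Get-GpoFolderName $g)
    if (-not (Test-Path $folder)) { "{0}  {1}" -f $g.Id, $g.DisplayName }
}

"== GPOs linked at more than one container (each link is its own line in gpresult) =="
$containers = @($domain.DistinguishedName) +
              @(Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName })
$links = foreach ($dn in $containers) { (Get-GPInheritance -Target $dn).GpoLinks }
$links | Group-Object -Property GpoId | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $targets = ($_.Group | ForEach-Object { $_.Target }) -join '; '
    "{0} linked {1} times: {2}" -f $_.Group[0].DisplayName, $_.Count, $targets
}
```

Run it on each domain controller (pointing $policiesPath at that DC's own SYSVOL share, e.g. \\DC1\SYSVOL\...) if you want to confirm the orphaned folder looks the same everywhere before removing it; a folder that exists on only one DC points at a replication problem rather than at a simple leftover. Site links are not enumerated here, so a GPO linked to a site would not be counted.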

swenger7 (Author) commented:
1. The SYSVOL folders on both domain controllers are identical. Can I delete this folder without any repercussions?
2. How do I fix this, since there is a policy with this GUID in GPO linked to an OU?
3. That makes sense
6 & 8. So if I enable this "Loopback Processing" in a policy, can I then link this policy to a Computer OU and have the security filtering set to a group of users?
7. /replsum shows 0 failed and 5 total
/showrepl was successful
dcdiag - all tests passed
So it is completely safe to delete?
Will Szymkowski (Senior Solution Architect) commented:
If you are seeing GUIDs for your GPOs, then they are orphaned. You should be able to remove these without any issues.


swenger7 (Author) commented:
I understand that I can delete the folder for the GUID which has no corresponding policy, but it doesn't make sense that a policy which I just created and linked to an OU is orphaned. Could there be another reason why it is showing up as a GUID in the Results Wizard?

Also, why would there be a policy showing up which is no longer in my GPO? It was deleted months ago.

Could it be that the Results tool is not accurate, or is using old cached info or something?
Will Szymkowski (Senior Solution Architect) commented:
It seems that, aside from the questions you have asked above, there are other issues going on in your domain. I can tell you that if you create a new GPO and it is referenced on the client by its GUID, there is something wrong. I do not know what you have done in your environment to get to this point, so I can only offer limited help.

I would start by running the following commands to check the current overall health of AD:
- repadmin /replsum
- repadmin /showrepl
- repadmin /bridgeheads
- dcdiag /v
- netdom query fsmo
- netdom query dc

Also run the Active Directory Best Practices Analyzer

swenger7 (Author) commented:
I am running the BPA on each role.

ADDS had some non-compliant items. I fixed them, reran, and all is good.
DHCP is good.
Network Policy is good.
File Services and IIS didn't have a BPA option.

DNS has two issues which I need help with, please.
1. Issue:
The network adapter Local Area Connection 4 does not list the loopback IP address as a DNS server, or it is configured as the first entry. However, I added it as the secondary DNS server, as the MS KB mentioned.

2. Issue:
The Active Directory integrated DNS zone _msdcs.{} was not found. Based on the link it takes me to, I need to restore an AD-integrated zone. I need to enter the FQDN of the zone name, but I am not sure what to enter. Can you help with that?
Will Szymkowski (Senior Solution Architect) commented:
Answers are below...
1 - Each DC/DNS server should use itself as primary (pointing to itself).
2 - The _msdcs.{} zone is used for the SRV records that locate the correct services. This is critical for Active Directory to function properly.

You will need to restore the integrated zone from backup. You would have to do an Authoritative Restore.

swenger7 (Author) commented:
So I had to add Authenticated Users to each GPO with Read only (not Apply), and then leave the security groups that I wanted applied as I had them, and now nothing appears as inaccessible.
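The fix the author landed on is the standard one: since the MS16-072 security update (June 2016), user Group Policy is retrieved in the computer's security context, so a GPO whose security filtering has been reduced to a user group, with Authenticated Users removed, can no longer be read by the machine and shows up in Group Policy Results as denied with the reason Inaccessible. Granting Authenticated Users (or Domain Computers) Read, while leaving Apply with the chosen user group, restores the read without widening who the policy applies to. As an added example (not from the thread, and not Microsoft's published script), the following PowerShell audits every GPO in the domain for that read permission and can optionally add it. It assumes the GroupPolicy RSAT module and rights to modify GPO security; $fix is left at $false so the first run only reports.

```powershell
# Added example, not from the original thread. Audit GPO security filtering for
# the Read permission the computer account needs and optionally add it.
Import-Module GroupPolicy

$fix     = $false                                       # $true to apply the change
$readers = @('Authenticated Users', 'Domain Computers') # either one lets the machine read
# Any of these permission levels includes read access.
$hasRead = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

# Get-GPPermissions / Set-GPPermissions are the Windows Server 2008 R2 cmdlet
# names; Server 2012 and later also accept the singular Get-GPPermission.
foreach ($gpo in Get-GPO -All) {
    $perms = @(Get-GPPermissions -Guid $gpo.Id -All)

    # Does a principal the computer belongs to hold at least Read?
    $readable = $perms | Where-Object {
        ($readers -contains $_.Trustee.Name) -and ($hasRead -contains $_.Permission.ToString())
    }
    # Who the policy is filtered to apply to (these ACEs are left untouched).
    $appliesTo = ($perms | Where-Object { $_.Permission.ToString() -eq 'GpoApply' } |
                  ForEach-Object { $_.Trustee.Name }) -join ', '

    if ($readable) {
        "OK       {0}  (applies to: {1})" -f $gpo.DisplayName, $appliesTo
        continue
    }

    "MISSING  {0}  no Read for Authenticated Users/Domain Computers (applies to: {1})" -f `
        $gpo.DisplayName, $appliesTo
    if ($fix) {
        # GpoRead only: the groups already holding GpoApply still decide who gets the policy.
        Set-GPPermissions -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
                          -PermissionLevel GpoRead | Out-Null
        "FIXED    {0}" -f $gpo.DisplayName
    }
}
```

After applying the change, run gpupdate /force on a test machine and re-run Group Policy Results; GPOs that were listed as Inaccessible should now appear under Applied GPOs if the logged-on user is in the Apply group, or under Denied GPOs with the reason Security Filtering if not, which is the expected outcome rather than an error.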
swenger7 (Author) commented:
Part of the issue was not resolved here, but I found the solution elsewhere.
