AfternoonShift


Remove GPO from Server 2012 R2

How do I go about removing/resetting the Default Domain Policy on a Server 2012 R2 server?

The previous admin made all his changes in the Default Domain Policy, and when I added "Authenticated Users" to the policy, the policy was sent out to a few of the servers. I originally was just changing the domain password policy, but it wasn't getting applied to anyone and I noticed there was no one listed in the "Security Filtering".

Now it currently tells me when I run gpresult /Scope User /v that the permission is denied. I removed "Authenticated Users" from the "Security Filtering" so it wouldn't push out the policy anymore.




Also, when I do gpupdate /force on the domain controller (2012 R2 as well), I get a different message.

C:\>gpupdate /force
Updating policy...

Computer Policy update has completed successfully.

The following warnings were encountered during computer policy processing:

Windows failed to record Resultant Set of Policy (RSoP) information, which descr
ibes the scope of Group Policy objects applied to the computer or user. This cou
ld be caused by RSOP being disabled or Windows Management Instrumentation (WMI)
service being disabled, stopped, or other WMI errors. Group Policy settings succ
essfully applied to the computer or user; however, management tools may not repo
rt accurately.
User Policy update has completed successfully.

The following warnings were encountered during user policy processing:

Windows failed to record Resultant Set of Policy (RSoP) information, which descr
ibes the scope of Group Policy objects applied to the computer or user. This cou
ld be caused by RSOP being disabled or Windows Management Instrumentation (WMI)
service being disabled, stopped, or other WMI errors. Group Policy settings succ
essfully applied to the computer or user; however, management tools may not repo
rt accurately.

For more detailed information, review the event log or run GPRESULT /H GPReport.
html from the command line to access information about Group Policy results.

If I type GPRESULT /H GPReport, I get access denied.
SOLUTION
Cliff Galiher
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
AfternoonShift

ASKER

Is there a way I can force them to reset on just a local computer/server, since they cannot be removed?

I changed the Default Domain Policy all back to default manually. Instead of using "Authenticated Users", can I just add a single user for testing?

Could I also make another GPO and force it to overwrite the Default Domain Policy?
ASKER CERTIFIED SOLUTION
This solution is only available to members.

Thanks. Yeah, before the bad policy was deployed, I could run rsop... but on whichever PC has the policy applied, I get access denied. I will give a few of your suggestions a try and update. Thanks to both comments so far!

Open the command prompt with "Run as administrator" on the server or client and run gpresult /h C:\GP.html. This will create a GP.html file on the C volume. Open the HTML file and see if you can view the policies applied.

Here is what I get when I run this on the DC or on a client with the bad Default Group Policy.

C:\>gpresult /h C:\GP.html
ERROR: Access Denied.


I did make an OU called "testing" and added a user and computer to one of the affected client computers. I then made a new GPO and enforced it. The GPO is mostly blank, besides a few options to see if it applied. Nothing seemed to change on the client's PC. I did go into regedit and looked under HLM -> Group Policy -> History, and I can see just the enforced GPO and the Local GPO.

I still get this error when I do gpupdate as well.

Windows failed to record Resultant Set of Policy (RSoP) information, which descr
ibes the scope of Group Policy objects applied to the computer or user. This cou
ld be caused by RSOP being disabled or Windows Management Instrumentation (WMI)
service being disabled, stopped, or other WMI errors. Group Policy settings succ
essfully applied to the computer or user; however, management tools may not repo
rt accurately.

Though both services are running.
SOLUTION
This solution is only available to members.

OK. I did that to the workstation and rebooted. It still won't let me do rsop.msc and I still get an error when doing gpupdate /force.

I haven't rebooted the server since all this went down either, though it's at the end of the work week, so I can do that now without anyone in the building.

I had another idea of maybe enabling the old strict one, but changing all the options that were enabled to disabled, instead of "not defined"... not sure if that would force a change to the servers and clients.

Yes, you can apply the old GPO and set the GPO settings to disabled as per requirements and check.

Everything seems to be running smoothly again. While I still have 1 PC that won't remove some of the bad GPO... all the others have picked it up and applied the settings. Thanks for your help Sandeshdubey & Cliff.

Once I enabled the OLD GPO with the settings back to default and tested on a few machines that were online, it seemed to take effect. Thankfully I still have a 2003 server online, so I could remove the settings that are no longer listed in the 2012 R2 Default Domain Policy.
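
The thread turns on who the Default Domain Policy was filtered to ("no one listed", then "Authenticated Users", then a single test user). The following PowerShell is an added example, not code from any of the posts: it snapshots the GPO and lists its current apply scope before the filter is changed. The folder `C:\GpoSnapshots` and both function names are hypothetical.

```powershell
# Added example, not from the thread. Needs the GroupPolicy module (GPMC/RSAT)
# and an account that can read the GPO. Read-only apart from the backup files.
Import-Module GroupPolicy

function Get-GpoApplyScope {
    param([string]$GpoName = 'Default Domain Policy')   # GPO named in the thread

    # -All returns every trustee on the GPO, not only one named target.
    $perms = Get-GPPermission -Name $GpoName -All

    # GPMC's "Security Filtering" box lists the trustees holding GpoApply
    # (Read + Apply group policy) that are not deny entries.
    $apply = @($perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied })

    # S-1-5-11 is the well-known SID for Authenticated Users.
    $broad = @($apply | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' })

    $note = if ($apply.Count -eq 0) {
        'No trustee has GpoApply: the GPO applies to nobody.'
    } elseif ($broad.Count -gt 0) {
        'Authenticated Users has GpoApply: every user and computer in scope of the link gets it.'
    } else {
        'Filtered to specific trustees only.'
    }

    [pscustomobject]@{
        GpoName   = $GpoName
        AppliesTo = $apply | ForEach-Object { $_.Trustee.Name }
        AllAcl    = $perms | ForEach-Object { '{0}: {1}' -f $_.Trustee.Name, $_.Permission }
        Note      = $note
    }
}

function Save-GpoSnapshot {
    param(
        [string]$GpoName = 'Default Domain Policy',
        [string]$Path    = 'C:\GpoSnapshots'          # hypothetical folder
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Restorable backup plus a readable report of the current settings.
    Backup-GPO -Name $GpoName -Path $Path | Out-Null
    Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $Path "$GpoName.html")
}

Save-GpoSnapshot
Get-GpoApplyScope | Format-List
```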