2012 domain GPO inconsistancy between GPO's and SYSVOL/Polices

Hi all,

Need some help as a bit stuck with this. I have a 2012 domain with several DCs on different sites.
I can create new GPO's and they are created and replicated with a problem ( it appears)
Ive run DCDIAG and repladmin and they dont come back with any errors.

The FSMO roles are all running on windc01.
The baseline DC is windc02.
I have 47 GPO's but 55 folders in the polices folder of the sysvol. This is consistent with all DC's.

Today I tested the deletion of a GPO after deleting from the GPMT the corresponding police wasn't deleted.

When drilling into the orphaned policy folder on windc01 I get policy->machine->scripts which is empty. If I do the same on any other DC i get an access denied message when clicking into the scripts folder.

If I click on 2 subsequent polices that have been deleted I can see the polices are still there. I get an access denied when trying click into.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Toni UranjekConsultant/TrainerCommented:
You can check GPO problems with GPMC since Windows 2012.

Check Group Policy Infrastructure Status
MattAuthor Commented:
Yes im aware of that. Its telling that all is OK apart from Windc01 which the SYSVOL is inaccessible.

The sysvol on the server is OK  though?
Check your DFS Replication Log for errors for starters:
DFS Replication
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

MattAuthor Commented:
There are no errors. Like I said the replication isnt the problem. Its the sysvol on the PDC not as should be
Toni UranjekConsultant/TrainerCommented:
"Inaccesible" looks like link. Is more info available?
MattAuthor Commented:
No help given. Just says :

"Active directory or sysvol is not accessible on this domain controller or an object is missing"
MattAuthor Commented:
I have found 4 polices folders that still exist in the sysvol/polices folder of all DC's

The four folders arent matched to any exisint SID of my GPO's because they have been deleted at some point, however they have failed to be removed from the SYSVOL.

If I try and select navigate into any of these on WINDC01 I get an access denied.
If try the same on any other DC I can navigate into them all of which are empty or have remnants of a GPO.

Looks to me like there is an issue with the permission of the GPOs on WINDC01 as this holds the FSMO roles.
Toni UranjekConsultant/TrainerCommented:
Place any text file on Sysvol on MTCD01. Does it replicate?
If not, place any text file on any other DC. Does it replicate?

If not, check the following article:
How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS)
MattAuthor Commented:
There is no issue with replication!
MattAuthor Commented:
OK I have just changed the baseline server to my PDC and run a detect now... heres the results:
MattAuthor Commented:
The MEU direct access GPO in question was created recently. When I select that in the management window it says the permissions are inconsistent.
Toni UranjekConsultant/TrainerCommented:
Check permissions on MTDC01 and any other DC for this GPO. Are the really different?
MattAuthor Commented:
No the permissions are not different.

As an example i just deleted the MEU_directaccess_setting GPO using the GPMT on windc01. Once I had removed the GPO I checked the sysvol folder. It hasnt removed the corresponding folder instead it has marked as being the last modified GPO and gives me an access denied when trying to click into.

This has replicated the same over to windc02 however I can select into the folder (which is empty)
Toni UranjekConsultant/TrainerCommented:
Once I had removed the GPO I checked the sysvol folder. It hasnt removed the corresponding folder instead it has marked as being the last modified GPO and gives me an access denied when trying to click into.

And your account has Full Control permission on SYSVOL folder and subfolders?
MattAuthor Commented:
Im a domain admin

( or should I say my admin account is a domain admin)
Toni UranjekConsultant/TrainerCommented:
Check effective NTFS permission for folder you are getting access denied. Does is actually show Full Control?
MattAuthor Commented:
Shows I have no ownership of the folder. So no effective permissions. (this is only on polices that I have been deleted. Yet on the other dc's with my same account I have no issue.
Toni UranjekConsultant/TrainerCommented:
Who is the owner?
MattAuthor Commented:
It should be domain admins..

Doesn't really make any sense.

It would appear the problem is with permissions of policies being created on the PDC. I can create new GPOs but cannot delete them properly which then makes windc01 show as inaccesible
Toni UranjekConsultant/TrainerCommented:
I concur. It does not make a lot of sense.

Did you try to use another Domain Admins account? Can you reproduce the issue?

Even if you do not see any replication error's you can still restore SYSVOL following posted article.
MattAuthor Commented:
Tried the domain\administrators account. Same issue.

Can create a GPO without a problem. I then delete the GPO and the corresponding folder isn't deleted. I then get access denied errors to various subfolders. Before its deleted I have full control.
MattAuthor Commented:
I checked ADSIEDIT the polices do not exist in under system-policies after they have been deleted.

It appears they just aren't being removed from the SYSVOL
Toni UranjekConsultant/TrainerCommented:
These are called orphaned GPOs. They actually don't have any effect, except using space.

You can find them and delete them with help of script like this:

How Can Get a List of All My Orphaned Group Policy Objects?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.