Eprs_Admin

GPO problems

Hi Experts,

I have some problems with my DEFAULT DOMAIN POLICY.
For some reason this policy is denied when I check GPRESULT.

This policy must be accessible also by my domain controllers, right?

mohammad bazzari

1. In GPMC, open Group Policy Objects node, select the GPO you are troubleshooting, and then in the right pane select the Scope tab. The Security Filtering and WMI Filtering panels show the current filtering configuration.

2. To see the exact set of permissions for users, groups and computers, select the Delegation tab and then click Advanced. Select the security group, user or computer you want to review. Keep the following in mind:
- If the policy object should be applied to the security group, user or computer, the minimum permissions should be set to allow Read and Apply Group Policy.
- If the policy object should not be applied to the security group, user or computer, the minimum permissions should be set to allow Read and deny Apply Group Policy.

If a GPO is incorrectly denied or applied due to security filtering because the user or computer had different security group memberships than expected, use Active Directory Users and Computers to check and, if necessary, change the security group memberships.

When restricting the application of a GPO, be sure to remove Authenticated Users. Otherwise all users will always be affected by the GPO.

Computers are members of the Authenticated Users group. If you remove Authenticated Users from the list on the Scope tab and you want the GPO to apply to a computer, you must specifically ensure that the computer belongs to a group that is included in the Security Filtering section on the Scope tab.



Copied from TechNet https://technet.microsoft.com/en-us/library/cc759506(v=ws.10).aspx

Eprs_Admin (ASKER)

About the DEFAULT DOMAIN POLICY, which filter do I have to set?

DOMAIN USERS

or

AUTHENTICATED USER?

My client cannot read the DEFAULT DOMAIN POLICY.
Which filtering is recommended for this policy?

AUTHENTICATED USER

OK thanks,
can you explain the difference between these two groups?

On my TS server I still have the problem with no access to the DEFAULT DOMAIN POLICY.

Can you help me please?

On my TS I get event error 1058,

the server cannot read the DEFAULT DOMAIN POLICY and therefore all other policies are not applied.

Any ideas to fix it?

ASKER CERTIFIED SOLUTION
Muhammad Burhan

This solution is only available to members.

The permissions should be like:
- Authenticated Users - Read & Apply Group Policy
- Creator Owner - Special permission
- Domain Admins - Full Control & Special permission
- Enterprise Admins - Full Control & Special permission
- Enterprise Domain Controllers - Special permission
- System - Full Control except Apply Group Policy

Hi, I have checked this.

After more analysis I have seen something strange.

1. When I connect to my DC and go to my sysvol: \\domain.local\sysvol\domain.local\Policies\.... I can see my Policy with an actual date.

2. When I connect to another server and go to my sysvol: \\domain.local\sysvol\domain.local\Policies\.... I can see my Policy with an old date and the version number is wrong.

How come, when the path to the sysvol is the same?
On the server with the wrong version number in GPT.ini the GPUPDATE is also not working, see the error:


C:\>gpupdate /force
Updating policy...

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=hbg,DC=local. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.
User Policy update has completed successfully.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

C:\>

Please clear all of the logs and then run gpupdate /force
Also generate gpresult report for troubleshooting.
Create another gpo and apply it on any PC/user and then try gpupdate and gpresult for troubleshooting

This problem is solved.
My second DC was the problem and the sysvol wasn't up to date.
After a D2 restore the system was ok again.

Thanks to all for your posts and help.
it is a way to solve it
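
The symptom in this thread (the same \\domain.local\sysvol path showing a different GPT.ini date and version depending on which server answers) can be confirmed by reading each domain controller's own SYSVOL share and comparing it with the version stored in AD. The script below is an added example, not part of the original thread; it assumes the ActiveDirectory RSAT module, read access to every DC, and the Default Domain Policy GUID shown in the gpupdate error above.

```powershell
# Added example: compare the GPO version stored in AD with the GPT.ini copy
# held in each domain controller's own SYSVOL share.
# Assumptions: ActiveDirectory module (RSAT) installed, read access to all DCs.
Import-Module ActiveDirectory

$gpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'  # GUID from the gpupdate error in the thread
$domain  = Get-ADDomain
$gpoDn   = "CN=$gpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DC = $dc.HostName; AdVersion = $null; SysvolVersion = $null
        GptIniWritten = $null; Status = 'Unknown'
    }
    try {
        # Version number as stored in this DC's copy of the directory
        $adObj = Get-ADObject -Identity $gpoDn -Server $dc.HostName -Properties versionNumber
        $row.AdVersion = $adObj.versionNumber

        # Address the DC by name: \\<domain>\sysvol is a DFS path that any DC
        # may answer, which hides a stale replica.
        $gptIni = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$gpoGuid\GPT.ini"
        $match  = Select-String -Path $gptIni -Pattern '^\s*Version\s*=\s*(\d+)' -ErrorAction Stop |
                  Select-Object -First 1
        if ($match) {
            $row.SysvolVersion = [long]$match.Matches[0].Groups[1].Value
            $row.GptIniWritten = (Get-Item $gptIni).LastWriteTime
        }

        if ($null -eq $row.SysvolVersion) {
            $row.Status = 'GPT.ini has no Version line'
        } elseif ($row.SysvolVersion -eq $row.AdVersion) {
            $row.Status = 'In sync'
        } else {
            $row.Status = 'MISMATCH'
        }
    } catch {
        $row.Status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize

# A healthy domain shows the same SYSVOL version on every DC.
$distinct = $results.SysvolVersion | Where-Object { $null -ne $_ } | Sort-Object -Unique
if (@($distinct).Count -gt 1) {
    Write-Warning "SYSVOL copies differ between DCs: $($distinct -join ', ')"
}
```

A DC reported as MISMATCH, or one whose GptIniWritten date lags the others, is the replica to investigate for SYSVOL replication problems.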