Link to home
Start Free TrialLog in
Avatar of Eprs_Admin
Eprs_AdminFlag for Austria

asked on

GPO problems

Hi Experts,

I have some problems with my DEFAULT DOMAIN POLICY.
For some reason this policy is denied when I check GPRESULT.

This policy must be accessible also by my domain conrollers right ?
Avatar of mohammad bazzari
mohammad bazzari
Flag of Jordan image

1.In GPMC, open Group Policy Objects node, select the GPO you are troubleshooting, and then in the right pane select the Scope tab. The Security Filtering and WMI Filtering panels show the current filtering configuration.

2.To see the exact set of permissions for users, groups and computers, select the Delegation tab and then click Advanced. Select the security group, user or computer you want to review. Keep the following in mind:
- If the policy object should be applied to the security group, user or computer, the minimum permissions should be set to allow Read and Apply Group Policy.

- If the policy object should not be applied to the security group, user or computer, the minimum permissions should be set to allow Read and deny Apply Group Policy.

If a GPO is incorrectly denied or applied due to security filtering because the user or computer had different security group memberships than expected, use Active Directory Users and Computers to check and, if necessary change, the security group memberships.

When restricting the application of a GPO, be sure to remove Authenticated Users. Otherwise all users will always be affected by the GPO.

Computers are members of the Authenticated Users group. If you remove Authenticated Users from the list on the Scope tab and you want the GPO to apply to a computer, you must specifically ensure that the computer belongs to a group that is included in the Security Filtering section on the Scope tab.

Copied from TechNet
Avatar of Eprs_Admin


about the DEFAULT DOMAIN POLICY, which filter do I have to set ?



my client cannot read the DEFAULT DOMAIN POLICY.
Which filtering is recommended for this policy ?
ok thanks,
can you explain the difference between these two groups ?
on my TS Server I have still the problem with no access of the DEFAULT DOMAIN POLICY.

Can you help me please ?
on my TS I get event error 1058,

the server cannot read the DEFAULT DOMAIN POLICY and therefore all other policies are not applied.

Any ideas to fix it ?
Avatar of Muhammad Burhan
Muhammad Burhan
Flag of Pakistan image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
The permissions should be like:
Authenticate Users - Read & Apply Group Policy
Creator Owner - Special permission
Domain Admins - Full Control & Special permission
Enterprise Admins - Full Control & Special permission
Enterprise Domain Controllers - Special permission
System - Full Control except Apply Group Policy
Hi I have checked this.

After more analysis I have seen something strange.

1. When I connect to my DC and go to my sysvol : \\domain.local\sysvol\domain.local\Policies\.... I can see my Policy with an actual date.

2. When I connect to another server and go to my sysvol : \\domain.local\sysvol\domain.local\Policies\.... I can see my Policy with an old date and the version number is wrong.

How it comes, the path to the sysvol is the same ?
On the server with the wrong version number in GPT.ini the GPUPDATE is also not working, see the error:

C:\>gpupdate /force
Updating policy...

Computer policy could not be updated successfully. The following errors were enc

The processing of Group Policy failed. Windows could not apply the registry-base
d policy settings for the Group Policy object LDAP://CN=Machine,CN={31B2F340-016
D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=hbg,DC=local. Group Policy se
ttings will not be resolved until this event is resolved. View the event details
 for more information on the file name and path that caused the failure.
User Policy update has completed successfully.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
rom the command line to access information about Group Policy results.

Please clear all of the logs and then run gpupdate /force
Also generate gpresult report for troubleshooting.
Create another gpo and apply it on any PC/user and then try gpupdate and gpresult for troubleshooting
this problem is solved.
My second DC was the problem and the sysvol wasn´t up to date.
After a D2 restore the system was ok again.

Thanks too all your posts and help
it is a way to solve it