GPO problems

Hi Experts,

I have some problems with my DEFAULT DOMAIN POLICY.
For some reason this policy is denied when I check GPRESULT.

This policy must be accessible also by my domain conrollers right ?
Eprs_AdminSystem ArchitectAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mohammad bazzariMicrosoft Infrastructure ExpertCommented:
1.In GPMC, open Group Policy Objects node, select the GPO you are troubleshooting, and then in the right pane select the Scope tab. The Security Filtering and WMI Filtering panels show the current filtering configuration.


2.To see the exact set of permissions for users, groups and computers, select the Delegation tab and then click Advanced. Select the security group, user or computer you want to review. Keep the following in mind:
- If the policy object should be applied to the security group, user or computer, the minimum permissions should be set to allow Read and Apply Group Policy.


- If the policy object should not be applied to the security group, user or computer, the minimum permissions should be set to allow Read and deny Apply Group Policy.




If a GPO is incorrectly denied or applied due to security filtering because the user or computer had different security group memberships than expected, use Active Directory Users and Computers to check and, if necessary change, the security group memberships.

When restricting the application of a GPO, be sure to remove Authenticated Users. Otherwise all users will always be affected by the GPO.

Computers are members of the Authenticated Users group. If you remove Authenticated Users from the list on the Scope tab and you want the GPO to apply to a computer, you must specifically ensure that the computer belongs to a group that is included in the Security Filtering section on the Scope tab.



Copied from TechNet https://technet.microsoft.com/en-us/library/cc759506(v=ws.10).aspx
Eprs_AdminSystem ArchitectAuthor Commented:
about the DEFAULT DOMAIN POLICY, which filter do I have to set ?

DOMAIN USERS

or

AUTHENTICATED USER ?
Eprs_AdminSystem ArchitectAuthor Commented:
my client cannot read the DEFAULT DOMAIN POLICY.
Which filtering is recommended for this policy ?
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

mohammad bazzariMicrosoft Infrastructure ExpertCommented:
AUTHENTICATED USER
Eprs_AdminSystem ArchitectAuthor Commented:
ok thanks,
can you explain the difference between these two groups ?
Eprs_AdminSystem ArchitectAuthor Commented:
on my TS Server I have still the problem with no access of the DEFAULT DOMAIN POLICY.

Can you help me please ?
Eprs_AdminSystem ArchitectAuthor Commented:
on my TS I get event error 1058,

the server cannot read the DEFAULT DOMAIN POLICY and therefore all other policies are not applied.

Any ideas to fix it ?
Muhammad BurhanManager I.T.Commented:
1. First of all check the SYSVOL and NETLOGON shares are available and on server, problematic GPO is present.
2. Run Group Policy Best Practice Analyzer to check errors.
3. Right click on the faulty gpt.ini file and click Permissions.
4. Switch to Security tab and click Edit.
5. Highlight Authenticated Users, remove all the boxes under Deny and check the following items under Allow.
  Read & execute
  Read
6. Click OK twice to test the issue.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/0b894419-0174-450d-8764-b2fa404d768f/what-does-event-id-1058-mean?forum=winserverDS

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Muhammad BurhanManager I.T.Commented:
The permissions should be like:
Authenticate Users - Read & Apply Group Policy
Creator Owner - Special permission
Domain Admins - Full Control & Special permission
Enterprise Admins - Full Control & Special permission
Enterprise Domain Controllers - Special permission
System - Full Control except Apply Group Policy
Eprs_AdminSystem ArchitectAuthor Commented:
Hi I have checked this.

After more analysis I have seen something strange.

1. When I connect to my DC and go to my sysvol : \\domain.local\sysvol\domain.local\Policies\.... I can see my Policy with an actual date.

2. When I connect to another server and go to my sysvol : \\domain.local\sysvol\domain.local\Policies\.... I can see my Policy with an old date and the version number is wrong.

How it comes, the path to the sysvol is the same ?
Eprs_AdminSystem ArchitectAuthor Commented:
On the server with the wrong version number in GPT.ini the GPUPDATE is also not working, see the error:


C:\>gpupdate /force
Updating policy...

Computer policy could not be updated successfully. The following errors were enc
ountered:

The processing of Group Policy failed. Windows could not apply the registry-base
d policy settings for the Group Policy object LDAP://CN=Machine,CN={31B2F340-016
D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=hbg,DC=local. Group Policy se
ttings will not be resolved until this event is resolved. View the event details
 for more information on the file name and path that caused the failure.
User Policy update has completed successfully.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
rom the command line to access information about Group Policy results.

C:\>
Muhammad BurhanManager I.T.Commented:
Please clear all of the logs and then run gpupdate /force
Also generate gpresult report for troubleshooting.
Muhammad BurhanManager I.T.Commented:
Create another gpo and apply it on any PC/user and then try gpupdate and gpresult for troubleshooting
Eprs_AdminSystem ArchitectAuthor Commented:
this problem is solved.
My second DC was the problem and the sysvol wasn´t up to date.
After a D2 restore the system was ok again.

Thanks too all your posts and help
Eprs_AdminSystem ArchitectAuthor Commented:
it is a way to solve it
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.