Cannot access or delete GPO

  • Cannot access or delete GPO

    I'm planning to upgrade my work domain to 2003 R2. While testing and running all the checks I discovered that there are two copies of the 'Default Domain Policy' GPO on my network. One is enabled with all settings and is named 'Default Domain Policy' with an ID of '{30EBDBD4-F3A0-4D87-AE7A-7EB82D07C39A}'. The other policy is called 'Temp' with an ID of '{31B2F340-016D-11D2-945F-00C04FB984F9}'. Interesting thing to note is that 'Temp' has an ID that is reserved for the 'Default Domain Policy' GPO. So as a result I cannot delete this GPO. When I try to view the settings from the Group Policy Management console I get an error saying 'System cannot find specified file'. I'd really appreciate any help on this topic. I'm currently running Windows 2004 domain controller with SP4.

  • #2
    Re: Cannot access or delete GPO

    crazyleo_EA,

    Please DO NOT double post. I'll let you off with a warning this time.

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Cannot access or delete GPO

      I'm currently running Windows 2004 domain controller with SP4
      Is there a SP4 for Windows 2004 Domain Controllers already? I didn't even know that there was a Windows 2004 before Windows 2008.


      You already knew that:
      => {31B2F340-016D-11D2-945F-00C04FB984F9} is expected to be the 'Default Domain Policy'
      And that:
      => {30EBDBD4-F3A0-4D87-AE7A-7EB82D07C39A} is not supposed to be the 'Default Domain Policy' (and in fact is not, Windows OS identifies default domain policies by its GUIDs located in SYSVOL folder).

      I cannot give you a best answer, but
      this is what I would try to do,

      1st-
      (Rename, then..) Backup and Delete {30EBDBD4-F3A0-4D87-AE7A-7EB82D07C39A} by using a script:
      - http://technet2.microsoft.com/window....mspx?mfr=true
      (If renaming was not possible, then you probably have to edit in ADSIEdit.
      Domain /CN=System / CN=Policies / rightclick-Properties {30EBDBD4-F3A0-4D87-AE7A-7EB82D07C39A} change "Display name").

      2nd-
      (Rename only if possible now, and Backup then..) Restore to defaults {31B2F340-016D-11D2-945F-00C04FB984F9}
      - http://windowsitpro.com/article/arti...ects-gpos.html / http://technet2.microsoft.com/window....mspx?mfr=true
      - Win2k: http://support.microsoft.com/?kbid=226243 / http://windowsitpro.com/article/arti...ects-gpos.html


      By using the free utility "sysexp.exe" you can export the 'listView' of both GPO GUIDs in ADSIEdit.
      Could you post them, so we can compare and see if they point to the correct file path.


      \Rems


      EDIT
      -in addition-
      Found this article about How to manually create Default Domain GPO;
      http://www.codedigest.com/Articles/D...omain_GPO.aspx
      Last edited by Rems; 5th June 2008, 06:07.

      This posting is provided "AS IS" with no warranties, and confers no rights.

      __________________

      ** Remember to give credit where credit's due **
      and leave Reputation Points for meaningful posts



      • #4
        Re: Cannot access or delete GPO

        Originally posted by m80arm
        crazyleo_EA,

        Please DO NOT double post. I'll let you off with a warning this time.

        Michael
        My bad, I thought I deleted it from here before posting the other thread. Will take care in future posts.



        • #5
          Re: Cannot access or delete GPO

          Originally posted by Rems
          Is there a SP4 for Windows 2004 Domain Controllers already? I didn't even know that there was a Windows 2004 before Windows 2008.
          Heh heh, that was a typo, I meant win2k with sp4.

          Originally posted by Rems
          2nd-
          (Rename only if possible now, and Backup then..) Restore to defaults {31B2F340-016D-11D2-945F-00C04FB984F9}
          The only problem is that there is no folder or files that exist for GPO '{31B2F340-016D-11D2-945F-00C04FB984F9}' under the sysvol location.

          This is what I did to resolve this issue:

          1. Created a new folder for '{31B2F340-016D-11D2-945F-00C04FB984F9}' under sysvol.
          2. Copied files from '{30EBDBD4-F3A0-4D87-AE7A-7EB82D07C39A}' folder to '{31B2F340-016D-11D2-945F-00C04FB984F9}' folder as it had all the required settings.
          3. Ran GPOTOOL.exe to find out that there is a version mismatch between AD and SYSVOL versions.
          4. Edited '{31B2F340-016D-11D2-945F-00C04FB984F9}' GPO from gpedit.msc and added a new setting (anything goes) and saved the changes.
          5. Ran GPOTOOL and voila, no version mismatch and I've got the 'default domain policy' GPO without using any scripts or modifying schema.

          Thanks for contributing to this post.
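
An offline sketch of the AD-versus-SYSVOL version comparison that GPOTOOL reported in steps 3 and 5 above (added example, not part of the original posts and not GPOTOOL's own code): it compares the `versionNumber` attribute of a GPO's AD object with the `Version` value in that GPO's `GPT.INI`. The AD record, the version values and the temporary Policies folder are constructed; only the two GUIDs come from the thread.

```python
import configparser
import shutil
import tempfile
from pathlib import Path

DEFAULT = "{31B2F340-016D-11D2-945F-00C04FB984F9}"  # GUIDs as quoted in the thread
OTHER = "{30EBDBD4-F3A0-4D87-AE7A-7EB82D07C39A}"

def split_version(v):
    """A GPO version is 32-bit: high 16 bits user part, low 16 bits computer part."""
    return {"user": v >> 16, "computer": v & 0xFFFF}

def sysvol_version(policies_dir, guid):
    """Version from <Policies>/<guid>/GPT.INI, or None if folder, file or entry is absent."""
    ini = Path(policies_dir) / guid / "GPT.INI"
    if not ini.is_file():
        return None
    cp = configparser.ConfigParser()
    cp.read(ini, encoding="utf-8-sig")
    return cp.getint("General", "Version", fallback=None)

def check_gpo(ad_gpo, policies_dir):
    """Compare one AD groupPolicyContainer record with its SYSVOL folder."""
    fs = sysvol_version(policies_dir, ad_gpo["cn"])
    if fs is None:
        return "missing-sysvol"
    return "ok" if fs == ad_gpo["versionNumber"] else "version-mismatch"

def demo():
    """Replay steps 1-5 of the post against a constructed Policies folder."""
    ad = {"cn": DEFAULT, "versionNumber": 3}          # constructed AD-side value
    results = []
    with tempfile.TemporaryDirectory() as root:
        pol = Path(root)
        (pol / OTHER).mkdir()
        (pol / OTHER / "GPT.INI").write_text("[General]\nVersion=65553\n")
        results.append(check_gpo(ad, pol))            # before: no folder in SYSVOL
        (pol / DEFAULT).mkdir()                       # steps 1-2: create and copy
        shutil.copy(pol / OTHER / "GPT.INI", pol / DEFAULT / "GPT.INI")
        results.append(check_gpo(ad, pol))            # step 3: versions differ
        # Step 4, modelled as the editor writing one new value to both sides
        # (assumption: the thread only reports that the mismatch disappeared).
        ad["versionNumber"] = 65554
        (pol / DEFAULT / "GPT.INI").write_text("[General]\nVersion=65554\n")
        results.append(check_gpo(ad, pol))            # step 5: consistent again
    return results

if __name__ == "__main__":
    print(demo(), split_version(65553))
```

On a real domain the AD-side values are the `cn` and `versionNumber` attributes of the objects under CN=Policies,CN=System that ADSIEdit shows.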



          • #6
            Re: Cannot access or delete GPO

            nice!

            Thanks for sharing Leo!

            \Rems

            This posting is provided "AS IS" with no warranties, and confers no rights.

            __________________

            ** Remember to give credit where credit's due **
            and leave Reputation Points for meaningful posts
