No announcement yet.

GPO Mismatch (possibly)

  • Filter
  • Time
  • Show
Clear All
new posts

  • GPO Mismatch (possibly)

    Windows Active Directory Domain: 3 DC's.
    Win2k3 (A) <--- PDC (Actually holds all 5 FSMO roles ATM)
    Win2k8 (B)
    Win2k8 (C)

    Hello all, I'm pretty sure something is broken but I am having a hard time confirming what exactly, but I know it has something to do with my GPO's.

    First, I noticed group policies applying sometimes successfully and other times not at all. So I tried a few things but came up with the same results. Then it hit me, can my GPO's be corrupted or out of sync?

    So I ran gpotool.exe on my Win7 machine and did find a lot of version mismatches. But, when I run this same tool on the Win2k3 server it shows all of my GPO's are "Ok". I know this can't be right because of all the weird inconsistencies surrounding the GPO's applying or not applying correctly.

    I ran it on the Win2k8 (B) machine and it came up with version mismatches as well. I haven't ran it on Win2k8 (C) because I'm assuming it'll be the same result.

    If these results are in fact correct, how does one go about fixing this issue? I've searched and most of the time it states to find the oldest version and deleted it, and I've found one post stating to run the GPT.ini and change the version number there. Seems like changing the version number would be the quickest and safest way to go about this, what do you think?

    I've backed up my GPO's as well so I'm ready to proceed.

    Quick update: I also heard of there possibly being an older version of GPOtool.exe which can give you bad results? So I was told by a coworker to run this other GPOtool58.exe and those results came back "Ok". So I'm lost as to what is going on here. I know my GPO's aren't working correctly, but the tool doesn't show any errors?

    Win7 <------------ GPOtool.exe (numerous errors) ----GPOtool58.exe <---- (no errors)
    Win2k3 (A) <---- GPOtool.exe (no errors) --------------GPOtool58.exe <---- (no errors)
    WIn2k8 (B) <---- GPOtool.exe (numberous errors) --GPOtool58.exe <---- (no errors)
    WIn2k8 (C) <---- Have not tested yet.

    GPOtool.exe (found errors)
    GPOtool58.exe (never found any errors on any machine)

    At a loss about what is going on concerning these GPO's being applied to users or machines correctly. All I know is, some settings work at times and don't at others.
    Last edited by beatrixkiddo; 3rd June 2016, 18:00.

  • #2
    I'm no GPO expert... What happens when you run gpupdate /force on the affected clients? If the policy fails to apply you may get more info from the error message. Is replication working properly between your DC's? Have you run dcdiag to determine the health of the domain?
    A recent poll suggests that 6 out of 7 dwarfs are not happy


    • #3
      Today I saw this article that may help you with this. The article that referenced said the information is old but that it can apply to 2012. Is this the article you saw?
      A recent poll suggests that 6 out of 7 dwarfs are not happy


      • #4
        Thank you for trying to assist me with this Blood, it's much appreciated cause it's driving me bonkers!

        Anyway, get this, I did try the gpupdate /force on two clients. One that did have the WIN10 (GWX.exe) upgrade running and one WITHOUT. The one WITH the upgrade running did not load after being prompted to log out after running the gpupdate /force. The one WITHOUT the WIN10 (GWX.exe) upgrade did start up after running the gpupdate /force. I'm at a loss as to what is going on here.

        I'll take a look at that document and it wouldn't hurt to clean things up around here. My coworker got all BIG EYED when I showed him the list of all Active Directory Objects still recorded in AD after he manually deleted a ton of objects from AD. So I guess he thought he got rid of them by just deleting them. I did mention to him he may need to do a metadata cleanup too.
        Last edited by beatrixkiddo; 6th June 2016, 17:37.


        • #5
          Update: After setting up another GPO to restrict some students from making system changes and testing with that GPO. I noticed on the machine I was testing on the GWX.exe (WIN10) process for the WIN10 upgrade again returned!

          So I once again decided to revisit that issue. I notice on the security filtering only "authenticated users" was there so I added the "everyone" group and it started working again. But, since this issue has been hit-and-miss so I don't know if this will be the Be-All-End-All solution. I can say that on my admin machine after running gpupdate/force, the GWX.exe went away immediately afterwards of running that command. So to me, that is a good sign! I'll keep my fingers crossed.


          • #6
            Great googley moogley, so far the GPO restriction to not allow GWX.exe to run seems to be working on my client machines but not on my admin machine which is ok by me. Just thought I'd update you all on that.

            What I think might be occurring is this, there were two GPO's that were trying to apply settings and when I disabled one, plus also giving the "everyone" read to the GPO, it seems to be working pretty much. My other settings for another GPO seems to be working as well for other restrictive user settings.

            Thanks for all your help, I'll call this good! (for now).