GPO Weirdness

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Ok so my GPMC is acting up again. It already did this once before on another GPO, after which the GPO just vanished without me deleting it. So lets see what y'all think.


I created a new group (a few minutes ago, so it was completely empty) to test something out. I added two computer accounts, which don't actually correspond to any computers; they're just accounts for testing.

So the only members of the group were two computer accounts.
Then I went to GPMC and added the group to my Default Domain Policy's ACL.
I denied the group Full Control.

Then, I suddenly can't view the GPO anymore. This is what I get:



It says I don't have read level permissions on it, but that would only happen if:
1, I denied my own account permission (I didn't), or
2, I denied permission to a group which I am a member of (I didn't).

So I don't get why I am denied permission.

This is what I see when I look in the container that houses all the GPOs:



As you can see, the Default Domain Policy is...invisible/gone.

And GPMC doesn't let me get a security tab on the GPO, from where I could check out the problem.


Any ideas?

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hey, I met a bit similar. I can't view my GPO regarless of anyway. So, I can't repair and I reinstall my Winserver, so sad.

I think I do something wrong in Registry Key. I just clean up some keys contain my multimedia players and ... T.T

 

Have you looked in the Event logs?

From here http://www.microsoft.com/resources/...all/proddocs/en-us/sag_sptshoot.mspx?mfr=true

 

Good call.

I'd have a look in there and see if you notice any weirdness relating to inability to read the gpt.ini file. That might indicate that your rights have somehow been FUBARed without your knowledge.

Have you looked at using DCGPOFIX to reset default permissions?

 

Ok so I went to the sysvol folder and checked the policy in question, and the Authenticated Users group was denied Full Control. That's weird because I never did that. So I gave it read permissions. It still doesn't work. Event viewer doesn't have any errors or anything relevant, as far as I can tell.
I remember backing up the polilies before, but I must have deleted them.
If anything, I might just make a new default domain policy and import the template.
I'm gonna try gpofix now...

edit: Oh awesome, first time cmd has ever told me anything in red!

edit 2: Ok got it to work. GPOFIX told me it couldn't read the policy, and was kind enough to give the DN of the policy in AD...duh! So I went there and gave the Authenticated Users their read permissions back, and voila! the GPO is back!
And I saw some of the other test GPOs that had disappeared before, all there hiding in AD.

 

GPOFix is a gem - one of those tools like DCDiag and NetDiag which can really help you out in a jam.

As to what removed the permissions, my guess is that something else you were doing affected it without your knowledge, maybe something related to DNS?

Of course, its entirely possible that AD just had one of those random DNS whiteys that it sometimes gets...