[gptalk] Re: GPO not being applied - custom ADM - Empty?

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 14 Nov 2006 15:05:04 -0800

Denied means that security filtering on the GPO is preventing the user or
computer from processing that GPO.


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Victor W.
Sent: Tuesday, November 14, 2006 2:49 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO not being applied - custom ADM - Empty?

Thanks for that Alan, that cleared things up. 
Do you know why the GPO is being displayed as a Denied GPO in GPResult, when
I run GPResult from withing GPMC on the DC?


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Alan & Margaret
Sent: maandag 13 november 2006 21:30
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO not being applied - custom ADM - Empty?

Hi Victor,


I think you are misunderstanding what an ADM file does. It does not contain
the Policy settings, it just enables you to see the settings.


When you add an ADM file from within GPEdit it takes a copy to the ADM
directory within the SYSVOL\Policies\GUID\ADM directory (where GUID is a
unique identifier for that Policy.


This then makes the settings available within GPEDIT under the Computer
Configuration\Administrative Templates  or User Configuration\Administrative
Templates branches.


That is where you activate the policies. Activitating the policies then
creates entries in the Machine\ Registry.POL file and User\ Registry.POL


After that, you can actually remove the ADM files and the settings will not
be visible in GPEDIT, but the settings will still stay applied, since they
exist in the Registry.POL file. Put the templates back and they reappear


One thing that may have confused you was that by default it only displays
"Tattooed" policies (i.e. those in the "Software/Policies" or
"Software/Microsoft/Current Version/Policies" keys).


On a Windows 2000 workstation, to see non-tattooed policies you must select
"Administrative Templates" in the left panel, then Unclick "View/Show
Policies Only".


Note: The Sysvol\Scripts directory is not used for Policies. It is normally
just used for holding Logon Scripts 


Alan Cuthbertson



 Policy Management Software:-



ADM Template Editor:-



Policy Log Reporter(Free)







From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Victor W.
Sent: Tuesday, 14 November 2006 6:17 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO not being applied - custom ADM - Empty?


Some time ago I posted something here about a custom adm I made.


I didnt have the time to really implement it untill today but I ran into
some problems.


The GPO is not being applied. GPresult tells me that the GPO is being denied

it is empty. I checked into this and this would be the case if no settings
were defined in the adm.

The adm has surely got settings defined, so there must be something else
what is causing the error.


I managed to get it working after some time after doing the following:


When I first started to implement it, I logged on to the DC (we only have 2
by the way)

and I created the GPO from within the GPMC. In GPedit.msc I added the adm
file which I 

had saved in C:\temp.

Whatever I did, I could not get it to apply.


I then copied the custom adm file to the SYSVOL\Scripts folder and removed
it within GPedit.msc

and readded it again, but now I browsed to the SYSVOL\Scripts folder to add
it and not to C:\temp where the

other copy was.


Now the GPO worked. This was strange I thought, because even before I had
saved the adm file into the SYSVOL\Scripts 

folder, it already was in the SYSVOL\Policies folder in the folder with the
corresponding GUID.


Anyway, the issue was then solved I thought. I then build another GPO for
which I needed the oulk11.adm file (we were'nt yet using this adm file).

I downloaded this adm file and saved it to the SYSVOL\Scripts folder and
added the outlk11.adm  from within GPedit.msc.

From that point on that GPO worked but the GPO with the custom settings as
described above, stopped working.


Perhaps this is all a coincedence, it probably is. 


But I have the following two questions:


Does it matter from where the adm is added in the first place, I mean when
browsing to the adm file from within GPedit.msc

does it need to be in the SYSVOL folder to start with?


Why is the GPO being displayed as a Denied GPO described as empty within








Other related posts: