[gptalk] Re: GPO not being applied - custom ADM - Empty?

Hi Victor,

 

The only unlikely suggestion I can make is that replication is failing and
you are reporting contents of the GPO from one server and applying it from
the other.

 

Alternatively, when GPResult says a GPO is "empty" it will be referring to
either the Machine or User component, not both. 

 

I ran a test on my machine with an Empty policy and a Denied access policy
and got the following entries in the log. It doesn't give a "denied" section
like you mentioned. Can you post your entries from  GPResult? (My GPResult
reports Version 2.0 at the top of the report)

 

   Applied Group Policy Objects

    -----------------------------

        Default Domain Controllers Policy

        Default Domain Policy

 

    The following GPOs were not applied because they were filtered out

    -------------------------------------------------------------------

        empty

            Filtering:  Not Applied (Empty)

 

        test deny

            Filtering:  Denied (Security)

 

        Local Group Policy

            Filtering:  Not Applied (Empty) 

 

Alan Cuthbertson

 

 

 Policy Management Software:-

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml

 

ADM Template Editor:-

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml

 

Policy Log Reporter(Free)

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml

 

 

.

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Victor W.
Sent: Thursday, 16 November 2006 5:57 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO not being applied - custom ADM - Empty?

 

Hi Alan,

 

What I actually meant was that in the output of GPResult I can see the GPO
but it is in a section which has Denied above it. It also says the GPO is
empty.

The custom adm does indeed have settings and they are specifie in the GPO. I
can see that when I choose to generate a report with settings from within
GPMC.

Somehow it specifies it as Emtpy.

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Alan & Margaret
Sent: woensdag 15 november 2006 0:10
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO not being applied - custom ADM - Empty?

Hi Victor,

 

Not sure if I understood you correctly, but you originally said ". GPresult
tells me that the GPO is being denied because it is empty"

 

This sort of answers your question. Although it has an ADM template in it,
none of the settings in the ADM template have been activated and so it
considers it to be empty.

 

Alan Cuthbertson

 

 

 Policy Management Software:-

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml

 

ADM Template Editor:-

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml

 

Policy Log Reporter(Free)

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Victor W.
Sent: Wednesday, 15 November 2006 9:49 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO not being applied - custom ADM - Empty?

 

Thanks for that Alan, that cleared things up. 

 

Do you know why the GPO is being displayed as a Denied GPO in GPResult, when
I run GPResult from withing GPMC on the DC?

 

Victor

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Alan & Margaret
Sent: maandag 13 november 2006 21:30
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO not being applied - custom ADM - Empty?

Hi Victor,

 

I think you are misunderstanding what an ADM file does. It does not contain
the Policy settings, it just enables you to see the settings.

 

When you add an ADM file from within GPEdit it takes a copy to the ADM
directory within the SYSVOL\Policies\GUID\ADM directory (where GUID is a
unique identifier for that Policy.

 

This then makes the settings available within GPEDIT under the Computer
Configuration\Administrative Templates  or User Configuration\Administrative
Templates branches.

 

That is where you activate the policies. Activitating the policies then
creates entries in the Machine\ Registry.POL file and User\ Registry.POL
files.

 

After that, you can actually remove the ADM files and the settings will not
be visible in GPEDIT, but the settings will still stay applied, since they
exist in the Registry.POL file. Put the templates back and they reappear
again.

 

One thing that may have confused you was that by default it only displays
"Tattooed" policies (i.e. those in the "Software/Policies" or
"Software/Microsoft/Current Version/Policies" keys).

 

On a Windows 2000 workstation, to see non-tattooed policies you must select
"Administrative Templates" in the left panel, then Unclick "View/Show
Policies Only".

 

Note: The Sysvol\Scripts directory is not used for Policies. It is normally
just used for holding Logon Scripts 

 

Alan Cuthbertson

 

 

 Policy Management Software:-

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml

 

ADM Template Editor:-

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml

 

Policy Log Reporter(Free)

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml

 

 

.

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Victor W.
Sent: Tuesday, 14 November 2006 6:17 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO not being applied - custom ADM - Empty?

 

Some time ago I posted something here about a custom adm I made.

 

I didnt have the time to really implement it untill today but I ran into
some problems.

 

The GPO is not being applied. GPresult tells me that the GPO is being denied
because

it is empty. I checked into this and this would be the case if no settings
were defined in the adm.

The adm has surely got settings defined, so there must be something else
what is causing the error.

 

I managed to get it working after some time after doing the following:

 

When I first started to implement it, I logged on to the DC (we only have 2
by the way)

and I created the GPO from within the GPMC. In GPedit.msc I added the adm
file which I 

had saved in C:\temp.

Whatever I did, I could not get it to apply.

 

I then copied the custom adm file to the SYSVOL\Scripts folder and removed
it within GPedit.msc

and readded it again, but now I browsed to the SYSVOL\Scripts folder to add
it and not to C:\temp where the

other copy was.

 

Now the GPO worked. This was strange I thought, because even before I had
saved the adm file into the SYSVOL\Scripts 

folder, it already was in the SYSVOL\Policies folder in the folder with the
corresponding GUID.

 

Anyway, the issue was then solved I thought. I then build another GPO for
which I needed the oulk11.adm file (we were'nt yet using this adm file).

I downloaded this adm file and saved it to the SYSVOL\Scripts folder and
added the outlk11.adm  from within GPedit.msc.

From that point on that GPO worked but the GPO with the custom settings as
described above, stopped working.

 

Perhaps this is all a coincedence, it probably is. 

 

But I have the following two questions:

 

Does it matter from where the adm is added in the first place, I mean when
browsing to the adm file from within GPedit.msc

does it need to be in the SYSVOL folder to start with?

 

Why is the GPO being displayed as a Denied GPO described as empty within
GRresult.

 

Cheers,

 

 

Victor

Other related posts: