Domain Policy Deleted

By The Young One
Hi Everyone,
The Default Domain Policy on our network was unlinked and a new default domain policy was manually created in its place. The problem being that the GUID that the clients refer to for the default domain policy has changed along with the name of the GPO.

For ease of explanation, let's call the original out-of-the-box default domain policy POLICY-A
and the new renamed policy POLICY-B

After POLICY-A was unlinked, half our clients were rolled out and joined to the network. These clients now only read policies from POLICY-B as that was the default domain policy when they were joined to the network.

When I found out about the policy rename I did the following:
A) went berko at the person who did it
B) Relinked the original policy as it was via gpmgmt console
C) Successfully applied the policy to the machines I rolled out the following week after I arrived back.
D) Removed POLICY-B as it was a complete disaster

Half of my clients now look for POLICY-B, which is nonexistent, and don't respond to POLICY-A at all, most likely because POLICY-B had some sort of ridiculous Policy Refresh Interval or 'tattooing' in place.

I have tried GPUPDATE on these machines, and I have tried adding and removing the machines from the domain. The only thing that seems to work is running an in-place upgrade (Repair the previous installation) from the XP PRO installation CD. With 120 clients with this issue and not enough time to roll out the machines again, I am desperately seeking a fix to get things working again.

I have had a quick look at Secedit but Microsoft doesn't seem to think that this'll fix it, but will gladly take $300 AUS off me to talk me through an A to Z fix.

PS. Replication is nonexistent as I have only one DC in place until I get this fixed (can't afford the replication variable right now)

by tamj123 In reply to Domain Policy Deleted

Try this:

Using Secedit.exe to Force Group Policy to Be Applied Again

When an administrator changes a Group Policy Object (GPO), the change takes place on a domain controller (typically the Windows domain controller holding the primary domain controller Flexible Single Master Operation [FSMO] role). The change is then replicated to other domain controllers through Active Directory and SYSVOL replication. At regular intervals, domain controllers and clients check for modifications to the GPOs. If any changes exist, they are applied.

If immediate re-evaluation and application of group policy is necessary, you can invoke a command that triggers this process. For additional information about the default intervals for background refresh of Group Policy, click the article number below to view the article in the Microsoft Knowledge Base:
203607 How to Modify the Default Group Policy Refresh Interval

To trigger Group Policy application for the local computer, type the following line at a command prompt:
secedit /refreshpolicy machine_policy

To trigger Group Policy application for the currently logged on user, type the following line at a command prompt:
secedit /refreshpolicy user_policy

by tamj123 In reply to

Normally, if the GPOs that define the environment for the user have not changed from the last time Group Policy was applied, the GPO is skipped and not applied again. In either case, specifying /enforce on the command line re-applies the policy even if the GPOs that apply to the computer or user have not changed. An example of the command line in this case is:
secedit /refreshpolicy machine_policy /enforce

After Windows 2000 has accepted the request, the following text should be displayed to the user:
Group policy propagation from the domain has been initiated for this computer. It may take a few minutes for the propagation to complete and the new policy to take effect. Please check Application Log for errors, if any.

For information about the new command-line utility, Gpupdate.exe, in Microsoft Windows XP and Microsoft Windows Server 2003 that replaces the /refreshpolicy switch in Secedit.exe in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

by lcampbell In reply to Domain Policy Deleted

secedit /refreshpolicy machine_policy /enforce

From the domain controller

by lcampbell In reply to

You can also check where from and what policy the machine is pulling from by running 'gpresult' from the command line of the local machine.
