Forum Discussion
GPO processing fails
Hello everyone, I have recently figured out that gpupdate /force command on any machine leads to an error Event Viewer shows up 1058 error messages related to gpt.ini access Previou...
Here's five PowerShell commands to run that will provide some useful information on the two halves that make up a group policy object:
- The files on the SYSVOL area of the file system (lines 1 and 2); and
- The data from the Active Directory GPO object (lines 4 to 6).
Get-Content -Raw -Path "\\sm.local\SysVol\sm.local\Policies\{D6735583-A7D1-4988-83C3-75D788D95E7B}\gpt.ini";
(Get-Acl -Path "\\sm.local\SysVol\sm.local\Policies\{D6735583-A7D1-4988-83C3-75D788D95E7B}\gpt.ini").Access | fl AccessControlType, IdentityReference, FileSystemRights;
$gpo = Get-ADObject -Filter { (objectClass -like "*") -and (cn -eq "{D6735583-A7D1-4988-83C3-75D788D95E7B}") } -SearchBase "CN=Policies,CN=System,DC=sm,DC=local" -SearchScope OneLevel -Properties *;
$gpo | Select-Object objectGUID, objectClass, cn, displayName, gPCFunctionalityVersion, versionNumber, gPCFileSysPath;
$gpo.nTSecurityDescriptor.Access | fl AccessControlType, IdentityReference, ActiveDirectoryRights;
If you get any errors such as "file not found" or "access denied" while running these commands, be sure to let me know as that may be quite relevant.
Cheers,
Lain
here is the outcome:
[General]
Version=4
displayName=New Group Policy Object
AccessControlType : Allow
IdentityReference : SM\Domain Admins
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : SM\Enterprise Admins
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
FileSystemRights : FullControl
objectGUID : ca9334eb-ebf2-409f-9622-8c0c602d8cc5
objectClass : groupPolicyContainer
cn : {D6735583-A7D1-4988-83C3-75D788D95E7B}
displayName : Biometry
gPCFunctionalityVersion : 2
versionNumber : 4
gPCFileSysPath : \\sm.local\SysVol\sm.local\Policies\{D6735583-A7D1-4988-83C3-75D788D95E7B}
AccessControlType : Allow
IdentityReference : CREATOR OWNER
ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl,
WriteOwner
AccessControlType : Allow
IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
ActiveDirectoryRights : GenericRead
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
ActiveDirectoryRights : GenericRead
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl,
WriteOwner
AccessControlType : Allow
IdentityReference : SM\Domain Admins
ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl,
WriteOwner
AccessControlType : Allow
IdentityReference : SM\Enterprise Admins
ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl,
WriteOwner
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
ActiveDirectoryRights : ExtendedRight