Can't delete a Group Policy Object.


Mario Lavigne

Hey there,

There's a policy I can't delete right now. I added a package in the GPO and
set the authenticated users read security to Deny. Must have messed the
GPO up really badly because I can't delete it nor can I see the package I put
there.

Do you know any way I could delete it manually? Would deleting it in SYSVOL
be enough?


I sure won't mess with Authenticated users security again, I swear ;)


Mario Lavigne
 
Hi,

Mario said:
> There's a policy I can't delete right now. I added a package in the GPO and
> set the authenticated users read security to Deny. [...]
> Do you know any way I could delete it manually?

Yes. Take a look at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;294257
You can take ownership like in the filesystem, but it's not as
easy as that.

> Would deleting it in SYSVOL be enough?

Please don't do this.

> I sure won't mess with Authenticated users security again, I swear ;)

Good boy .. :-)

HTH
Mark
 
Thanks for your quick answer.

Unfortunately, that didn't work. I can open the GPO fine, even add new
applications. The thing I can't do is delete it.

Here's the error message I get when I try to delete it in GPMC (deleting in
the standard console doesn't give any errors). It's in French so I'll translate
it the best I can:

"Le service d'annuaire ne peut effectuer l'opération requise que sur un
objet Noeud Terminal."

Seems the object is not a "valid node object" and the operation can't be
done.

I've tried looking on TechNet and Google for this message to no avail.

I've also checked every SYSVOL security and the actual GPO security and it's
quite fine. The packages inside are what is bugging the GPO.

Any other tips?


 
Hi,

Mario said:
> Unfortunately, that didn't work. I can open the GPO fine, even add new
> applications. The thing I can't do is delete it.

Have you worked with the dsacls command in cmd?

Mark
 
Hey

Mark Heitbrink said:
> Have you worked with the dsacls command in cmd?

Yes I did. The command completed successfully. I even tried removing every
other security except Domain Admins Full Control and I still can't delete
the policy, being given the error message I told you about.
 
Ok, so you are trying to delete the whole GPO and not just the package,
correct? It could be that the package object itself is not allowing the GPO to
be deleted because of the permissions you set on it, even though you've
re-permissioned the GPC object using dsacls. Here is what I would do.

Following the KB article, you found the path to the GPO, which looks
something like this:
CN={10B2684E-019A-4461-AEC0-D4FFD71002A8},CN=Policies,CN=System,DC=test,DC=tld
(your GPO's GUID will be different of course).

Underneath that container, in ADSIEdit, you will see two sub-containers--one
called machine and the other called user. If the package that you deployed
was a per-computer package, then expand the machine sub-folder. If it was a
per-user package then expand the user sub-folder. Under the appropriate
folder, you will see another folder called Class Store, and then under that
folder you will see a Packages folder. Within that Packages folder are one
or more packageRegistrationObjects which represent the applications that
you've deployed in that GPO. Hopefully, you only have one--the one that is
giving you problems. If not, then I would first delete any others if you
can.

Once you get to the right object, right-click it and try to delete it.
My guess is that you can't. The next step is to right-click it and choose
Properties, then choose the Security tab. You may get some message about not
having rights to view the object's security, but you should be able to click
the Advanced tab at the bottom. Once in the advanced view, click the Owner
tab and take ownership of the object. Once that's done, you should be able
to change the permissions of the object, so go back to the Security tab and
add Domain Admins with Full Control. At which point you should be able to delete
it (both the package and the GPO).

Let me know if that doesn't work.

Darren

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
Just Released! The new Windows Group Policy Guide from Microsoft Press!!!
Check it out at http://www.microsoft.com/mspress/books/8763.asp
 
Thanks everyone, that did work. Just a thing though, I had to take ownership
on the CN=Packages containers instead of the packages themselves.

Thanks again!

Mario Lavigne
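
The container layout Darren describes, as a read-only check added here (not part of the thread): it reports the owner and any Deny ACEs on each CN=Packages container and the package objects under it, which shows where ownership has to be taken before the GPO can be deleted. It assumes the RSAT ActiveDirectory PowerShell module; the function name `Get-GpoPackageAclReport` is hypothetical and the DN is the sample one from the thread.

```powershell
# Added example (read-only): needs the RSAT ActiveDirectory module, which
# also provides the AD: drive used by Get-Acl below.
Import-Module ActiveDirectory

function Get-GpoPackageAclReport {
    param(
        # DN of the GPO container under CN=Policies,CN=System
        [Parameter(Mandatory)] [string] $GpoDn
    )
    foreach ($scope in 'Machine', 'User') {
        $packagesDn = "CN=Packages,CN=Class Store,CN=$scope,$GpoDn"
        $targets = @($packagesDn)
        try {
            # Package objects directly under CN=Packages. Objects we are denied
            # read on may not be returned, so the container itself is always checked.
            $children = Get-ADObject -SearchBase $packagesDn -SearchScope OneLevel -Filter * -ErrorAction Stop
            $targets += @($children | ForEach-Object DistinguishedName)
        } catch {
            # Container absent (no software installation in this scope) or unreadable.
        }
        foreach ($dn in $targets) {
            try {
                $acl  = Get-Acl -Path "AD:\$dn" -ErrorAction Stop
                $deny = @($acl.Access | Where-Object AccessControlType -eq 'Deny')
                $who  = $deny | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
                [pscustomobject]@{
                    DN       = $dn
                    Owner    = $acl.Owner
                    DenyAces = $deny.Count
                    DeniedTo = $who -join '; '
                    Error    = $null
                }
            } catch {
                # Reading the ACL failed: the object is missing or access is denied.
                [pscustomobject]@{ DN = $dn; Owner = $null; DenyAces = $null
                                   DeniedTo = $null; Error = $_.Exception.Message }
            }
        }
    }
}

# Sample DN from the thread; substitute your own GPO's GUID and domain.
$gpo = 'CN={10B2684E-019A-4461-AEC0-D4FFD71002A8},CN=Policies,CN=System,DC=test,DC=tld'
Get-GpoPackageAclReport -GpoDn $gpo | Format-List
```

A row with a non-empty `Error`, or with `Authenticated Users` under `DeniedTo`, marks the object or container to take ownership of in ADSIEdit.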
 