Group Policy in limbo


Steve Birchfield

I have a group policy that installed a software application. It was
linked to an OU but only was applied to one user within the OU. The
problem is that I accidentally locked myself out of it in the process.
I cannot delete the policy. I can link it but that is all. I would
like to delete it completely. I have tried deleting the object folder
in SYSVOL but in AD I still see the object. I have three domain
controllers and I see that the object has disappeared in SYSVOL on all
three. How can I completely remove it from AD?

I would have thought deleting the folder object would have done it. I
went into the registry and I don't see it in history either. HELP!
 
Hello Steve,

1. Install Windows 2000 Support Tools. (ADSI Editor is included in this
package). You can find Windows 2000 Support Tools on the Windows 2000
installation CD. (\SUPPORT\TOOLS\Setup.exe)

2. Start "Active Directory Users and Computers".

3. Right-click on the OU (Organization Unit) and pick up "Properties".

4. In the "Group Policy" tab, highlight the undeletable GPO, click
"Properties" to view its properties.

5. In the "Unique Name" entry, write down the name exactly.
- It may look like: {4F23451F-DCA6-DF55-5162-12623FD923A0}

6. Exit "Active Directory Users and Computers".

7. Start ADSI Edit. "Start"->"Programs"->"Windows 2000 Support
Tools"->"Tools"->"ADSI Edit".

8. Locate the following entry:
"Domain NC [Server.Domain.Ext]"->"DC=Domain,DC=Ext"->"CN=System"->"CN=Policies"->"CN=Unique Name"
Where Server is the NetBIOS name of the DC, Domain is the domain name of
your domain, Ext is the extension of the domain (for example, com, net and
such) and Unique Name is the string you recorded in step 5.

9. Right-click on the entry: "CN=Unique Name" and then click "Delete" to
delete it.

10. Delete the corresponding policies folder for this GPO in the SYSVOL
folder. It would be:
\\Server\SYSVOL\Domain.Ext\Policies\Unique Name

- If the permissions on the object are completely removed and the object
becomes an orphaned object (it appears as an Inaccessible Object in AD), we
can use DSACLS.exe from the Support Tools.

1. Grant the user permission to access
\\Server\SYSVOL\Domain.Ext\Policies\Unique Name (FULL CONTROL), also: SYSTEM: FULL CONTROL

2. Run:

DSACLS CN={Unique Name},CN=Policies,CN=System,DC=Server,DC=com /G Domain\User:GAWD
to grant the proper permission, and then delete the object. You can obtain this string from ADSIEDIT.

281146 How to Use Dsacls.exe in Windows 2000
http://support.microsoft.com/?id=281146

Thank You.

Diana.

This posting is provided "AS IS" with no warranties, and confers no rights.
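The state Steve describes (SYSVOL folder gone, GPO container still under CN=Policies) is one half of a GPO left behind. The script below is an added example, not code from the thread or from Microsoft: it lists every GPO container in AD and every policy folder in SYSVOL, reports the GUIDs present on only one side (flagging containers whose ACL no longer lets you read them, the "Inaccessible Object" case), and deletes AD-only leftovers only when -Remove is passed. It assumes a domain-joined host with rights to read CN=Policies and the SYSVOL share; $DomainDns and the variable names are the example's own.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    # DNS name of the domain; the SYSVOL share path is built from it (assumption: domain-joined host)
    [string]$DomainDns = $env:USERDNSDOMAIN,
    # Delete AD containers with no SYSVOL folder only when explicitly asked (-WhatIf previews)
    [switch]$Remove
)

# Part 1: every GPO container under CN=Policies,CN=System (the object the post deletes in ADSI Edit)
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.defaultNamingContext
$policies = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"
$adGpos   = @{}
foreach ($child in $policies.Children) {
    try {
        $guid = $child.Properties["cn"][0]           # e.g. {4F23451F-DCA6-DF55-5162-12623FD923A0}
        $name = $child.Properties["displayName"][0]
    } catch {
        # Reading the object failed: ACL stripped, i.e. the post's "Inaccessible Object";
        # recover the GUID from the path, which needs no bind to the object itself
        $guid = (($child.Path -split ',')[0]) -replace '^LDAP://CN=', ''
        $name = '<inaccessible: permissions removed?>'
    }
    $adGpos[$guid] = [pscustomobject]@{ Entry = $child; DisplayName = $name }
}

# Part 2: every policy folder in SYSVOL (what the asker removed by hand)
$sysvol = "\\$DomainDns\SYSVOL\$DomainDns\Policies"
$fsGpos = @{}
foreach ($dir in Get-ChildItem -LiteralPath $sysvol -Directory) { $fsGpos[$dir.Name] = $dir.FullName }

# Part 3: reconcile; a GUID on only one side is an orphaned half of a GPO
$report = foreach ($guid in (@($adGpos.Keys) + @($fsGpos.Keys) | Sort-Object -Unique)) {
    $display = $null
    if ($adGpos.ContainsKey($guid)) { $display = $adGpos[$guid].DisplayName }
    [pscustomobject]@{
        Guid        = $guid
        DisplayName = $display
        InAD        = $adGpos.ContainsKey($guid)
        InSysvol    = $fsGpos.ContainsKey($guid)
    }
}
$report | Format-Table -AutoSize

# Part 4 (optional): delete the AD container of a GPO whose SYSVOL folder is already gone.
# DeleteTree also removes the CN=Machine / CN=User child containers beneath it.
if ($Remove) {
    foreach ($row in ($report | Where-Object { $_.InAD -and -not $_.InSysvol })) {
        $entry = $adGpos[$row.Guid].Entry
        if ($PSCmdlet.ShouldProcess($entry.Path, 'Delete orphaned GPO container')) { $entry.DeleteTree() }
    }
}
```

Run it once without -Remove to get the inventory, then with -Remove -WhatIf to see exactly which containers would go; a container reported as inaccessible still needs the DSACLS step from the post before DeleteTree will succeed.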
 