Monday, September 28, 2009

Group Policies Gone

Today, a number of my LAN users lost their O: and P: drives, which were mapped to the shares on my old Windows 2000 Server. The drives are mapped in a logon script, defined in a group policy object. When I checked the GPOs, they were not loaded.

Next, I checked the event log on the domain controller and there were numerous Event ID 1000 messages. Some said that "Windows cannot query for the list of Group Policy objects", while others insisted that "Windows cannot access the file gpt.ini for GPO The file must be present at the location <>. (). Group Policy processing aborted."

What I did next was to open the GPO editor and check the GPOs, of course. They were there, all four of them, including the default domain policy, but I found I couldn't edit them. All I got was the dialog box saying "Failed to open the Group Policy Object. You may not have appropriate rights."

The GPO permissions were OK. The next step was running gpotool. To my surprise, the only response I got from the tool was "DC list is empty". I had the impression that AD was down, but it wasn't. From what I could find with Google, DNS could be the point of failure, but DNS was working well, like everything else. Another tool I tried to use at that moment was netdiag, but it gave no results; things were up and running.

I checked whether SYSVOL was accessible from the workstations and it was. The permissions on directories and files in SYSVOL were OK, but some files were missing. So, the domain\Policies was pristinely empty. I tried to create a new policy in the GPO editor and the corresponding directory appeared in sysvol\Policies.

So, I made sure I could recreate the GPOs from scratch, but I didn't have the Default Domain Policy. I found a tool to recreate it, the Windows 2000 Default Group Policy Restore Tool. I didn't run it, though. Instead, I decided to compare the contents of my SYSVOL and those in the backed-up system. Of course, I found the old policies in the domain\Policies and simply copied them into the corresponding directory. The immediate result was that gpotool could run and produce some meaningful results. So, it complained about a missing policy, but the old ones were there. Altogether, gpotool found seven policies instead of the five actually present (the default one, three GPOs I had defined and one more which was created five minutes ago), but it was more or less OK.

So, now I have the default policy and I can use the GPO editor to recreate my old policies. There were only a few of them and it shouldn't take long.
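
The SYSVOL-against-backup comparison described in this post can be scripted. The Python below is an added example, not the author's procedure or a Microsoft tool: it compares a live Policies directory with a backup copy and reports GPO folders that are missing, lack gpt.ini, or carry a different gpt.ini version. The directory trees and all GUIDs except the well-known Default Domain Policy GUID are constructed sample data.

```python
import os, re, tempfile

GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
VERSION = re.compile(r"^\s*Version\s*=\s*(\d+)", re.I | re.M)

def scan_policies(root):
    """Map each GPO GUID folder under root to its gpt.ini version (None if no gpt.ini)."""
    found = {}
    for name in (os.listdir(root) if os.path.isdir(root) else []):
        path = os.path.join(root, name)
        if not (GUID_DIR.match(name) and os.path.isdir(path)):
            continue
        version = None
        for f in os.listdir(path):  # match any case: the copy may sit on a case-sensitive FS
            if f.lower() == "gpt.ini":
                with open(os.path.join(path, f), errors="replace") as fh:
                    m = VERSION.search(fh.read())
                version = int(m.group(1)) if m else -1  # -1: file present, no Version line
        found[name.upper()] = version
    return found

def compare(live_root, backup_root):
    """Report how the live Policies tree differs from the backup copy."""
    live, backup = scan_policies(live_root), scan_policies(backup_root)
    return {
        "missing_folder": sorted(set(backup) - set(live)),
        "missing_gpt_ini": sorted(g for g, v in live.items() if v is None),
        "not_in_backup": sorted(set(live) - set(backup)),
        "version_differs": sorted(g for g in set(live) & set(backup)
                                  if live[g] is not None and live[g] != backup[g]),
    }

def make_tree(root, gpos):
    """Build a constructed Policies tree; gpos maps GUID -> version, or None for no gpt.ini."""
    for guid, version in gpos.items():
        os.makedirs(os.path.join(root, guid))
        if version is not None:
            with open(os.path.join(root, guid, "GPT.INI"), "w") as fh:
                fh.write("[General]\nVersion=%d\n" % version)

def demo():
    ddp = "{31B2F340-016D-11D2-945F-00C04FB984F9}"  # well-known Default Domain Policy GUID
    a = "{11111111-2222-3333-4444-555555555555}"    # constructed GUID
    b = "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"    # constructed GUID (created after backup)
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = os.path.join(tmp, "live"), os.path.join(tmp, "backup")
        make_tree(backup, {ddp: 65539, a: 2})
        make_tree(live, {a: None, b: 1})
        return compare(live, backup)
```

Run `compare()` against read-only copies of the two Policies directories; a folder listed under `not_in_backup` is one the backup cannot restore, such as a GPO created after the backup was taken.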
