Help, removing old GPO... Migrated from 2003 to 2008 R2

    Question

  • Hi

    I read here a lot and I'm lost on this one. Just trying to figure out what I can do to remove or fix these problem GPOs. They were fine on the 2003 server with no errors but, as soon as I moved all the roles from 2003 to 2008, they started showing up. There are only 3 that I am having issues with. I think my OCD is kicking in because I hate these types of errors in the event log...

    I have gone in the GPME to try to even find the settings for these GPOs but I am unable to find them.

    I have run the GPRESULT /H c:\GPReport.htm and pulled it out in parts here to see if someone can help.

    1.

    Component Status: Warning

    Component Name                 Status     Last Process Time
    Group Policy Infrastructure    Success    6/11/2014 11:58:33 AM
    Registry                       Success    6/11/2014 10:39:28 AM
    Scripts                        Failed     6/11/2014 11:58:11 AM
    Security                       Success    6/11/2014 10:39:30 AM

    Scripts failed due to the error listed below.

    The system cannot find the file specified.

    Additional information may have been logged.  Review the Policy Events tab in the console or the application event log for events between 6/11/2014 11:58:11 AM and 6/11/2014 11:58:11 AM.

    I have checked the event log and there is only one update but, nothing referring to this GPO (just saying GP updated) but, the event log is getting bombed with 1085 errors because of this.

    The other one is Internet Explorer branding.

    Component Status: Warning

    Component Name                 Status     Last Process Time
    Group Policy Infrastructure    Success    6/11/2014 11:58:33 AM
    Folder Redirection             Success    6/11/2014 10:39:28 AM
    Internet Explorer Branding     Failed     6/10/2014 10:07:37 PM
    Scripts                        Success    6/10/2014 11:45:30 PM

    Internet Explorer Branding failed due to the error listed below.

    The specified procedure could not be found.

    Additional information may have been logged.  Review the Policy Events tab in the console or the application event log for events between 6/10/2014 10:07:37 PM and 6/10/2014 10:07:37 PM.

    If these can't be used, how can I find them and remove them? With this last one nothing in the event log.

    Any idea how I can fix these or remove them? I have been googling/Binging for about 2-3 days on these and I can't find how to remove them. I am not a GP expert by any means.

    Thanks for any help anyone can give !!!


    -Dave

    Wednesday, June 11, 2014 4:14 PM

All replies

  • Hi Dave,

    Before going further, have we used IE to open the group policy result? By running gpresult/h c:\gpreport.html, we should get a friendly view of group policy result like a table. The result will show all the GPOs and their corresponding settings applied and report specific group policy errors.

    Best regards,
    Frank Shen

    Thursday, June 12, 2014 7:28 AM
    Moderator
  • > *Scripts failed due to the error listed below.*
    > *The system cannot find the file specified. *
     
    Review the GPO eventlog for more information. Seems we are missing a
    scripts.ini in a GPO that is supposed to contain scripts. To be precise:
    We have a GPO whose gPCMachineExtensionNames attribute contains the
    scripts CSE GUID {42B5FAAE-6536-11D2-AE5A-0000F87571E3}. To easily
    identify GPOs in question:
     
    dsquery * -filter "(&(gPCMachineExtensionNames=*{42B5FAAE-6536-11D2-AE5A-0000F87571E3}*))" -attr displayname
     
    > *Internet Explorer Branding failed due to the error listed below.*
    > *The specified procedure could not be found. *
     
    This is a result of IE Branding being abandoned with IE10 and above. To
    get rid of it, you have to clean up all your existing GPOs and remove all
    appearances of IE Branding. Not easy if you cannot edit it anymore after
    installing IE10 on your Admin Workstation :))
     
    And to identify these, too:
     
    dsquery * -filter "(&(gPCUserExtensionNames=*{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}*))" -attr name,displayname
     
    To get rid of IE Branding: dsa.msc, enable Tools - Advanced Features,
    move to System - Policies - <GUID from above query>, open this
    container's properties, switch to "Attribute Editor", edit
    gPCUserExtensionNames, copy to notepad, identify a section in square
    brackets [] that contains the above GUID and a second one (should be
    {5C935941-A954-4F7C-B507-885941ECE5C4}, but don't bet on that :)) and
    remove the whole block from [ to ]. Then paste back into the
    gPCUserExtensionNames and save.
     
    Sounds weird? It isn't - that's how GPO works under the hood.
     
     

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Thursday, June 12, 2014 9:15 AM
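
The attribute edit described in the post above (cut the whole `[ ... ]` block that carries the IE Branding CSE GUID out of gPCUserExtensionNames), as an added example that is not part of the original thread. `Remove-CseBlock` is a hypothetical helper, the first block of the sample value uses placeholder GUIDs, and the code assumes the CSE GUID is the first GUID inside its block.

```powershell
# Added example, not from the thread. Remove-CseBlock is a hypothetical helper.
# Assumption: the attribute is a run of [{CSE GUID}{tool GUID}...] blocks and
# the CSE GUID is the first GUID inside its block.
function Remove-CseBlock {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$ExtensionNames,
        [Parameter(Mandatory)][string]$CseGuid
    )
    $value  = $ExtensionNames.Trim()
    $blocks = @([regex]::Matches($value, '\[[^\[\]]*\]') | ForEach-Object { $_.Value })

    # Refuse to touch anything that is not a clean sequence of [...] blocks.
    if (($blocks -join '') -ne $value) {
        throw 'Unexpected attribute format; edit by hand in the Attribute Editor.'
    }
    # Keep every block except the one that starts with the given CSE GUID.
    $kept = @($blocks | Where-Object {
        -not $_.StartsWith("[$CseGuid", [StringComparison]::OrdinalIgnoreCase)
    })
    return ($kept -join '')
}

# Constructed sample value: the first block uses placeholder GUIDs, the second
# block is the IE Branding pair quoted in the post.
$ieBranding = '{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}'
$sample = '[{11111111-1111-1111-1111-111111111111}{22222222-2222-2222-2222-222222222222}]' +
          '[{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{5C935941-A954-4F7C-B507-885941ECE5C4}]'

$new = Remove-CseBlock -ExtensionNames $sample -CseGuid $ieBranding
"before: $sample"
"after : $new"

# On a domain (ActiveDirectory module; $dn is the GPO container's distinguishedName):
#   $old = (Get-ADObject $dn -Properties gPCUserExtensionNames).gPCUserExtensionNames
#   $new = Remove-CseBlock -ExtensionNames $old -CseGuid $ieBranding
#   if ($new) { Set-ADObject $dn -Replace @{ gPCUserExtensionNames = $new } }
#   else      { Set-ADObject $dn -Clear gPCUserExtensionNames }
```

Record the old attribute value before writing, so the change can be reverted by pasting it back.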
  • Hi Dave,

    Before going further, have we used IE to open the group policy result? By running gpresult/h c:\gpreport.html, we should get a friendly view of group policy result like a table. The result will show all the GPOs and their corresponding settings applied and report specific group policy errors.

    Best regards,
    Frank Shen

    Yes, that is what I copied above. Those were copies directly from the HTML output....

    The scripts error came from Summary>Computer Configuration Summary>Component Status Under Component name

    I have gone into Default Domain Policy [Server] Group Policy Management Editor and looked for these GPs and unable to find them, that is why I am asking here as I have googled/binged these for the last 2-3 days without luck finding anything.


    -Dave

    Thursday, June 12, 2014 12:42 PM
  • Martin,

    Thanks, I've been out of this GPO thing for years. Just want to clean this up and get it working like it should.

    So, I ran this on the DC...for scripts

    dsquery * -filter "(&(gPCMachineExtensionNames=*{42B5FAAE-6536-11D2-AE5A-0000F87571E3}*))" -attr displayname

    that came back with

      displayname
      Default Domain Policy

    I found it was in the Computer Configuration already, there is an option to disable Computer Configuration and Under Configuration, checked them one by one, ran GPupdate, watched the results, that is how I found it was in Computer configuration (makes sense here).

    How can I find what file is missing or at least a folder where it should be, then replace it or fix it, if it needs me to remove the file, then I am willing to do that to try to build it. The only scripts I have are logon/Logoff scripts and I have confirmed they are in place, nothing funky in them and they are working as they should.

    The scripts thing seems to be my big problem, as I am getting almost bombed with the 1085 errors in the event log on the servers and on the workstations.

    The screwy thing here is, This was migrated from a 2003 server. I transferred all the FSMO roles over to a 2008 R2 server. Never had an issue before on the 2003 server, as soon as the migration was complete this started happening, even before I demoted the old server.

    I still have a backup of the 2003 server before the demotion or even before the 2008 server was promoted, are there files in the old server that I could restore to the 2008 server that might fix this. Or should I look into rebuilding the Sysvol tree as I saw in this KB ?

    http://support.microsoft.com/kb/315457/en-us

    I checked on the old server, a backup done from Nov 2013 (this was the domain controller at the time way before any migration was in action).

    I checked

    C:\Windows\SYSVOL\sysvol\<my domain>\SCRIPTS

    The folder is empty.

    As for the Explorer branding, it's just not in use and not being applied, no events in the event log. Worst case, I'll build a quick Win7 box with IE 9 on it and put the tools on there, I should be able to remove them from there. I'll deal with this later, as I tried

    dsquery * -filter "(&(gPCUserExtensionNames=*{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}*))" -attr name,displayname

    It comes back with just

       name,displayname


    -Dave




    • Edited by TheCoolDave Thursday, June 12, 2014 1:53 PM
    Thursday, June 12, 2014 1:06 PM
  • >    displayname
    >    Default Domain Policy
     
    Normally you would now use dcgpofix.exe which resets DDP and DDCP to
    their initial content. That's one of the reasons to NEVER use DDP/DDCP,
    but create own copies. Nevertheless: Either remove the scripts CSE from
    gPCMachineExtensionNames the same way I described for IE Branding, or
    put a dummy scripts.ini in
    \\domain\sysvol\domain\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\machine\scripts.
     
    Content:
     
    [Startup]
    0CmdLine=dummy.exe
    0Parameters=dummy params
     
     

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Thursday, June 12, 2014 2:05 PM
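
The mismatch behind the Scripts error in this thread (a GPO whose gPCMachineExtensionNames lists the Scripts CSE while its SYSVOL folder has no machine\scripts\scripts.ini), as an added check that is not part of the original thread. `Find-GpoMissingScriptsIni` is a hypothetical helper, and the temp folder and GPO records below are constructed stand-ins with placeholder GUIDs.

```powershell
# Added example, not from the thread. Find-GpoMissingScriptsIni is a hypothetical helper.
$ScriptsCse = '{42B5FAAE-6536-11D2-AE5A-0000F87571E3}'   # Scripts CSE GUID from the thread

function Find-GpoMissingScriptsIni {
    param(
        [Parameter(Mandatory)][object[]]$Gpo,        # needs Name, DisplayName, gPCMachineExtensionNames
        [Parameter(Mandatory)][string]$PoliciesRoot  # e.g. \\domain\sysvol\domain\policies
    )
    foreach ($g in $Gpo) {
        # Only GPOs that advertise the Scripts CSE on the machine side matter here.
        if ("$($g.gPCMachineExtensionNames)" -notlike "*$ScriptsCse*") { continue }
        $ini = Join-Path (Join-Path $PoliciesRoot $g.Name) 'Machine\Scripts\scripts.ini'
        if (-not (Test-Path -LiteralPath $ini -PathType Leaf)) {
            [pscustomobject]@{ DisplayName = $g.DisplayName; Name = $g.Name; Missing = $ini }
        }
    }
}

# Constructed stand-in for SYSVOL and for the directory query result.
$root = Join-Path ([IO.Path]::GetTempPath()) ("policies-" + [guid]::NewGuid())
$ok   = '{AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA}'
$bad  = '{BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB}'
$none = '{DDDDDDDD-DDDD-DDDD-DDDD-DDDDDDDDDDDD}'
New-Item -ItemType Directory -Force -Path (Join-Path $root "$ok\Machine\Scripts") | Out-Null
New-Item -ItemType Directory -Force -Path (Join-Path $root "$bad\Machine") | Out-Null
Set-Content -LiteralPath (Join-Path $root "$ok\Machine\Scripts\scripts.ini") -Value '[Startup]'

$cseBlock = "[$($ScriptsCse){CCCCCCCC-CCCC-CCCC-CCCC-CCCCCCCCCCCC}]"   # placeholder tool GUID
$gpos = @(
    [pscustomobject]@{ Name = $ok;   DisplayName = 'CSE listed, file present'; gPCMachineExtensionNames = $cseBlock }
    [pscustomobject]@{ Name = $bad;  DisplayName = 'CSE listed, file missing'; gPCMachineExtensionNames = $cseBlock }
    [pscustomobject]@{ Name = $none; DisplayName = 'No Scripts CSE';           gPCMachineExtensionNames = $null }
)

# Reports only the second GPO, with the path where scripts.ini was expected.
Find-GpoMissingScriptsIni -Gpo $gpos -PoliciesRoot $root | Format-List
Remove-Item -Recurse -Force -LiteralPath $root

# On a domain (ActiveDirectory module), feed it real data instead:
#   $gpos = Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' `
#             -Properties displayName, gPCMachineExtensionNames
#   Find-GpoMissingScriptsIni -Gpo $gpos -PoliciesRoot '\\domain\sysvol\domain\policies'
```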
  • >    displayname
    >    Default Domain Policy
    Normally you would now use dcgpofix.exe which resets DDP and DDCP to
    their initial content. That's one of the reasons to NEVER use DDP/DDCP,
    but create own copies. Nevertheless: Either remove the scripts CSE from
    gPCMachineExtensionNames the same way I described for IE Branding, or
    put a dummy scripts.ini in
    \\domain\sysvol\domain\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\machine\scripts.
    Content:
    [Startup]
    0CmdLine=dummy.exe
    0Parameters=dummy params

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

    Awesome, that took care of it, nice simple fix, Thank you !

    -Dave

    Thursday, June 12, 2014 2:43 PM