2012 domain GPO inconsistancy between GPO's and SYSVOL/Policies folder - access denied


  • Hi all,

    Need some help as a bit stuck with this. I have a 2012 domain with several DCs on different sites. 
    I can create new GPO's and they are created and replicated with a problem ( it appears) 
    Ive run DCDIAG and repladmin and they dont come back with any errors. 

    The FSMO roles are all running on windc01. 
    The baseline DC is windc02. 
    I have 47 GPO's but 55 folders in the polices folder of the sysvol. This is consistent with all DC's.

    Today I tested the deletion of a GPO after deleting from the GPMT the corresponding police wasn't deleted. 

    When drilling into the orphaned policy folder on windc01 I get policy->machine->scripts which is empty. If I do the same on any other DC i get an access denied message when clicking into the scripts folder.

    If I click on 2 subsequent polices that have been deleted I can see the polices are still there. I get an access denied when trying click into.

    I have found 4 polices folders that still exist in the sysvol/polices folder of all DC's

    The four folders arent matched to any exisint SID of my GPO's because they have been deleted at some point, however they have failed to be removed from the SYSVOL. 

    If I try and select navigate into any of these on WINDC01 I get an access denied. 
    If try the same on any other DC I can navigate into them all of which are empty or have remnants of a GPO. 

    Looks to me like there is an issue with the permission of the GPOs on WINDC01 as this holds the FSMO roles.

    matt barnes

    Tuesday, September 15, 2015 2:43 PM

All replies

  • matt barnes

    Tuesday, September 15, 2015 3:08 PM
  • As an example i just deleted the MEU_directaccess_setting GPO using the GPMT on windc01. Once I had removed the GPO I checked the sysvol folder. It hasnt removed the corresponding folder instead it has marked as being the last modified GPO and gives me an access denied when trying to click into. 

    This has replicated the same over to windc02 however I can select into the folder (which is empty)

    matt barnes

    Tuesday, September 15, 2015 3:14 PM
  • Hi Matt,

    Can you restart DFS-R service and see if it helps?


    Tuesday, September 15, 2015 3:34 PM
  • Tried hasn't helped. 

    matt barnes

    Tuesday, September 15, 2015 3:53 PM
  • I checked ADSIEDIT the polices do not exist in under system-policies after they have been deleted. 

    It appears they just aren't being removed from the SYSVOL

    matt barnes

    Wednesday, September 16, 2015 10:57 AM