none
Unknown group policy applying to objects in domain

    Question

  • Running a mixed Windows Server 2008 R1 / Windows Server 2012 environment (Server 2008 level AD), trying to troubleshoot printer connections.  They are giving me mixed results when running Group Policy Modeling Wizard from each server.

    There should only be one GPO applying the deployed printers to a given user, but when I run Group Policy Results wizard from my 2008 server I see multiple GPOs applying to the Print Connections setting: the correct GPO, the default domain GPO and an unknown GPO.  In my case the the proper GPO is applying, but I also see additional print mappings being applied from the default domain policy (even though it has been explicitly disabled and unlinked from any OUs for months) and another GPO whose SID does not belong to any existing policy.  I checked every policy in my domain (I only have about 9 GPOs) but none of them have this SID.  I also used this Get-GPO command in Powershell:

    Get-GPO -domain mydomain.com -server myserver -all

    and this policy is not listed.  If I specify the SID directly with the Get-GPO command it returns a result that that policy was not found in the domain.  However if I browse to the SYSVOL directory for my domain there is a folder in there with that SID.  Using ADSIEdit.msc and browsing to the system/policy folder, there is no listing for this unknown SID when connected to either server.  It appears to be orphaned.

    When running Group Policy Results Wizard from Server 2012 I do not see these additional GPOs applying settings, it only shows up in the GPRW in Server 2008.  

    1.  Can I move, delete or rename this unknown orphaned SID folder in SYSVOL?  

    2.  How is the default domain policy applying even if it's not linked?

    3.  Group Policy Results Wizard shows only three printers properly mapped out of the six specified, and test users only get those three printers installed.  I have verified that all six printers have been deployed to the domain and specified in the Printer Connections under User/Preferences in the same GPO.  

    Any ideas?  (Sorry I don't know why my text is small)




    • Edited by NeverQuiteSure Tuesday, October 25, 2016 6:37 PM Clarification
    Tuesday, October 25, 2016 6:10 PM

Answers

  • Hi,
    >>1.  Can I move, delete or rename this unknown orphaned SID folder in SYSVOL? 
    I would suggest to check every GPO manually in GPMC using an account with highest permissions and confirm that there are no corresponding GPO objects in AD. In that case, you could delete it. In addition, we always suggest you backup before deleting.
    >>2.  How is the default domain policy applying even if it's not linked?
    If you unkink the DDP, it should not be applied, please check again to see if the DDP is linked or not. Maybe, others have linked it to OU again. In addition, it is not suggested to disable/unlink DDP.
    >>3.  Group Policy Results Wizard shows only three printers properly mapped out of the six specified, and test users only get those three printers installed.  I have verified that all six printers have been deployed to the domain and specified in the Printer Connections under User/Preferences in the same GPO. 
    Please run gpresult /h command to see if we could get some error message or information about these printers which are not deployed.
    And you could choose a problematic printer and try to connect it manually and see if it is works.
    Also we suggest you deploy printers under computer configuration /Preferences and try to disable a policy “Point and print restrictions” in the GPO, then run gpupdate /force to see if all printers are deployed.
    Here is a similar problems, and you could take a look and use for reference:
    Not all printers are deployed on the client using Group Policy
    http://serverfault.com/questions/746567/not-all-printers-are-deployed-on-the-client-using-group-policy
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by NeverQuiteSure Thursday, October 27, 2016 1:57 PM
    Wednesday, October 26, 2016 2:50 AM
    Moderator

All replies

  • Hi,
    >>1.  Can I move, delete or rename this unknown orphaned SID folder in SYSVOL? 
    I would suggest to check every GPO manually in GPMC using an account with highest permissions and confirm that there are no corresponding GPO objects in AD. In that case, you could delete it. In addition, we always suggest you backup before deleting.
    >>2.  How is the default domain policy applying even if it's not linked?
    If you unkink the DDP, it should not be applied, please check again to see if the DDP is linked or not. Maybe, others have linked it to OU again. In addition, it is not suggested to disable/unlink DDP.
    >>3.  Group Policy Results Wizard shows only three printers properly mapped out of the six specified, and test users only get those three printers installed.  I have verified that all six printers have been deployed to the domain and specified in the Printer Connections under User/Preferences in the same GPO. 
    Please run gpresult /h command to see if we could get some error message or information about these printers which are not deployed.
    And you could choose a problematic printer and try to connect it manually and see if it is works.
    Also we suggest you deploy printers under computer configuration /Preferences and try to disable a policy “Point and print restrictions” in the GPO, then run gpupdate /force to see if all printers are deployed.
    Here is a similar problems, and you could take a look and use for reference:
    Not all printers are deployed on the client using Group Policy
    http://serverfault.com/questions/746567/not-all-printers-are-deployed-on-the-client-using-group-policy
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by NeverQuiteSure Thursday, October 27, 2016 1:57 PM
    Wednesday, October 26, 2016 2:50 AM
    Moderator
  • I disabled the Point and Print policy and all printers appear to be mapping correctly now.  Thank you for the detailed response, it was very helpful.  
    Thursday, October 27, 2016 1:57 PM
  • Hi,
    You are welcome, and appreciate you for marking the answer.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, October 28, 2016 1:37 AM
    Moderator