GPO Details

There are a variety of details about GPOs that are useful for troubleshooting and other purposes. For example, since the data for a given GPO is stored in both Active Directory and Sysvol, it’s important to have details about of these components. As shown in Figure 18, the Details tab of any GPO displays this type of information and other useful attributes.



The Details tab of a GPO shows the following information:

*The domain where the GPO is defined.

*The owner of the GPO. In most cases this is the user that created the GPO. However, if a member of the Domain Admins group creates the GPO, then Domain Admins will be the owner.

*The date and time when the GPO was created.

*The date and time when the GPO was last modified.

*The version number for the user configuration component of the GPO. This is broken out into a version number for the Active Directory component and the Sysvol component. In a healthy GPO, these numbers should match. However, the user version numbers need not match the computer version numbers.

*The version number for the computer configuration component of the GPO. This is broken out into a version number for the Active Directory component and one for the Sysvol component. In a healthy GPO, these numbers should match. However, the computer version numbers need not match the user version numbers.

*The unique ID of the GPO, also known as the GPO GUID.

*The GPO Status. This indicates whether either the user configuration or computer configuration of the GPO is enabled or disabled. It can have four possible values:

--Enabled.
--User configuration settings disabled.
--Computer configuration settings disabled.
--All settings disabled.

Ensuring consistency of permissions on a GPO

Each Group Policy object (GPO) is stored partly in the Sysvol on the domain controller and partly in Active Directory. GPMC, Group Policy Object Editor, and the old Group Policy user interface provided in the Active Directory snap-ins present and manage a GPO as a single unit. For example, when you set permissions on a GPO in GPMC, GPMC is actually setting permissions on objects in both Active Directory and the Sysvol.

It is essential that the permissions in the Active Directory component are consistent with the Sysvol component for a given GPO. It is not recommended that you manipulate these separate objects independently outside of GPMC and Group Policy Object Editor. Doing so can potentially cause Group Policy processing on the client to fail, or certain users that should normally have access may no longer be able to edit a GPO. Furthermore, file system objects and directory service objects don’t have the same available permissions since they are different types of objects. So in the event of a permissions mismatch, it might not be immediately apparent how to make them consistent.

To help you ensure that the security for the Active Directory and Sysvol component of a given GPO is consistent, GPMC will automatically check the consistency of the permissions of any GPO when you navigate to the GPO using GPMC. If it detects a problem with that GPO, you will be presented with one of the following dialog boxes, depending on whether you have permission to modify security on that GPO:

*“The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the permissions in SYSVOL to those in Active Directory, click OK.”

*“The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. Contact an administrator who has rights to modify security on this GPO.”

If you have permission to modify security on the GPO, you should click OK in this dialog box. This action will reset the permission on the Sysvol component of the GPO to be consistent with the existing permissions on the Active Directory component of the GPO. Note that the information presented on the Delegation tab (and Security Filtering section) for a GPO is based on the Active Directory component of the GPO, so this will simply correctly ensure that the permissions you see in the GPMC UI are being applied to that GPO.

Note:
When running GPMC in a Windows 2000 domain, clicking on either the Default Domain Policy or the Default Domain Controllers Policy opens the dialog box described above. This is the result of a bug in Windows 2000 that is expected to be fixed in Windows 2000 Service Pack 4. The issue occurs because the Access Control List (ACL) on the Sysvol portion of the GPO is mistakenly set to inherit permissions from the parent folder. If you have permissions to modify security on the default GPOs, you should click OK in this dialog box. This will correct the problem by modifying the ACLs on the Sysvol portion to make them consistent with the ACLs on the Active Directory component. In this case, it will remove the inheritance attribute in the Sysvol.