Article ID: 216359
Article Last Modified on 10/30/2006
APPLIES TO
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
This article was previously published under Q216359
IN THIS TASK
- Determining the GUID of a GPO Using the Properties of the GPO
- Identifying the File-Based GPO Structure on the System Volume
- Identifying the GPO in the Active Directory Using Search.vbs
- Identifying the GPO in the Active Directory Using Ldp.exe
SUMMARY
When you are troubleshooting the application of a group policy, it may be necessary to validate that the appropriate objects are in the Active Directory and that the file structure is correct in SYSVOL on each domain controller on which the Group Policy Object (GPO) is replicated.
A key piece of information in this process is the Globally Unique Identifier (GUID) associated with the GPO. This article discusses identifying a GPO with its GUID.
back to the top
Determining the GUID of a GPO Using the Properties of the GPO
- Using the "Active Directory Users and Computers" or "Active Directory Sites and Services" administrative tool, click Properties on the context menu of a domain, site, or organizational unit object in the Active Directory.
- Click the Group Policy tab, click the GPO, and then click Properties. The Unique Name field contains the GUID of the selected GPO. Also note the Domain field. This is where the GPI is stored, even though it may be used (linked to) by other domains.
Identifying the File-Based GPO Structure on the System Volume
- On a domain controller in the domain identified above, determine which drive hosts the system volume (Sysvol).
- Using Windows Explorer, open the Sysvol folder.
- The following folders exist: Domain, Staging, Staging Areas, and Sysvol. Change to the Sysvol folder.
- A folder with the name of the domain that the local domain controller is a member of should exist. Change to the following folder:
Path to Sysvol
\Sysvol\DomainName
\Policies. - Open the folder identified by the GUID of the GPO that you recorded in the previous section of this article.
Note: The Group Policy structure on the system volume contains a Gpt.ini file that contains version information (of the GPO) and other optional data. Additionally, the file-based policy is broken into Machine and User folders with the appropriate policy for each. An Adm folder may also be present when software policies (administrative templates) are being used.
Without access to the properties of a given GPO, the administrator can use other methods of attaining either the GUID for a known GPO or the friendly name of a GPO of which the administrator has the associated GUID.
back to the top
Identifying the GPO in the Active Directory Using Search.vbs
Search.vbs is a Microsoft Visual Basic script that is included in the Support\Tools\Support.cab file on the Windows 2000 retail CD-ROM. You can use this script to perform an LDAP search against the Active Directory and either display or output the results to a text file.
To resolve a GPO name to a GUID, type
cscript search.vbs "LDAP://dc=mydomain
,dc=com
" /C:"&(objectClass=groupPolicyContainer)(displayName=Default Domain Policy)" /P:name /S:SubTree
where mydomain
and com
is the correct domain name.
The output displays how many objects were found (there should be only one in this case--a specific GPO) and presents the value for the Name attribute for each object found. For example:
Finished the query.
Found 1 objects.
name 1 = {31B2F340-016D-11D2-945F-00C04FB984F9}
To resolve a GUID to the name of a GPO, type
cscript search.vbs "LDAP://dc=mydomain
,dc=com
" /C:"&(objectClass=groupPolicyContainer)(name={31B2F340-016D-11D2-945F-00C04FB984F9
})" /P:displayName /S:SubTree
replacing mydomain
and com
with the correct domain name and replacing 31B2F340-016D-11D2-945F-00C04FB984F9
with the appropriate GUID.
The output displays how many objects were found (there should be only one in this case--a specific GPO) and presents the value for the DisplayName attribute (the friendly name seen in Administrative Tools) for each object found. For example:
Finished the query. Found 1 objects. displayName 1 = Default Domain Policy
Identifying the GPO in the Active Directory Using Ldp.exe
NOTE: Ldp.exe is a Resource Kit utility used to view and modify objects and their attributes in the the Active Directory. Other utilities can be used to accomplish the same result.
- Run Ldp.exe from the Support\Reskit\Netmgmt\Dstool folder on the retail Windows 2000 CD-ROM.
- On the Connection menu, click Connect.
- Type the server name, verify that the port setting is set to 389, click to clear the Connectionless check box, and then click OK. Once the connection is complete, server-specific data is displayed in the right pane.
- On the Connection menu, click Bind. Type the user name, password, and domain name (in DNS format) in the appropriate boxes (you may need to select the Domain check box), and then click OK. If the binding is successful, you should receive a message similar to "Authenticated as dn:'YourUserID'" in the right pane.
- On the Browse menu, click Search.
- In the Base DN box, type
dc=
mydomain
,dc=com
mydomain
andcom
with the appropriate domain name. - In the Filter box, type
(&(objectClass=groupPolicyContainer)(name={
31B2F340-016D-11D2-945F-00C04FB984F9
}))replacing
31B2F340-016D-11D2-945F-00C04FB984F9
with the appropriate GUID if you have the GUID and are looking for the friendly name of the GPO.
Or, type(&(objectClass=groupPolicyContainer)(displayName=
Default Domain Policy
))Default Domain Policy
with the appropriate GPO name if you have the friendly name and need to resolve the GUID. - In the Scope frame, click Subtree.
- Click Options. In the Attributes box, type displayName if you have the GUID and are looking for the friendly name, or type name if you have the GPO name and need to resolve the GUID.
- Accept all other defaults, click OK and then click Run. After the query completes, the Distinguished Name (DN) of the object found (there should be only one in this case) and the value of the attribute requested in the query are displayed in the right pane.
Keywords: kbenv kbhowtomaster KB216359