Deleting a GPO directly from the sysvol

[Owen@7]

I am running a mix of 2003 sp2 and 2000 sp 4 server domain.
I was wondering if I can delete GPO's directly from the Sysvol folder?
Is there anything that I need to worry about?
for ex: never delete the domain GPO.

Any thoughts?
Regards,

 

[Meinolf Weber]

Hello (e-mail address removed),

Why not using GPMC? Then can be sure that it is done correctly, because not
only SYSVOL is used also Active directory service.

Each Group Policy object (GPO) is stored partly in the Sysvol folder on the
domain controller and partly in the Active Directory directory service. GPMC,
Group Policy Object Editor, and the old Group Policy user interface that
is provided in the Active Directory snap-ins present and manage a GPO as
a single unit. For example, when you set permissions on a GPO in GPMC, GPMC
sets permissions on objects both in Active Directory and in the Sysvol folder.
For each GPO, the permissions in Active Directory must be consistent with
the permissions in the Sysvol folder. You must not change these separate
objects outside GPMC and Group Policy Object Editor. If you do so, this may
cause Group Policy processing on the client to fail, or certain users who
generally have access may no longer be able to edit a GPO.

Additionally, file system objects and directory service objects do not have
the same available permissions because they are different types of objects.
When permissions mismatch, it may not be easy to make them consistent. To
help you make sure that the security for the Active Directory and for the
Sysvol components of a GPO is consistent, GPMC automatically checks the consistency
of the permissions of any GPO when you click the GPO in GPMC. If GPMC detects
a problem with a GPO, you receive one of the messages that is described in
the "Symptoms" section, depending on whether or not you have permissions
to modify security on that GPO:

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

 

[Owen@7]

Thanks again for your help.
This answers my question and gives me something more to work with.
I am having some errors while I am migrating the domain to 2003.

regards,

 

[Meinolf Weber]

Hello (e-mail address removed),

If you post the errors and what you have done, maybe we can find a solution.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

 

[Owen@7]

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 2/13/2008
Time: 11:26:48 PM
User: NT AUTHORITY\SYSTEM
Computer: 2000SERVER
Description:
Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=keypoint,DC=org.
The file must be present at the location
<\\keypoint.org\sysvol\keypoint.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

 

[Meinolf Weber]

Hello (e-mail address removed),

Event ID 1058 can have a lot of reasons. Google for "event id 1058" and use
them first. It's easier then listing all links here. Also post an ipcomnfig
/all from all DC's and your DNS server, if not a DC.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm