Microsoft Knowledge Base Archive

Symptoms

When you use the Group Policy Management Console (GPMC) to create a Group Policy object (GPO), the Group Policy settings that you configure are not applied to client computers.

↑ Back to the top

Cause

This problem occurs if you create a GPO by using the script that is named Creategpo.wsf. In this scenario, the GPO that you create does not work until you manually modify it by using the Group Policy Object Editor snap-in Gpedit.msc.

When you programmatically create the GPO by using the Creategpo.wsf script, the script does not set the gPCMachineExtensionNames attribute in the Active Directory directory service. This attribute must be set in the following location in Active Directory:

CN={GUIDOfTheGPO},CN=Policies,CN=System,DC=Domain,DC=com

The gPCMachineExtensionNames attribute stores the GUID of the client-side extension that processes the GPO, and this attribute is set by Gpedit.msc. Depending on the settings that are configured by the GPO, Gpedit.msc determines the correct extension DLL to process the GPO. Then, Gpedit.msc populates the gPCMachineExtensionNames attribute accordingly.

↑ Back to the top

Workaround

To work around this problem, manually set the gPCMachineExtensionNames attribute in the script that creates the GPO. For example, a GPO that modifies restricted groups would have the gPCMachineExtensionNames attribute set to the following GUID:

[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]

The following example script creates a GPO, links that GPO to an organizational unit, sets the gPCMachineExtensionNames attribute to the correct value, and then populates the GPO. In this example, the GPO sets the content of a restricted group. The corresponding data is stored in a file that is named GptTmpl.inf. The GptTmpl.inf file is copied to the Sysvol share when the GPO is created.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements. Example script to create a GPO

'////////////////////////////////////////////////////////////////////////////
' Copyright (c) Microsoft Corporation.  All rights reserved
'
' Title:	createGPO.wsf
' Author:	emmanud@microsoft.com
' Created:	11/08/2004
'
' Purpose:	Create a GPO, link it, and set the gPCMachineExtensionNames attribute.
'		It also creates the directory structure in the Sysvol.
'////////////////////////////////////////////////////////////////////////////

'Define variables.
'-----------------

Const ForWriting = 2
const ForReading = 1
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &H2
Const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = &H4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &H8

' ------------------------------------------------------------------------
' Define variables.
' -------------------------------------------------------------------------
'Determine the domain.
strDomainDNSName = "domb.com"
strDC = "dcdomb"
strGPODisplayName = "Sample GPO" 
strDomainDN = "dc=mydomain,dc=com"
strOU = "OU=testOU" & "," & strDomainDN
strDC = strDC & "." & strDomainDNSName

intLinkPos = -1 'GPO appended at end of link
strGPT = "c:\temp\GptTmpl.inf"

' ==============================================================================================
' Main script
' ==============================================================================================
'--------------------------------
'Create the GPO in Active Directory.
'-----------------------------------
Set objGPM = CreateObject("GPMgmt.GPM")
Set objGPMConstants = objGPM.GetConstants()

' Initialize the domain object.
Set objGPMDomain = objGPM.GetDomain(strDomainDNSName,"",objGPMConstants.UseAnyDC)

' Create the GPO.
Set objGPO = objGPMDomain.CreateGPO()
objGPO.DisplayName = strGPODisplayName
strGPOGUID = cstr(objGPO.ID)
strGPOPath = cstr(objGPO.path)


' --------------------------
' Link the GPO to the OU.
' --------------------------
Set objGPM = CreateObject("GPMgmt.GPM")
Set objGPMConstants = objGPM.GetConstants()

' Initialize the domain object.
Set objGPMDomain = objGPM.GetDomain(strDomainDNSName,"",objGPMConstants.UseAnyDC)

' Find the specified OU.
Set objSOM = objGPMDomain.GetSOM(strOU)
If IsNull(objSOM) Then
	WScript.Echo "Did not find OU: " & strOU
	WScript.Echo "Exiting"
	WScript.Quit
Else
	WScript.Echo "Found OU: " & strOU
End If

Set objGPMGPO = objGPMDomain.GetGPO (strGPOGUID)
If IsNull(objGPMGPO) Then
	WScript.Echo "Could not get GPO " & strGPOGUID
	WScript.Echo "Exiting"
	WScript.Quit
End If


Set objGPMGPOLink = objSOM.CreateGPOLink(intLinkPos, objGPMGPO)
If IsNull(objGPMGPOLink) Then
	WScript.Echo "Could not link GPO " & strGPOGUID
	WScript.Echo "Exiting"
	WScript.Quit

Else
	wscript.Echo "Group Policy Successfully Linked to OU"
End If
 
wscript.sleep 5000 'waiting 5 seconds before continuing

'-------------------
'Populate the GPO.
'-------------------
'
' In this sample, we copy a security template into the secedit folder.
'
' First create the directory structure.
strPath = "\\" & strDC & "\SYSVOL\" & strDomainDNSName & "\Policies\" & strGPOGUID & "\Machine"
WScript.Echo "SYSVOL Path:" & strPath
Set objFolder = objFSO.GetFolder(strPath)
Set objFolder = objfso.createFolder(strPath & "\scripts")
Set objFolder = objfso.createFolder(strPath & "\scripts\startup")
Set objFolder = objfso.createFolder(strPath & "\scripts\shutdown")
Set objFolder = objfso.createFolder(strPath & "\microsoft")
Set objFolder = objfso.createFolder(strPath & "\microsoft\Windows NT")
Set objFolder = objfso.createFolder(strPath & "\microsoft\Windows NT\Secedit")

' Copy the Security Template file to the Sysvol.
Set objFSO = CreateObject("Scripting.FileSystemObject")
set WKS = objFSO.getfile(strGPT)

If IsNull(WKS) Then
	WScript.Echo "Could not open " & strGPT
	WScript.Echo "Exiting."
	WScript.Quit

Else
	WKS.copy(strPath & "\microsoft\Windows NT\Secedit\GptTmpl.inf")	
end If

' Update the Gpt.ini file.
'-------------------------
Set GPTF = objFSO.OpenTextFile("\\" &strDC& "\SYSVOL\" &strDomainDNSName& "\policies\" &strGPOGUID& "\GPT.INI",ForWriting, 

True)
If IsNull(GPTF) Then
	msgbox "Error occurred when the GPT.ini file was created",,"Check Sysvol"	
	WScript.Quit
Else
GPTF.WriteLine "[General]"
GPTF.WriteLine "Version=2"
GPTF.WriteLine "displayName=" & strGPO
wscript.Echo "GPT.INI updated"
GPTF.Close
end If

'Update AD.
'----------
strGPO = strGPOPath
Set objGPO = GetObject("LDAP://" & strGPO & "") 'connect to GPO
objGPO.versionNumber = 2
objGPO.Put "gPCMachineExtensionNames" , "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"
objGPO.setinfo

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Group Policy Management Console.

↑ Back to the top

More information

For additional information about how to obtain and use the Group Policy Management Console, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

For additional information about how to manage Group Policy, visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/default.mspx

↑ Back to the top

Article ID	:	885009
Revision	:	6
Created on	:	10/30/2006
Published on	:	10/30/2006
Exists online	:	False
Views	:	209

Microsoft KB Archive Search

Group Policy settings that you configure by using the Group Policy Management Console are not applied to client computers

Symptoms

Cause

Workaround

Status

More information

Applies to: