Active Directory Administration Cookbook

Fixing up Group Policy permissions

Group Policy preparation, as part of adprep.exe, adds two pieces of functionality to Active Directory:

  • Cross-domain planning functionality for Group Policy
  • Resultant Set of Policy (RSoP) planning mode

GPOs are stored in both the System Volume (SYSVOL) and Active Directory. Both locations require an update of the permissions for existing GPOs, in order to take advantage of the preceding functionality.

If the Active Directory domain already contains custom or delegated permissions, Group Policy preparation kicks off the replication of all Group Policy files in the SYSVOL, and may deny the functionality of RSoP to delegated admins until their permissions are recreated.

Group Policy preparation does not need to be run with every upgrade. Admins need to run Group Policy preparation only once, and they only need to run it if an Active Directory domain has run on Windows 2000 Server-based domain controllers at one point in its existence. If an environment was created with domain controllers running Windows Server 2003, or newer versions of Windows Server, the Group Policy preparation step can be skipped.

To fix up Group Policy permissions, run the following command:

adprep.exe /domainprep /gpprep /domain lucernpub.com /user DomAdm /userdomain lucernpub.com /password P@ssw0rd

Replace the value for the domain and the values for the credentials with values that make sense for your Active Directory environment.

The following line at the end of the output indicates the successful preparation of the Active Directory domain:

Adprep successfully updated the Group Policy Object (GPO) information.
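
Because custom or delegated GPO permissions may have to be recreated after Group Policy preparation, it helps to record them before running the command and compare afterwards. The following PowerShell is an added example, not code from the book; it assumes the GroupPolicy RSAT module is installed, and the function names and CSV file names are hypothetical.

```powershell
# Added example: snapshot GPO permissions in Active Directory and SYSVOL so that
# delegations can be compared and recreated after adprep /domainprep /gpprep.
# Assumption: the GroupPolicy module (RSAT / GPMC) is available on this machine.
Import-Module GroupPolicy

function Export-GpoPermissionSnapshot {      # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Domain,   # for example lucernpub.com
        [Parameter(Mandatory)] [string] $Path      # CSV file to write
    )
    $rows = foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # SYSVOL side: the ACL of the policy folder, recorded as SDDL
        $folder = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"
        $sddl   = (Get-Acl -LiteralPath $folder).Sddl
        # Active Directory side: one row per trustee on the GPO
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All -DomainName $Domain) {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                GpoId      = $gpo.Id
                Trustee    = $perm.Trustee.Name
                TrusteeSid = $perm.Trustee.Sid.Value
                Permission = $perm.Permission
                Inherited  = $perm.Inherited
                SysvolSddl = $sddl
            }
        }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
}

function Compare-GpoPermissionSnapshot {     # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Before,
        [Parameter(Mandatory)] [string] $After
    )
    # Compare trustee entries only; SysvolSddl stays in the CSV for manual review.
    # SideIndicator '<=' : entry existed only before (candidate to recreate)
    # SideIndicator '=>' : entry exists only after the preparation
    $props = 'GpoId', 'Gpo', 'TrusteeSid', 'Trustee', 'Permission', 'Inherited'
    Compare-Object (Import-Csv -Path $Before) (Import-Csv -Path $After) -Property $props |
        Sort-Object Gpo, Trustee
}

# Usage (file names are constructed for illustration):
#   Export-GpoPermissionSnapshot -Domain lucernpub.com -Path .\gpo-before.csv
#   ...run the adprep.exe /domainprep /gpprep command and let SYSVOL replicate...
#   Export-GpoPermissionSnapshot -Domain lucernpub.com -Path .\gpo-after.csv
#   Compare-GpoPermissionSnapshot -Before .\gpo-before.csv -After .\gpo-after.csv
```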