Administrative Templates missing in GPO created on 2008 R2 DC

by Thomas Forsmark Sørensen 3. November 2010 13:32

Today I had a strange problem.

I was at a customer who had both 2003 R2 and 2008 R2 DC's in their domain.

If I created a new GPO on a 2003 DC everything was ok, but if I created the GPO on a 2008 DC the "Administrative Templates" was empty.

It turned out that an empty folder called "PolicyDefinitions" had been created on the domain.local\sysvol\domain.local\policies share.

When the GPMC opens a policy it looks for the ADMX files in "C:\Windows\PolicyDefinitions", except if the "domain.local\sysvol\domain.local\policies\PolicyDefinitions" folder exists. This folder is a central store for policies.

If the "domain.local\sysvol\domain.local\policies\PolicyDefinitions" folder exists, the GPMC loads the ADMX files from there, but if the folder is empty it will not show anything under "Administrative Templates".

To solve the problem I just copied all the files from the "C:\Windows\PolicyDefinitions" folder to the "domain.local\sysvol\domain.local\policies\PolicyDefinitions" folder.

Changing AD users using PowerShell

by Thomas Forsmark Sørensen 28. June 2010 14:57

Yesterday I had to enable a bunch of user accounts and set a default password for the users that I had migrated to a new AD.

The users had to get a new password, be enabled, and have the "The user have to change password at next logon" option removed.

Normally I would create a VB script to do those things, but I decided to see if this could be done using PowerShell.

First I had to tell PowerShell to use the Active Directory module:

Import-Module ActiveDirectory

Then I could cd "into" the AD by writing


The Get-ADUser cmdlet is used to find all the users in the OU and any sub-OUs, and the Set-ADAccountPassword cmdlet to set the password:

Get-ADUser -filter * -SearchBase 'OU=UserAccounts,DC=domain,DC=local' | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewPassword" -Force)

Again, Get-ADUser is used together with the Set-ADUser cmdlet to enable the accounts and remove the "The user have to change password at next logon" option.

Get-ADUser -Filter * -SearchBase 'OU=UserAccounts,DC=domain,DC=local' | Set-ADUser -Enabled $true -ChangePasswordAtLogon $false

More AD PowerShell Cmdlets can be found here
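
A hardened variant of the two commands above, as an added example that is not from the original post: each account gets its own random password and must change it at first logon, instead of every account sharing one known value. The function name New-RandomPassword and the output path are assumptions; the OU is the one used in the post.

```powershell
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'   # stop on a failed reset so no unset password is recorded

$searchBase = 'OU=UserAccounts,DC=domain,DC=local'   # OU from the post
$outFile    = 'C:\Temp\initial-passwords.csv'        # placeholder path (assumption)

# Hypothetical helper: random password built from the OS cryptographic RNG.
function New-RandomPassword {
    param([int]$Length = 16)
    # Look-alike characters (l, I, O, 0, 1) are left out to avoid typing errors.
    $sets = 'abcdefghijkmnopqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!#%+-=?@'
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf  = New-Object byte[] 4
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        # The first four positions take one character from each class so the
        # result passes the default AD complexity rule; the rest use all classes.
        $alphabet = if ($i -lt $sets.Count) { $sets[$i] } else { -join $sets }
        $rng.GetBytes($buf)
        $alphabet[[int]([BitConverter]::ToUInt32($buf, 0) % $alphabet.Length)]
    }
    $rng.Dispose()
    -join $chars
}

$results = foreach ($user in (Get-ADUser -Filter * -SearchBase $searchBase)) {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
    # Enable the account but keep the forced change, so the issued
    # password only works for the first logon.
    Set-ADUser -Identity $user -Enabled $true -ChangePasswordAtLogon $true

    [pscustomobject]@{
        SamAccountName  = $user.SamAccountName
        InitialPassword = $plain
    }
}

# The CSV holds plaintext credentials: restrict its ACL, hand the values
# out over a separate channel, and delete the file afterwards.
$results | Export-Csv -Path $outFile -NoTypeInformation
```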

How to recreate an accidentally deleted AD integrated DNS zone.

by Thomas Forsmark Sørensen 5. May 2010 21:01
Some time ago I had a serious problem at a customer.
The customer had two AD domains in the same forest. One of them was running Windows Server 2008 R2 and the other Windows Server 2003 R2.
In the 2003 domain I went into the DNS console and changed the DNS zone replication from "To all DNS servers running on domain controllers in this domain" to "To all DNS servers running on domain controllers in this forest".
After a while I saw that the DNS zone for the domain on the 2003 server was missing....
I looked in the event log and found the following event:


About Me


My name is Thomas Forsmark Sørensen.

I live in Odense in Denmark and work for Globeteam in Virum.

I am working as a Microsoft Infrastructure consultant with main focus on application and Operating System Deployment.

I work mostly with Microsoft System Center Configuration Manager 2012 R2 and MDT 2013, but I also work with other Microsoft products.

