2008 BPA for AD Group Policy “Access to this computer” Error

When running the AD Best Practices Analyzer (BPA) on Server 2008, you may receive the following error:

The AD DS BPA should be able to collect data about Group Policy Results setting “Access this computer from the network” from the domain controller <DCNAME>

Check the XML log file for a more detailed error message. By default it is ‘DirectoryServices_EngineReport.xml’, found under ‘Logs\BPA\Reports\Microsoft\Windows\DirectoryServices’ in your %systemroot%. Look for a section called <Error>. There will be a Message section with a somewhat more useful error. In this case, it was ‘Some or all identity references could not be translated.’, which would indicate that a deleted account is still referenced somewhere in a GPO. Unfortunately, it doesn’t tell you which GPO has this error.

To find the GPO at fault, open the Group Policy Management Console and back up your GPOs manually: right-click the Group Policy Objects container and choose Back Up All. As the backup runs, it will eventually report a warning on whichever GPO has the outdated SID:

GPO: Default Domain Controllers Policy…Succeeded, but note the following issues:

[Warning] The security principal [S-1-5-21-940797813-2055044403-441284377-1536] referenced in extension [Security] cannot be resolved, but the task will continue.

Fix the referenced GPO, and re-run BPA.
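
A scripted alternative to the backup step above, added here as an example and not part of the original post: it reads each GPO's security template (GptTmpl.inf) from SYSVOL and lists every SID that no longer translates to an account. The default SYSVOL path, the parameter name and the function name are assumptions, and it only inspects the Security extension's template file.

```powershell
# Added example, not from the original post. Requires PowerShell 2.0 or later.
# Assumption: run on a domain-joined machine with read access to SYSVOL.
param(
    # Assumed default: the Policies folder of the current user's domain.
    [string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
)

# Returns $false only when the SID cannot be mapped to an account name.
function Test-SidResolves([string]$Sid) {
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        [void]$id.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch {
        $e = $_.Exception
        if ($e.InnerException) { $e = $e.InnerException }
        # IdentityNotMappedException carries the message seen in the BPA log.
        if ($e -is [System.Security.Principal.IdentityNotMappedException]) { return $false }
        throw   # anything else (malformed SID, lookup failure) is a real error
    }
}

$cache = @{}   # SID -> resolves?, so each SID is looked up only once
Get-ChildItem -Path $PoliciesPath | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $gpoGuid = $_.Name
    $inf = Join-Path $_.FullName 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return }   # GPO has no security template
    foreach ($line in Get-Content -LiteralPath $inf) {
        # SIDs in the template are written as *S-1-...; one line can hold several.
        foreach ($m in [regex]::Matches($line, '\*(S-1-\d+(?:-\d+)+)')) {
            $sid = $m.Groups[1].Value
            if (-not $cache.ContainsKey($sid)) { $cache[$sid] = Test-SidResolves $sid }
            if (-not $cache[$sid]) {
                # One output object per stale reference: GPO GUID, setting, SID.
                New-Object PSObject -Property @{
                    Gpo     = $gpoGuid
                    Setting = ($line -split '=')[0].Trim()
                    Sid     = $sid
                }
            }
        }
    }
}
```

The Gpo column is the GPO's GUID; match it against the Unique ID shown on the GPO's Details tab in the Group Policy Management Console. For the setting named in the BPA error, look for rows whose Setting is SeNetworkLogonRight.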

Extract MSI files from (some) Microsoft EXEs

Certain files from Microsoft (in particular, things such as PowerPoint Viewer and the Office 2007 Compatibility Pack) are provided as .exe files. If you’re looking for something a little easier to roll out via Group Policy, you can extract the archive files to a folder of your choice by adding the /extract or /c command line switch. Which switch to use depends on the package, but you can usually run the package with /? to get an explanation of all the options. The files Microsoft provides usually contain some MSI files you can then add to a Software Policy.