GPA Console displays an error 43, when editing the Windows Firewall

  • 7023448
  • 16-Oct-2018
  • 16-Oct-2018

Environment

NetIQ Group Policy Administrator 6.9.0.x
NetIQ Group Policy Administrator 6.9.1.x
Windows 2016

Situation

When the NetIQ Group Policy Administrator console is installed on Windows Server 2016, there is an error when editing the GPO settings for Windows Firewall with Advanced Security. The NQGpeEditor will display an error code 43.

Resolution

Once a GPO has been checked out within GPA, it is possible to manually edit the path stored within the GPCSysfiles attribute. Each time a GPO is checked out, a new temporary GPO object is created with a new value for the GPCSysfiles attribute. The GPO object is created on the DC selected within the GPA Repository. However, the Microsoft Group Policy Management Console (GPMC) Application Programming Interface (API) used by GPA is only able to view the GPO object located on the Windows DC hosting the Primary Domain Controller (PDC) Flexible Single Master Operations (FSMO) role. Any changes to the temporary GPO object must therefore be made to the copy of that object on the PDC.

To manually edit the temporary GPO object created by GPA:

  1. Check out and edit the GPO within the GPA repository
  2. Navigate to the following section
    • Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Windows Firewall with Advanced Security --> Windows Firewall with Advanced Security
  3. Hover over the child Windows Firewall with Advanced Security node to see the LDAP path for the GPO object.
    • The start of this path will list the Object GUID for the temporary GPO object
  4. Open a Microsoft AD editor console.
    • This can be the Microsoft Directory Services Administration (DSA.MSC) console with advanced features enabled.
    • This can be the Microsoft Active Directory Services Interface editor (ADSIEdit.msc).
  5. Once in the console, connect to the Windows DC hosting the PDC role.
  6. Edit the AD Object of Group Policy Container (GPO) class within the following AD Distinguished Name (DN) path:
    • CN=POLICIES,CN=System,CN=<GPA Repository Server>,CN=FAZAM GP REPOSITORY SERVERS,CN=FULLARMOR,<distinguished name of your managed domain>
  7. Change the value stored within the GPCSysfiles attribute
    1. Failing value format:
      • \\<GPA Console OS Name>\GPOsManagedByGPA$\<FQDN of Managed Domain>\<Random GUID assigned to the GPO object on GPO Checkout operation>\<single digit integer>
    2. Correct value format:
      • \\<GPA Console OS Name>\SysVol\<FQDN of Managed Domain>\NetIQ\GPOsManagedByGPA-<GPA Console Name>$\<FQDN of Managed Domain>\<Random GUID assigned to the GPO object on GPO Checkout operation>\<single digit integer>
  8. Save the changes using the MS AD console.
  9. Close and re-open the GPA NQGpeEditor without changing the checkout status of the Repository GPO.
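The procedure above (locate the PDC, open the temporary GPO object there, rewrite the GPCSysfiles value) can also be scripted. The following PowerShell is an added example and is not code from the NetIQ article or product. It assumes that the attribute the article calls GPCSysfiles is the LDAP attribute gPCFileSysPath of the groupPolicyContainer object, that the RSAT ActiveDirectory module is installed on the host running it, and that the caller is allowed to modify the object; the function names ConvertTo-GpaCorrectSysfilesPath and Repair-GpaTempGpoSysfiles and the sample host, domain and GUID are placeholders of my own. It also covers the replication caveat from Additional Information (the temporary object may not yet exist on the PDC) and supports -WhatIf so the change can be previewed before anything is written.

```powershell
# Added example, not from the NetIQ KB article: rewrite the failing
# GPCSysfiles value into the format the article documents as correct and,
# optionally, apply it to the temporary GPO object on the PDC emulator.
# Assumptions (not stated by the article): the attribute the article calls
# "GPCSysfiles" is the LDAP attribute gPCFileSysPath of the
# groupPolicyContainer object; the RSAT ActiveDirectory module is present;
# the caller may modify that object. Function names are hypothetical.

function ConvertTo-GpaCorrectSysfilesPath {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$FailingPath)

    # Failing format from the article:
    #   \\<Console>\GPOsManagedByGPA$\<DomainFQDN>\<GUID>\<digit>
    $pattern = '^\\\\(?<console>[^\\]+)\\GPOsManagedByGPA\$\\(?<domain>[^\\]+)\\(?<guid>[^\\]+)\\(?<digit>\d)$'
    if (-not ($FailingPath -match $pattern)) {
        throw "Value does not match the failing GPCSysfiles format: $FailingPath"
    }
    $console = $Matches['console']
    $domain  = $Matches['domain']
    $guid    = $Matches['guid']
    $digit   = $Matches['digit']

    # Correct format from the article (GPA Console Name and GPA Console OS
    # Name are the same host, see Additional Information):
    #   \\<Console>\SysVol\<DomainFQDN>\NetIQ\GPOsManagedByGPA-<Console>$\<DomainFQDN>\<GUID>\<digit>
    return "\\$console\SysVol\$domain\NetIQ\GPOsManagedByGPA-$console`$\$domain\$guid\$digit"
}

function Repair-GpaTempGpoSysfiles {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$GpoDistinguishedName)

    Import-Module ActiveDirectory -ErrorAction Stop
    # GPMC only reads the temporary GPO from the PDC emulator, so read and
    # write the object there rather than on the DC GPA was configured to use.
    $pdc = (Get-ADDomain).PDCEmulator
    try {
        $gpo = Get-ADObject -Identity $GpoDistinguishedName -Server $pdc -Properties gPCFileSysPath -ErrorAction Stop
    } catch {
        # The object is created on the DC selected in the GPA repository; until
        # it replicates, the PDC does not have it yet (see Additional Information).
        throw "Temporary GPO not found on PDC emulator $pdc (has AD replication completed?): $_"
    }

    $current = [string]$gpo.gPCFileSysPath
    if ($current -like '\\*\SysVol\*\NetIQ\GPOsManagedByGPA-*') {
        Write-Verbose "gPCFileSysPath already has the correct format: $current"
        return $current
    }

    $fixed = ConvertTo-GpaCorrectSysfilesPath -FailingPath $current
    # Do not point the GPO at a share that does not resolve from this host.
    if (-not (Test-Path -LiteralPath $fixed)) {
        Write-Warning "Corrected path does not resolve from this host: $fixed"
    }
    if ($PSCmdlet.ShouldProcess($GpoDistinguishedName, "Set gPCFileSysPath to $fixed on $pdc")) {
        Set-ADObject -Identity $GpoDistinguishedName -Server $pdc -Replace @{ gPCFileSysPath = $fixed }
    }
    return $fixed
}

# Constructed sample value (placeholder host, domain and GUID, not from the article):
$sample = '\\GPACONSOLE01\GPOsManagedByGPA$\corp.example.com\{00000000-0000-0000-0000-000000000000}\0'
ConvertTo-GpaCorrectSysfilesPath -FailingPath $sample

# Live use, previewed first; pass the DN shown in the NQGpeEditor node tooltip
# (the DN below is a placeholder built from the article's container path):
# Repair-GpaTempGpoSysfiles -GpoDistinguishedName 'CN={<temp GPO GUID>},CN=POLICIES,CN=System,CN=<GPA Repository Server>,CN=FAZAM GP REPOSITORY SERVERS,CN=FULLARMOR,DC=corp,DC=example,DC=com' -WhatIf
```

Run the repair with -WhatIf first to see the DN, the target DC and the value that would be written; drop -WhatIf once the output matches the correct format documented in step 7. The -Server parameter is what makes the write land on the PDC copy of the object, which is the point the Resolution section makes about GPMC only seeing that copy.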

Cause

This issue is caused by a defect within the GPA Console code. When checking out a GPO, GPA will create a new Active Directory (AD) object of the GroupPolicyContainer (GPO) class. This object will be created on the AD Domain Controller (DC) listed within the GPA Managed Domain. The GPA Console sets an incorrect value on the GPCSysfiles attribute of the AD GPO object. This attribute is used by the Microsoft Group Policy Management Console (GPMC) Application Programming Interface (API). The NQGpeEditor will report an error 43 if the path listed within GPCSysfiles points to an invalid location.

This object is created under the following AD path:

CN=POLICIES,CN=System,CN=<GPA Repository Server>,CN=FAZAM GP REPOSITORY SERVERS,CN=FULLARMOR,<distinguished name of your managed domain>

The GPA Console sets the GPCSysfiles attribute of this object to a path in the following incorrect format:

\\<GPA Console OS Name>\GPOsManagedByGPA$\<FQDN of Managed Domain>\<Random GUID assigned to the GPO object on GPO Checkout operation>\<single digit integer>

The correct path should read:

\\<GPA Console OS Name>\SysVol\<FQDN of Managed Domain>\NetIQ\GPOsManagedByGPA-<GPA Console Name>$\<FQDN of Managed Domain>\<Random GUID assigned to the GPO object on GPO Checkout operation>\<single digit integer>

Additional Information

The term GPA Repository Server refers to the Windows OS host name of the SQL Server hosting the GP_REPOSITORY database.
The term GPA Console Name refers to the Windows OS host name used to host the NetIQ GPA Console software.
When the GPA Console is set to use any DC other than the PDC, AD replication must occur before the PDC will see the temporary GPO created by GPA.

This KB only applies to the specific error message listed above.
This KB only applies to the GPA Console Versions listed above.
This KB only applies when the GPA Console is hosted on Windows Server 2016