What is the purpose of the FULLARMOR container in Active Directory? (NETIQKB53898)

  • 7753898
  • 02-Feb-2007
  • 28-Jun-2007

Resolution

Goal

What is the purpose of the FULLARMOR container in Active Directory?

Why was a container called FULLARMOR automatically created when I installed Group Policy Administrator?

Do I need to grant access to the FULLARMOR container?

Fact

NetIQ Group Policy Administrator 3.x
NetIQ Group Policy Administrator 4.x
NetIQ Group Policy Administrator 5.x

Fix

The FULLARMOR container allows NetIQ Group Policy Administrator (GPA) to edit GPOs by simulating the AD portion of a GPO that is normally held in the System | Policies container. The FULLARMOR container is created under the managed domain and can be viewed in Active Directory Users and Computers (ADU&C).

The SYSVOL portion of GPOs is held in the Local_GPOs share while a GPO is checked out and edited. When a user checks out a GPO, the SYSVOL portion of the GPO is copied to the Local_GPOs share on their local workstation and the AD portion is held under a GUID in the FULLARMOR container. This is necessary because of the way the native Microsoft Group Policy editor (GPMC) is encapsulated within the GPA interface. This "tricks" the GP editor into thinking it is working with a live GPO in AD.

The setup process normally creates this container automatically unless the account running the setup program does not have rights to create containers or some other issue occurs. If the setup program does not create the FULLARMOR container, you can create it manually. Be sure to grant full access for the container to all user accounts that will be editing GPOs, since they will need to be able to create subcontainers below the FULLARMOR container.
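
To check which accounts actually hold write access on the container, its ACL can be listed from a domain-joined host with the ActiveDirectory PowerShell module. This is an added example, not part of the original NetIQ article; the container DN `CN=FULLARMOR,<domain DN>`, the group name `GPA Editors`, and the list of expected principals are assumptions to adjust for your domain.

```powershell
# Added example: list who can create or modify objects in the FULLARMOR container.
# Assumptions (not from the article): the container DN below and the
# hypothetical group name 'GPA Editors'. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$containerDn = "CN=FULLARMOR,$($domain.DistinguishedName)"   # assumed location
$netbios     = $domain.NetBIOSName

# Principals expected to hold write access; adjust to your environment.
$expected = @(
    "$netbios\GPA Editors",        # hypothetical group of GPO editors
    "$netbios\Domain Admins",
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM'
)

# Bits that allow creating, changing or deleting objects, or re-permissioning.
# GenericAll ACEs contain all of these bits, so they are reported as well.
$writeMask = [int][System.DirectoryServices.ActiveDirectoryRights](
    'CreateChild, DeleteChild, WriteProperty, DeleteTree, Delete, WriteDacl, WriteOwner')

try {
    Get-ADObject -Identity $containerDn -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "Container not found at $containerDn (setup may not have created it)."
    return
}

$report = foreach ($ace in (Get-Acl -Path "AD:\$containerDn").Access) {
    $granted = [int]$ace.ActiveDirectoryRights -band $writeMask
    if ($ace.AccessControlType -ne 'Allow' -or $granted -eq 0) { continue }
    [pscustomobject]@{
        Principal = $ace.IdentityReference.Value
        Rights    = [System.DirectoryServices.ActiveDirectoryRights]$granted
        Inherited = $ace.IsInherited
        Expected  = $expected -contains $ace.IdentityReference.Value
    }
}

# Unexpected principals sort first so they are easy to spot.
$report | Sort-Object Expected, Principal | Format-Table -AutoSize
```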



Additional Information

Formerly known as NETIQKB53898