What are the known issues in NetIQ Group Policy Adminstrator 6.1? (NETIQKB71801)

  • 7771801
  • 04-Sep-2009
  • 26-Jan-2012

Environment

NetIQ Group Policy Administrator 6.1

Situation

What are the known issues in NetIQ Group Policy Adminstrator 6.1?

Resolution

Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact NetIQ Technical Support (www.netiq.com/support ).

Does Not Connect to Read-Only Domain Controllers

GPA does not allow you to connect to read-only domain controllers. You can only connect to domain controllers that are writeable.

The Links Tab Sometimes Does Not List All GPO Links to the Selected Domain in GP Explorer

When you create and link a GPO to an OU in the parent domain, and then link the same GPO to an OU in the child domain, if you click the Links tab after selecting the parent domain under the GP Explorer node, the Links tab does not list the GPO link to the OU in the child domain. (ENG207311)

The GPR Security Tab on the Properties Window for a Domain, Category, or GPO Displays Deleted User Accounts

If you delete a user account using Active Directory, the GPR Security tab on the Properties window for a domain, category, or GPO displays the deleted user account. For more information about this issue, contact the Microsoft technical support team. (ENG193071)

The Block Inheritance Setting Is Not Imported When You Import a GPO from Active Directory into the GP Repository

If you have a GPO that is linked to an OU in Active Directory that has block inheritance either enabled or disabled and you import this GPO from Active Directory into the GP Repository, the import process does not import the block inheritance setting of the OU. After the import process, the block inheritance setting of the imported GPO remains as Not Defined until you check the GPO out and explicitly change the block inheritance setting. (ENG234673)

Issues with Simultaneously Using Two GPA Consoles

If you have two different GPA Console sessions open at the same time on the same computer, you can see the following issues:

  • If you use the first GPA Console to delete the GPO link of the GPO in the GP Repository and without refreshing the information, you use the second GPA Console to delete the GPO in the GP Repository, the second GPA Console displays a runtime error and shuts down. (ENG219893)
  • If you simultaneously use both the GPA Consoles to connect to the database and then make the following changes: Use the first GPA Console to create a new domain, a new category, and a new GPO inside the category. When you refresh the database information in the second GPA Console, you can see the new domain, category, and GPO you created using the first GPA Console. If you use the first GPA Console to delete the domain, and then use the second GPA Console to select the same domain and category to create a new GPO, GPA displays a runtime error when you refresh the database information and the GPA Console shuts down. (ENG222052)

These are known issues with the MMC snap-in when you simultaneously work with two MMC consoles on the same computer. For more information about this issue, contact the Microsoft technical support team.

Size Limit of Security Descriptors in the Database

If a GPO has a security descriptor that is greater than 7KB in size, it affects many GPA operations. (ENG211221)

Exclude Migration Options Do Not Work When You Have Two GP Repository Connections

Suppose you have two GP Repository connections, and you configure the GPO Properties to Exclude During a Migration/Synchronization settings in one or both of the GP Repository connections to exclude the GPO links, WMI filters, and delegation settings. If one of the GP Repositories has a GPO with GPO links, WMI filters, and delegation settings configured, when you migrate this GPO to a domain in the other GP Repository connection, GPA does not correctly apply the excluded settings. (ENG248613)

GPA Does Not Raise Events or Send Email Notifications When Exporting GPOs with the Export Override Account

If you configure an Export Override account, GPA does not raise GP Repository events or send email notifications when you export a GPO. (ENG204784)

GPA Sometimes Displays an Error When You Try to Export a GPO to Active Directory Using an Export Override Account

Suppose you have a domain configured with an Export Override account and you create a GPO in the GP Repository and link it to an OU in Active Directory. You also create a user who is a member of the Domain Admins and Group Policy Creator Owner groups and is also configured with the Export Override account. If you use GPMC to deny this user Full Control permission on the same OU in Active Directory, when you try to export the GPO to Active Directory, GPA displays an error. (ENG255856)

The GPA Console Does Not Allow You to Create a New GPO in the GP Explorer If You Restore a Previously Backed Up GPO That Has a Link to a Deleted OU

If you try to restore a backed up GPO that has a link to a deleted OU in Active Directory, the GPA Console does not allow you to perform this operation and consequently prevents you from creating a new GPO in the GP Explorer. To avoid this issue, do not restore backed up GPOs that have links to a deleted OU in Active Directory. (ENG238784)

GPA May Not Be Able to Support IP Addresses Using Internet Protocol Version 6 Format

If you have GPOs with IP addresses using the Internet Protocol version 6 (IPv6) format, GPA may not allow you to edit the IPv6 addresses and the GP Repository may not be able to store the IPv6 addresses. If this issue occurs, contact NetIQ Technical Support.

The GPA Console May Require Restarting If You Leave It Inactive over a Period of Time

If you generate an RSoP analysis report, and then leave the GPO Console inactive over a period of time, the GPA Console may not work properly. To avoid this issue, close and open the GPA Console. (ENG250783)

GPA Does Not Automatically Update the Current Status of a GPO after Rolling Back a GPO to a Previous Version

If you roll back an approved GPO to a version where the GPO is unapproved or roll back an unapproved GPO to a version where the GPO is approved, GPA does not automatically display the current status of the GPO. Refresh the GPO to see the current status of the GPO. (ENG241142)

Additional Information

Formerly known as NETIQKB71801

GPA Does Not Display the Current Domain in the Location Text Box on the Select User Window

If you are using the GPA Console on a computer linked to a child domain, when you try to associate the GPA server with the GP Repository, the Location text box on the Select User window displays the parent domain as the default domain. (ENG228156)

Special Permissions Are Required to Add A GPO For Synchronization with the Master GPO

You need to be a member of the GPA_REPOSITORY_MANAGEMENT group to add a GPO for synchronization with the master GPO. (ENG242479)

Issues with GPMC Reporting

GPA reports have the same limitations as Microsoft Group Policy Management Console (GPMC). For more information about these issues, see NetIQ Knowledge Base Article NetIQKB71406 available at https://support.netiq.com/gpa .

Issues with the RSoP Analysis Report Results

We are currently researching some issues related to RSoP Analysis Reports. For more information about these issues, see NetIQ Knowledge Base Article NETIQKB71364, available at https://support.netiq.com/gpa .

Security Filters Section of the Health Check Report Displays Inconsistent Information

When you generate the Health Check report for GPOs in the GP Repository, the information available in the Security Filters section of the Health Check report does not match the information available in the Security Filters section of the Health Check report you generate for the same GPOs in Active Directory. (ENG241193)

GPA Does Not Refresh the General Settings Available in the GPO Settings Report When the GPO is Checked Out

If you check out a GPO and change some settings under the Details, Links, Security Filters, WMI Filtering, or Delegation section, when you refresh the GPO, the GPO Settings report does not reflect the changes made to any of these sections. However, you can see the changes to these settings on the tabs. Also, the GPO Settings report correctly reflects the changes made to the User Configuration and Computer Configuration sections when the GPO is checked out. (ENG240877)

GPA Sometimes Displays a Blank Enterprise Consistency Check Report

When you log on to a GPA Console computer using a domain user account that does not have any GPR Security permissions, if you try to generate the Enterprise Consistency Check report for GPOs in the GP Repository, GPA displays a blank Enterprise Consistency Check report. GPA also displays a blank Enterprise Consistency Check report when you try to compare the Active Directory version and the GP Repository version of each master GPO. To avoid this issue, you need to assign the GPO Editor role to the domain user account. (ENG242925)

GPA Replaces the Synchronization Report With a Page Not Found Error After You Click the Not Consistent Link

If you are using the GPA Console on a computer with Internet Explorer 7 installed, when you generate the Synchronization report, and click the Not Consistent link on the report, GPA opens a new window to display the GPO Settings report of the inconsistent GPO. The window displaying the Synchronization report displays a Page Not Found error in the background. (ENG253006)

The NqGPASyncLinkOrder Tool Does Not Synchronize the Block Inheritance and Link Order Information of GPOs When You Rename or Delete an OU in Active Directory

If you rename or delete one or more OUs in Active Directory, and then run the NqGPASyncLinkOrder tool to synchronize the block inheritance and link order information of GPOs in the GP Repository with the current information in Active Directory, the NqGPASyncLinkOrder tool does not synchronize the block inheritance and link order information of the GPOs linked to these OUs in the GP Repository. To avoid this issue, in the GPA Console, select the domain you want to synchronize under the GP Repository, and then click Sync with AD on the GPO Link Scope tab of the domain Properties dialog box. (ENG244447)

The NqGPASyncLinkOrder Tool Does Not Update the GPO Link Order If a Domain User Runs the Tool

If a domain user runs the NqGPASyncLinkOrder tool, the tool does not update the link order because the user does not have the necessary permissions on the database. To avoid this issue, you need to provide the domain user Execute permission on the GPO_REPOSITORY database and on certain stored procedures in the database. For more information about the stored procedures, see NetIQ Knowledge Base Article NETIQKB71338, available at https://support.netiq.com/gpa . (ENG255524, ENG250848)

The NQCreateOfflinePolicyContainerHierarchy Tool Does Not Validate the Database Server Name

If you manually execute the NQCreateOfflinePolicyContainerHierarchy tool, it does not validate the database server name you provide as a parameter to identify the GP Repository. The tool creates the incorrect GP Repository and informs you that the operation was completed successfully. You can avoid this issue by correctly specifying the database server name you provide as a parameter. (ENG252956)

Note
After upgrading to GPA 6.1, if you log on as a domain user and are unable to run the GPO Settings report or create or check out a GPO, manually execute the NQCreateOfflinePolicyContainerHierarchy tool after getting permission. For more information about permissions, see the User Guide for Group Policy Administrator.

Issues with New Policy Settings in Microsoft Windows Vista Service Pack 1 or 2 or Microsoft Windows Server 2008

We are currently researching some issues related to configuring group policy settings introduced in either Microsoft Windows Vista Service Pack 1 or 2 or Microsoft Windows Server 2008. For more information about these issues, see NetIQ Knowledge Base Article NETIQKB71364, available at https://support.netiq.com/gpa .

Additional Permissions to Check Out a GPO Using a GPA Console Computer Running Microsoft Windows Vista Service Pack 1 or 2

If you use a user account having GPO Editor permissions on a GPA Console computer running Microsoft Windows Vista Service Pack 1 or 2, GPA does not allow you to check out a GPO. To correct this issue, ensure the user account is a member of the local administrators group. (ENG244342)

Automatic Deletion of ADML Files Sometimes Not Occurring in the GP Repository

After synchronizing ADMX and ADML files from the central store to the GP Repository, when you delete an ADML file without deleting the corresponding ADMX file from the central store, and then synchronize the ADMX and ADML files again from the central store to the GP Repository, the GP Repository does not delete the corresponding ADML file from the local folder for the domain, \installDir\Local GPOs\GPAPolicyDefinitions. For more information about the work around to this issue, see the NetIQ Knowledge Base article NETIQKB71198 available at https://support.netiq.com/gpa . (ENG238129)

GPMC on Microsoft Windows Vista Service Pack 1 or 2 and Microsoft Windows Server 2008 Cannot Import Settings of a GPO Backed Up With GPA 6.1

The format of the backup set in GPMC has changed between previous versions of the Microsoft Windows operating system and Microsoft Windows Vista Service Pack 1 or 2 or Microsoft Windows Server 2008. Consequently, if you used GPA 6.1 to back up GPOs on a computer running either Microsoft Windows Server 2003 or Microsoft Windows XP, you cannot import the backup set using GPMC on Microsoft Windows Vista Service Pack 1 or 2 or Microsoft Windows Server 2008. (ENG249387)

Deleting a Domain Using a GPA Console on Microsoft Windows Vista Service Pack 1 or 2 Does Not Delete the Corresponding Policy Definition Folder

If you use the GPA Console on Microsoft Windows Vista Service Pack 1 or 2 to delete a domain from the GP Repository, GPA does not delete the corresponding domain-specific policy definition folder under \installDir\Local GPOs\domain\PolicyDefinitions. When you delete a domain from the GP Repository, delete the domain-specific policy definition folder. (ENG234117)

GPA Does Not Display the Context Menu and Toolbar When You Select a Deployed Printer

If you are using the GPA Console on a computer running Microsoft Windows Vista Service Pack 1 or 2, Microsoft Windows Server 2003 R2, or Microsoft Windows Server 2008, and if you have deployed a printer using either the Computer Configuration/Windows Settings/Deployed Printers settings or the User Configuration/Windows Settings/Deployed Printers settings, when you select the deployed printer in the results pane, GPA does not display the context menu and toolbar. (ENG242129)

Security and Network Path Map Tabs Are Empty if Master GPO has GPOs from Different Domains

If a master GPO has different controlled GPOs from different domains and then you add another controlled GPO and press the Update Domain Map button, the Security Map and Network Path Map tabs are empty for the previously added GPOs. To avoid this issue, clear the Only show mapping for the GPO check box, and then update the Target Security and Network Map information. (ENG274718)

Menus, Policy, and Preference Folders Missing or Not Working Properly on Microsoft Windows Vista x64, Service Pack 1

Microsoft did not include the following Multilingual User Interface files in the %systemroot%\SysWOW64\en-US folder on Microsoft Windows Vista x64, Service Pack 1.

  • gpme.dll.mui
  • AdmTmpl.dll.mui

These missing files caused the following items to be missing or to work improperly in the GPA Console:

  • Some policy folders are missing
  • Action menu items for Administrative templates are empty or not working properly
  • Group Policy Preference Extension folders are missing

To check for a work around to this issue or a fix from Microsoft, see the NetIQ Knowledge Base articles NETIQKB71721 and NETIQKB71722 available at https://support.netiq.com/gpa . (DOC266982,DOC266577, ENG260726)


Feedback service temporarily unavailable. For content questions or problems, please contact Support.