If not done correctly, moving a user or computer in Active Directory can result in subsequent changes to the user/computer's merged policy not being applied. This article examines how this happens, and how it can be avoided and resolved.
This document describes the effect on policy distribution of moving a user or computer in Active Directory (AD), and how to repair problems that arise from this.
Before you proceed
This document assumes the following knowledge:
- You are familiar with terms and concepts associated with Active Directory (AD)
- You are familiar with Microsoft SQL Server 7 or 2000, or MSDE
This support note relates to the following products:
- ManageSoft 6.1 onwards
How does policy distribution work?
When a group policy object (GPO) is announced using the ManageSoft distribution wizard or command line distributor, ManageSoft performs two distinct operations:
- Policy merging
- Policy distribution.
Policy merging involves generating a merged policy file (.npl) for each user and computer impacted by a group policy object, that is, in an organizational unit (OU) to which the GPO is linked or a child of that OU.
Each merged policy file contains links to policy profile files for each GPO that applies to that user or computer. A policy profile contains links to all ManageSoft packages contained in the GPO that it defines.
When policy merging is complete, ManageSoft prepares the merged policy files for distribution.
There are potentially thousands of merged policy files. Because of this, ManageSoft generates compressed archives containing multiple merged policy files, one per OU. One further compressed archive is generated to contain all policy profiles in the system.
At this point, the merged policy files (.npl) are ready to be distributed. ManageSoft creates a single meta-package to facilitate the distribution of all merged policies. This meta-package contains all compressed archives generated during this policy distribution and all previous policy distributions, using dynamic byte-level differencing to ensure that the large quantity of data being distributed does not impact the size of network transfer.
The meta-package is used for distributions to active distribution servers, and the compressed archives are expanded on the active distribution servers for transfer to passive distribution servers, which utilizes smart distribution.
How does moving a user or computer in Active Directory effect policy distribution?
Each policy distribution incorporates all compressed archives, not just those for the current distribution. This is ensures a consistent set of data for each distribution, and provides the benefit of dynamic byte-level differencing.
Because of this, merged policy files for a single user or computer may reside in multiple compressed archives.
A computer, MyComputer, resides in organizational unit OU1. Group policy object Policy1 is linked to OU1. Another group policy object Policy2 is linked to organizational unit OU2.
- Policy1 is distributed. During distribution, a compressed archive is generated for OU1, containing the merged policy files for all users and computers in OU1 including MyComputer.
- MyComputer is moved to OU2.
- Policy2 is distributed. During distribution, a compressed archive is generated for OU2, containing the merged policy files for all users and computers in OU2 including MyComputer.
- The compressed archives for OU1 and OU2 both contain a merged policy file for MyComputer. Both are distributed in step 3, but only OU2s copy is up to date. Chance determines which file will reside on the distribution servers when distribution is complete.
Moving a user or computer in Active Directory effects policy distribution by enabling a single user or computer to reside in multiple compressed archives. The result is that the merged policy files distributed to the distribution servers may not reflect the user or computer's current policy.
How can problems be avoided?
In standard ManageSoft implementations, this problem will not present itself. Typically, each group policy object is linked to the domain or at another level that parents both the source and destination organizations units of a move operation.
In such environments, when a policy is distributed, it will regenerate the compressed archives for both the source and destination OUs, the result being that the source compressed archive will no longer contain a merged policy file for the user or computer that has been moved.
It is critical that the compressed archives for both the source and destination OUs are always kept up to date. This can be done in one of the following ways:
- Target policies at the domain level, and grant Apply permissions only to those users and computers that should receive the policy. Each policy distribution will refresh all merged policies in all OUs.
Create a scheduled task that runs the command-line distributor to distribute merged policies for the entire domain in the following way:nddistrb.exe -t Policy -a DC=MyDomain,DC=com -d <destination> -o UseDistHierarchy=True
- In the absence of a single policy that impacts both OUs, distribute one policy for the source OU and another for the destination OU.
Realistically, it may not be possible to keep track of all movements, and ensure that all organizational units are kept up to date. For this reason, having a scheduled task that runs nightly to process the entire domain is recommended.
How can problems be resolved?
Resolving the problem utilizes the same principle as avoiding the problem - the source and destination compressed archives both must be refreshed.
Once the problem has presented itself, it may not be immediately clear which organizational units need to be reprocessed. Reprocessing the entire domain will resolve most problems, and is the advised approach.
Where the scale of the directory is not suitable to reprocessing the entire domain, it must be determined which OUs compressed archives carries the offending merged policy file.
For a small number of OUs, this can be done via manual inspection, however in general it is expected that movements within the directory are well managed and an audit trail exists for determining past movements of a given user or computer.
Once the offending OU is established, any of the methods described in the How can problems be avoided? section can be utilized to resolve the problem.
Removing an organizational unit
The resolutions provided in this document function by reprocessing offending organizational units such that users and computers no longer in these OUs are removed from their compressed archives.
However, when an organizational unit is removed from Active Directory, its compressed archive containing the merged policy files for that OU is not automatically removed. Any merged policy files in this archive will continue to be distributed.
In this special case, the resolutions described above will not resolve the problem. This is because it is not possible to target an organizational unit that does not exist for policy distribution.
There are two resolutions to this problem:
- Using Windows Explorer, browse to:
and remove all filenames that begin with the distinguished name of the organizational unit that has been removed.
- Before removing the organization unit from Active Directory, move all users and computers to their destination OUs. Reprocess the OU before removing it, such that the compressed archive for that OU contains no merged policy files.
The preferred approach is to manually remove the archive files. The alternate approach maintains unnecessary empty archives for each organizational unit that has been removed.