itly09
asked on
Group policy not working
When I run gpresult on XP machines in our domain, which
consists of Win2000 domain controllers, I get the following output:
Applied Group Policy Objects
-----------------------------
Local Group Policy
The following GPOs were not applied because they were
filtered out
Default Domain Policy
Filtering: Denied (Security)
Default Computer Group Policy Object
Filtering: Denied (Security)
Default Domain Policy
Filtering: Denied (Security)
The computer is a part of the following security
groups:
NULL SID
NT AUTHORITY\NETWORK
What is the NULL SID group? Is that a builtin group?
Why am I not an authenticated user? Should I be?
2000 machines give gpresult output like:
FINANCE\Domain Users
\Everyone
BUILTIN\Administrators
BUILTIN\Power Users
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
OURDOMAIN\Domain Admins
Also, I should note that in the XP machine's logs we get a
Kerberos PAC verification error, Event ID 7. The help
center link told me to use nltest to check the secure
channel, and I did, and it looks fine, I think, except if I
type
nltest /sc_query:ourdomain /server:primarydomaincontroller
I get I_netlogoncontrol_failed: Status = 1355 0x54b
ERROR_NO_SUCH_DOMAIN.
One more caveat: am I supposed to have the Kerberos Key
Distribution Center running on all DCs?
Thanks. Sorry for the long posting.
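A way to triage gpresult text like the XP output in the question above, as an added example that is not part of the original thread: it parses the paste (wrapped header lines included) and reports which GPOs were denied by security filtering and whether the group list lacks Authenticated Users. The names `parse_gpresult`, `triage`, `HEADERS` and `EXPECTED_GROUPS` are assumptions made for illustration.

```python
# Constructed input: the XP gpresult excerpt from the question, wrapped header lines kept.
SAMPLE = """\
Applied Group Policy Objects
--------------------------
Local Group Policy
The following GPOs were not applied because they were
filtered out
Default Domain Policy
Filtering: Denied (Security)
Default Computer Group Policy Object
Filtering: Denied (Security)
The computer is a part of the following security
groups:
NULL SID
NT AUTHORITY\\NETWORK
"""
# Assumption: a healthy member lists this group, as the Windows 2000 output in the question does.
EXPECTED_GROUPS = {"NT AUTHORITY\\Authenticated Users"}
HEADERS = (("applied group policy objects", "applied"),
           ("gpos were not applied", "filtered"),
           ("part of the following security", "groups"))

def parse_gpresult(text):
    """Return (applied GPOs, {filtered GPO: reason}, security groups)."""
    out, filtered, last_gpo, section = {"applied": [], "groups": []}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line or set(line) <= set("- ") or low in ("filtered out", "groups:"):
            continue  # blank line, separator rule, or tail of a wrapped header
        hit = next((s for h, s in HEADERS if h in low), None)
        if hit:
            section = hit
        elif low.startswith("filtering:"):
            filtered[last_gpo or "(unnamed GPO)"] = line.split(":", 1)[1].strip()
        elif section == "filtered":
            last_gpo = line  # GPO name; its reason follows on the next line
        elif section:
            out[section].append(line)
    return out["applied"], filtered, out["groups"]

def triage(text):
    _, filtered, groups = parse_gpresult(text)
    denied = sorted(g for g, why in filtered.items() if why.lower().startswith("denied (security)"))
    findings = ["denied by security filtering: " + ", ".join(denied)] if denied else []
    findings += ["group list lacks " + g for g in sorted(EXPECTED_GROUPS - set(groups))]
    if "NULL SID" in groups:
        findings.append("NULL SID present in group list")
    return findings
```

"Denied (Security)" means the GPO's permissions did not grant the account Read and Apply Group Policy, which Authenticated Users holds by default, so the two findings are worth reading together.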
I can't say I've worked too much with these types of things - but are policies set up properly on the domain controller? If these are local policies you're setting, be careful because I believe the DC's policies take precedence over the local group policies.
ASKER
But why would it work all along and then stop working? They were working at one time.
Any number of reasons; without maintenance a DC can go downhill very quickly. Run through the event log for any applicable errors, then see www.eventid.net to see what the errors are.
ASKER
OK, well, the 2 errors that get repeated every 30 minutes are Event IDs 1030 and 1058. Also, I figured this out working late last night: the Windows 2000 clients can receive the Group Policies, but the XP clients can't. Any ideas from there?
Check the XP clients' event log for any indication of the error. I just did a little reading on this error and the most probable issue is DFS; check it's started and set to Auto. Check if there are any other servers running DNS. By chance, are there any servers that have been demoted or are no longer operational?
ASKER
OK, this problem is changing now. All Windows 2000 clients are still working fine. XP clients are getting all group policies except the "Default Domain Policy". For example, I enabled "do not display last name" for logon. My XP clients still display the last name logged on, but all other policies are working.