Solved

Active Directory GPO

Posted on 2002-05-02
20
280 Views
Last Modified: 2012-05-04
I setup an GPO for the Domain that adds certain links in the favorites menu for each W2k PC. It works great for all of the PCs that are located at the subnets where I have a DC but the remote locations that have no DC are not updating with the GPO changes. Am I missing something?
0
Comment
Question by:timd4273
20 Comments
 

Accepted Solution

by:
Zeawater earned 200 total points
ID: 6987426
Obiously the the machines are not receiving the GPO. Is the GPO set at the Forest level, or have you added it to multiple Objects? Try the following:

(i) Compare results of GPResult from a working and non working machine. Information and download of GPResult can be found here:

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp

This will give you the clue of what is going on.

(ii) Try creating a new 'test' GPO set at the same levels as the problem one. See if these remote machines can pick this up.
0
 

Author Comment

by:timd4273
ID: 6987438
Only one domain and the GPO is assigned at the root domain level but I also assigned it at the OU where the PCs are located as a test, no change though. I haven't changed too many things since I first setup Active Directory so many of the GPOs are assigned to the PCs only because I setup the PCs at the main office.
0
 
LVL 4

Expert Comment

by:Nevaar
ID: 6988716
Are the GPO files in the remote DC's Sysvol folder?  If they're not found, you need to look at the File Replication Service.  Any message of interest in the remote DC's Event log?

0
 
LVL 7

Expert Comment

by:jmiller47
ID: 6990600
If you run GPResult from the Resource Kit, it will tell you why things are or are not being applied. If you do not have access to this file, please post here and I will post a link.

This is the best way troubleshoot GPO problems.
0
 
LVL 1

Expert Comment

by:cinetto
ID: 7000993
If you set active directory sites for remote locations , you should also link GPO th other sites .
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7002093
Timd,

Have you run GPResult yet?
0
 

Author Comment

by:timd4273
ID: 7009204
I ran the GPResult and it is seeing the GPO and it even said that it was applying the User settings of the GPO but those settings are not there when I open IE. I added the GPO to the Site I added the GPO to the specific OU that the user belongs to, all with no changes. I was under the impression that if you add a GPO to the domain level that all OUs will be affected unless they have a Inheretence block.
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7009209
...Or if it is not applied in the permissions.

Can you possibly post the results of GPResult here?
0
 

Author Comment

by:timd4273
ID: 7009232
Yes, I just ran it again and noticed that the computer is still getting GPOs that were removed from the OUs a week ago.
0
 

Author Comment

by:timd4273
ID: 7009291
I condensed these GPOs into 1 and that 1 is not showing up on the GPresult.

===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:

     IE Valley Header
     IE Proxy Settings
     IE Header


This should only have one new GPO.


0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 7

Expert Comment

by:jmiller47
ID: 7009298
I don't think that will be enough information to go on. Would it be possible to use GPRESULT /z and post the entire resultset? Please feel free to omit anything that you feel would be sensitive information but try to post as much as possible so that we can better troubleshoot the problem.

Thanks for taking the extra time to try these troubleshooting steps.
0
 

Author Comment

by:timd4273
ID: 7009326
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Tuesday, May 14, 2002 at 11:02:32 AM


Operating System Information:

Operating System Type:          Professional
Operating System Version:     5.0.2195.Service Pack 2
Terminal Server Mode:          Not supported

###############################################################

  User Group Policy results for:

  CN=User Name,OU=San Diego,DC=domain,DC=com

  Domain Name:          domain
  Domain Type:          Windows 2000
  Site Name:          SanDiego

  Roaming profile:     (None)
  Local profile:     C:\Documents and Settings\Uname

  The user is a member of the following security groups:

     domain\Domain Users
     \Everyone
     BUILTIN\Users
     BUILTIN\Power Users
     NT AUTHORITY\INTERACTIVE
     NT AUTHORITY\Authenticated Users
     \LOCAL
     

###############################################################

Last time Group Policy was applied: Tuesday, May 14, 2002 at 10:55:42 AM
Group Policy was applied from: server02.domain.com


===============================================================


The user received "Registry" settings from these GPOs:

     Add Logoff to Start Menu


===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:

     IE Valley Header
     IE Proxy Settings
     IE Header



###############################################################

  Computer Group Policy results for:

  CN=RECEPTIONIST-SD,OU=Win2k,OU=Computers,OU=San Diego,DC=domain,DC=com

  Domain Name:          domain
  Domain Type:          Windows 2000
  Site Name:          SanDiego


  The computer is a member of the following security groups:

     BUILTIN\Administrators
     \Everyone
     BUILTIN\Users
     domain\RECEPTIONIST-SD$
     domain\Domain Computers
     NT AUTHORITY\NETWORK
     NT AUTHORITY\Authenticated Users

###############################################################

Last time Group Policy was applied: Tuesday, May 14, 2002 at 10:55:55 AM
Group Policy was applied from: valley02.domain.com


===============================================================


The computer received "Registry" settings from these GPOs:

     Local Group Policy
     Default Domain Policy


===============================================================
The computer received "Security" settings from these GPOs:

     Default Domain Policy
     CtrAltDel Disable


===============================================================
The computer received "EFS recovery" settings from these GPOs:

     Local Group Policy
     Default Domain Policy
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7009360
Did you use the switch /z on this command? That gives super verbose information and should tell you a LOT more. It will break everything down for you. I wanted to know because my GPRESULT /z is giving me a LOT more information that yoursw about what policies are being applied and why.

The syntax of the command is as follows:

gpresult /z

Thanks again
0
 

Author Comment

by:timd4273
ID: 7009387
It isn't giving me anything different. Is it /z or something else?
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7009429
I apologize. I was using a special version of GPResult for Windows XP Pro and didn't realize it. I was under the impression that the Windows XP and 2000 GPResult tools were the same. Unfortunately, they are not.

To get a similar effect in Windows 2000, you must use the /v switch. As this dumps a very large amount of information, you may want to dump this to a text file so that your window buffer does not scoll way off. You can do this easily by using the following command:

GPRESULT /v >c:\results.txt

This will dump the results to c:\results.txt. You can then open the text file, and copy and paste the information into a post. I apologize again for the incorrect information.

Thank you!
0
 

Author Comment

by:timd4273
ID: 7009616
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Tuesday, May 14, 2002 at 1:31:38 PM


Operating System Information:

Operating System Type:            Professional
Operating System Version:      5.0.2195.Service Pack 2
Terminal Server Mode:            Not supported

###############################################################

  User Group Policy results for:

  CN=User Name,OU=San Diego,DC=Domain,DC=com

  Domain Name:            Domain
  Domain Type:            Windows 2000
  Site Name:            SanDiego

  Roaming profile:      (None)
  Local profile:      C:\Documents and Settings\UName
  The user is a member of the following security groups:

      Domain\Domain Users
      \Everyone
      BUILTIN\Users
      BUILTIN\Power Users
      NT AUTHORITY\INTERACTIVE
      NT AUTHORITY\Authenticated Users
      \LOCAL
      
  The user has the following security privileges:

      Bypass traverse checking
      Change the system time
      Shut down the system
      Profile single process
      Remove computer from docking station


###############################################################

Last time Group Policy was applied: Tuesday, May 14, 2002 at 1:29:21 PM
Group Policy was applied from: server02.Domain.com


===============================================================


The user received "Registry" settings from these GPOs:

      Add Logoff to Start Menu
          Revision Number:      1
          Unique Name:      {3D272D63-1FD8-4276-8ED3-84FD9EE0FC10}
          Domain Name:      vdda.com
          Linked to:            Domain (DC=Domain,DC=com)




      The following settings were applied from: Add Logoff to Start Menu

          KeyName:      Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
          ValueName:      ForceStartMenuLogOff
          ValueType:      REG_DWORD
          Value:      0x00000001


===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:

      IE Valley Header
          Revision Number:      2
          Unique Name:      {0F6075EA-DD3F-4A8F-A4FE-76158AF16030}
          Domain Name:      Domain.com
          Linked to:            Domain (DC=Domain,DC=com)

      IE Proxy Settings
          Revision Number:      7
          Unique Name:      {52C19B3C-CF0A-4883-8FBF-AC9E70DD6C76}
          Domain Name:      Domain.com
          Linked to:            Domain (DC=Domain,DC=com)

      IE Header
          Revision Number:      2
          Unique Name:      {EBD4C74E-1382-4BE9-9C88-15403E0B92DB}
          Domain Name:      Domain.com
          Linked to:            Domain (DC=Domain,DC=com)


      Additional information is not available for this type of policy setting.



###############################################################

  Computer Group Policy results for:

  CN=RECEPTIONIST-SD,OU=Win2k,OU=Computers,OU=San Diego,DC=Domain,DC=com

  Domain Name:            Domain
  Domain Type:            Windows 2000
  Site Name:            SanDiego


  The computer is a member of the following security groups:

      BUILTIN\Administrators
      \Everyone
      BUILTIN\Users
      Domain\RECEPTIONIST-SD$
      Domain\Domain Computers
      NT AUTHORITY\NETWORK
      NT AUTHORITY\Authenticated Users

###############################################################

Last time Group Policy was applied: Tuesday, May 14, 2002 at 1:28:06 PM
Group Policy was applied from: server02.Domain.com


===============================================================


The computer received "Registry" settings from these GPOs:

      Local Group Policy
          Revision Number:      8
          Unique Name:      Local Group Policy
          Domain Name:      
          Linked to:            Local computer

      Default Domain Policy
          Revision Number:      3
          Unique Name:      {31B2F340-016D-11D2-945F-00C04FB984F9}
          Domain Name:      Domain.com
          Linked to:            Domain (DC=Domain,DC=com)




      The following settings were applied from: Local Group Policy

          KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS
          ValueName:      EFSBlob
          ValueType:      REG_BINARY
          Value:      Binary data.  Use the /S switch to display.

          KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS\Certificates\A7DA9BAE9421A975A7FBDB03028AF70F6FEC788D
          ValueName:      Blob
          ValueType:      REG_BINARY
          Value:      Binary data.  Use the /S switch to display.

          KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS\CRLs
          ValueName:      
          ValueType:      REG_NONE
          Value:      This key contains no values

          KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS\CTLs
          ValueName:      
          ValueType:      REG_NONE
          Value:      This key contains no values


      The following settings were applied from: Default Domain Policy

          KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS
          ValueName:      EFSBlob
          ValueType:      REG_BINARY
          Value:      Binary data.  Use the /S switch to display.

          KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS\Certificates\812A1BAF0E6FDFEDBF42E1C568D7680A947062FC
          ValueName:      Blob
          ValueType:      REG_BINARY
          Value:      Binary data.  Use the /S switch to display.

          KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS\CRLs
          ValueName:      
          ValueType:      REG_NONE
          Value:      This key contains no values

          KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS\CTLs
          ValueName:      
          ValueType:      REG_NONE
          Value:      This key contains no values


===============================================================
The computer received "Security" settings from these GPOs:

      Default Domain Policy
          Revision Number:      3
          Unique Name:      {31B2F340-016D-11D2-945F-00C04FB984F9}
          Domain Name:      Domain.COM
          Linked to:            Domain (DC=Domain,DC=com)

      CtrAltDel Disable
          Revision Number:      2
          Unique Name:      {1BC56C5F-D285-4D98-9F60-160957CC79A7}
          Domain Name:      Domain.COM
          Linked to:            Organizational Unit (OU=Computers,OU=San Diego,DC=Domain,DC=com)


      Run the Security Configuration Editor for more information.


===============================================================
The computer received "EFS recovery" settings from these GPOs:

      Local Group Policy
          Revision Number:      8
          Unique Name:      Local Group Policy
          Domain Name:      
          Linked to:            Local computer

      Default Domain Policy
          Revision Number:      3
          Unique Name:      {31B2F340-016D-11D2-945F-00C04FB984F9}
          Domain Name:      Domain.com
          Linked to:            Domain (DC=Domain,DC=com)

0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7009764
Well, that really doesnt make sense. I was hoping that a computer p;olicy was overwriting the user policy or something to that effect. There seems to be only one refernce to the IE branding of IE Header which is the setting you are looking for. If I apply that setting then it does set the IE header for me. I will continue looing it over and see if I can find anything for you by possibly trying to emulate a few things.

Thanks again for getting all this info. It is very helpful in trying to find and answer.
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 7009770
I understand that your IE header is not showing up, but is your IE Proxy settings comings also not being applied? Or are they?
0
 

Author Comment

by:timd4273
ID: 7009785
It appears that everything is working except for proxy settings. The Header and the logo are there. What is puzzling is the 3 GPOs that are coming up on the GPresult no longer exist, I combined them into 1 that is not showing up on the gpresult.
*The user received "Internet Explorer Branding" settings *from these GPOs:
*
*    IE Valley Header
*    IE Proxy Settings
*    IE Header
Those are gone and they are now a GPO named IE Settings. Which by the way work on my PC that XP Pro and on the same site as the DC but are nowhere to be found on the remote site that has no DC and is pulling its domain settings from the same DC as I am. I put the GPO on the site, domain and OU in question, no change.
0
 

Author Comment

by:timd4273
ID: 7422349
I just realized that I never graded this answer since no one knew the answer. You have to disable Slow Link Detection at the PC.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
In this article, I will show you HOW TO: Suppress Configuration Issues and Warnings Alert displayed in Summary status for ESXi 6.5 after enabling SSH or ESXi Shell.
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now