timd4273
asked on
Active Directory GPO
I setup an GPO for the Domain that adds certain links in the favorites menu for each W2k PC. It works great for all of the PCs that are located at the subnets where I have a DC but the remote locations that have no DC are not updating with the GPO changes. Am I missing something?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Are the GPO files in the remote DC's Sysvol folder? If they're not found, you need to look at the File Replication Service. Any message of interest in the remote DC's Event log?
If you run GPResult from the Resource Kit, it will tell you why things are or are not being applied. If you do not have access to this file, please post here and I will post a link.
This is the best way troubleshoot GPO problems.
This is the best way troubleshoot GPO problems.
If you set active directory sites for remote locations , you should also link GPO th other sites .
Timd,
Have you run GPResult yet?
Have you run GPResult yet?
ASKER
I ran the GPResult and it is seeing the GPO and it even said that it was applying the User settings of the GPO but those settings are not there when I open IE. I added the GPO to the Site I added the GPO to the specific OU that the user belongs to, all with no changes. I was under the impression that if you add a GPO to the domain level that all OUs will be affected unless they have a Inheretence block.
...Or if it is not applied in the permissions.
Can you possibly post the results of GPResult here?
Can you possibly post the results of GPResult here?
ASKER
Yes, I just ran it again and noticed that the computer is still getting GPOs that were removed from the OUs a week ago.
ASKER
I condensed these GPOs into 1 and that 1 is not showing up on the GPresult.
========================== ========== ========== ========== =======
The user received "Internet Explorer Branding" settings from these GPOs:
IE Valley Header
IE Proxy Settings
IE Header
This should only have one new GPO.
==========================
The user received "Internet Explorer Branding" settings from these GPOs:
IE Valley Header
IE Proxy Settings
IE Header
This should only have one new GPO.
I don't think that will be enough information to go on. Would it be possible to use GPRESULT /z and post the entire resultset? Please feel free to omit anything that you feel would be sensitive information but try to post as much as possible so that we can better troubleshoot the problem.
Thanks for taking the extra time to try these troubleshooting steps.
Thanks for taking the extra time to try these troubleshooting steps.
ASKER
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999
Created on Tuesday, May 14, 2002 at 11:02:32 AM
Operating System Information:
Operating System Type: Professional
Operating System Version: 5.0.2195.Service Pack 2
Terminal Server Mode: Not supported
########################## ########## ########## ########## #######
User Group Policy results for:
CN=User Name,OU=San Diego,DC=domain,DC=com
Domain Name: domain
Domain Type: Windows 2000
Site Name: SanDiego
Roaming profile: (None)
Local profile: C:\Documents and Settings\Uname
The user is a member of the following security groups:
domain\Domain Users
\Everyone
BUILTIN\Users
BUILTIN\Power Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
########################## ########## ########## ########## #######
Last time Group Policy was applied: Tuesday, May 14, 2002 at 10:55:42 AM
Group Policy was applied from: server02.domain.com
========================== ========== ========== ========== =======
The user received "Registry" settings from these GPOs:
Add Logoff to Start Menu
========================== ========== ========== ========== =======
The user received "Internet Explorer Branding" settings from these GPOs:
IE Valley Header
IE Proxy Settings
IE Header
########################## ########## ########## ########## #######
Computer Group Policy results for:
CN=RECEPTIONIST-SD,OU=Win2 k,OU=Compu ters,OU=Sa n Diego,DC=domain,DC=com
Domain Name: domain
Domain Type: Windows 2000
Site Name: SanDiego
The computer is a member of the following security groups:
BUILTIN\Administrators
\Everyone
BUILTIN\Users
domain\RECEPTIONIST-SD$
domain\Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
########################## ########## ########## ########## #######
Last time Group Policy was applied: Tuesday, May 14, 2002 at 10:55:55 AM
Group Policy was applied from: valley02.domain.com
========================== ========== ========== ========== =======
The computer received "Registry" settings from these GPOs:
Local Group Policy
Default Domain Policy
========================== ========== ========== ========== =======
The computer received "Security" settings from these GPOs:
Default Domain Policy
CtrAltDel Disable
========================== ========== ========== ========== =======
The computer received "EFS recovery" settings from these GPOs:
Local Group Policy
Default Domain Policy
Copyright (C) Microsoft Corp. 1981-1999
Created on Tuesday, May 14, 2002 at 11:02:32 AM
Operating System Information:
Operating System Type: Professional
Operating System Version: 5.0.2195.Service Pack 2
Terminal Server Mode: Not supported
##########################
User Group Policy results for:
CN=User Name,OU=San Diego,DC=domain,DC=com
Domain Name: domain
Domain Type: Windows 2000
Site Name: SanDiego
Roaming profile: (None)
Local profile: C:\Documents and Settings\Uname
The user is a member of the following security groups:
domain\Domain Users
\Everyone
BUILTIN\Users
BUILTIN\Power Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
##########################
Last time Group Policy was applied: Tuesday, May 14, 2002 at 10:55:42 AM
Group Policy was applied from: server02.domain.com
==========================
The user received "Registry" settings from these GPOs:
Add Logoff to Start Menu
==========================
The user received "Internet Explorer Branding" settings from these GPOs:
IE Valley Header
IE Proxy Settings
IE Header
##########################
Computer Group Policy results for:
CN=RECEPTIONIST-SD,OU=Win2
Domain Name: domain
Domain Type: Windows 2000
Site Name: SanDiego
The computer is a member of the following security groups:
BUILTIN\Administrators
\Everyone
BUILTIN\Users
domain\RECEPTIONIST-SD$
domain\Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
##########################
Last time Group Policy was applied: Tuesday, May 14, 2002 at 10:55:55 AM
Group Policy was applied from: valley02.domain.com
==========================
The computer received "Registry" settings from these GPOs:
Local Group Policy
Default Domain Policy
==========================
The computer received "Security" settings from these GPOs:
Default Domain Policy
CtrAltDel Disable
==========================
The computer received "EFS recovery" settings from these GPOs:
Local Group Policy
Default Domain Policy
Did you use the switch /z on this command? That gives super verbose information and should tell you a LOT more. It will break everything down for you. I wanted to know because my GPRESULT /z is giving me a LOT more information that yoursw about what policies are being applied and why.
The syntax of the command is as follows:
gpresult /z
Thanks again
The syntax of the command is as follows:
gpresult /z
Thanks again
ASKER
It isn't giving me anything different. Is it /z or something else?
I apologize. I was using a special version of GPResult for Windows XP Pro and didn't realize it. I was under the impression that the Windows XP and 2000 GPResult tools were the same. Unfortunately, they are not.
To get a similar effect in Windows 2000, you must use the /v switch. As this dumps a very large amount of information, you may want to dump this to a text file so that your window buffer does not scoll way off. You can do this easily by using the following command:
GPRESULT /v >c:\results.txt
This will dump the results to c:\results.txt. You can then open the text file, and copy and paste the information into a post. I apologize again for the incorrect information.
Thank you!
To get a similar effect in Windows 2000, you must use the /v switch. As this dumps a very large amount of information, you may want to dump this to a text file so that your window buffer does not scoll way off. You can do this easily by using the following command:
GPRESULT /v >c:\results.txt
This will dump the results to c:\results.txt. You can then open the text file, and copy and paste the information into a post. I apologize again for the incorrect information.
Thank you!
ASKER
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999
Created on Tuesday, May 14, 2002 at 1:31:38 PM
Operating System Information:
Operating System Type: Professional
Operating System Version: 5.0.2195.Service Pack 2
Terminal Server Mode: Not supported
########################## ########## ########## ########## #######
User Group Policy results for:
CN=User Name,OU=San Diego,DC=Domain,DC=com
Domain Name: Domain
Domain Type: Windows 2000
Site Name: SanDiego
Roaming profile: (None)
Local profile: C:\Documents and Settings\UName
The user is a member of the following security groups:
Domain\Domain Users
\Everyone
BUILTIN\Users
BUILTIN\Power Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
The user has the following security privileges:
Bypass traverse checking
Change the system time
Shut down the system
Profile single process
Remove computer from docking station
########################## ########## ########## ########## #######
Last time Group Policy was applied: Tuesday, May 14, 2002 at 1:29:21 PM
Group Policy was applied from: server02.Domain.com
========================== ========== ========== ========== =======
The user received "Registry" settings from these GPOs:
Add Logoff to Start Menu
Revision Number: 1
Unique Name: {3D272D63-1FD8-4276-8ED3-8 4FD9EE0FC1 0}
Domain Name: vdda.com
Linked to: Domain (DC=Domain,DC=com)
The following settings were applied from: Add Logoff to Start Menu
KeyName: Software\Microsoft\Windows \CurrentVe rsion\Poli cies\Explo rer
ValueName: ForceStartMenuLogOff
ValueType: REG_DWORD
Value: 0x00000001
========================== ========== ========== ========== =======
The user received "Internet Explorer Branding" settings from these GPOs:
IE Valley Header
Revision Number: 2
Unique Name: {0F6075EA-DD3F-4A8F-A4FE-7 6158AF1603 0}
Domain Name: Domain.com
Linked to: Domain (DC=Domain,DC=com)
IE Proxy Settings
Revision Number: 7
Unique Name: {52C19B3C-CF0A-4883-8FBF-A C9E70DD6C7 6}
Domain Name: Domain.com
Linked to: Domain (DC=Domain,DC=com)
IE Header
Revision Number: 2
Unique Name: {EBD4C74E-1382-4BE9-9C88-1 5403E0B92D B}
Domain Name: Domain.com
Linked to: Domain (DC=Domain,DC=com)
Additional information is not available for this type of policy setting.
########################## ########## ########## ########## #######
Computer Group Policy results for:
CN=RECEPTIONIST-SD,OU=Win2 k,OU=Compu ters,OU=Sa n Diego,DC=Domain,DC=com
Domain Name: Domain
Domain Type: Windows 2000
Site Name: SanDiego
The computer is a member of the following security groups:
BUILTIN\Administrators
\Everyone
BUILTIN\Users
Domain\RECEPTIONIST-SD$
Domain\Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
########################## ########## ########## ########## #######
Last time Group Policy was applied: Tuesday, May 14, 2002 at 1:28:06 PM
Group Policy was applied from: server02.Domain.com
========================== ========== ========== ========== =======
The computer received "Registry" settings from these GPOs:
Local Group Policy
Revision Number: 8
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
Default Domain Policy
Revision Number: 3
Unique Name: {31B2F340-016D-11D2-945F-0 0C04FB984F 9}
Domain Name: Domain.com
Linked to: Domain (DC=Domain,DC=com)
The following settings were applied from: Local Group Policy
KeyName: Software\Policies\Microsof t\SystemCe rtificates \EFS
ValueName: EFSBlob
ValueType: REG_BINARY
Value: Binary data. Use the /S switch to display.
KeyName: Software\Policies\Microsof t\SystemCe rtificates \EFS\Certi ficates\A7 DA9BAE9421 A975A7FBDB 03028AF70F 6FEC788D
ValueName: Blob
ValueType: REG_BINARY
Value: Binary data. Use the /S switch to display.
KeyName: Software\Policies\Microsof t\SystemCe rtificates \EFS\CRLs
ValueName:
ValueType: REG_NONE
Value: This key contains no values
KeyName: Software\Policies\Microsof t\SystemCe rtificates \EFS\CTLs
ValueName:
ValueType: REG_NONE
Value: This key contains no values
The following settings were applied from: Default Domain Policy
KeyName: Software\Policies\Microsof t\SystemCe rtificates \EFS
ValueName: EFSBlob
ValueType: REG_BINARY
Value: Binary data. Use the /S switch to display.
KeyName: Software\Policies\Microsof t\SystemCe rtificates \EFS\Certi ficates\81 2A1BAF0E6F DFEDBF42E1 C568D7680A 947062FC
ValueName: Blob
ValueType: REG_BINARY
Value: Binary data. Use the /S switch to display.
KeyName: Software\Policies\Microsof t\SystemCe rtificates \EFS\CRLs
ValueName:
ValueType: REG_NONE
Value: This key contains no values
KeyName: Software\Policies\Microsof t\SystemCe rtificates \EFS\CTLs
ValueName:
ValueType: REG_NONE
Value: This key contains no values
========================== ========== ========== ========== =======
The computer received "Security" settings from these GPOs:
Default Domain Policy
Revision Number: 3
Unique Name: {31B2F340-016D-11D2-945F-0 0C04FB984F 9}
Domain Name: Domain.COM
Linked to: Domain (DC=Domain,DC=com)
CtrAltDel Disable
Revision Number: 2
Unique Name: {1BC56C5F-D285-4D98-9F60-1 60957CC79A 7}
Domain Name: Domain.COM
Linked to: Organizational Unit (OU=Computers,OU=San Diego,DC=Domain,DC=com)
Run the Security Configuration Editor for more information.
========================== ========== ========== ========== =======
The computer received "EFS recovery" settings from these GPOs:
Local Group Policy
Revision Number: 8
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
Default Domain Policy
Revision Number: 3
Unique Name: {31B2F340-016D-11D2-945F-0 0C04FB984F 9}
Domain Name: Domain.com
Linked to: Domain (DC=Domain,DC=com)
Copyright (C) Microsoft Corp. 1981-1999
Created on Tuesday, May 14, 2002 at 1:31:38 PM
Operating System Information:
Operating System Type: Professional
Operating System Version: 5.0.2195.Service Pack 2
Terminal Server Mode: Not supported
##########################
User Group Policy results for:
CN=User Name,OU=San Diego,DC=Domain,DC=com
Domain Name: Domain
Domain Type: Windows 2000
Site Name: SanDiego
Roaming profile: (None)
Local profile: C:\Documents and Settings\UName
The user is a member of the following security groups:
Domain\Domain Users
\Everyone
BUILTIN\Users
BUILTIN\Power Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
The user has the following security privileges:
Bypass traverse checking
Change the system time
Shut down the system
Profile single process
Remove computer from docking station
##########################
Last time Group Policy was applied: Tuesday, May 14, 2002 at 1:29:21 PM
Group Policy was applied from: server02.Domain.com
==========================
The user received "Registry" settings from these GPOs:
Add Logoff to Start Menu
Revision Number: 1
Unique Name: {3D272D63-1FD8-4276-8ED3-8
Domain Name: vdda.com
Linked to: Domain (DC=Domain,DC=com)
The following settings were applied from: Add Logoff to Start Menu
KeyName: Software\Microsoft\Windows
ValueName: ForceStartMenuLogOff
ValueType: REG_DWORD
Value: 0x00000001
==========================
The user received "Internet Explorer Branding" settings from these GPOs:
IE Valley Header
Revision Number: 2
Unique Name: {0F6075EA-DD3F-4A8F-A4FE-7
Domain Name: Domain.com
Linked to: Domain (DC=Domain,DC=com)
IE Proxy Settings
Revision Number: 7
Unique Name: {52C19B3C-CF0A-4883-8FBF-A
Domain Name: Domain.com
Linked to: Domain (DC=Domain,DC=com)
IE Header
Revision Number: 2
Unique Name: {EBD4C74E-1382-4BE9-9C88-1
Domain Name: Domain.com
Linked to: Domain (DC=Domain,DC=com)
Additional information is not available for this type of policy setting.
##########################
Computer Group Policy results for:
CN=RECEPTIONIST-SD,OU=Win2
Domain Name: Domain
Domain Type: Windows 2000
Site Name: SanDiego
The computer is a member of the following security groups:
BUILTIN\Administrators
\Everyone
BUILTIN\Users
Domain\RECEPTIONIST-SD$
Domain\Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
##########################
Last time Group Policy was applied: Tuesday, May 14, 2002 at 1:28:06 PM
Group Policy was applied from: server02.Domain.com
==========================
The computer received "Registry" settings from these GPOs:
Local Group Policy
Revision Number: 8
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
Default Domain Policy
Revision Number: 3
Unique Name: {31B2F340-016D-11D2-945F-0
Domain Name: Domain.com
Linked to: Domain (DC=Domain,DC=com)
The following settings were applied from: Local Group Policy
KeyName: Software\Policies\Microsof
ValueName: EFSBlob
ValueType: REG_BINARY
Value: Binary data. Use the /S switch to display.
KeyName: Software\Policies\Microsof
ValueName: Blob
ValueType: REG_BINARY
Value: Binary data. Use the /S switch to display.
KeyName: Software\Policies\Microsof
ValueName:
ValueType: REG_NONE
Value: This key contains no values
KeyName: Software\Policies\Microsof
ValueName:
ValueType: REG_NONE
Value: This key contains no values
The following settings were applied from: Default Domain Policy
KeyName: Software\Policies\Microsof
ValueName: EFSBlob
ValueType: REG_BINARY
Value: Binary data. Use the /S switch to display.
KeyName: Software\Policies\Microsof
ValueName: Blob
ValueType: REG_BINARY
Value: Binary data. Use the /S switch to display.
KeyName: Software\Policies\Microsof
ValueName:
ValueType: REG_NONE
Value: This key contains no values
KeyName: Software\Policies\Microsof
ValueName:
ValueType: REG_NONE
Value: This key contains no values
==========================
The computer received "Security" settings from these GPOs:
Default Domain Policy
Revision Number: 3
Unique Name: {31B2F340-016D-11D2-945F-0
Domain Name: Domain.COM
Linked to: Domain (DC=Domain,DC=com)
CtrAltDel Disable
Revision Number: 2
Unique Name: {1BC56C5F-D285-4D98-9F60-1
Domain Name: Domain.COM
Linked to: Organizational Unit (OU=Computers,OU=San Diego,DC=Domain,DC=com)
Run the Security Configuration Editor for more information.
==========================
The computer received "EFS recovery" settings from these GPOs:
Local Group Policy
Revision Number: 8
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
Default Domain Policy
Revision Number: 3
Unique Name: {31B2F340-016D-11D2-945F-0
Domain Name: Domain.com
Linked to: Domain (DC=Domain,DC=com)
Well, that really doesnt make sense. I was hoping that a computer p;olicy was overwriting the user policy or something to that effect. There seems to be only one refernce to the IE branding of IE Header which is the setting you are looking for. If I apply that setting then it does set the IE header for me. I will continue looing it over and see if I can find anything for you by possibly trying to emulate a few things.
Thanks again for getting all this info. It is very helpful in trying to find and answer.
Thanks again for getting all this info. It is very helpful in trying to find and answer.
I understand that your IE header is not showing up, but is your IE Proxy settings comings also not being applied? Or are they?
ASKER
It appears that everything is working except for proxy settings. The Header and the logo are there. What is puzzling is the 3 GPOs that are coming up on the GPresult no longer exist, I combined them into 1 that is not showing up on the gpresult.
*The user received "Internet Explorer Branding" settings *from these GPOs:
*
* IE Valley Header
* IE Proxy Settings
* IE Header
Those are gone and they are now a GPO named IE Settings. Which by the way work on my PC that XP Pro and on the same site as the DC but are nowhere to be found on the remote site that has no DC and is pulling its domain settings from the same DC as I am. I put the GPO on the site, domain and OU in question, no change.
*The user received "Internet Explorer Branding" settings *from these GPOs:
*
* IE Valley Header
* IE Proxy Settings
* IE Header
Those are gone and they are now a GPO named IE Settings. Which by the way work on my PC that XP Pro and on the same site as the DC but are nowhere to be found on the remote site that has no DC and is pulling its domain settings from the same DC as I am. I put the GPO on the site, domain and OU in question, no change.
ASKER
I just realized that I never graded this answer since no one knew the answer. You have to disable Slow Link Detection at the PC.
ASKER