m4a2t0t

Group policy settings stop applying completely

I have a Windows 2k Domain Controller and 9 XP Pro workstation computers that are PC gaming computers. The problem I am encountering is that after a few days some group policy settings stop applying and no new policies will apply to any computer (except 1, I'll explain). This is the second time I have encountered this problem, and the first time I had to reformat my DC and almost every workstation. I reinstalled on Monday and had all the computers running with my policies applying and everything was just great. I came in this morning to try to install a new mod for a game and noticed that I could right click on the desktop, which should not be working as I disabled it on Monday. The one computer that worked was my workstation; I had never logged in to my workstation with the user account before, and when I did all policies applied properly. I also tried running system restore on 1 computer to Monday and the policies looked like they applied. Not all policies stop applying though: the task manager is disabled and my folder redirection still works, but the policy that stops the user from using the all users start menu items doesn't work. The policies that don't work are within the same GPO as policies that do apply.

I had the same problem last week, where I initially applied some policies and then a few days later I tried to lock down the computers and policies would not apply.

There are no errors logged in either the DC or the workstations. Actually, it says that the security settings have been applied.

Sebo2000

At what level did you apply the policies? I would suggest creating a testing OU and applying policies on it; configure computer policies first. Which policies don't work exactly? All users menu? Do you mean Start menu?
Take care

Sebo
PS. Check if you don't have conflicting GPs, but if they work at the beginning then I guess you don't.
m4a2t0t

ASKER

I tried setting the disable right click on desktop domain wide and it would not apply to the 8 computers; I didn't check and see if it would apply to my workstation.

I can't see how policies could apply to one computer and not the others; all the computers are in the computers OU and the users are in an OU named gaming.

I have nearly everything checked for the user config, so the things that don't work are: remove common programs from the start menu, remove shutdown from start menu, disable context menu (taskbar and desktop)... now that I think about it, the only thing that works is the folder redirection, and the task manager is disabled, but both are in different GPOs.
Pete Long
Windows Domain Group Policy

Configuring Account Policies in Active Directory

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q255/5/50.asp&NoWebContent=1


Troubleshooting

1. Ensure you have created a Domain Security policy, and not a local policy on a domain controller.

2. Ensure the group policy is applied either to the root of AD or the OU where the users/machines reside.

3. Right click either the policy or the level at which the policy was applied and select the security tab. Ensure "Apply Group Policy" is ticked.

4. Press Start > Run > SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE

5. Press Start > Run > SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE

6. Are your users seeing these error messages?

   Your account has been disabled. Please see your system administrator.

   OR

   Unable to log you on because your account has been locked out, please contact your administrator.

   If so see http://support.microsoft.com/default.aspx?scid=kb;en-us;279227

7. Account Lockout Problems see http://support.microsoft.com/default.aspx?scid=kb;en-us;274372

8. Machine Account Lockout Problems see http://support.microsoft.com/default.aspx?scid=kb;en-us;260930
http://support.microsoft.com/default.aspx?scid=kb;en-us;817701

9. Policy not being enforced Try http://support.microsoft.com/default.aspx?scid=kb;en-us;254174

10. Account Locking for no reason see
http://support.microsoft.com/default.aspx?scid=kb;en-us;328862

11. Policy not applying to users try
http://support.microsoft.com/default.aspx?scid=kb;EN-US;263693

12. You are only allowed one Domain Security Policy! see
http://support.microsoft.com/default.aspx?scid=kb;en-us;255550

13. Still no Joy! Try the official Microsoft Troubleshooting guide http://www.microsoft.com/windows2000/techinfo/howitworks/management/gptshoot.asp
m4a2t0t

ASKER

I just logged into each of the computers and there is 1 workstation that policies are now applying to. I looked into each computer's event viewer and there were no errors, and it said that security policies were applied properly. The only thing I saw was 1 thing in the event viewer, Lsasrv - "the security system could not establish a secured connection with the server DNS/prisioner.iana.org. No authentication protocol available."

I think your clients can't log in to the domain, and they are logging in to the local boxes. If the "No authentication protocol available" message appears, it means that clients can't be authenticated; if they can't be authenticated they will not get GP, they will just use local cached credentials to log in.
m4a2t0t

ASKER

All of my workstations are getting this error, even the ones where the policies are applying.

Where should I go from here? I agree that it seems like the workstations can login to the domain. I have looked through eventid.net and didn't see anything that pertained to my issue. I may try to delete the profile and see what happens.

Is there any way to make it so the computers won't log on if the DC is unavailable?

If the DC is unavailable then the client will log in locally with the cached credentials, but you can open AD Users and Computers and see who is logged in by looking at the Computers container and all the computer accounts that are up there. To me it looks like you are not logged in to the domain. Try to create an account on the DC, test123 with password test123, and log in from a workstation to the domain; if the DC is available then you will log in, if it's not then you won't because you don't have that account on the local box.

Take Care
sebo
m4a2t0t

ASKER

The test account logged in successfully; all computers show in the computers container.
m4a2t0t

ASKER

I tried deleting the user account on one of the computers where GP wasn't working, rebooted and relogged onto the computer, and my policies still are not working. The only thing that works is folder redirection, and task manager is disabled. I'm going to check and see if I disabled the task manager in the same GPO as folder redirection or the other GPO.
m4a2t0t

ASKER

The folder redirection and disable task manager are in 2 different GPOs. I also noticed that the disable and remove shut down works... well, it doesn't remove it from the start menu, but it removes the button when you press Ctrl+Alt+Del.
ASKER CERTIFIED SOLUTION
Sebo2000

This solution is only available to members.
m4a2t0t

ASKER

When I said I disabled them, I meant that they are enabled to be disabled ;) There are a total of 2 GPOs in my whole AD. I'll go through and triple check.
m4a2t0t

ASKER

Well, everything was working fine and I noticed that 1 computer lost it again. When I logged off the computer it said it was synchronizing files. It is only 1 computer this time. I turned off the DC today when I moved it, but none of the PCs were on when I did this.
m4a2t0t

ASKER

Turns out it is the Cafe program I have installed on the PCs. When I put a PC in maintenance mode it blocks my policies from applying.

Thanks for your help, I'll give sebo2000 200 points for helping.