Solved

Group policy settings stop applying completely

Posted on 2003-11-26
Last Modified: 2010-04-14
I have a Windows 2k Domain Controller and 9 XP Pro Workstation computers that are PC Gaming computers. The problem I am encountering is that after a few days some group policy settings stop applying and no new policies will apply to any computer (except 1, I'll explain). This is the second time I have encountered this problem and the first time I had to reformat my DC and almost every workstation. I reinstalled on Monday and had all the computers running with my policies applying and everything was just great. I came in this morning to try to install a new mod for a game and noticed that I could right click on the desktop, which should not be working as I disabled it on Monday. The one computer that worked was my workstation; I had never logged in to my workstation with the user account before, and when I did all policies applied properly. I also tried running system restore on 1 computer to Monday and the policies looked like they applied. Not all policies stop applying though: the task manager is disabled and my folder redirection still works, but the policy that stops the user from using the all users start menu items doesn't work. The policies that don't work are within the same GPO as policies that do apply.

I had the same problem last week where I initially applied some policies and then a few days later I tried to lock down the computers and policies would not apply.

There are no errors logged in either the DC or the workstations. Actually, it says that the security settings have been applied.

0
Question by:m4a2t0t
15 Comments
 
LVL 6

Expert Comment

by:Sebo2000
ID: 9829549
At what level did you apply the policies?? I would suggest creating a testing OU and applying policies to it. Configure computer policies first. Which policies don't work exactly?? All users menu? Do you mean Start menu?
Take care

Sebo
PS. Check that you don't have conflicting GPs, but if they work at the beginning then I guess you don't.
0
 

Author Comment

by:m4a2t0t
ID: 9829589
I tried setting the disable right click on desktop domain wide and it would not apply to the 8 computers; I didn't check and see if it would apply to my workstation.

I can't see how policies could apply to one computer and not the others; all the computers are in the computers OU and the users are in an OU named gaming.

I have nearly everything checked for the user config, so the things that don't work are: remove common programs from the start menu, remove shutdown from start menu, disable context menu (taskbar and desktop)... now that I think about it, the only thing that works is the folder redirection, and the task manager is disabled, but both are in different GPOs.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 9830412
Windows Domain Group Policy

Configuring Account Policies in Active Directory

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q255/5/50.asp&NoWebContent=1


Troubleshooting

1. Ensure you have created a Domain Security policy, and not a local policy on a domain controller.

2. Ensure the group policy is applied either to the Root of AD or the OU where the users/machines reside.

3. Right click either the policy or the level at which the policy was applied and select the security tab. Ensure "Apply Group Policy" is ticked.

4. Press Start > Run > SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE

5. Press Start > Run > SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE

6. Are your users seeing these error messages....

   Your account has been disabled. Please see your system administrator.

   OR

   Unable to log you on because your account has been locked out, please contact your administrator.

   If so see http://support.microsoft.com/default.aspx?scid=kb;en-us;279227

7. Account Lockout Problems see http://support.microsoft.com/default.aspx?scid=kb;en-us;274372

8. Machine Account Lockout Problems see http://support.microsoft.com/default.aspx?scid=kb;en-us;260930
http://support.microsoft.com/default.aspx?scid=kb;en-us;817701

9. Policy not being enforced Try http://support.microsoft.com/default.aspx?scid=kb;en-us;254174

10. Account Locking for no reason see
http://support.microsoft.com/default.aspx?scid=kb;en-us;328862

11. Policy not applying to users try
http://support.microsoft.com/default.aspx?scid=kb;EN-US;263693

12. You are only allowed one Domain Security Policy! see
http://support.microsoft.com/default.aspx?scid=kb;en-us;255550

13. Still no Joy! Try the official Microsoft Troubleshooting guide http://www.microsoft.com/windows2000/techinfo/howitworks/management/gptshoot.asp
0
 

Author Comment

by:m4a2t0t
ID: 9832773
I just logged into each of the computers and there is 1 workstation that policies are now applying to. I looked into each computer's event viewer and there were no errors, and it said that security policies were applied properly. The only thing I saw was 1 thing in the event viewer, Lsasrv - " the security system could not establish a secured connection with the server DNS/prisioner.iana.org. No authentication protocol available."
0
 
LVL 6

Expert Comment

by:Sebo2000
ID: 9833020
I think your clients can't log in to the domain, and they are logging in to the local boxes. If the "No authentication protocol available" message appears, it means that clients can't be authenticated. If they can't be authenticated they will not get GP; they will just use local cached credentials to log in.
0
 

Author Comment

by:m4a2t0t
ID: 9838966
All of my workstations are getting this error, even the ones where the policies are applying.

Where should I go from here? I agree that it seems like the workstations can log in to the domain. I have looked through eventid.net and didn't see anything that pertained to my issue. I may try to delete the profile and see what happens.

Is there any way to make it so the computers won't log on if the DC is unavailable?
0
 
LVL 6

Expert Comment

by:Sebo2000
ID: 9839227
If the DC is unavail. then the client will log in locally with the cached credentials, but you can open AD Users and Computers and see who is logged in by looking at the Computers container and all the computer accounts that are up there. To me it looks like you are not logged in to the domain. Try to create an account on the DC, test123 with password test123, and log in from a workstation to the domain. If the DC is available then you will log in; if it's not then you won't, because you don't have that account on the local box.

Take Care
sebo
0

Author Comment

by:m4a2t0t
ID: 9839274
The test account logged in successfully; all computers show in the computers container.
0
 

Author Comment

by:m4a2t0t
ID: 9839364
I tried deleting the user account on one of the computers where GP wasn't working, rebooted and relogged onto the computer, and my policies still are not working. The only thing that works is folder redirection, and task manager is disabled. I'm going to check and see if I disabled the task manager in the same GPO as folder redirection or the other GPO.
0
 

Author Comment

by:m4a2t0t
ID: 9839520
The folder redirection and disable task manager are in 2 different GPOs. I also noticed that the disable and remove shut down works... well, it doesn't remove it from the start menu but it removes the button when you press ctrl+alt+del.
0
 
LVL 6

Accepted Solution

by:
Sebo2000 earned 200 total points
ID: 9850194
In this case the GPO is the problem; maybe you didn't set it up properly or configure it properly. Sometimes when you have a lot of GPOs it's very easy to miss something (enable, disable, not configured). I had similar problems when I was setting up around 50 GPOs; just go over them and check for little mistakes. If they log in to the domain, and you have 1 DC, it should work flawlessly.
Run a little test, and also enable the GPO so Help from the Start button will disappear, but do not disable but enable that policy and check if it will go off. When you are configuring that policy, the policy itself must be enabled to disable Help from Start :) I know it's a little tricky but that's how MS is naming stuff :)) I think the rest of your policies are configured the same way: you disabled them (and they are disabled) instead of enabling them so they are active (and e.g. task mng is disabled).

Take Care
Sebo
0
 

Author Comment

by:m4a2t0t
ID: 9851939
When I said I disabled them I meant that they are enabled to be disabled ;) There are a total of 2 GPOs in my whole AD. I'll go through and triple check.
0
 

Author Comment

by:m4a2t0t
ID: 9908609
Well, everything was working fine and I noticed that 1 computer lost it again. When I logged off the computer it said it was synchronizing files. It is only 1 computer this time. I turned off the DC today when I moved it but none of the PCs were on when I did this.
0
 

Author Comment

by:m4a2t0t
ID: 9975305
Turns out it is the Cafe program I have installed on the PCs. When I put a PC in maintenance mode it blocks my policies from applying.

Thanks for your help, I'll give sebo2000 200 points for helping.
0
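
Added example, not part of the original thread: when the event log reports policy as applied but lockdown settings are visibly missing, as happened here, checking the logged-on user's policy registry values shows which settings actually landed on the workstation. The script assumes PowerShell is installed on the workstation, that it runs as the affected user, and that each setting named in the thread was set to Enabled (value 1); the registry value names are the standard ones behind those Administrative Template settings.

```powershell
# Added example: verify that the user-side lockdown settings named in this thread
# are present in the logged-on user's policy registry keys.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

# Expected state (assumption: every setting is "Enabled" in the GPO, i.e. DWORD 1).
$expected = @(
    @{ Key = 'Explorer'; Name = 'NoViewContextMenu'; Setting = 'Disable right-click on desktop' }
    @{ Key = 'Explorer'; Name = 'NoTrayContextMenu'; Setting = 'Disable taskbar context menu' }
    @{ Key = 'Explorer'; Name = 'NoCommonGroups';    Setting = 'Remove common program groups' }
    @{ Key = 'Explorer'; Name = 'NoClose';           Setting = 'Remove Shut Down from Start menu' }
    @{ Key = 'System';   Name = 'DisableTaskMgr';    Setting = 'Remove Task Manager' }
)

function Test-LockdownPolicy {
    param([string]$BasePath, [object[]]$Expected)
    foreach ($item in $Expected) {
        $path   = Join-Path $BasePath $item.Key
        $actual = $null
        if (Test-Path $path) {
            # A missing value is not an error here; it is the condition being detected.
            $prop = Get-ItemProperty -Path $path -Name $item.Name -ErrorAction SilentlyContinue
            if ($prop) { $actual = $prop.($item.Name) }
        }
        New-Object PSObject -Property @{
            Setting = $item.Setting
            Value   = $item.Name
            Actual  = $actual
            Applied = ($actual -eq 1)
        }
    }
}

$results = Test-LockdownPolicy -BasePath $base -Expected $expected
$results | Format-Table Setting, Value, Actual, Applied -AutoSize

$missing = @($results | Where-Object { -not $_.Applied })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) lockdown setting(s) not in effect for $env:USERNAME on $env:COMPUTERNAME"
    # List the GPOs the client reports as applied or filtered out for this user.
    gpresult /scope user /v
}
```

A setting that `gpresult` lists under an applied GPO but that is absent from the registry points at something on the workstation removing or blocking it after policy processing, which is the situation the thread ended up with.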
