Col_Beckwith
asked on
Group policy not being accepted on XP Clients
I have 2 Windows 2000 Domain controllers. Recently I have added 5 new Dell dimension 2350 desktop computers with XP Pro to the domain. For some reason, they are not accepting some group policy updates. I have a policy set to install pc anywhere from a network share, this policy works for all other computers in the company, which include windows2000 and xp pro clients.
I have run GPRESULT from the win2k resource kit on the client boxes in question, and they are getting some policy changes from the domain controller that is assigning them but not others. The credentials appear the be identical to other computers in the domain, so I have ruled out access rights as a possible reason. The only difference I have found is that the boxes in question are Dells that came with the OS pre installed, they are the only ones with this problem. I have deleted networking completely and reinstalled it, I removed them from the domain, renamed them and rejoined them to the domain. I have run gptool on the dcs to validate the policies, which returns no errors. Everything else on the client boxes seems to be working normally, DNS, they are accepting their DHCP assignments, and connecting to the network with no other issues. I have also uninstalled ALL dells preinstalled software. If anyone has any other solutions on this - HELP! Its driving me insane, I cannot alter the clients SUS settings via group policy, and therefore have to install updates and patches manually. Granted its only on 5 boxes, but something has gone wrong. I dont want to have to reinstall the os, but Im getting desparate.
Thanks
I have run GPRESULT from the win2k resource kit on the client boxes in question, and they are getting some policy changes from the domain controller that is assigning them but not others. The credentials appear the be identical to other computers in the domain, so I have ruled out access rights as a possible reason. The only difference I have found is that the boxes in question are Dells that came with the OS pre installed, they are the only ones with this problem. I have deleted networking completely and reinstalled it, I removed them from the domain, renamed them and rejoined them to the domain. I have run gptool on the dcs to validate the policies, which returns no errors. Everything else on the client boxes seems to be working normally, DNS, they are accepting their DHCP assignments, and connecting to the network with no other issues. I have also uninstalled ALL dells preinstalled software. If anyone has any other solutions on this - HELP! Its driving me insane, I cannot alter the clients SUS settings via group policy, and therefore have to install updates and patches manually. Granted its only on 5 boxes, but something has gone wrong. I dont want to have to reinstall the os, but Im getting desparate.
Thanks
on the client machine.. see if there is a security policy(local group policy object) in place and if there is a setting.. that is configured not to inherit the policy from the domain..
Use the following command:
gpupdate /sync
OR
gpupdate /force
then restart PC.
After that Start "Help and support", Click "tools" in the rightside of the window.
Choose "Special system information" then Results of Group policy (I have a Hungarian XP, so I have to translate menus back, sorry)
You can find useful information here.
Finally, check GPO permission. Is it permitted to apply policy to these machenes?
Tamás Lepenye
from Hungary
(Sorry for grammar)
gpupdate /sync
OR
gpupdate /force
then restart PC.
After that Start "Help and support", Click "tools" in the rightside of the window.
Choose "Special system information" then Results of Group policy (I have a Hungarian XP, so I have to translate menus back, sorry)
You can find useful information here.
Finally, check GPO permission. Is it permitted to apply policy to these machenes?
Tamás Lepenye
from Hungary
(Sorry for grammar)
ASKER
Ok, adonis1976 - I couldnt find anything in local gp on the client boxes that would deny group policy updates.
lepenyet, I tried your suggestion and noticed that USER group policies are being accepted on any given box, but COMPUTER policies, which is the case here in this problem are NOT being updated on the client box. Again, this is only happening on these Dells. One other thing worth mentioning is that if I try a net send command to any of these computers, using fqdn or their netbios names, they are not found in the attempt, the "message alias could not be found on the network", and if I run nbtstat -a against the netbios name of the boxes, the current logged on user <03> unique doesnt appear in the in the results even though a current use is logged on. Dunno if this is related. One other thing I noticed using the Help and Support to view GP results on the clients boxes, is that the Site information is blank for the client box, ie what site it belongs to, all the other computers have this info, however, the domain it belongs to is correctly listed. Something is not updating. By the way, thanks for the help and support gp view, I didnt know XP had that, I was used to using GPRESULT on win2k boxes.
lepenyet, I tried your suggestion and noticed that USER group policies are being accepted on any given box, but COMPUTER policies, which is the case here in this problem are NOT being updated on the client box. Again, this is only happening on these Dells. One other thing worth mentioning is that if I try a net send command to any of these computers, using fqdn or their netbios names, they are not found in the attempt, the "message alias could not be found on the network", and if I run nbtstat -a against the netbios name of the boxes, the current logged on user <03> unique doesnt appear in the in the results even though a current use is logged on. Dunno if this is related. One other thing I noticed using the Help and Support to view GP results on the clients boxes, is that the Site information is blank for the client box, ie what site it belongs to, all the other computers have this info, however, the domain it belongs to is correctly listed. Something is not updating. By the way, thanks for the help and support gp view, I didnt know XP had that, I was used to using GPRESULT on win2k boxes.
Hi,
Is it worth trying SECEDIT /REFRESHPOLICY on the XP Clients?
It does sound a bit strange with these clients. Are they showing up in the DNS Snap in on the server? I presume they ping OK?
Are you using WINS as well as DNS? Are these clients using the same settings under IPCONFIG /ALL? LMHOSTS lookup enabled on the clients?
Is it worth trying SECEDIT /REFRESHPOLICY on the XP Clients?
It does sound a bit strange with these clients. Are they showing up in the DNS Snap in on the server? I presume they ping OK?
Are you using WINS as well as DNS? Are these clients using the same settings under IPCONFIG /ALL? LMHOSTS lookup enabled on the clients?
ASKER
all the networking settings are indentical. Ive use secedit /refreshpolicy from the server - machine_policy, I used GPUPDATE as per lepenyets comments to no avail. I assume they do the same thing on the client machines. The client boxes ping fine, the log on to the domain with no problems. They are showing up in the dns snap in on the servers with the correct ip address as assigned by dhcp server.
ASKER
I solved the riddle. Issue was the network adapter - a broadcom 440. I used a registry hack to modify dhcp media sense in hkey_local_machine, system, current control set, services, tcpip, parameters. I added a DWORD value "DisableDHCPMediaSense" and set its value to one. Apparently there is a bug on some adapters where group policies for machines assigned by the DC will not be propagated because of the media sense parameter. Upon reboot, the client boxes accepted the install for the local machine and bingo it all started working.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
4/5 Years later and the Dell Vostro 220s still has the same problem
The registry hack worked....I will send an email to Dell and request them to pre-hack the registry on all computers with the Broadcom LAN Card.
The registry hack worked....I will send an email to Dell and request them to pre-hack the registry on all computers with the Broadcom LAN Card.