We help IT Professionals succeed at work.

GPO policies not being enforced correctly.

centium asked
Last Modified: 2010-04-14
I have a single domain which is running in replication between 2 DC's.  We upgraded one of the DC's to new hardware so we had to remove the current one and add a new DC's to the directory (this was a complete fresh install not just a hardware update).  Since this has happened GPO's are not being enforced to the workstations.

The GPO's are being applied.  I've checked on Windows 2000/XP machines and can see it enforced on the local system via gpresult and rsop.msc both show them.

I'm applying this GPO directly to an OU which has 2 objects for testing at this point.  The setting in the GPO i'm trying to have work are for SUS.  So I've loaded the wuau template for Administrative Templates.  I know the settings are correct due to the fact it has worked the months prior to this DC change.  I've checked on both DC's and the GPO is applied in the OU correctly with the right settings.

I've seen a problem with FRS (File Rep Service) not replicating correctly between the two DC's.  Here's a posting of the even log:

Event ID: 13516
Source: NtFrs  
Type: Information  
Description: The File Replication Service is no longer preventing the computer DESCARTES from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.

Type "net share" to check for the SYSVOL share.

I checked on Eventid.net for information about this and showed that this may not be something to worry about.  The SYSVOL shares are up on both DC's and working.

I'm just covering all angle's here to make sure I'm not missing anything.
Watch Question

The event you are listing is not a problem.  Every DC should show that after each boot up.
you mention that you are seeing that the policies are applying, but the clients do not seem to see your new settings.  Is that correct?
Check your application log for userenv and scecli events.

If your new DC has a different name, make sure you have removed the DNS entries for the old DC, as well as the old DC objects.
Let me know if you need more info on this.


I've done some further testing.  

What I can see is that the GPO's are being applied and working for some GPO's for the same OU.  The GPO I'm still having trouble with is for SUS, the settings are being applied but the machines are not attempting to run an update.  I've looked at the IIS logs on the SUS server and see no errors being generated.  I've also checked on the client machines I'm using for testing and the local machines WindowsUpdate.log is showing no problems but it's also not even trying to run the update.

There are no records of the old DC in DNS anywhere.
When you run RSOP on the clients, can you see the SUS settings as being applied?

Does a GPRESULT include your SUS policy in the list of policies applied to the machine?

Do your clients show any GPO application errors (look in the application log for userenv and scecli events)?

Open automatic updates on one of the clients, and you should see your settings applied and potentially greyed out.


The RSOP shows the SUS GPO tree there with the correct settings.

For GPRESULT the SUS GPO is there and applied.

The Scecli even has only and information entry for it correctly applying.

Yes, the automatic updates are greyed out.
I'm guessing that all your 2k clients are at least sp3 so they have the updater software installed.
verify that the 'automatic updates' service is started.
Also make sure the 'background intelligent transfer service' or BITS is started.
Unless the server you rebuilt was also your SUS server, patches should already be downloaded and approved, so that should not be the issue.

here is a way you can force a detection cycle:


I've updated the GPO for just the intranet server to be enforced.  On the local machine in the Windows Update.log there is this line which appears whenever it attemps to connect to the local SUS server:

2004-02-24 15:56:09  23:56:09   Error     IUENGINE       Library download error. Will retry. (Error 0x80072EFD)

On the SUS server running IIS there are not hits from the client machine.

Here's a forum discussing this type of a problem:
I saw that too...did not want to yet tell you to start it over from scratch...  have you checked the setting they mentioned at the end:
User Configuration/Administrative Templates/Windows Components/Windows Update set "Remove access to use all Windows Update featues" to Disabled.

Verify that the sus server allows at least authenticated users on:
computer config\windows settings\local policies\user rights\access this computer from the network


I've disabled WU for a test machine I've used and what happens is nothing because I'd assume the client machine can't even see if it's in need of any updates.  Also when this happens there are no entries within the IIS server web logs or local machine errors in the Windows Update.log

For the GPO Sec Pol it is aloud access via the network.
Did you see any changes after unsetting the AU, and then resetting them?


No changes,

I looked further into the SUS problems and found that the BITS service was not starting on boot.  I've started the service and rebooted the server, which has caused a problem with SUS and IIS.  I'm going to reinstall SUS and see if that helps.
This one is on us!
(Get your first solution completely free - no credit card required)
anything new centium?


Nothing new is happened and at my office we're just going to delay the SUS rollout until WUS is released.

Sorry guys.


To contiune my last post, I have tested SUS and have had it kinda start to work again from reinstalling SUS and the GPMC did help alot thanks!
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.