Solved

AD, policy does not apply...

Posted on 2004-05-03
42
2,096 Views
Last Modified: 2010-04-13
Hi fellow experts..

I have a problem.
My users are set up in AD to route the my documents folder to \\server\%username%, that doesnt always work..
No problem while the user use the same computer every day, but often when they change seats.. This also goes for other policyobjects like settings for desktop and so on..

How to work around and be sure that the policy is effective?
Would a line in the startupscript for reapplying the policy have any effect?
or is there any way to set the folders path in my startupscript directly?

Thanx

Mattis
0
Comment
Question by:mattisflones
  • 15
  • 14
  • 5
  • +3
42 Comments
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
Ensure The group policy is applied  either to the Root of AD or the OU where the users/machines reside.

Right click either the policy or the level at which the policy was applied and select the security tab. Ensure "Apply Group Policy" is ticked.

Press Start > Run > SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE  (see note below)

Press Start > Run > SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE (see note below)

Policy not being enforced Try http://support.microsoft.com/default.aspx?scid=kb;en-us;254174

Policy not applying to users try
http://support.microsoft.com/default.aspx?scid=kb;EN-US;263693

Still no Joy! Try the official Microsoft Troubleshooting guide http://www.microsoft.com/windows2000/techinfo/howitworks/management/gptshoot.asp

*****NOTE*****

SECEDIT has been replaced in windows XP and Server 2003 with gpupdate (for syntax see below)
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/refrgp.mspx
0
 
LVL 15

Author Comment

by:mattisflones
Comment Utility
Hi Pete.
The links you provided does not apply.. there is an extremely simple architecture of this site so no possibilities for problems with that.
I suspect that this is a flaw with AD in general on the W2K platform as i have experienced the same on several sites..

Do you think that running SECEDIT in the startupscript will force the policy anyway? I havent explored that and dont know if it has any effect as long as the policy is not effectively applied automatically...
0
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
>>Do you think that running SECEDIT

Unsure, Ive never personally had to do this, as far as Im aware this would happen by default anyway? How big are the folders? just wondering? if they were VERY big the client might be struggling to pul them over the network?

Pete
www.petenetlive.com
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Are you using MS Word for your Docs..??   In smaller firms, I manually configure the default location within Word to push docs to a file server...  You can do this with most MS Office applications such as Excel, etc...

Open Word > Tools > Options > File Locations tab...  then modify the default location...

This is not the best way for organizations larger than say 50 clients, but it may work in your case..

FE
0
 
LVL 15

Author Comment

by:mattisflones
Comment Utility
Pete, The folders are in general about 5 Mb. So i dont think that should be a problem. No other problems with the network performance at all...
Its typical that it works for some users, then not for others.. and its not any differences that i can find in computer setup and so on..

Ill try out the SECEDIT in script, and let y`all know how it goes..

Fatal, To do this at each PC is no option.. Its all going to be set up and controlled remotely with no support personell on site. Way to much work..
 ;-) (got others tings to not do..)
0
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
>>;-) (got others tings to not do..)

Man, I know that feeling

**Afternoon Bill**

I know that AD is designed for you to set home drives on the user object, but have you tried ececuting a LOCAL login script for an offending user? with a good ole net use statement? then at least you can eliminate the client PC?

Pete
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Yea..  like I mentioned, I only do this in the smaller domains..  and I also know that feeling..  :)
0
 
LVL 7

Assisted Solution

by:rhrowson
rhrowson earned 250 total points
Comment Utility
Are your users in an OU or in the default Users container. In the latetr, GPO does not process correctly. I have certainly seen folder redirtection not working correctly.

To help to troubleshoot tis on a W2K platform. USe the Reskit tool GPresult (comes with XP), to see what policies are being applied and from what
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Actually, I like the RSOP tool myself...   XP also comes with this and it can be run from the Start > Run > rsop.msc (OK)...   It is not native to W2K Pro though...

FE
0
 
LVL 15

Author Comment

by:mattisflones
Comment Utility
rrhowson, thanx.. didnt know of that tool... does it run under W2K to? and the same for RSOP Fatal..?!

Seems like all settings are applied correctly, but i will try this on a usermachine on next failure.. Thnx..

The settings are set on top level in the domain, the only OU that has otherwise is the IT support staff OU witch has no override and works perfect!
0
 
LVL 1

Expert Comment

by:jon_godwin
Comment Utility
Are your client machines Windows XP, I have ran into occasions were XP machines will simulate network connections, before actually applying group policy in order to speed up logon.  Possibly a logon script with gpupdate /force will help you.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Suggest you grab this Doc from MS on Troubleshooting Group Policy..  It covers gpresult.exe, gpotool.exe, ReplMon.exe and other items that you may find worth the read...

Troubleshooting Group Policy in Windows 2000

http://www.microsoft.com/windows2000/techinfo/howitworks/management/gptshoot.asp
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Found another TS link from Technet..  Note the following when dealing with SlowLink connections:

Be careful when applying Group Policies over slow WAN links. Remember that the order of settings that are applied is not equal for every component. For example:

• Registry and Security settings are always applied.
 
• EFS and IP Security Settings are applied by default.
 
• Application Deployment, Scripts, Folder Redirection, and Disk Quotas are Not applied by default over slow links.
 
http://www.microsoft.com/technet/community/columns/profwin/pw0502.mspx
0
 
LVL 15

Author Comment

by:mattisflones
Comment Utility
jon godwin, no my clients run W2K.

Thanx Fatal, ill look at the links you gave, i got an idea on the slow wan link thingey, wonder if the five machines i`ve seen this on maybe is on a failing HUB.. I`m going to set up an extensive NW monitoring tomorrow and check if this happends on many simultaneous logins or something..

0
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 250 total points
Comment Utility
Are your clients running XP or 2K..??  If you open up your Domain Default GPO, you will find various places to turn off the slow link detection, or configure it appropriately...  i.e. Computer Config > Admin Templates > System > Logon > Do not detect slow link...

Additionally, ck this out:  Computer Config > Admin Templates > System > Group Policy > Folder Redirection Policy Processing

You may play with some of these settings to try to fix your problem...
0
 
LVL 7

Expert Comment

by:rhrowson
Comment Utility
Gpresult I first saw in the W2K Reskit. It is native to XP. Never knoew about RSOP.msc, so thanks Fatal Exception.

Gpresult is great, but it almost give too much information
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
If you have XP running on your network, I suggest you look into downloading the GPMC..  This is a wonderful tool that MS decided to give us to use, but can only be run on W2K3 or XP...   It has really brought together the ADUC and GPO interface into one very nice GUI...   But even though it must be installed on XP, it can be used to manage GPO's on a W2K server..   :)

Group Policy Management Console with Service Pack 1

http://www.microsoft.com/downloads/details.aspx?FamilyId=C355B04F-50CE-42C7-A401-30BE1EF647EA&displaylang=en

Administering Group Policy with the GPMC

http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx
0
 
LVL 15

Author Comment

by:mattisflones
Comment Utility
Hmm.. lots of good stuff..!
Even though we are thinking of XP clients we are not there yet.. We have W2K servers and workstations.
0
 
LVL 15

Author Comment

by:mattisflones
Comment Utility
Fatal and rhowson, i havent got my solution yet, but your efforts is a good step in the right direction.
So thanx! Ill award you the points..
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Wish we could have nailed it, but thanks..

FE
0
 
LVL 15

Author Comment

by:mattisflones
Comment Utility
I`ll post back if i get to the core of it! Promise...
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 15

Author Comment

by:mattisflones
Comment Utility
Btw, the problem is a little on and of now after a switch was exchanged.. Might be a slow networklink thingey...
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
:)  Luck to you..!!
0
 
LVL 15

Author Comment

by:mattisflones
Comment Utility
Thnx!
0
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
0
 
LVL 1

Expert Comment

by:rgilbert
Comment Utility
I have this same exact problem on my network running AD Windows 2000 Servers and both Windows 2000 and Windows XP clients.  Most computers have no problem getting the policy and applying the folder redirect.  However, you could be sitting next to a applied GPO computer, login, and the policy will not be applied, yet you try again later on that same computer and the redirection may work, vise versa, and any variation thereof……..  

There is no pattern between OSs, computers, rooms, etc....  The users reside in an OU with the applied policy with no existing hierarchical policies.   I’ve utilized the folder redirection policy processing and the tools mentioned above, yet I cannot find a cause to this sporadic issue.  I've never experienced anything quite like this, but after reading this I know I'm not the only one!
0
 
LVL 15

Author Comment

by:mattisflones
Comment Utility
Hmm.. Strange isnt`t it??!!
I got around by puting a secedit command in the startupscript.. But that causes XP to run a infodialog about the fact that XP dont use secedit but gpedit.. lol!!

0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
Interesting fix Matt...  Want to share that secedit command..??   (I know, I am lazy..  :)
0
 
LVL 15

Author Comment

by:mattisflones
Comment Utility
Sure:
secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce

I believe its the same for XP with gpupdate instead of secedit...
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
*grin*  I recognize that command..!!   Now I see what you are doing..  Thanks...
0
 
LVL 15

Author Comment

by:mattisflones
Comment Utility
:-) LOL! And you know what... its friday!
0
 
LVL 1

Expert Comment

by:rgilbert
Comment Utility
so refreshing the policy running a startup script works for you?
0
 
LVL 15

Author Comment

by:mattisflones
Comment Utility
Yup...
0
 
LVL 1

Expert Comment

by:rgilbert
Comment Utility
Interesing......

There has to be a logical excuse for this mess!  Nonetheless, I'm going to utilize this script.  Great feedback guys, thanks!
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
This is the EE is supposed to work...   :)
0
 
LVL 15

Author Comment

by:mattisflones
Comment Utility
Fatal:
"This is the EE it ts supposed to work", or "This is EE, i`m supposed to work" ???

:-)
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
This is the WAY EE is supposed to work..!!   LOL, eh.. that four letter word..!!

And you know, if we got points on grammer, I would be lucky if I broke 100....  :)
0
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
My fingers dont seem to be able to process the commands sent to them either :( must be a techhy thing
0
 
LVL 15

Author Comment

by:mattisflones
Comment Utility
LOL!
0
 
LVL 1

Expert Comment

by:rgilbert
Comment Utility
I have found that on the computers that randomly fail to apply the GPO, they get one of the following error in the Application Event Log (Windows XP):

Event ID: 1085
The Group Policy client-side extension Scripts failed to execute. Please look for any errors reported earlier by that extension.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I've checked EventID.net, Microsoft Knowledge Base, but none of their solutions apply to the problem I'm having with Group Policies...........

Any ideas?
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Comment Utility
rg..  you really need to open another thread for you question...  that way you will get the help you need...

FE
0
 
LVL 1

Expert Comment

by:rgilbert
Comment Utility
Make sure the File Replication Service is not in an error state....
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
In this article, I will show you HOW TO: Create your first Windows Virtual Machine on a VMware vSphere Hypervisor 6.5 (ESXi 6.5) Host Server, the Windows OS we will install is Windows Server 2016.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now