Solved

!!Group Policies!! Once again, I am having a GP problem!!!!!!!!

Posted on 2004-08-09
Last Modified: 2008-02-01
Okay let me explain everything...

My Local Computer has 2 accounts on it.... One of which is under my computer domain and the other is the one set on my servers domain. The domain is the one I want the GP on which is "EDWARDSLABEL/SHANEC". Now what I have done to test the GP settings is I went into active directory and removed all the "MEMBERS OF" from my account except "USERS". I made a new OU named "TEST FOR POLICIES" and gave it something simple (I set IE's homepage to "http://www.hotmail.com"). I moved my account from the Built-In "USERS" folder into the new "TEST FOR POLICIES" folder. I also moved my COMPUTER from the "COMPUTERS" folder over to "TEST FOR POLICIES". Now, any policies I set... do NOT work on this machine. I have tried a lot of different things.

All of you should know... My local machine that I am setting the policies for is running "Windows XP PRO" and our server is running "Windows 2000 Server". The server is up to date with all of its critical updates.

By the way, last time, the problem was that my DNS from my local machine was not pointing to the server but now it is so I don't know exactly what is happening. It seems like when I am logging into my computer that it ignores all the policies it's trying to set and just boots up normally as it would. The problem may be that I have an account on my local machine set as the administrator... basically:

I login using this info:
user: shanec
domain: EDWARDSLABEL

That is perfect. When you look in my computer when it logs in, this is what you see:

Control Panel=>User Accounts=>

::Account 1::
user: Shane
domain: SHANEC
(Administrator)

::Account 2::
user: shanec
domain: EDWARDSLABEL
(Administrator)

The reason I have an administrative account is kind of temporary: the conflict I was having when I would log onto the server was that I did not have the correct permissions for anything, because I didn't have the account set up on the local machine. This is what I think the problem is. I think that if I remove this account from my local machine and just log on through the server, it will start up with the policies and all, but the bad thing is, I can't control Norton AntiVirus and other programs.

This is extremely important and worth 500 points. Thank you.
Question by:Waynebebay
Author Comment

by:Waynebebay
www.twistedchain.com/gpsecurity.bmp  ====> GP Properties

Author Comment

by:Waynebebay
That's how all of the names are for the properties of the Group Policy. Read and Apply Group Policy are checked.

Expert Comment

by:Frente69
Hello,
If you log onto the XP machine, the first thing to do is look in the event log to see if anything is logged.
Right-click on My Computer and click Manage.
Then double-click on Event Viewer. From memory I think faults with group policy normally show up under the Application log. Have a browse through the error and warning messages and see if any are related to group policy. Also keep an eye out for messages with scecli. Double click on message. It should hopefully read "Security policy in the Group policy objects has been applied successfully." Take a note of the date it last happened on and think of any changes that were made to the system on that day.

Next thing to check is if you're getting group policy at all.
Click on the Start button.
Click on Run.
Type in cmd.
In the window that pops up type in gpresult.
It will give you a lot of information.
Under User Settings and Computer Settings you should see a heading that reads:

Applied Group Policy Objects
-----------------------------

See if your policies show up under there.
Either way type in 'gpupdate /force' (without quotes).
This will make the PC go to the server and grab the latest group policy regardless of whether it has been changed or not.

if you see your policy under:
 The following GPOs were not applied because they were filtered out
 -------------------------------------------------------------------

then it means that something is wrong with the policy. In my experience it's either a permissions thing (which looks fine from the pic you posted), the policy is empty, or else it is corrupt.

Feel free to paste any of the results you get from gpresult if you need help understanding what it means.

Expert Comment

by:Frente69
Sorry, I may have been a bit vague in some of that... it's first thing in the morning here, still waking up.
Where I said "Also keep an eye out for messages with scecli. Double click on message." it "should" have read:
Keep an eye out for messages where the source is SceCli. You can double-click on the messages to view a more detailed description of what is within the message.
Just felt I should make that a bit clearer as I have no idea of your IT background :-)

Feel free to post any questions

Cheers
Frente

Author Comment

by:Waynebebay
What the command prompt and the event log are saying is that there is no domain to get the policy from:

"Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp."

and this:

"Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp."

Author Comment

by:Waynebebay
How is that possible... I log into windows using the domain... I also have my dns pointed to the domain.

Expert Comment

by:Frente69
WinXP "caches" (in a roundabout way) your username and password. Go back into the command prompt again and type ping servername (servername being the name of your server) just to check and make sure that you can actually contact it. Are you running more than one PC on your domain? Do any of them have the problem or is it just the one?

Author Comment

by:Waynebebay
I can ping it, there are about 10 to 30 comps running on this domain.

I believe I am the only one with this problem.

Expert Comment

by:Frente69
What message did it give when you did gpupdate /force from the command prompt?

Author Comment

by:Waynebebay
What's weird is that when I delete my computer from the Active Directory, it will not let me log into the server. Usually it would just create a new one and store it under the "COMPUTERS" folder, but nope.

I just restarted and logged on and I think I'm gonna try to log on under someone else's account just to test....

I will be back tomorrow early in the morning... after this test... I gotta leave, need to go home =)

Author Comment

by:Waynebebay
The force message was successful, but when I did gpresult it said no domain.

Assisted Solution

by:Frente69
Frente69 earned 200 total points
Yep, when you test with another user account, try and make sure it's one that has never been used on your computer before.
I don't think that's weird that your computer account is not automatically created; that's normal behavior. If you delete your computer's account from AD then AD will deny access to the domain. It's a security thing. Otherwise anyone off the street could walk in, plug their computer in and be on your domain without authorisation. What it's now sounding like you need to do is remove your computer from the domain (on the actual computer itself) by:
right-clicking on My Computer
click Properties
click the Computer Name tab
click Change
under where it says "Member of" click Workgroup
type in a workgroup name (it can be anything)
restart the PC, log in as the local admin account
repeat the process, except this time click Domain instead of Workgroup and type in the domain name. You will need to enter a user account with "add computer to domain" privileges to add the computer to the domain.
restart
You can't just delete and create the computer account in AD because the Security ID on the computer and in AD need to match up.


Accepted Solution

by:vand
vand earned 300 total points
Have you checked for a disjoint namespace?

Confirm that a disjoint namespace exists using either the System control panel applet, or the Netdiag tool. Right-click My Computer, select Properties, and click the Computer Name tab. If the DNS suffix of the computer name doesn’t match what is listed for the domain name, there is a disjoint namespace. Three examples of a disjoint namespace as displayed in the Computer Name tab of System Properties:

Full computer name: dc01.fabrikam.com
Domain: contoso.com

Full computer name: dc01.corp.contoso.com
Domain: contoso.com

Full computer name: dc01
Domain: contoso.com

In Netdiag, if the DNS suffix on the DNS Host Name does not match the DNS Domain Name, there is a disjoint namespace. The following are three examples of a disjoint namespace.

DNS Host Name: dc01.fabrikam.com
DNS Domain Name: contoso.com

DNS Host Name: dc01.corp.contoso.com
DNS Domain Name: contoso.com

DNS Host Name: dc01
DNS Domain Name: contoso.com

If for example the domain name is “contoso” and not “contoso.com”, it is a single-label DNS name and the AllowSingleLabelDnsDomain setting must be used on 2000 SP4 and XP/2003 machines.

Netbios Domain name. . . . . . : FABRIKAM
Dns domain name. . . . . . . . : contoso.com

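The disjoint-namespace check described in this answer, as an added example that is not part of the thread and not a Microsoft tool: a small Python script that parses Netdiag-style "DNS Host Name" / "DNS Domain Name" lines, compares the host's DNS suffix with the domain's DNS name, and also flags a single-label domain name. The sample text is constructed from the three disjoint examples above plus one healthy host (dc02.contoso.com, an assumed name).

```python
"""Detect a disjoint namespace from Netdiag-style output (added example)."""
import re
from typing import List, Tuple

# Constructed sample: the three disjoint cases from the answer plus one
# healthy host whose suffix matches the domain (dc02.contoso.com is assumed).
NETDIAG_SAMPLE = """\
DNS Host Name: dc01.fabrikam.com
DNS Domain Name: contoso.com

DNS Host Name: dc01.corp.contoso.com
DNS Domain Name: contoso.com

DNS Host Name: dc01
DNS Domain Name: contoso.com

DNS Host Name: dc02.contoso.com
DNS Domain Name: contoso.com
"""


def dns_suffix(full_computer_name: str) -> str:
    """Everything after the first label, or '' for a single-label host name."""
    host = full_computer_name.strip().rstrip(".").lower()
    _, sep, suffix = host.partition(".")
    return suffix if sep else ""


def is_disjoint(full_computer_name: str, domain: str) -> bool:
    """True when the computer's DNS suffix is not the AD domain's DNS name.

    A child zone (corp.contoso.com) and a missing suffix both count, exactly
    as in the three examples from the answer.
    """
    return dns_suffix(full_computer_name) != domain.strip().rstrip(".").lower()


def is_single_label(domain: str) -> bool:
    """A domain such as 'contoso' (no dot at all) is a single-label DNS name."""
    return "." not in domain.strip().rstrip(".")


def parse_netdiag(text: str) -> List[Tuple[str, str]]:
    """Pair each 'DNS Host Name' line with the following 'DNS Domain Name' line."""
    hosts = re.findall(r"^DNS Host Name:\s*(\S+)", text, re.M)
    domains = re.findall(r"^DNS Domain Name:\s*(\S+)", text, re.M)
    if len(hosts) != len(domains):
        raise ValueError("unpaired DNS Host Name / DNS Domain Name lines")
    return list(zip(hosts, domains))


def find_disjoint(text: str) -> List[str]:
    """Return the host names whose DNS suffix does not match their domain."""
    return [host for host, domain in parse_netdiag(text) if is_disjoint(host, domain)]


if __name__ == "__main__":
    for host, domain in parse_netdiag(NETDIAG_SAMPLE):
        verdict = "DISJOINT" if is_disjoint(host, domain) else "ok"
        print(f"{host:26} {domain:14} {verdict}")
```

Running it prints DISJOINT for the first three hosts and ok for dc02.contoso.com; the same comparison applies to the "Full computer name" / "Domain" pair shown in the Computer Name tab.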

Expert Comment

by:vand
Another test: verify that your SIDs are being translated.

You could also try deleting the PC from DNS and recreating it.

Expert Comment

by:vand
Are you getting a 1030 error in the event log?

With an error 1030 and group policy problems, the client may be having problems getting to the sysvol share on a DC in your domain. You should be able to access \\dcname\sysvol from any client; they connect to that share to obtain group policy info. Try connecting to it manually to see what happens. You should also verify that the sysvol share exists on all DCs, and check permissions of the directory. Check DNS to make sure that the client is configured to point to a Win2k DNS server or one that supports SRV records and dynamic updates.

This happens if a user right in a policy is being applied to a user or group that doesn't exist. When the policy is refreshed it looks for the account and generates the error because it fails to find or map to the account.
You can enable group policy processing logging to find out which account is doing this. There is a registry value that creates a log file during policy propagation. The log file is located in systemroot\Security\Logs\Winlogon.log. You can examine this log file to identify specific errors that occur during policy propagation to the computer.

The registry key is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

For the new registry value, type: ExtensionDebugLevel

For the registry data type, click: REG_DWORD

For the registry data, type: 2

Author Comment

by:Waynebebay
Ok I am back....

What I have done is recreated the account on my local computer and it seems to connect to the domain now, but when I type 'gpresult' in the command prompt it gives me this error:

INFO: The user "EDWARDSLABEL/Shanec" does not have RSOP data.

Author Comment

by:Waynebebay
I know it recognized my computer because it added it into the Active Directory with all the comp info.... What the hell?

Expert Comment

by:Frente69
I hate giving URLs to read, but I had the same problem once:
http://www.experts-exchange.com/Networking/Q_20728335.html
My problem seemed to be a replication problem; from the sounds of it you're only running 1 server (correct me if I am wrong).
Just take a read through that and see if any of it seems like it might help.

Cheers
F


Expert Comment

by:vand
If you run rsop against the XP machine (start | run | rsop.msc), what does it show you? If the "Computer Configuration" or "User Configuration" node has a yellow bang or red x on it, right-click on the node and choose properties, then click the Error Information tab to see where exactly the failure is happening (GP Core, a particular policy extension, etc.)


Author Comment

by:Waynebebay
Vand:

"Wednesday, August 11, 2004 9:08:32 AM

Group Policy Infrastructure failed due to the error listed below.
The specified domain either does not exist or could not be contacted.

Note:  Due to the GP Core failure, none of the other Group Policy components processed their policy.  Consequently, status information for the other components is not available."

Expert Comment

by:vand
Everything seems to be pointing at a DNS failure of some kind.

Just to be sure, you're not trying to apply XP policies, right? The .adm files for group policy are different on 2000 than XP; if you want to administer XP policies from a 2000 server you will have to update the .adms.

This normally will not cause errors like you're seeing though.

Try the steps below to see if the query works:
1. type nslookup and hit enter
2. type set type=srv and enter
3. type _ldap._tcp.domainname.com and hit enter
4. you should see something like this if it works.

_ldap._tcp.domain.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = computername.domainname.com
computername.domainname.com  internet address = 192.168.0.1
computername.domainname.com internet address = 25.65.3.81

If that fails then it is definitely a DNS problem.

Expert Comment

by:vand
Also verify that your SRV records are there on the 2000 server.

Expert Comment

by:vand
You could try this too.

Go to Domain Controller policy drill down to:
Computer Configuration
 Windows Settings
   Security Settings
    Local Policies
     Security Options
find Domain member: Digitally encrypt or sign secure channel data (always)
and set to Disabled
find Microsoft network server: Digitally sign communications (always) and
set to Disabled

Author Comment

by:Waynebebay
We are getting closer dude.

_ldap told me that I am trying to reach a non-existent domain.

And all the other stuff you are talking about, kinda walk me through it because I am still a lil new with the backroads to 2000 Server. Thanks Vand..
LVL 6

Expert Comment

by:vand
Just so I'm going in the right direction: for the nslookup, when you typed _ldap._tcp.domainname.com, you did type your FQDN, right? For example _ldap._tcp.waynebebay.local; the .com is also just part of the example.

If you did,

For the SRV records, take a look at the 2000 server DNS and make sure that you have all of the folders (_msdcs, _sites, -tcp) etc.

For the policy, you will need to go into AD and modify the Default Domain Controller Policy.

Did you ever check on the disjointed name space I mentioned in my previous post?


Author Comment

by:Waynebebay
**************************1**************************************
I typed in:

_ldap._tcp.edwardslabel.com

That is the correct domain name... I know that. It then tells me

"*** ns1.megapath.net can not find _ldap._tcp.edwardslabel.com: Non-Existing Domain"

*****************************************************************
**************************2**************************************
I looked at the DNS configuration in the 2000 server and I have the folders _msdcs, _sites, _tcp, and _udp, then I have a bunch of hosts, then a name server and a start of authority.

www.twistedchain.com/dns.bmp

*****************************************************************
**************************3**************************************
I have no clue what you are saying about the policies but here is my AD:

www.twistedchain.com/AD.bmp

*****************************************************************

Thanks Vand

Author Comment

by:Waynebebay
Yes I read about the disjointed name space and here is what mine says...

www.twistedchain.com/namespace.bmp

Expert Comment

by:vand
when you ping edwardslabel.com does it resolve to the correct Internal, private address?
This should resolve to 192.168.1.50
A ping to www.edwardslabel.com should resolve 216.251.43.98

"*** ns1.megapath.net can not find _ldap._tcp.edwardslabel.com: Non-Existing Domain"

NS1.megapath.net should not be trying to find your domain, this indicates an external lookup.

Also, from the dns screen shot, I did not see the shanec host file.

Remove any local hosts and lmhosts entries you may have, and make sure 192.168.1.50 is your primary DNS on the problem machine and the server.

What's the deal with the 169.254.9.41 parent?  You may want to remove this from this location as well as the gc folder.

After you do all this reboot the problem PC, if this does not add an entry in the DNS hosts, manually add one.

Author Comment

by:Waynebebay
When I go into the command prompt and ping edwardslabel.com it looks for 216.251.43.98.

I added the shanecz host manually.. (it's shanecz now... I was having too many problems on this computer with the Shanec profile)
Since I did change to a new profile, that's probably why it didn't add me.

I also removed the 169.254.9.41 parent host.

Expert Comment

by:vand
I'm surprised any of your Windows 2000 machines work if this is the case!
Your machines have to resolve the domain name to the local, private address. I assume the 216.251.43.98 public address is the address of your router.

Usually, to ensure proper 2000 DNS you can do two things.

1. Microsoft recommends: name your FQDN for your local domain with a non-registered extension, edwardslabel.local or edwardslabel.main for example. This will prevent the errors you are seeing.

2. If you have to maintain the registered .com name for internal and external, you will have to configure a firewall to redirect local requests and prevent the external resolution.

As a test, try to add edwardslabel.com  192.168.1.50 to your local hosts file, reboot and try the ping again to see if it resolves the address to 192.168.1.50. This is the linchpin: you have to resolve your domain correctly for Windows 2000 to work!
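The two DNS checks vand gives in this thread, the nslookup "set type=srv" query for _ldap._tcp.<domain> (earlier comment) and the requirement that the domain name resolve to the internal, private address rather than the public router address (this comment), as an added Python example that is not code from the thread. It parses an nslookup SRV answer, classifies each address as private, APIPA (169.254/16, the kind of "parent" entry noted above) or public, and reports anything an AD domain member should not be getting. The resolver tables and the SRV text are constructed from addresses quoted in the thread; a real check would replace the lookup lambdas with a resolver call.

```python
"""Check how an AD domain name and its LDAP SRV target resolve (added example)."""
import ipaddress
import re
from typing import Callable, Dict, List

# Constructed: the nslookup SRV output shown earlier in the thread.
SRV_SAMPLE = """\
_ldap._tcp.domain.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = computername.domainname.com
computername.domainname.com  internet address = 192.168.0.1
computername.domainname.com internet address = 25.65.3.81
"""

# Constructed resolver table standing in for the client's DNS: the domain name
# wrongly resolves to the public router address, as reported in the thread.
BROKEN_RESOLVER: Dict[str, List[str]] = {
    "edwardslabel.com": ["216.251.43.98"],
    "www.edwardslabel.com": ["216.251.43.98"],
    "orphan-parent": ["169.254.9.41"],
}
# The same table after the hosts-file test: the domain name points at the DC.
FIXED_RESOLVER: Dict[str, List[str]] = {**BROKEN_RESOLVER, "edwardslabel.com": ["192.168.1.50"]}


def classify(address: str) -> str:
    """'apipa' for 169.254/16, 'private' for RFC 1918 space, otherwise 'public'."""
    ip = ipaddress.ip_address(address)
    if ip.is_link_local:
        return "apipa"  # tested first: Python counts 169.254/16 as private too
    return "private" if ip.is_private else "public"


def check_resolution(name: str, resolve: Callable[[str], List[str]]) -> List[str]:
    """Findings for one name; an empty list means every answer is a private address."""
    try:
        answers = resolve(name)
    except KeyError:
        return [f"{name}: no answer from the configured resolver"]
    findings = []
    for addr in answers:
        kind = classify(addr)
        if kind == "public":
            findings.append(f"{name} -> {addr}: public address, domain members must resolve this internally")
        elif kind == "apipa":
            findings.append(f"{name} -> {addr}: APIPA address, a host without a DHCP lease registered itself")
    return findings


def parse_srv_answer(text: str) -> Dict[str, List[str]]:
    """Map each 'svr hostname' in an nslookup SRV answer to the addresses listed for it."""
    targets = re.findall(r"svr hostname\s*=\s*(\S+)", text)
    result: Dict[str, List[str]] = {t.lower(): [] for t in targets}
    for host, addr in re.findall(r"^(\S+)\s+internet address\s*=\s*(\S+)", text, re.M):
        result.setdefault(host.lower(), []).append(addr)
    return result


def check_srv(text: str) -> List[str]:
    """Parse an SRV answer and report DC addresses that are not private (or missing)."""
    targets = parse_srv_answer(text)
    if not targets:
        return ["no SRV record in answer: DNS is not returning the _ldap._tcp record"]
    findings = []
    for host, addrs in targets.items():
        if not addrs:
            findings.append(f"{host}: SRV target has no address record")
        findings += check_resolution(host, lambda _h, a=addrs: a)
    return findings


if __name__ == "__main__":
    for line in check_resolution("edwardslabel.com", lambda n: BROKEN_RESOLVER[n]):
        print("before hosts-file test:", line)
    print("after hosts-file test:", check_resolution("edwardslabel.com", lambda n: FIXED_RESOLVER[n]) or "ok")
    for line in check_srv(SRV_SAMPLE):
        print("srv:", line)
```

Note that the sample SRV output from the thread lists a second, public address (25.65.3.81) for the DC, so the check reports it; an nslookup error such as "Non-Existing Domain" contains no svr hostname line and is reported as a missing SRV record, which matches the diagnosis that the query went to an external name server.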

Expert Comment

by:vand
Thanks for the points, so what was the solution?

Author Comment

by:Waynebebay
Didn't find a solution yet.... I'm just going to reinstall Windows =) But you did teach me a lot, I appreciate the help.