Solved

!!Group Policies!! Once again, I am having a GP problem!!!!!!!!

Posted on 2004-08-09
Last Modified: 2008-02-01
Okay let me explain everything...

My Local Computer has 2 accounts on it.... One of which is under my computer domain and the other is the one set on my servers domain. The domain is the one I want the GP on which is "EDWARDSLABEL/SHANEC". Now what I have done to test the GP settings is I went into active directory and removed all the "MEMBERS OF" from my account except "USERS". I made a new OU named "TEST FOR POLICIES" and gave it something simple (I set IE's homepage to "http://www.hotmail.com"). I moved my account from the Built-In "USERS" folder into the new "TEST FOR POLICIES" folder. I also moved my COMPUTER from the "COMPUTERS" folder over to "TEST FOR POLICIES". Now, any policies I set... do NOT work on this machine. I have tried a lot of different things.

All of you should know... My local machine that I am setting the policies for is running "Windows XP PRO" and our server is running "Windows 2000 Server". The server is up to date with all of its critical updates.

By the way, last time, the problem was that my DNS from my local machine was not pointing to the server but now it is so I don't know exactly what is happening. It seems like when I am logging into my computer that it ignores all the policies it's trying to set and just boots up normally as it would. The problem may be that I have an account on my local machine set as the administrator... basically:

I login using this info:
user: shanec
domain: EDWARDSLABEL

That is perfect. When you look in my computer when it logs in, this is what you see:

Control Panel=>User Accounts=>

::Account 1::
user: Shane
domain: SHANEC
(Administrator)

::Account 2::
user: shanec
domain: EDWARDSLABEL
(Administrator)

The reason why I have an administrative account is kind of temporary because the conflicts I was having when I would log onto the server is that I did not have the correct permissions for anything because I didn't have the account set up on the Local Machine. This is what I think the problem is. I think that if I remove this account from my local machine and just log on through the server, it will start up with the policies and all but the bad thing is, I can't control Norton AntiVirus and other programs.

This is extremely important and worth 500 points. Thank you.
Question by:Waynebebay
Author Comment

by:Waynebebay
ID: 11757977
www.twistedchain.com/gpsecurity.bmp  ====> GP Properties
Author Comment

by:Waynebebay
ID: 11757986
That's how all of the names are for the properties of the Group Policy. Read and Apply Group Policy checked.
Expert Comment

by:Frente69
ID: 11758239
Hello,
If you log onto the XP machine,
first thing to do is look in the event log to see if anything is logged.
Right click on My Computer and click Manage.
Then double left click on Event Viewer. From memory I think faults with group policy normally show up under the Application log. Have a browse through the error and warning messages and see if any are related to group policy. Also keep an eye out for messages with scecli. Double click on the message. It should hopefully read "Security policy in the Group policy objects has been applied successfully." Take a note of the date it last happened on and think of any changes that were made to the system on that day.

Next thing to check is if you're getting group policy at all.
Click on the Start button
click on Run
type in cmd
in the window that pops up type in gpresult
it will give you a lot of information.
Under User Settings and Computer Settings you should see a heading that reads:

Applied Group Policy Objects
-----------------------------

See if your policies show up under there.
Either way type in 'gpupdate /force' (without quotes)
This will make the PC go to the server and grab the latest group policy regardless of whether it has been changed or not.

If you see your policy under:
 The following GPOs were not applied because they were filtered out
 -------------------------------------------------------------------

then it means that something is wrong with the policy. In my experience it's either a permissions thing (which looks fine from the pic you posted), the policy is empty or else it is corrupt.

Feel free to paste any of the results you get from gpresult if you need help understanding what it means.
Expert Comment

by:Frente69
ID: 11758276
Sorry, I may have been a bit vague in some of that... it's first thing in the morning here... still waking up.
Where I said "Also keep an eye out for messages with scecli. Double click on message." it "should" have read:
Keep an eye out for messages where the source is SceCli. You can double click on the messages to view a more detailed description of what is within the message.
Just felt I should make that a bit clearer as I have no idea of your IT background :-)

Feel free to post any questions

Cheers
Frente
Author Comment

by:Waynebebay
ID: 11758308
What the command prompt and the event log are saying is that there is no domain to get the policy from:

"Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp."

and this :

"Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.
"
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp."
Author Comment

by:Waynebebay
ID: 11758326
How is that possible... I log into windows using the domain... I also have my dns pointed to the domain.
Expert Comment

by:Frente69
ID: 11758441
WinXP "caches" (in a roundabout way) your username and password. Go back into the command prompt again and type ping servername (servername being the name of your server) just to check and make sure that you can actually contact it. Are you running more than 1 PC on your domain? Do any of them have the problem or is it just the one?
Author Comment

by:Waynebebay
ID: 11758465
I can ping it, there are about 10 to 30 comps running on this domain.

I believe I am the only one with this problem.
Expert Comment

by:Frente69
ID: 11758508
What message did it give when you did gpupdate /force from the command prompt?
Author Comment

by:Waynebebay
ID: 11758511
What's weird is that when I delete my computer off of the active directory, it will not let me log into the server. Usually it would just create a new one and store it under the "COMPUTERS" folder but nope.

I just restarted and logged on and I think I'm gonna try to log on under someone else's account to just test....

I will be back tomorrow early in the morning... after this test... I gotta leave, need to go home =)
Author Comment

by:Waynebebay
ID: 11758516
the force message was successful but when I did gpresult, it said no domain
Assisted Solution

by:Frente69
Frente69 earned 200 total points
ID: 11758577
Yep, when you test with another user account, try and make sure it's one that has never been used on your computer before.
I don't think that's weird that your computer account is not automatically created; that's normal behaviour. If you delete your computer's account from AD then AD will deny access to the domain. It's a security thing. Otherwise anyone off the street could walk in, plug their computer in and be on your domain without authorisation. What it's now sounding like you need to do is remove your computer from the domain (on the actual computer itself) by:
right clicking on My Computer
click Properties
click the Computer Name tab
click Change
under where it says "Member of" click Workgroup
type in a workgroup name (it can be anything)
restart the PC, log in as the local admin account
repeat the process except this time click Domain instead of Workgroup and type in the domain name. You will need to enter a user account with "add computer to domain" privileges to add the computer to the domain.
restart
You can't just delete and create the computer account in AD because the Security ID on the computer and in AD need to match up.

Accepted Solution

by:
vand earned 300 total points
ID: 11762997
Have you checked for a disjoint namespace?

Confirm that a disjoint namespace exists using either the System control panel applet, or the Netdiag tool. Right-click My Computer, select Properties, and click the Computer Name tab. If the DNS suffix of the computer name doesn’t match what is listed for the domain name, there is a disjoint namespace. Three examples of a disjoint namespace as displayed in the Computer Name tab of System Properties:

Full computer name: dc01.fabrikam.com
Domain: contoso.com

Full computer name: dc01.corp.contoso.com
Domain: contoso.com

Full computer name: dc01
Domain: contoso.com

In Netdiag, if the DNS suffix on the DNS Host Name does not match the DNS Domain Name, there is a disjoint namespace. The following are three examples of a disjoint namespace.

DNS Host Name: dc01.fabrikam.com
DNS Domain Name: contoso.com

DNS Host Name: dc01.corp.contoso.com
DNS Domain Name: contoso.com

DNS Host Name: dc01
DNS Domain Name: contoso.com

If for example the domain name is “contoso” and not “contoso.com” it is a single label DNS name and the AllowSingleLabelDnsDomain must be used on 2000 SP4 and XP/2003 machines.

Netbios Domain name. . . . . . : FABRIKAM
Dns domain name. . . . . . . . : contoso.com

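The disjoint-namespace rule in the accepted solution above, applied to the two values a user copies out of System Properties (Full computer name / Domain) or Netdiag (DNS Host Name / DNS Domain Name), as an added Python example that is not code from vand's post or from any Microsoft tool. The host and domain names are vand's own examples; the `NamespaceCheck` type, the helper names and the accepted input labels are this example's assumptions.

```python
"""Added example (not from the thread): detect a disjoint namespace and a
single-label domain name from the values shown in System Properties or
Netdiag output. Nothing here touches the network; the input is pasted text."""
import re
from dataclasses import dataclass


@dataclass
class NamespaceCheck:
    disjoint: bool       # DNS suffix of the computer name != AD DNS domain name
    single_label: bool   # domain name has no dot, e.g. "contoso" (needs AllowSingleLabelDnsDomain)
    reason: str


def dns_suffix(full_computer_name: str) -> str:
    """Everything after the host label; '' for a bare name such as 'dc01'."""
    _host, _sep, suffix = full_computer_name.partition(".")
    return suffix


def check_namespace(full_computer_name: str, dns_domain_name: str) -> NamespaceCheck:
    """Compare the computer's DNS suffix with the domain's DNS name (case-insensitive,
    trailing dots ignored). Any mismatch, including a missing suffix, is disjoint."""
    host = full_computer_name.strip().rstrip(".").lower()
    domain = dns_domain_name.strip().rstrip(".").lower()
    single_label = "." not in domain
    suffix = dns_suffix(host)
    if suffix == "":
        return NamespaceCheck(True, single_label, f"'{host}' carries no DNS suffix at all")
    if suffix != domain:
        return NamespaceCheck(True, single_label,
                              f"suffix '{suffix}' does not match domain '{domain}'")
    return NamespaceCheck(False, single_label, "DNS suffix matches the domain")


# Accept either the System Properties labels or the Netdiag labels (assumed spellings).
_HOST_RE = re.compile(r"^(?:Full computer name|DNS Host Name)\s*:\s*(\S+)", re.I | re.M)
_DOMAIN_RE = re.compile(r"^(?:Domain|DNS Domain Name)\s*:\s*(\S+)", re.I | re.M)


def check_from_text(text: str) -> NamespaceCheck:
    """Pull the two lines out of pasted output and run the check on them."""
    host = _HOST_RE.search(text)
    domain = _DOMAIN_RE.search(text)
    if not host or not domain:
        raise ValueError("could not find both a host name and a domain name in the text")
    return check_namespace(host.group(1), domain.group(1))


if __name__ == "__main__":
    # Constructed Netdiag-style paste using vand's second example above.
    sample = "DNS Host Name: dc01.corp.contoso.com\nDNS Domain Name: contoso.com\n"
    print(check_from_text(sample))
```

Paste the two lines from either dialog into `check_from_text`; a `dc01.corp.contoso.com` host in a `contoso.com` domain comes back disjoint, as in vand's second example, and a domain such as `contoso` is additionally reported as single-label so the AllowSingleLabelDnsDomain caveat is not overlooked.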
Expert Comment

by:vand
ID: 11763243
Another test: verify that your SIDs are being translated.

You could also try deleting the PC from DNS and recreating it.
Expert Comment

by:vand
ID: 11763263
Are you getting a 1030 error in the event log?

With an error 1030 and group policy problems, the client may be having problems getting to the sysvol share on a DC in your domain. You should be able to access \\dcname\sysvol from any client; they connect to that share to obtain group policy info. Try connecting to it manually to see what happens. You should also verify that the sysvol share exists on all DCs, and check permissions of the directory. Check DNS to make sure that the client is configured to point to a Win2k DNS server or one that supports SRV records and dynamic updates.

This happens if a user right in a policy is being applied to a user or group that doesn't exist. When the policy is refreshed it looks for the account and generates the error because it fails to find or map to the account.
You can enable group policy processing to find out which account is doing this. There is a registry value that creates a log file during policy propagation. The log file is located in systemroot\Security\Logs\Winlogon.log. You can examine this log file to identify specific errors that occur during policy propagation to the computer.

The registry key is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

For the new registry value, type: ExtensionDebugLevel

For the registry data type, click: REG_DWORD

For the registry data, type: 2
Author Comment

by:Waynebebay
ID: 11764425
Ok I am back....

What I have done is recreated the account on my local computer and it seems to connect to the domain now but when I type in 'gpresult' in the command prompt it gives me this error:

INFO: The user "EDWARDSLABEL/Shanec" does not have RSOP data.
Author Comment

by:Waynebebay
ID: 11768400
I know it recognized my computer because it added it into the Active Directory with all the comp info.... What the hell?
Expert Comment

by:Frente69
ID: 11768441
I hate giving URLs to read... but I had the same problem once...
http://www.experts-exchange.com/Networking/Q_20728335.html
My problem seemed to be a replication problem... from the sounds of it you're only running 1 server (correct me if I am wrong).
Just take a read through that and see if any of it seems like it might help.

Cheers
F

Expert Comment

by:vand
ID: 11774971
If you run rsop against the XP machine (start | run | rsop.msc), what does it show you? If the "Computer Configuration" or "User Configuration" node has a yellow bang or red x on it, right-click on the node and choose properties, then click the Error Information tab to see where exactly the failure is happening (GP Core, a particular policy extension, etc.)

Author Comment

by:Waynebebay
ID: 11775088
Vand:

"Wednesday, August 11, 2004 9:08:32 AM

Group Policy Infrastructure failed due to the error listed below.
The specified domain either does not exist or could not be contacted.

Note:  Due to the GP Core failure, none of the other Group Policy components processed their policy.  Consequently, status information for the other components is not available."
Expert Comment

by:vand
ID: 11783800
Everything seems to be pointing at a DNS failure of some kind.

Just to be sure, you're not trying to apply XP policies, right? The .adm files for group policy are different on 2000 than XP; if you want to administer XP policies from a 2000 server you will have to update the .adms.

This normally will not cause errors like you're seeing though.

Try the steps below to see if the query works
1. type nslookup and hit enter
2. type set type=srv and enter
3. type _ldap._tcp.domainname.com and hit enter
4. you should see something like this if it works.

_ldap._tcp.domain.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = computername.domainname.com
computername.domainname.com  internet address = 192.168.0.1
computername.domainname.com internet address = 25.65.3.81

If that fails then it is definitely a DNS problem.
Expert Comment

by:vand
ID: 11783810
Also verify that your SRV records are there on the 2000 server.
Expert Comment

by:vand
ID: 11783881
You could try this too.

Go to the Domain Controller policy and drill down to:
Computer Configuration
 Windows Settings
   Security Settings
    Local Policies
     Security Options
find Domain member: Digitally encrypt or sign secure channel data (always)
and set to Disabled
find Microsoft network server: Digitally sign communications (always) and
set to Disabled
Author Comment

by:Waynebebay
ID: 11785738
We are getting closer dude.

_ldap told me that I am trying to reach a non-existent domain

And all the others stuff you are talking about, kinda walk me through it because I am still a lil new with the backroads to 2000 Server. Thanks Vand..
Expert Comment

by:vand
ID: 11788324
Just so I'm going in the right direction: for the nslookup, when you typed _ldap._tcp.domainname.com you did type your FQDN, right? For example _ldap._tcp.waynebebay.local. The .com is also just part of the example.

If you did,

For the SRV records, take a look at the 2000 server DNS and make sure that you have all of the folders (_msdcs, _sites, _tcp) etc.

For the policy, you will need to go into AD and modify the Default Domain Controller Policy.

Did you ever check on the disjointed name space I mentioned in my previous post?

Author Comment

by:Waynebebay
ID: 11788736
**************************1**************************************
I typed in:

_ldap._tcp.edwardslabel.com

That is the correct domain name... I know that. It then tells me

"*** ns1.megapath.net can not find _ldap._tcp.edwardslabel.com: Non-Existing Domain"

*****************************************************************
**************************2**************************************
I looked at the DNS configuration in the 2000 server and I have the files _msdcs, _sites, _tcp, and _udp, then I have a bunch of hosts, then a name server and a start of authority.

www.twistedchain.com/dns.bmp

*****************************************************************
**************************3**************************************
I have no clue what you are saying about the policies but here is my AD:

www.twistedchain.com/AD.bmp

*****************************************************************

Thanks Vand
Author Comment

by:Waynebebay
ID: 11788769
Yes I read about the disjointed name space and here is what mine says...

www.twistedchain.com/namespace.bmp
Expert Comment

by:vand
ID: 11794755
When you ping edwardslabel.com, does it resolve to the correct internal, private address?
This should resolve to 192.168.1.50
A ping to www.edwardslabel.com should resolve 216.251.43.98

"*** ns1.megapath.net can not find _ldap._tcp.edwardslabel.com: Non-Existing Domain"

NS1.megapath.net should not be trying to find your domain, this indicates an external lookup.

Also, from the dns screen shot, I did not see the shanec host file.

Remove any local hosts and lmhosts entries you may have, and make sure 192.168.1.50 is your primary DNS on the problem machine and the server.

What's the deal with the 169.254.9.41 parent?  You may want to remove this from this location as well as the gc folder.

After you do all this reboot the problem PC, if this does not add an entry in the DNS hosts, manually add one.
Author Comment

by:Waynebebay
ID: 11794871
When I go into the command prompt and ping edwardslabel.com it looks for 216.251.43.98.

I added the shanecz host manually... (it's shanecz now... I was having too many problems on this computer with the Shanec profile)
Since I did change to a new profile, that's prolly why it didn't add me.

I also removed the 169.254.9.41 parent host.
Expert Comment

by:vand
ID: 11796662
I'm surprised any of your Windows 2000 machines work if this is the case!
Your machines have to resolve the domain name to the local, private address. I assume the 216.251.43.98 public address is the address of your router.

Usually, to ensure proper 2000 DNS you can do 2 things.

1. Microsoft recommends: name your FQDN for your local domain with a non-registered extension, edwardslabel.local or edwardslabel.main for example. This will prevent the errors you are seeing.

2. If you have to maintain the registered .com name for internal and external, you will have to configure a firewall to redirect local requests and prevent the external resolution.

As a test, try to add edwardslabel.com  192.168.1.50 to your local hosts file, reboot and try the ping again to see if it resolves the address to 192.168.1.50. This is the linchpin: you have to resolve your domain correctly for Windows 2000 to work!
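The nslookup SRV query vand walked through earlier (nslookup, set type=srv, _ldap._tcp.domainname.com) and the point made in the post just above that the domain must resolve to the internal private address rather than a public one, as one added Python example that is not code from this thread: a parser for the Windows nslookup output and a check over the resolver and the addresses it returns. Both sample outputs are constructed for the example (the healthy one in the shape of vand's paste, the failing one in the shape of Waynebebay's); 203.0.113.53 is a placeholder for the ISP resolver's address, and the `SrvLookup` type, the function names and the "private means RFC 1918" rule are this example's assumptions.

```python
"""Added example (not from the thread): parse 'nslookup' / 'set type=srv'
output for _ldap._tcp.<domain> and flag the failure modes discussed here:
an external resolver answering the query, the DC (or the domain) resolving
to a public or APIPA address, and the lookup failing outright."""
import ipaddress
import re
from dataclasses import dataclass, field

# A domain controller on a LAN is expected to sit in an RFC 1918 range.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")   # auto-configured: the host had no DHCP lease
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def classify_address(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in LOOPBACK:
        return "loopback"
    if addr in APIPA:
        return "link-local (APIPA)"
    if any(addr in net for net in RFC1918):
        return "private"
    return "public"


@dataclass
class SrvLookup:
    resolver: str = ""             # 'Server:' line: which DNS server answered
    resolver_ip: str = ""          # 'Address:' line
    failed: bool = False
    failure_message: str = ""
    records: list = field(default_factory=list)    # (svr hostname, priority, weight, port)
    addresses: dict = field(default_factory=dict)  # svr hostname -> [ip, ...]


_SERVER_RE = re.compile(r"^Server:\s+(\S+)")
_ADDRESS_RE = re.compile(r"^Address:\s+(\S+)")
_FAIL_RE = re.compile(r"^\*\*\* (\S+) can not find (\S+): (.+)$")
_SRV_HEAD_RE = re.compile(r"^\S+\s+SRV service location:")
_FIELD_RE = re.compile(r"^\s+(priority|weight|port|svr hostname)\s+=\s+(\S+)")
_A_RE = re.compile(r"^(\S+)\s+internet address = (\S+)")


def parse_srv_lookup(text: str) -> SrvLookup:
    """Parse Windows nslookup output for a 'set type=srv' query (assumed format)."""
    result = SrvLookup()
    current = {}
    for line in text.splitlines():
        if m := _SERVER_RE.match(line):
            result.resolver = m.group(1)
        elif m := _ADDRESS_RE.match(line):
            result.resolver_ip = m.group(1)
        elif m := _FAIL_RE.match(line.strip()):
            result.failed = True
            result.failure_message = f"{m.group(1)} answered '{m.group(3)}' for {m.group(2)}"
        elif _SRV_HEAD_RE.match(line):
            current = {}                         # a new SRV record block starts
        elif m := _FIELD_RE.match(line):
            current[m.group(1)] = m.group(2)
            if m.group(1) == "svr hostname":     # last field of the block
                result.records.append((m.group(2), int(current.get("priority", 0)),
                                       int(current.get("weight", 0)), int(current.get("port", 0))))
        elif m := _A_RE.match(line):
            result.addresses.setdefault(m.group(1), []).append(m.group(2))
    return result


def assess(result: SrvLookup) -> list:
    """Human-readable findings; an empty list means the lookup looks healthy."""
    findings = []
    if result.resolver_ip and classify_address(result.resolver_ip) == "public":
        findings.append(f"query answered by external resolver {result.resolver} ({result.resolver_ip}); "
                        "the client must point at the internal DNS server that holds the AD zone")
    if result.failed:
        findings.append("SRV lookup failed: " + result.failure_message)
        return findings
    if not result.records:
        findings.append("no _ldap._tcp SRV records returned")
        return findings
    for host, _prio, _weight, port in result.records:
        if port != 389:
            findings.append(f"{host}: unexpected LDAP port {port}")
        if host not in result.addresses:
            findings.append(f"no address record returned for {host}")
        for ip in result.addresses.get(host, []):
            kind = classify_address(ip)
            if kind != "private":
                findings.append(f"{host} resolves to {kind} address {ip}")
    return findings


# Constructed sample in the shape of the healthy output vand pasted.
SAMPLE_OK = """\
Server:  dc01.domainname.com
Address:  192.168.0.1

_ldap._tcp.domainname.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = computername.domainname.com
computername.domainname.com  internet address = 192.168.0.1
computername.domainname.com internet address = 25.65.3.81
"""

# Constructed sample reproducing the failure Waynebebay reported;
# 203.0.113.53 is a placeholder for the ISP resolver's address.
SAMPLE_FAIL = """\
Server:  ns1.megapath.net
Address:  203.0.113.53

*** ns1.megapath.net can not find _ldap._tcp.edwardslabel.com: Non-Existing Domain
"""
```

Running `assess(parse_srv_lookup(SAMPLE_FAIL))` produces two findings, the external resolver and the failed lookup, which is the diagnosis vand reaches from the megapath line. On `SAMPLE_OK` the only finding is that the DC name also resolves to the public 25.65.3.81, the same condition vand later describes for edwardslabel.com resolving to 216.251.43.98.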
Expert Comment

by:vand
ID: 11840567
Thanks for the points, so what was the solution?
Author Comment

by:Waynebebay
ID: 11842702
Didn't find a solution yet.... I'm just going to reinstall Windows =) But you did teach me a lot, I appreciate the help.