• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 568
  • Last Modified:

!!Group Policies!! Once again, I am having a GP problem!!!!!!!!

Okay let me explain everything...

My local computer has 2 accounts on it: one of them is under my computer's domain and the other is the one set on my server's domain. The domain is the one I want the GP on, which is "EDWARDSLABEL/SHANEC". Now, what I have done to test the GP settings is I went into Active Directory and removed all the "MEMBER OF" entries from my account except "USERS". I made a new OU named "TEST FOR POLICIES" and gave it something simple (I set IE's homepage to "http://www.hotmail.com"). I moved my account from the built-in "USERS" folder into the new "TEST FOR POLICIES" folder. I also moved my COMPUTER from the "COMPUTERS" folder over to "TEST FOR POLICIES". Now, any policies I set do NOT work on this machine. I have tried a lot of different things.

All of you should know... My local machine that I am setting the policies for is running "Windows XP PRO" and our server is running "Windows 2000 Server". The server is up to date with all of its critical updates.

By the way, last time, the problem was that my DNS from my local machine was not pointing to the server but now it is so I don't know exactly what is happening. It seems like when I am logging into my computer that it ignores all the policies it's trying to set and just boots up normally as it would. The problem may be that I have an account on my local machine set as the administrator... basically:

I login using this info:
user: shanec

That is perfect. When you look in my computer when it logs in, this is what you see:

Control Panel=>User Accounts=>

::Account 1::
user: Shane
domain: SHANEC

::Account 2::
user: shanec

The reason why I have an administrative account is kind of temporary because the conflicts I was having when I would log onto the server is that I did not have the correct permissions for anything because I didn't have the account set up on the Local Machine. This is what I think the problem is. I think that if I remove this account from my local machine and just log on through the server, it will start up with the policies and all but the bad thing is, I can't control Norton AntiVirus and other programs.

This is extremely important and worth 500 points. Thank you.
2 Solutions
WaynebebayAuthor Commented:
www.twistedchain.com/gpsecurity.bmp  ====> GP Properties
WaynebebayAuthor Commented:
That's how all of the names are for the properties of the Group Policy. Read and Apply Group Policy checked.
If you log onto the XP machine:
First thing to do is look in the event log to see if anything is logged.
Right click on My Computer and click Manage.
Then double left click on Event Viewer. From memory I think faults with group policy normally show up under the Application log. Have a browse through the error and warning messages and see if any are related to group policy. Also keep an eye out for messages with scecli. Double click on the message. It should hopefully read "Security policy in the Group policy objects has been applied successfully." Take a note of the date it last happened on and think of any changes that were made to the system on that day.

Next thing to check is if you're getting group policy at all.
Click on the Start button
Click on Run
Type in cmd
In the window that pops up, type in gpresult
It will give you a lot of information.
under user settings and computer settings you should see a heading that reads:

Applied Group Policy Objects

See if your policies show up under there.
Either way, type in 'gpupdate /force' (without quotes).
This will make the PC go to the server and grab the latest group policy regardless of whether it has been changed or not.

if you see your policy under:
 The following GPOs were not applied because they were filtered out

then it means that something is wrong with the policy. In my experience it's either a permissions thing (which looks fine from the pic you posted), the policy is empty, or else it is corrupt.

Feel free to paste any of the results you get from gpresult if you need help understanding what it means.

Sorry, I may have been a bit vague in some of that... it's first thing in the morning here, still waking up.
Where I said "Also keep an eye out for messages with scecli. Double click on message." it "should" have read:
Keep an eye out for messages where the source is SceCli. You can double click on the messages to view a more detailed description of what is within the message.
Just felt I should make that a bit clearer as I have no idea of your IT background :-)

Feel free to post any questions

WaynebebayAuthor Commented:
What the command prompt and the event log are saying is that there is no domain to get the policy from:

"Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp."

and this :

"Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp."
WaynebebayAuthor Commented:
How is that possible... I log into windows using the domain... I also have my dns pointed to the domain.
WinXP "caches" (in a roundabout way) your username and password. Go back into the command prompt again and type ping servername (servername being the name of your server) just to check and make sure that you can actually contact it. Are you running more than 1 PC on your domain? Do any of them have the problem or is it just the one?
WaynebebayAuthor Commented:
I can ping it, there are about 10 to 30 comps running on this domain.

I believe I am the only one with this problem.
What message did it give when you did gpupdate /force from the command prompt?
WaynebebayAuthor Commented:
What's weird is that when I delete my computer off of the Active Directory, it will not let me log into the server. Usually it would just create a new one and store it under the "COMPUTERS" folder, but nope.

I just restarted and logged on and I think I'm gonna try to log on under someone else's account to just test....

I will be back tomorrow early in the morning... after this test... I gotta leave, need to go home =)
WaynebebayAuthor Commented:
the force message was successful but when I did gpresult, it said no domain
Yep, when you test with another user account, try and make sure it's one that has never been used on your computer before.
I don't think that's weird that your computer account is not automatically created; that's normal behavior. If you delete your computer's account from AD then AD will deny access to the domain. It's a security thing. Otherwise anyone off the street could walk in, plug their computer in and be on your domain without authorisation. What it's now sounding like you need to do is remove your computer from the domain (on the actual computer itself) by:
right clicking on My Computer
click properties
click the computer name tab
click change
under where it says "member of" click workgroup
type in a workgroup name(it can be anything)
restart the pc,.. log in as local admin account
repeat process except this time click domain instead of workgroup and type in the domain name. You will need to enter a user account with "add computer to domain" privileges to add the computer to domain.
You can't just delete and create the computer account in AD because the Security ID on the computer and in AD need to match up.

Have you checked for a disjoint namespace?

Confirm that a disjoint namespace exists using either the System control panel applet, or the Netdiag tool. Right-click My Computer, select Properties, and click the Computer Name tab. If the DNS suffix of the computer name doesn’t match what is listed for the domain name, there is a disjoint namespace. Three examples of a disjoint namespace as displayed in the Computer Name tab of System Properties:

Full computer name: dc01.fabrikam.com
Domain: contoso.com

Full computer name: dc01.corp.contoso.com
Domain: contoso.com

Full computer name: dc01
Domain: contoso.com

In Netdiag, if the DNS suffix on the DNS Host Name does not match the DNS Domain Name, there is a disjoint namespace. The following are three examples of a disjoint namespace.

DNS Host Name: dc01.fabrikam.com
DNS Domain Name: contoso.com

DNS Host Name: dc01.corp.contoso.com
DNS Domain Name: contoso.com

DNS Host Name: dc01
DNS Domain Name: contoso.com

If for example the domain name is “contoso” and not “contoso.com” it is a single label DNS name and the AllowSingleLabelDnsDomain must be used on 2000 SP4 and XP/2003 machines.

Netbios Domain name. . . . . . : FABRIKAM
Dns domain name. . . . . . . . : contoso.com

Another test, verify that your SID's are being translated.

You could also try deleting the PC from DNS and recreating it.
Are you getting a 1030 error in the event log?

With an error 1030 and group policy problems, the client may be having problems getting to the sysvol share on a DC in your domain. You should be able to access \\dcname\sysvol from any client; they connect to that share to obtain group policy info. Try connecting to it manually to see what happens. You should also verify that the sysvol share exists on all DCs, and check permissions of the directory. Check DNS to make sure that the client is configured to point to a Win2k DNS server or one that supports SRV records and dynamic updates.

This happens if a user right in a policy is being applied to a user or group that doesn't exist. When the policy is refreshed it looks for the account and generates the error because it fails to find or map to the account.
You can enable group policy processing logging to find out which account is doing this. There is a registry value that creates a log file during policy propagation. The log file is located in systemroot\Security\Logs\Winlogon.log. You can examine this log file to identify specific errors that occur during policy propagation to the

The registry key is:


For the new registry value, type: ExtensionDebugLevel

For the registry data type, click: REG_DWORD

For the registry data, type: 2
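A small check for the disjoint-namespace test described in the post above, added here as an example that is not part of the thread (Python written for this page, not a Microsoft tool). It compares the DNS suffix of the full computer name with the DNS domain name, exactly as the post does for the Computer Name tab and for Netdiag, and also flags the single-label domain case. The parse_netdiag helper and the sample netdiag text are my own assumptions about the output layout, modelled on the two dotted lines quoted in the post.

```python
"""Disjoint-namespace check for a Windows client joined to an AD domain.

Added example (not from the thread). The DNS suffix of the full computer
name must equal the AD DNS domain name; otherwise the client is in a
disjoint namespace and SRV lookups for _ldap._tcp.<domain> will not find
the domain. Input strings come from the Computer Name tab or netdiag.
"""
import re

# Matches both "DNS Host Name: x" and the dotted "Dns domain name. . . : x" layout.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)[ .]*:\s*(?P<val>\S*)\s*$")


def dns_suffix(full_computer_name: str) -> str:
    """Everything after the first label, lower-cased; '' for a single-label host name."""
    host = full_computer_name.strip().lower().rstrip(".")
    _, _, suffix = host.partition(".")
    return suffix


def check_namespace(full_computer_name: str, domain_name: str) -> tuple:
    """Return (problem: bool, reason: str) for a computer name / domain name pair."""
    domain = domain_name.strip().lower().rstrip(".")
    suffix = dns_suffix(full_computer_name)
    if not domain:
        return True, "no DNS domain name found"
    if "." not in domain:
        # Single-label domain: the post notes AllowSingleLabelDnsDomain is needed on 2000 SP4 / XP / 2003.
        return True, f"single-label DNS domain name '{domain}'"
    if not suffix:
        return True, f"computer name '{full_computer_name}' has no DNS suffix (expected '.{domain}')"
    if suffix != domain:
        return True, f"disjoint namespace: suffix '{suffix}' != domain '{domain}'"
    return False, "ok"


def parse_netdiag(text: str) -> dict:
    """Collect 'key: value' fields from netdiag-style output (keys lower-cased)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip().lower()] = m.group("val")
    return fields


def check_netdiag(text: str) -> tuple:
    """Run the namespace check on raw netdiag output."""
    f = parse_netdiag(text)
    return check_namespace(f.get("dns host name", ""), f.get("dns domain name", ""))


# Constructed sample in the layout the post quotes (not real netdiag output).
SAMPLE_NETDIAG = """\
    Netbios Domain name. . . . . . : FABRIKAM
    DNS Host Name. . . . . . . . . : dc01.fabrikam.com
    DNS Domain Name. . . . . . . . : contoso.com
"""

if __name__ == "__main__":
    for name, dom in (("dc01.contoso.com", "contoso.com"),
                      ("dc01.fabrikam.com", "contoso.com"),
                      ("dc01.corp.contoso.com", "contoso.com"),
                      ("dc01", "contoso.com"),
                      ("pc1.contoso", "contoso")):
        print(name, dom, "->", check_namespace(name, dom))
    print("netdiag sample ->", check_netdiag(SAMPLE_NETDIAG))
```

The three "problem" branches correspond one-to-one to the three example pairs in the post; a clean pair returns (False, "ok"), anything else returns the reason you would then chase in DNS or in the computer's primary DNS suffix.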
WaynebebayAuthor Commented:
Ok I am back....

What I have done is recreated the account on my local computer and it seems to connect to the domain now but when I type in 'gpresult' in the command prompt it gives me this error:

INFO: The user "EDWARDSLABEL/Shanec" does not have RSOP data.
WaynebebayAuthor Commented:
I know it recognized my computer because it added it into the Active Directory with all the comp info.... What the hell?
I hate giving URLs to read, but I had the same problem once.
My problem seemed to be a replication problem. From the sounds of it you're only running 1 server (correct me if I am wrong).
Just take a read through that and see if any of it seems like it might help.


If you run rsop against the XP machine (start | run | rsop.msc),
what does it show you? If the "Computer Configuration" or "User
Configuration" node has a yellow bang or red x on it, right-click on the
node and choose properties - then click the Error Information tab to see
where exactly the failure is happening (GP Core, a particular policy
extension, etc.)

WaynebebayAuthor Commented:

"Wednesday, August 11, 2004 9:08:32 AM

Group Policy Infrastructure failed due to the error listed below.
The specified domain either does not exist or could not be contacted.

Note:  Due to the GP Core failure, none of the other Group Policy components processed their policy.  Consequently, status information for the other components is not available."
Everything seems to be pointing at a DNS failure of some kind.

Just to be sure, you're not trying to apply XP policies, right? The .adm files for group policy are different on 2000 than XP; if you want to administer XP policies from a 2000 server you will have to update the .adms.

This normally will not cause errors like you're seeing though.

Try the steps below to see if the query works
1. type nslookup and hit enter
2. type set type=srv and enter
3. type _ldap._tcp.domainname.com and hit enter
4. you should see something like this if it works.

_ldap._tcp.domain.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = computername.domainname.com
computername.domainname.com  internet address =
computername.domainname.com internet address =

If that fails then it is definitely a DNS problem.
Also verify that your SRV records are there on the 2000 server.
You could try this too:

Go to Domain Controller policy drill down to:
Computer Configuration
 Windows Settings
   Security Settings
    Local Policies
     Security Options
find Domain member: Digitally encrypt or sign secure channel data (always)
and set to Disabled
find Microsoft network server: Digitally sign communications (always) and
set to Disabled
WaynebebayAuthor Commented:
We are getting closer dude.

_ldap told me that I am trying to reach a non-existent domain

And all the others stuff you are talking about, kinda walk me through it because I am still a lil new with the backroads to 2000 Server. Thanks Vand..
Just so I'm going in the right direction, for the nslookup type _ldap._tcp.domainname.com you did type your FQDN right for example _ldap._tcp.waynebebay.local correct, the .com is also just part of the example.

If you did,

For the SRV records, take a look at the 2000 server DNS and make sure that you have all of the folders (_msdcs, _sites, _tcp) etc.

For the policy, you will need to go into AD and modify the Default Domain Controller Policy.

Did you ever check on the disjointed name space I mentioned in my previous post?

WaynebebayAuthor Commented:
I typed in:


That is the correct domain name... I know that. It then tells me

"*** ns1.megapath.net can not find _ldap._tcp.edwardslabel.com: Non-Existing Domain"

I looked at the DNS configuration in the 2000 server and I have the folders _msdcs, _sites, _tcp, and _udp, then I have a bunch of hosts, then a name server and a start of authority.


I have no clue what you are saying about the policies but here is my AD:



Thanks Vand
WaynebebayAuthor Commented:
Yes I read about the disjointed name space and here is what mine says...

when you ping edwardslabel.com does it resolve to the correct Internal, private address?
This should resolve to
A ping to www.edwardslabel.com should resolve

"*** ns1.megapath.net can not find _ldap._tcp.edwardslabel.com: Non-Existing Domain"

NS1.megapath.net should not be trying to find your domain, this indicates an external lookup.

Also, from the dns screen shot, I did not see the shanec host file.

Remove any local hosts and lmhosts entries you may have, and make sure is your primary DNS on the problem machine and the server.

What's the deal with the parent?  You may want to remove this from this location as well as the gc folder.

After you do all this reboot the problem PC, if this does not add an entry in the DNS hosts, manually add one.
WaynebebayAuthor Commented:
When I go into the command prompt and ping edwardslabel.com it looks for

I added the shanecz host manually.. (it's shanecz now... I was having too many problems on this computer with the Shanec profile)
Since I did change to a new profile, that's prolly why it didn't add me.

I also removed the parent host.
I'm surprised any of your Windows 2000 machines work if this is the case!
Your machines have to resolve the domain name to the local, private address. I assume the public address is the address of your router.

Usually, to ensure proper 2000 DNS you can do 2 things.

1. Microsoft recommends> Name your FQDN for your local domain a non registered extension edwardslabel.local or edwardslabel.main for example. This will prevent the errors you are seeing.

2. If you have to maintain the registered .com name for internal and external use, you will have to configure a firewall to redirect local requests and prevent the external resolution.

As a test, try to add edwardslabel.com to your local hosts file, reboot and try the ping again to see if it resolves the address to This is the linchpin: you have to resolve your domain correctly for Windows 2000 to work!
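The nslookup SRV test given earlier in the thread and the point made just above (the domain must resolve to the internal, private address, not through an outside resolver) can be turned into one repeatable check. The script below is an added example written for this page, not code from the thread or from Microsoft. It parses captured Windows-style nslookup output, in the shape the thread's sample shows, and reports the failure modes discussed: an external resolver answering the query, "Non-existent domain" for the _ldap._tcp record, and a DC whose A record is a public rather than an RFC 1918 address. The host names, addresses and sample output are constructed placeholders.

```python
"""Check an nslookup SRV query for _ldap._tcp.<domain> the way the thread does.

Added example, not from the thread. It parses captured Windows-style
nslookup text and flags the failure modes discussed: an external resolver
answering the query, NXDOMAIN for the SRV record, and a domain controller
whose address is not private (RFC 1918). All sample output is constructed.
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SERVER_RE = re.compile(r"^Server:\s+(?P<server>\S+)\s*$")
ADDRESS_RE = re.compile(r"^Address(?:es)?:\s+(?P<ip>[0-9.]+)")
NXDOMAIN_RE = re.compile(r"^\*\*\*\s+(?P<server>\S+)\s+can(?:'t| not|not) find\s+(?P<name>[^:\s]+):\s*(?P<reason>.+?)\s*$")
SRV_HEAD_RE = re.compile(r"^(?P<name>\S+)\s+SRV service location:")
KV_RE = re.compile(r"^\s+(?P<key>[A-Za-z ]+?)\s*=\s*(?P<val>\S+)\s*$")
GLUE_RE = re.compile(r"^(?P<host>\S+)\s+internet address\s*=\s*(?P<ip>[0-9.]+)")


def is_rfc1918(ip: str) -> bool:
    """True only for 10/8, 172.16/12 and 192.168/16 (the private ranges an internal DC should live in)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def parse_nslookup(output: str) -> dict:
    """Pull responding server, NXDOMAIN errors, SRV records and A-record glue out of nslookup text."""
    res = {"server": None, "server_ip": None, "errors": [], "records": [], "glue": {}}
    current = None
    for line in output.splitlines():
        if m := SERVER_RE.match(line):
            res["server"] = m.group("server")
        elif m := ADDRESS_RE.match(line):
            if res["server_ip"] is None:
                res["server_ip"] = m.group("ip")   # first Address: line belongs to the resolver
        elif m := NXDOMAIN_RE.match(line):
            res["errors"].append(m.groupdict())
        elif m := SRV_HEAD_RE.match(line):
            current = {"name": m.group("name")}
            res["records"].append(current)
        elif m := GLUE_RE.match(line):
            res["glue"][m.group("host").lower().rstrip(".")] = m.group("ip")
        elif current is not None and (m := KV_RE.match(line)):
            current[m.group("key").strip()] = m.group("val")
    return res


def diagnose(output: str, domain: str) -> list:
    """Return findings; an empty list means the SRV lookup looks healthy for Group Policy."""
    p = parse_nslookup(output)
    want = f"_ldap._tcp.{domain.lower().rstrip('.')}"
    findings = []
    if p["server_ip"] and not is_rfc1918(p["server_ip"]):
        findings.append(f"answered by {p['server']} ({p['server_ip']}), not an internal DNS server: "
                        "the client's primary DNS should be the domain controller")
    for e in p["errors"]:
        findings.append(f"{e['server']} returned '{e['reason']}' for {e['name']}: "
                        "the resolver in use does not serve the AD zone")
    matching = [r for r in p["records"] if r["name"].lower().rstrip(".") == want]
    if not matching and not p["errors"]:
        findings.append(f"no SRV record for {want}: check the _tcp folder of the zone on the DNS server")
    for r in matching:
        host = r.get("svr hostname", "").lower().rstrip(".")
        ip = p["glue"].get(host)
        if ip is None:
            findings.append(f"{host}: no A record returned with the SRV record")
        elif not is_rfc1918(ip):
            findings.append(f"{host} resolves to {ip}, a public address: clients must reach the DC on its private address")
        if r.get("port") != "389":
            findings.append(f"{host}: SRV port is {r.get('port')}, expected 389 for LDAP")
    return findings


# Constructed samples (not real output); names and addresses are placeholders.
HEALTHY = """\
Server:  dc1.corp.example
Address:  192.168.10.5

_ldap._tcp.corp.example   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.corp.example
dc1.corp.example  internet address = 192.168.10.5
"""
EXTERNAL_RESOLVER = """\
Server:  ns1.isp-resolver.example
Address:  203.0.113.53

*** ns1.isp-resolver.example can not find _ldap._tcp.corp.example: Non-existent domain
"""
PUBLIC_DC = HEALTHY.replace("internet address = 192.168.10.5", "internet address = 198.51.100.7")

if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("external resolver", EXTERNAL_RESOLVER), ("public DC", PUBLIC_DC)):
        print(f"{label}: {diagnose(text, 'corp.example') or 'OK'}")
```

To use it on a real client, run the nslookup sequence from the thread (set type=srv, then _ldap._tcp.<your FQDN>), paste the output into a file and pass its contents to diagnose() with your AD DNS name. A non-empty list from the "external resolver" sample is the situation in this thread: the ISP's server is being asked about the internal zone, so the first thing to fix is the client's primary DNS setting, not the policy itself.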
Thanks for the points, so what was the solution?
WaynebebayAuthor Commented:
Didn't find a solution yet.... Im just going to reinstall Windows =) But you did teach me a lot, I appreciate the help.
Question has a verified solution.
