Solved

Group Policy Issues

Posted on 2004-09-23
42
362 Views
Last Modified: 2010-04-12
I have 1 AD domain, 3 Windows 2000 Adv. Server (domain controllers) with service pack 4 and all latest security updates, and 50 XP Pro client computers. I have been running group policies for over a year now and everything has been fine. I added 3 new computers to the network and they are not receiving any group policies. I checked other machines and realized that now none of them are receiving any changes to any GPO that I create/link. I checked my DNS settings and service, and everything seems to be working fine. Am I missing something??

Is this just another Microsoft Moment...? Appreciate the help
Question by:itly09
42 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 12134404
Anything on your server event viewer?
0
 

Author Comment

by:itly09
ID: 12134472
2 errors were listed in there:

Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4004
Date:            9/22/2004
Time:            5:07:10 PM
User:            N/A
Computer:      LARODC1
Description:
The DNS server was unable to complete directory service enumeration of zone laro.com.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The event data contains the error.
Data:
0000: 2a 23 00 00               *#..    

Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4004
Date:            9/22/2004
Time:            5:07:10 PM
User:            N/A
Computer:      LARODC1
Description:
The DNS server was unable to complete directory service enumeration of zone 1.168.192.in-addr.arpa.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The event data contains the error.
Data:
0000: 2a 23 00 00               *#..    
0
 

Author Comment

by:itly09
ID: 12134493
Also under the system events, error 5774 is listed several times

most of them look like this:
Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5774
Date:            9/22/2004
Time:            9:48:03 AM
User:            N/A
Computer:      LARODC1
Description:
Registration of the DNS record '_kerberos._tcp.laro.com. 600 IN SRV 0 100 88 larodc1.laro.com.' failed with the following error:
DNS operation refused.  
Data:
0000: 2d 23 00 00               -#..    
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12134586
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12134610
about the 5774 event:

"DNS operation refused." - This points out that the operation was attempted against a DNS server that does not perform dynamic updates. Typically I assume this occurs when a server or workstation is configured with the Internet provider's DNS server instead of the internal, Active Directory-based one.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q284963
0
 

Author Comment

by:itly09
ID: 12134716
I have both DNS servers pointing to themselves listed first, then the other DNS second. Example:

DNS SERVER 1
first DNS server is DC1
second DNS server is DC2

DC2 DNS SERVER 2
first DNS server is DC2
second DNS server is DC1

But why all of a sudden would this happen? It's not like I changed my DNS settings, which is odd.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12134853
No idea why it would happen suddenly.. things like this happen often with M$ software..
0
 
LVL 16

Expert Comment

by:robrandon
ID: 12136424
Remove them from the domain.  Delete the computer accounts.  Re-add them to the domain.

I just ran into a similar problem the other day and the remove/delete/add worked for me.

0
 

Author Comment

by:itly09
ID: 12136578
I'm gonna try with those few computers, but it's happening to all client machines. In other words, the old policies that are in place on the existing clients are still in place, but if I create a new policy, it won't update to any of the clients anymore. I've even tried secedit/gpupdate manually and also given it enough time to refresh overnight.
0
 

Author Comment

by:itly09
ID: 12171593
Hoping someone can help me out with this, very urgent...
0
 
LVL 16

Expert Comment

by:robrandon
ID: 12172763
On any of the clients that are not getting a new policy, what happens if you run GPRESULT?  Does it show up in the list at all?  Is it getting filtered out by security?  Or does it not show up?

0
 

Author Comment

by:itly09
ID: 12172824
I never used this command so I'm not really sure how it works.  But when I run it from the client it says:

"getting the SID information..."
INFO: The policy object does not exist.
0
 
LVL 16

Expert Comment

by:robrandon
ID: 12172864
See if this helps.  GPRESULT should output some helpful info for us.

http://support.microsoft.com/default.aspx?scid=kb;en-us;322852&Product=winxp

0
 

Author Comment

by:itly09
ID: 12173017
Ok, I ran that with the runas and now I got different results. Now it listed out a ton of stuff and I noticed what you had said earlier... it reads:

The following GPOs were not applied because they were filtered out. And then it lists some of my GPOs but not all. But even the ones that it says were applied. I also was wondering maybe you could help: is there a way to tell where the GPOs are actually coming from, like which one of my 3 domain controllers..?
0
 
LVL 16

Expert Comment

by:robrandon
ID: 12173084
Not sure how to tell which domain controller.

There should be 2 sections to this.  A User Section and a Computer Section.  I'm not sure which one, or both, you need to look at.  It depends on what is in the policy(s) that we are talking about.

First you have to see if the policy in question shows up in the list at all.  Then, you need to see if it is filtered out.  If it is, the policy needs some tweaking in the security.  If it doesn't show up at all, it could be the location of the policy compared to the location of the computer/user you want it applied to.  

If it shows up and is not filtered out, AND it doesn't appear to be applied, that is a different story.  Either the policy isn't setup correctly, or the computer is not letting it apply.  

Can you provide more info that would help narrow this down?

0
 

Author Comment

by:itly09
ID: 12173184
Ok, it definitely shows up but says it is filtered out. I don't understand why this is happening. I understand how to filter certain users out (deny - apply group policy) but I checked that part, if that's what you mean by security. Here is an example of the gpresult... Hopefully you can see something that I am missing

COMPUTER SETTINGS
------------------
    CN=JIMJR,OU=XP Computers,DC=laro,DC=com
    Last time Group Policy was applied: 9/28/2004 at 3:00:30 PM
    Group Policy was applied from:      larodc1.laro.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        forcelogoff
        Redirect LI Mydocs
        Turn off offline files
        turn off firewall
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        IE Hi Security
            Filtering:  Not Applied (Empty)

        No Lock computer
            Filtering:  Not Applied (Empty)

        HideNetworkPlaces
            Filtering:  Not Applied (Empty)

        Additional IE Options
            Filtering:  Not Applied (Empty)

        Block Floppy Drive
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        Debugger Users
        BUILTIN\Users
        JIMJR$
        Domain Computers
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------
    CN=jimjr,OU=IT,DC=laro,DC=com
    Last time Group Policy was applied: 9/28/2004 at 2:33:53 PM
    Group Policy was applied from:      larodc1.laro.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Denied (Security)

        forcelogoff
            Filtering:  Denied (Security)

        No Policy except LastLoginDisplay
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        is
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        Group Policy Creator Owners
        Domain Admins
        Enterprise Admins
        LOCAL
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
0
 
LVL 16

Expert Comment

by:robrandon
ID: 12173296
Which policy are you talking about?  I'll probably be able to guide you a bit better knowing which one it is.

It is probably 'filtered out' because it doesn't have rights at all, not because it is 'Deny'ed.  If it shows up in the list, the policy is placed at the correct OU level (I think).

If it is a Computer Policy, make sure the computer you are running it on shows up in the Security Tab with Apply and Read rights, or is a member of a group that has Apply and Read rights.  Also, as you stated, it cannot have Deny or be in a group that has Deny.

If it is a User Policy, same as computer, but make sure either the User or a group the User is in, is in the list correctly.



0
 

Author Comment

by:itly09
ID: 12173430
I checked everything as far as groups and so on. Just to play it safe I created a new OU right off the domain with 1 user in it and tried applying just 1 group policy. 1 simple example is "hide network places icon". Now we both know this is a user configuration so it should be simple to setup and apply. I have the user and the group he belongs to as "Read - apply" security so that's fine. But the part that's bugging me is that something must have changed or whatever because these have been working fine for over a year now. And also you were asking for a better example of which GPO, well the hidenetworkplaces is a good example.
0
 
LVL 16

Expert Comment

by:robrandon
ID: 12173526
In your GPRESULT post it doesn't have the hidenetworkplaces under the User Configuration, so in that example, it doesn't look like it is applying correctly.  But let's focus on the test you just setup.

After you logon as the test user you just created, run the GPRESULT and let's see what it thinks it should be getting.  Did this work when you did it, btw?  Or it didn't apply?

You did that in User\Administrative Templates\Control Panel\
Hide Specified Control Panel Applets

right?  Or a diff location?  I'm not sure how to add that one.  
Why don't you try 'remove display in control panel', it's under Control Panel\Display

0
 

Author Comment

by:itly09
ID: 12173727
Ok, so I created a TEMP OU and put a test user in there. And also made sure he has apply permissions applied to that user. I created a GPO taking away the Display. It didn't apply. I even tried it on an existing computer that has been on the network for a year and also a brand new one. Took it off the domain and put it back on the domain. Still no good... Every time something weird like this happens, I'm beginning to think maybe it could be DNS issues... Could that be??? Also when I run gpresult on any computer with a normal user (not with admin rights) that's when it tells me "the policy object does not exist". The only way I can run gpresult is with admin rights (or runas)
0
 
LVL 16

Expert Comment

by:robrandon
ID: 12173822
What happens when you run it (with runas) logged on as that test user?  Can you post the results?  What is the name of the new policy that I should be looking for?
0
 

Author Comment

by:itly09
ID: 12173989
Ok the name of the new policy is called "display" and that's removing the display. When I run GPresult from the command line, it says: The user laro.com\gptest does not have RSOP data. Then I ran it through the resultant policy mmc snap-in and it has a red X through all the policies.
0
 
LVL 16

Expert Comment

by:robrandon
ID: 12178693
Run it with the runas so we can get the output like above.
0
 

Author Comment

by:itly09
ID: 12180090
Now correct me if I'm wrong, but if you run it with the "runas", how is it going to act as if the normal user is getting the policy? If I run it as administrator, it's showing the policy results as if the administrator would receive them and not the normal user. So it's not really telling us how it is affecting the normal user logged in (domain\gptest), but anyways, here is what the results look like when I'm logged in as gptest and run it with runas as administrator...  It doesn't show anything about the new GPO I created called "display"

C:\Documents and Settings\barias>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 9/29/2004 at 10:18:56 AM


RSOP results for BRAULIO\Administrator on BRAULIO : Logging Mode
-----------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 LARO_DOMAIN
Domain Type:                 Windows 2000
Site Name:                   laroli
Roaming Profile:
Local Profile:               C:\Documents and Settings\Administrator.BULLPEN2
Connected over a slow link?: Yes


COMPUTER SETTINGS
------------------
    CN=BRAULIO,CN=Computers,DC=laro,DC=com
    Last time Group Policy was applied: 9/29/2004 at 9:14:37 AM
    Group Policy was applied from:      larodc2.laro.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------

    Last time Group Policy was applied: 9/23/2004 at 5:26:42 PM
    Group Policy was applied from:      nycdc.laro.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        None
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
0
 
LVL 16

Expert Comment

by:robrandon
ID: 12180259
I had thought that if you run GPRESULT even with the runas, it does the results for the logged on user.  What is strange is that on the most recent post of GPRESULT, it has the username missing.  Compare the output to the GPRESULT you posted earlier, specifically, this section:
USER SETTINGS
--------------
    CN=jimjr,OU=IT,DC=laro,DC=com
    Last time Group Policy was applied: 9/28/2004 at 2:33:53 PM
    Group Policy was applied from:      larodc1.laro.com
    Group Policy slow link threshold:   500 kbps

It shows it was for user 'jimjr' in the IT OU.  In your most recent post, the CN line is missing.....


Anyway, it shows the last time the User settings were applied was on 9/28, which was yesterday, compared to the time the Computer settings were applied, which was this morning:
COMPUTER SETTINGS
------------------
    CN=BRAULIO,CN=Computers,DC=laro,DC=com
    Last time Group Policy was applied: 9/29/2004 at 9:14:37 AM

Try logging off and logging on again, and running it again.  See if the same DC authenticates you, and if any of the other info changes.  Also, when you log on, are you logging on right when the CTRL-ALT-DELETE screen comes up, or are you waiting for it to finish processing the startup a bit?
0
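An added example, not from the thread or from either participant: a small Python parser for the XP gpresult logging-mode text posted above, with the checks robrandon walks through (a missing CN= line, computer and user policy served by different DCs, a user refresh time far older than the computer's, and GPOs reported as Denied (Security) as in the earlier jimjr paste). The SAMPLE string is a constructed, abridged copy of the BRAULIO output.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed sample: an abridged copy of the BRAULIO gpresult paste from the thread.
SAMPLE = """\
COMPUTER SETTINGS
    CN=BRAULIO,CN=Computers,DC=laro,DC=com
    Last time Group Policy was applied: 9/29/2004 at 9:14:37 AM
    Group Policy was applied from:      larodc2.laro.com
    Applied Group Policy Objects
        N/A
    The following GPOs were not applied because they were filtered out
        Local Group Policy
            Filtering:  Not Applied (Empty)
    The computer is a part of the following security groups:
USER SETTINGS
    Last time Group Policy was applied: 9/23/2004 at 5:26:42 PM
    Group Policy was applied from:      nycdc.laro.com
    Applied Group Policy Objects
        N/A
    The following GPOs were not applied because they were filtered out
        Local Group Policy
            Filtering:  Not Applied (Empty)
"""

@dataclass
class Section:
    dn: str = None                       # CN=... line; absent in the BRAULIO user section
    applied_at: datetime = None          # last refresh time
    applied_from: str = None             # DC that served the policy
    applied: list = field(default_factory=list)
    filtered: dict = field(default_factory=dict)   # GPO name -> filtering reason

def parse_gpresult(text):
    sections, cur, mode, last = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            cur = sections[line.split()[0].lower()] = Section()
            mode = None
        elif cur is None or not line or set(line) == {"-"}:
            continue                         # preamble, blank line or underline rule
        elif line.startswith("CN="):
            cur.dn = line
        elif line.startswith("Last time Group Policy was applied:"):
            cur.applied_at = datetime.strptime(line.split(":", 1)[1].strip(), "%m/%d/%Y at %I:%M:%S %p")
        elif line.startswith("Group Policy was applied from:"):
            cur.applied_from = line.split(":", 1)[1].strip()
        elif line == "Applied Group Policy Objects":
            mode = "applied"
        elif line.startswith("The following GPOs were not applied"):
            mode = "filtered"
        elif line.startswith("The "):        # "The computer/user is a part of ..." ends the lists
            mode = None
        elif mode == "applied" and line != "N/A":
            cur.applied.append(line)
        elif mode == "filtered" and line.startswith("Filtering:"):
            cur.filtered[last] = line.split(":", 1)[1].strip()
        elif mode == "filtered":
            last = line                      # GPO name; its reason is on the next line
    return sections

def diagnose(sections):
    # The checks robrandon walks through in the thread, as plain-text findings.
    out = []
    for name, s in sections.items():
        if s.dn is None:
            out.append(f"{name}: no CN= line, so RSoP has no identity for this {name}")
        if not s.applied:
            out.append(f"{name}: no GPO applied at all (only filtered-out entries)")
        for gpo, why in s.filtered.items():
            if why.startswith("Denied"):
                out.append(f"{name}: '{gpo}' denied by security filtering, check Read/Apply ACEs")
    c, u = sections.get("computer"), sections.get("user")
    if c and u and c.applied_from != u.applied_from:
        out.append(f"policy served by different DCs: {c.applied_from} vs {u.applied_from}")
    if c and u and c.applied_at and u.applied_at and abs(c.applied_at - u.applied_at) > timedelta(days=1):
        out.append("computer and user policy refresh times differ by more than a day")
    return out
```

Calling diagnose(parse_gpresult(SAMPLE)) lists the five findings for the BRAULIO paste; feeding it the saved output of gpresult from any other client works the same way.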
 

Author Comment

by:itly09
ID: 12180572
Yesterday it said jimjr because I was trying out a few different clients just to make sure it wasn't just 1 client that this was happening on. But now the focus is on that one client machine I just sent you... braulio. This is one of the new ones I said I had added to my domain. Unlike jimjr and all other client machines, it has never received any policies at all, that's why it isn't showing up. This is what made me realize when all these problems started. I'm beginning to HATE MICROSOFT

When I log on it doesn't take that long, actually goes pretty fast - loading personal settings, applying personal settings and so on, but doesn't say applying security or anything of that nature.


RSOP results for BRAULIO\Administrator on BRAULIO : Logging Mode
-----------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 LARO_DOMAIN
Domain Type:                 Windows 2000
Site Name:                   laroli
Roaming Profile:
Local Profile:               C:\Documents and Settings\Administrator.BULLPEN2
Connected over a slow link?: Yes


COMPUTER SETTINGS
------------------
    CN=BRAULIO,CN=Computers,DC=laro,DC=com
    Last time Group Policy was applied: 9/29/2004 at 9:14:37 AM
    Group Policy was applied from:      larodc2.laro.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------

    Last time Group Policy was applied: 9/23/2004 at 5:26:42 PM
    Group Policy was applied from:      nycdc.laro.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        None
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
0
 

Author Comment

by:itly09
ID: 12180799
I also noticed an error in the  event log (frs)

Event Type:      Warning
Event Source:      NtFrs
Event Category:      None
Event ID:      13562
Date:            9/28/2004
Time:            11:18:18 AM
User:            N/A
Computer:      LARODC1
Description:
Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller larodc1.laro.com for FRS replica set configuration information.
 
 The nTDSConnection object cn=nycdc,cn=ntds settings,cn=larodc1,cn=servers,cn=laroli,cn=sites,cn=configuration,dc=laro,dc=com is conflicting with cn=e5d7efdb-6d82-4a64-a8b7-24a3079da530,cn=ntds settings,cn=larodc1,cn=servers,cn=laroli,cn=sites,cn=configuration,dc=laro,dc=com. Using cn=nycdc,cn=ntds settings,cn=larodc1,cn=servers,cn=laroli,cn=sites,cn=configuration,dc=laro,dc=com

 
 Could this have something to do with this...?
0
 
LVL 16

Expert Comment

by:robrandon
ID: 12181550
It's very possible.  Is there a way to control what DC a computer authenticates with?  So we can try each one and see if you experience different results?  What type of link is there between the different DC's and the client machine?  I noticed that it thinks you are connecting over a slow link.

0
 
LVL 16

Expert Comment

by:robrandon
ID: 12181572
Can you narrow down the time that this started happening?  Was it after SP4 on the DC's?

0
 
LVL 16

Expert Comment

by:robrandon
ID: 12181582
Are you running any type of firewall software on your servers?
0
 
LVL 16

Expert Comment

by:robrandon
ID: 12181616
http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/dcdiag-o.asp

Maybe give this a shot and make sure the DC's are ok.
0
 

Author Comment

by:itly09
ID: 12181634
I have 2 DCs on my LAN, and one in a remote office connected by a partial T1 in another state. I'm not sure why it thinks it is a slow link. I'm not sure how to (if possible) force it to use one server. Right now I'm trying something a little different. I am transferring all the fsmo roles off 1 server and going to take that one offline for a while. Going to see if that does anything. If I do this I might be able to narrow it down if it is a problem with one of the servers.

I installed these servers about 1 year ago. Then I installed SP4 on all of them immediately. So for a year it's been working with the latest service packs. This started happening about last Monday or Tuesday (20th - 21st)
0
 

Author Comment

by:itly09
ID: 12181653
No firewall software on the servers, just hardware at the gateway. I'm gonna check out the link you just sent me
0
 

Author Comment

by:itly09
ID: 12182960
Ok after running the dcdiag test on my domain controller, I ran into some interesting results... they all say pass except for

Starting test: frssysvol
Error: No record of File Replication System, SYSVOL started.
The active directory may be prevented from starting.
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.

What can we make from this?
0
 
LVL 16

Expert Comment

by:robrandon
ID: 12183294
Holy cow.  Let me investigate....
0
 
LVL 16

Expert Comment

by:robrandon
ID: 12183314
If you browse to the DC that gave you that error, does it have a SYSVOL share?

You could also do a
NET VIEW \\computername
to see the shares.

0
 

Author Comment

by:itly09
ID: 12183346
Yes both servers have a NETLOGON and SYSVOL folder being shared.
0
 

Author Comment

by:itly09
ID: 12183364
It seems like it has something to do with FRS because those are the different errors that seem to be coming up in the event log. Event ID: 13508 and 13562, both describing FRS not replicating and so on...
0
 
LVL 16

Expert Comment

by:robrandon
ID: 12183451
0
 

Author Comment

by:itly09
ID: 12183708
WHEW.. Ok I read through all that and tried a few things, recreating/checking/sharing the shares etc.... manually replicating, still nothing. This is so crazy, I really do appreciate all your help
0
 
LVL 16

Accepted Solution

by:
robrandon earned 500 total points
ID: 12183952
Take a look at this and see if anything in there helps at all.  

http://www.experts-exchange.com/Networking/WinNT_Networking/Q_20743682.html?query=&clearTAFilter=true

I won't be online until next Monday.  Sorry I couldn't help resolve this.  You may want to post a new question pointing to this one.  Maybe someone else can help you to a solution before then.

-r

0
 

Author Comment

by:itly09
ID: 12184037
That's OK, I appreciate all your help. And get back to me when you get back, I'll keep you filled in on the status... =)
0
