• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 948
  • Last Modified:

Group Policy not updating on Windows 2000 client

Hello,

I have one peculiar machine that does not update GP. When I run secedit /refreshpolicy machine_policy and user_policy, no changes are reflected. I have other Windows 2000 clients on the same subnet that update fine. Application log says the following:

Security policy in the Group policy objects are applied successfully.

But when I make particular changes, such as enabling and disabling the Display settings, they are not reflected. Any tips would help.
0
pwslgl
Asked:
pwslgl
  • 7
  • 7
  • 2
  • +3
1 Solution
 
valiconCommented:
Is this client in the same OU as the others?  I have seen policies that take more than one reboot to take effect, even though I have did secedit.  Where did you apply the GPO and was it at the computer or user level?  Are the DNS settings correct on this client?  Is this the only problem that you are experiencing with this client?
0
 
pwslglAuthor Commented:
The policy is applied on the OU which contains these specific users. The actual machines are all on the same GPO as well. The client seems setup correctly, although now that you mention it I've had trouble getting on certain websites in IE, which I believed was due to spyware and adware I found on the system. Our Intranet site works fine, though. I can VNC to the client and it can see all the core servers and clients around itself. DNS for these are handled by the DHCP server so that shouldn't be a problem...
0
 
pwslglAuthor Commented:
I've also rebooted as well.
0
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
valiconCommented:
Okay so let's step through it:

I think we can rule out both disabled policy and blocked inheritance as you say the other clients in the same GPO have no issue with this GPO.  Be sure to check that this client has Read and Apply Group Policy perms or that the user affected is a member of the security group that is affected.  If you apply the GPO at the Computer level, that machine must be in the OU that has the GPO applied.  Same goes if you applied the GPO at the user level. Also make sure that this client is getting a IP from the DHCP server and that DNS is correct.  I have seen clients on my network that were not able to get a IP go into auto config with an AIPA IP and still have internet access but things like GPOs were not getting applied.  Let me know. Good Luck!
0
 
pwslglAuthor Commented:
The GPO is definately applied correctly. The network settings looking correct as well. I checked the DNS records on the DNS server and the DHCP server just to make sure. All the clients at this site are in the same OU with the same policy installed, and the user who I am using is the same user across all the clients, so I'm thinking permissions isn't an issue.

Isn't it strange that it says it applied the policies successfully in the event log?
0
 
valiconCommented:
Isn't it strange that it says it applied the policies successfully in the event log?

That depends on what GPO it is getting and applying.  Do you have access to GPUpdate.exe and can you install it on this machine?  I have seen machines where no matter what I did the policy would not get applied, then after 90 - 120 minutes (which is how long it can take)  the policy was applied :)
0
 
pwslglAuthor Commented:
I'm pretty sure GPUpdate won't run on a 2000 client. This client won't get the new policy regardless of a manual update or waiting the default replication period which is 90 minutes. I'm upping the points for this question. ^_^
0
 
kapesCommented:
if its xp machine... go to....

start > help & support > tools > advanced user information > view group policy applied

it will give details of settings applied from various group policies... it also shows... which group policy WON in applying a setting in case of conflicts ...
0
 
pwslglAuthor Commented:
It's a 2000 machine, hence the topic and category...
0
 
mattisflonesCommented:
Just a tought from my previous experience with more or less the same problem. Could the users profilename have been  changed at any time? That might screw up SID`s and stuff and then deny policy changes..
0
 
gavin_wickensCommented:
Have you checked DNS on the client.  At client run nslookup, you should get:
yourservername.yourdomainname
server ipaddress

If not check the DNS settings on the client.
0
 
valiconCommented:
You are correct on GPUpdate, I had XP on the brain :)
0
 
valiconCommented:
You can enable debug logging to find the cause:

http://support.microsoft.com/kb/221833

Then look at Userenv.log, this is generated in the Winnt\Debug\UserMode folder.  Here is a link:

 http://support.microsoft.com/kb/250842/EN-US/

Hope this helps
0
 
pwslglAuthor Commented:
Valicon, I tried that and I don't see any logs. It never creates the Usermode folder at all...
0
 
valiconCommented:
I am surprised, that is straight from the Microsoft docs.  Just to confirm, is this GPO applied at the Computer configuration level or the User configuration level?  I know that you said the client is in the OU but if this is a user level GPO, is the user in the affected OU as well? Since this is the only machine affected I would also check my TCP/IP settings and compare them to a machine that is known to be getting the GPO's correctly, even though your clients are DHCP.
0
 
pwslglAuthor Commented:
This GPO has configurations under both Computer and User levels. The GPO is applied to an OU with a group of users in them. Basically anywhere this user logs in they should get the same policy on any machine, and they do, except for this one. There is a policy applied on this machine; it is an older version of this same GPO.

Who knows what may have happened. I have Norton Ghost coming soon anyway, so I may just wipe this one clean.
0
 
valiconCommented:
Try placing that user and machine into a different OU so that it gets a different GPO, see if that works.  Then  move the user back in the original OU and see if it gets the policies.  At this point its work a try!  
0
 
kapesCommented:
Try this tool to find the exact policy getting applied on win2000


http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp
0
 
gavin_wickensCommented:
Did you check the DNS settings?
0
 
maynardincSysadminCommented:
Did you ever get this figured out?
0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

  • 7
  • 7
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now