Link to home
Start Free TrialLog in
Avatar of DeNzMoR
DeNzMoR

asked on

Dont want to load GPOs on AD server

Ok,

I have a problem with some GPOs and im not able to find where the problem is from. I have an error in event viewer every 10min

Userenv
Description :
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.

I would like to know if theres a way to not load any gpos on my server. Is it possible or I will screw my only ad server.

Is there any tools that debug gpos, so I can find whats the problem.

Because since I have this message, my server is really slow

Do you think a repair from the cd would fix this problem? I've looked on the internet and tried mostly all solutions and im kinda desperate.

Any help will be appreciated.
Avatar of AnthonyP9618
AnthonyP9618
Flag of United States of America image

Do this...

Run gpresult > C:\gpresult.txt from a command prompt window.  Once complete, open up the gpresult.txt file in the root of C.  This should show the list of applied and filtered Group Policies for this server.  We're going to focus on the list of applied Group Policies.

Create a new Global Security Group in AD called MemberServer-NoGPO (or whatever you want).  Open up Group Policy and find the Group Policies that we found were applying to the server we ran gpresult on.  In each of these policies we want to add the MemberServer-NoGPO into the Security of Group policy.  Once added, check DENY for Apply Group Policy (should be the last entry).  Repeat this process for each Group Policy that is being applied to our target server.  Once complete, add the server into this group.  Ensure that you force or wait for repliaction occur for all DCs in the site.

On the target server, perform a GP force.. type gpupdate /force from a command prompt on the target server to force group policy updates.

Re-run the gpresult command above and compare the output to the previously generated file.  If the securities took, there should be no group policies applying to this server.  In fact, you should see that group policies that once were applying to the server have now been filtered out by Security.

From there you should be able to enable a single GPO at a time by removing the security group in the GP, forcing replication amoung the DCs and forcing a GPupdate on the target server.  

Hope that helps.
Avatar of life_j
life_j

Avatar of DeNzMoR

ASKER

life_j I tried that and its not working.

Thanks Anthony, I will try this asap and keep you in touch.
Avatar of Bradley Fox
If you do not want the GPOs applied to a specific server just edit the security of the GPOs and add the servername (you will have to select types and check off computers) then check the Deny box next to apply Policy for the server.
ASKER CERTIFIED SOLUTION
Avatar of Stephen Manderson
Stephen Manderson
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of DeNzMoR

ASKER

I tried the gpresult and it tooks like 5 min and after that I got this error messager

server execution failed.....
Avatar of DeNzMoR

ASKER

MrManderson
Ive seen this page and nothing is working....
Avatar of DeNzMoR

ASKER

I have several dcom errors in event viewer also

The server {000C101C-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

The server {BA126AE5-2166-11D1-B1D0-00805FC1270E} did not register with DCOM within the required timeout.
The First GUID is an error with the Microsoft Installer.
http://support.microsoft.com/kb/309282/en-us

The Second has to do with the RPC
http://support.microsoft.com/kb/839880/en-us

The thirds one I cant seem to find any info on

This may help fix some of you're com issues
http://support.microsoft.com/kb/910730/

I will look into you're RSoP error more

Avatar of DeNzMoR

ASKER

I re-register msiintaller and now Im able to uninstall programs.

Is this server running Terminal Services?
http://support.microsoft.com/?kbid=873375

This is probably stupid but did you try a gpupdate /force ?
Im not a big fan of posting links to other experts answers but this may be of use to help you solve it quicker.

https://www.experts-exchange.com/questions/21126829/EVENT-ID-1030-1090-USERENV.html?query=1090+userenv&clearTAFilter=true

Everything always seems to come back to DNS so I would try just for the heck of it.

Make sure primary DNS on the offending DC is pointing at itself and it's running DNS with a AD integrated zone hosting your domain.

Stop and start the netlogon service.
Avatar of DeNzMoR

ASKER

yeah I had ts server running but I uninstall it and even the ts server licensing. I tried gpupdate /force many times
when I was runnign the mof-thing command line
You should consult with microsoft they may have non published tools that may sort this problem.

Regards
Steve
I would suggest calling Microsoft to obtain the hotfix that is explained in the link from my previous post.
Avatar of DeNzMoR

ASKER

theres no way it can be a dns problem.
I was referring to the hotfix from this post:

Is this server running Terminal Services?
http://support.microsoft.com/?kbid=873375
Avatar of DeNzMoR

ASKER

ive noticed theres some memory leak with svchost.exe (SYSTEM)
its taking 800mb atm.. Ill try uninstall my antivirus program.
Avatar of DeNzMoR

ASKER

Only repairing windows 2003 solved the problem. But im going to give the points to MrAnderson since he helped me the most.