Solved

GPOs not being applied correctly to clients

Posted on 2008-11-19
Last Modified: 2012-05-05
I have a nice size domain and my GPOs recently stopped working. If I use the GPO Modeling, it shows what should be the correct GPOs to be supplied to the clients. Also, if I run a GPUPDATE /force from the domain controller logged on as myself (a domain admin), it shows exactly what is in the GPO Modeling and all looks fine.
HOWEVER, if I check my GPOs from any other machine and run a GPUPDATE /FORCE, it is getting GPOs that used to be applied but are no longer valid. The GPRESULT on these machines shows that it checked the same domain controller that I did the correct gpresult on earlier, and it shows that its results are current.
I can't figure out why the client machines are getting the latest GPOs.
This is happening on all clients. Some clients are in a different VLAN, behind a Cisco PIX, but this is happening even on the same subnet as the servers, so the PIX rules are not causing it.
ANY IDEAS?
0
Question by:northbridgesolutions
16 Comments
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22999825
First run RSOP.msc from the client machines and you will see more in detail the list of policy settings applied from various GPO on that specific client... This will give you a very clear picture of the applied policies.
0
 

Author Comment

by:northbridgesolutions
ID: 23004699
When I run RSOP.MSC it gives me the same information that I get when I run gpresult. It still looks different than what the domain controllers think I should get (and what I believe I should get).
0
 

Author Comment

by:northbridgesolutions
ID: 23005375
It seems now that only the USER GPOs aren't being applied, but the computer policies are working.
0
 
LVL 18

Accepted Solution

by:
sk_raja_raja earned 2000 total points
ID: 23005422
Yeah, that may be the problem then. It looks like some of the policies are overriding and hence you don't see the computer settings.
Also right-click the group policy and make sure both the "user configuration" and "computer configuration" are enabled.

I would suggest you create a new OU, move a couple of test machines and test users into this OU, link the policy to this OU through GPMC, then make sure you enforce this policy, then apply gpupdate /force and then run rsop.msc on the clients to see whether all the desired policy settings are applied. If not, you can block the inheritance on the newly created OU, apply the policy, run rsop.msc on the clients and see the results. This will help you understand which policies are overriding.
0
 

Author Comment

by:northbridgesolutions
ID: 23005554
I don't think it is a matter of overriding. The problem isn't that the settings aren't there, the problem is that gpresult isn't showing the right policies. If I log onto the DC and run gpresult, I see totally different user policies.
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 23005663
Come on... are you trying to log in with the same user account on the DC and the other workstation, or all the AD objects, DC, workstation and the users or on the OU...

GPresults will show you the policies that are applied on the workstation; rsop will show the policy settings applied from different GPs.

In simple terms, if you don't see the policy in the gpresult, it is being overridden or blocked. See in the policy settings properties if the policy in GPMC is applied to all "authenticated users" or to any specific user.
0
 

Author Comment

by:northbridgesolutions
ID: 23005950
I have tried one specific user policy both ways, against authenticated users and against my specific account. It is still not showing up in either gpresult or rsop.

As for your original question: the DC and workstation are in different OUs. I don't expect their computer policies to look the same, but I do expect the user policy to look the same. Am I missing something?
0
 

Author Comment

by:northbridgesolutions
ID: 23006025
Group Policy modeling has me getting a policy that I am not getting. Does that help at all?
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 23006128
I guess Group Policy modelling is just for the server side from the GPMC console only, its gonna like designing the policy settings for you... but the actual applied policy settings should be seen on rsop.msc and gpresults only.
0
 

Author Comment

by:northbridgesolutions
ID: 23006578
So what you are saying is that it makes sense that the group policy modeling looks different than what rsop or gpresult have?
I can't find anything that would be blocking these policies.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23008773
Check for these events in event logs of the DC and clients:

FRS Event logs: (FRS events will only be on the DC)
Event 13516
Event 13508
Or any other event in 13000's

System Event Logs: (DC and problematic clients)
Event 1030
Event 1058

Let us know if you have any of these events, (especially on the server). If so, run a DCdiag and post the results. Furthermore, let us know if you have a multihomed domain controller.

--Multihomed is simply defined as a server that has two or more IPs. That could mean multiple NICs, or a single NIC with multiple IPs.
________________________________________________________________________________
I think you are in journal wrap and only have a partial replication set. To fix a journal wrap situation, you must fix what is wrong with DNS first and then set the BurFlags to rebuild the SYSVOL and NETLOGON shares. DFS uses NetBIOS to share out the SYSVOL and NETLOGON shares, but FRS and DNS are used to replicate these shares from one DC to another. When you get a partial replication set, you will see some Group Policies missing in the SYSVOL records.

0
 

Author Comment

by:northbridgesolutions
ID: 23008984
FRS is fine and we had some 1058 and 1030 errors the other day, but since we have been trying to resolve this problem we have stopped seeing them.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23009197
Let's see where sk_raja_raja is taking you. This currently looks like a good troubleshooting trackline.
0
 

Author Comment

by:northbridgesolutions
ID: 23009481
Well, the problem seemed to be caused by some GPO that had loopback processing enabled. Thanks to sk_raja_raja's advice of creating new OUs and playing around, I found the problem GPO.
0
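The cause identified above, a GPO with loopback processing enabled, can also be located directly rather than by testing OUs one at a time. The following is an added example, not part of the original thread; it assumes the GroupPolicy PowerShell module (installed with GPMC/RSAT) and read access to every GPO in the domain.

```powershell
# Added example: report every GPO that sets the loopback processing mode,
# and where that GPO is linked. Run from a machine with GPMC/RSAT installed.
Import-Module GroupPolicy

# Registry-backed location of the Administrative Templates setting
# "User Group Policy loopback processing mode" (Computer Configuration).
$key   = 'HKLM\Software\Policies\Microsoft\Windows\System'
$value = 'UserPolicyMode'
$modes = @{ 1 = 'Merge'; 2 = 'Replace' }

$report = foreach ($gpo in Get-GPO -All) {
    # Get-GPRegistryValue raises an error when the GPO does not define the value,
    # so suppress it and skip GPOs that leave loopback unconfigured.
    $setting = Get-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName $value `
                                   -ErrorAction SilentlyContinue
    if (-not $setting) { continue }

    # The XML report lists the sites, domains and OUs the GPO is linked to.
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($xml.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; '

    [pscustomobject]@{
        GPO          = $gpo.DisplayName
        LoopbackMode = $modes[[int]$setting.Value]
        # Loopback is a computer-side setting: it only takes effect when the
        # computer half of the GPO is enabled.
        GpoStatus    = $gpo.GpoStatus
        LinkedTo     = $links
        Modified     = $gpo.ModificationTime
    }
}

$report | Sort-Object GPO | Format-List
```

Any computer in scope of a GPO listed here builds its user policy from the GPOs that apply to the computer's OU (in Replace mode instead of, in Merge mode in addition to, the user's own), which is consistent with the same account seeing different user policies on a DC and on a workstation in another OU.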
 

Author Closing Comment

by:northbridgesolutions
ID: 31518526
Thank you for your troubleshooting tips.
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 23010011
Glad that it worked. Sorry, I left the office early and could not reply to your posts ;)
0
