GPOs not being applied correctly to clients

I have a nice size domain and my GPOs recently stopped working. If I use the GPO Modeling, it shows what should be the correct GPOs to be supplied to the clients. Also, if I run a GPUPDATE /force from the domain controller logged on as myself (a domain admin), it shows exactly what is in the GPO Modeling and all looks fine.
HOWEVER, if I check my GPOs from any other machine and run a GPUPDATE /FORCE, it is getting GPOs that used to be applied but are no longer valid. The GPRESULT on these machines shows that it checked the same domain controller that I did the correct gpresult on earlier and it shows that its results are current.
I can't figure out why the client machines are getting the latest GPOs.
This is happening on all clients. Some clients are in a different VLAN, behind a Cisco PIX, but this is happening even on the same subnet as the servers, so the PIX rules are not causing it.
ANY IDEAS?
northbridgesolutions Asked:
sk_raja_raja Commented:
First run RSOP.msc from the client machines and you will see more in detail the list of policy settings applied from various GPO on that specific client... This will give you a very clear picture of the applied policies.
0
northbridgesolutions Author Commented:
When I run RSOP.MSC it gives me the same information that I get when I run gpresult. It still looks different than what the domain controllers think I should get (and what I believe I should get).
0
northbridgesolutions Author Commented:
It seems now that only the USER GPOs aren't being applied, but the computer policies are working.
0
sk_raja_raja Commented:
Yeah, that may be the problem then; it looks like some of the policies are overriding and hence you don't see the computer settings.
Also right-click the group policy and make sure both the "user configuration" and "computer configuration" are enabled.

I would suggest you create a new OU, move a couple of test machines and test users into this OU, link the policy to this OU through GPMC, then make sure you enforce this policy, and then apply gpupdate /force and run rsop.msc on the clients to see whether all the desired policy settings are applied... If not, you can block the inheritance on the newly created OU, apply the policy, run rsop.msc on the clients and see the results... this will make you understand which policies are overriding.
0

northbridgesolutions Author Commented:
I don't think it is a matter of overriding. The problem isn't that the settings aren't there, the problem is that gpresult isn't showing the right policies. If I log onto the DC and run gpresult, I see totally different user policies.
0
sk_raja_raja Commented:
Come on... are you trying to log in with the same user account on the DC and the other workstation, or all the AD objects, DC, workstation and the users or on the OU...

GPresult will show you the policies that are applied on the workstation, rsop will show the policy settings applied from different GPs.

In simple, if you don't see the policy in the gpresult it is being overridden or blocked... see in the policy settings properties if the policy in GPMC is applied to all "authenticated users" or to any specific user.
0
northbridgesolutions Author Commented:
I have tried one specific user policy both ways, against authenticated users and against my specific account. It is still not showing up in either gpresult or rsop.

As for your original question --> the DC and workstation are in different OUs. I don't expect their computer policies to look the same, but I do expect the user policy to look the same. Am I missing something?
0
northbridgesolutions Author Commented:
Group Policy modeling has me getting a policy that I am not getting. Does that help at all?
0
sk_raja_raja Commented:
I guess Group Policy modelling is just for the server side, from the GPMC console only; it's gonna like designing the policy settings for you... but the actual applied policy settings should be seen on rsop.msc and gpresult only...
0
northbridgesolutions Author Commented:
So what you are saying is that it makes sense that the group policy modeling looks different than what rsop or gpresult have?
I can't find anything that would be blocking these policies.
0
ChiefIT Commented:
Check for these events in event logs of the DC and clients:

FRS Event logs: (FRS events will only be on the DC)
Event 13516
Event 13508
Or any other event in 13000's

System Event Logs: (DC and problematic clients)
Event 1030
Event 1058

Let us know if you have any of these events, (especially on the server). If so, run a DCdiag and post the results. Furthermore, let us know if you have a multihomed domain controller.

--Multihomed is simply defined as a server that has two or more IPs. That could mean multiple NICs, or a single NIC with multiple IPs.
________________________________________________________________________________
I think you are in journal wrap and only have a partial replication set. To fix a journal wrap situation, you must fix what is wrong with DNS first and then set the BurFlags to rebuild the sysvol and netlogon shares. DFS uses NetBIOS to share out the sysvol and netlogon shares, but FRS and DNS are used to replicate these shares from one DC to another. When you get a partial replication set, you will see some Group Policies missing in the sysvol records.

0
northbridgesolutions Author Commented:
FRS is fine and we had some 1058 and 1030 errors the other day, but since we have been trying to resolve this problem we have stopped seeing them.
0
ChiefIT Commented:
Let's see where sk_raja_raja is taking you. This currently looks like a good troubleshooting trackline.
0
northbridgesolutions Author Commented:
Well, the problem seemed to be caused by some GPO that had loopback processing enabled. Thanks to sk_raja_raja's advice of creating new OUs and playing around, I found the problem GPO.
0
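Added example, not part of the thread: loopback processing makes user settings depend on where the computer sits in AD, so the same account can receive different user GPOs on a DC and on a workstation. The PowerShell below lists every GPO that sets the loopback value and where it is linked, then reads the effective mode on the local machine; it assumes the GroupPolicy module (RSAT/GPMC) is installed, and the function names are hypothetical.

```powershell
# Added example (not from the thread). Requires the GroupPolicy module (RSAT/GPMC).
Import-Module GroupPolicy

# Registry-based setting behind "Configure user Group Policy loopback processing mode".
$LoopbackKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopbackName = 'UserPolicyMode'
$ModeText     = @{ 1 = 'Merge'; 2 = 'Replace' }

function Find-LoopbackGpo {
    # Walk every GPO in the domain and report the ones that set UserPolicyMode.
    foreach ($gpo in Get-GPO -All) {
        try {
            $val = Get-GPRegistryValue -Guid $gpo.Id -Key $LoopbackKey `
                       -ValueName $LoopbackName -ErrorAction Stop
        } catch {
            continue   # setting is not defined in this GPO
        }
        $mode = [int]$val.Value
        if (-not $ModeText.ContainsKey($mode)) { continue }

        # The XML report lists every site/domain/OU the GPO is linked to.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object {
            '{0} (enabled={1}, enforced={2})' -f $_.SOMPath, $_.Enabled, $_.NoOverride
        })

        [pscustomobject]@{
            GpoName   = $gpo.DisplayName
            GpoStatus = $gpo.GpoStatus       # e.g. UserSettingsDisabled
            Loopback  = $ModeText[$mode]
            LinkedTo  = $links -join '; '
        }
    }
}

function Get-EffectiveLoopbackMode {
    # Run on an affected client: is loopback in effect for this computer?
    $p = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' `
             -Name $LoopbackName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'Not configured' }
    $mode = [int]$p.$LoopbackName
    if ($ModeText.ContainsKey($mode)) { return $ModeText[$mode] }
    return "Unexpected value $mode"
}

Find-LoopbackGpo | Format-Table -AutoSize -Wrap
"Loopback mode on $env:COMPUTERNAME : $(Get-EffectiveLoopbackMode)"
```

Run `Find-LoopbackGpo` from a machine with GPMC and `Get-EffectiveLoopbackMode` on both the DC and an affected workstation; a difference between the two explains user policy that varies by computer.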
northbridgesolutions Author Commented:
Thank you for your troubleshooting tips.
0
sk_raja_raja Commented:
Glad that it worked, sorry I left the office early and could not reply to your posts ;)
0