Solved

Computer GPO Applying... But not....

Posted on 2009-05-19
10
474 Views
Last Modified: 2013-11-21
Hello All

I'm attempting to apply a GPO to an OU containing users and computers, and specifically I'm attempting to enable "Offer Remote Assistance". I've created the GP, enabled the link and enforced it. On the test client machine (xp pro) I've run gpresult and confirmed that the policy is being applied to the Computer Settings. Problem is that when I run gpedit.msc the GP does not appear to have been applied, as remote assitance still shows as not configured. Also, remote assistance is not working. Any suggestions please?
0
Comment
Question by:jostafew
  • 5
  • 3
  • 2
10 Comments
 
LVL 2

Expert Comment

by:fuzzer123456
ID: 24427351
Try running a gpupdate /force comand on it.

If not that , have you got a local policy setup on the machine? this will over rule the domain one.
0
 
LVL 3

Author Comment

by:jostafew
ID: 24427466
Ok, ran that cmd but no change. I haven't applied a local policy to the machine, but I can't say for sure that it hasn't been done by other means. How can I confirm if there are any policies in place?
0
 
LVL 2

Assisted Solution

by:fuzzer123456
fuzzer123456 earned 100 total points
ID: 24427566
gpresult will give you a definitive list of applies policies on the computer. Running GPEDIT.msc will open the local policy . This doesnt change when the GP is being applied to the computer.

gpresult is the only real way to see what is and what isnt being applied. Have you tried to do something else with the GP? I would also try adding a user based GP too such as remove the clock to see if its working for user and not computer.
0
 
LVL 20

Accepted Solution

by:
EndureKona earned 400 total points
ID: 24427664
Run RSOP.MSC which is Resultant Set of Policy that is query engine that polls existing policies and planned policies for the workstation or servers
0
 
LVL 3

Author Comment

by:jostafew
ID: 24436126
It appears that my original question is taking a bit of a turn. I've confirmed that my policies are being applied using RSOP and I can successfully offer and begin providing remote assistance to one of several test machines. That being said it's still failing on a couple others. I'm trying to determine why I'm not getting anywhere on those machines, but in the meantime I will welcome any suggestions.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 20

Expert Comment

by:EndureKona
ID: 24437940
Beyond saying that the GPO is failing are you getting any error messages in the event logs.   Or when you run rsop on a workstation that failed to apply getting any warnings there.    The workstations are talking to the DCs without issue via DNS?    I have also seen various switch configurations caused GPO issues but that is mainly when applying software.    Lock down the ports so there is no auto negotiation will fix that.   Turn off spanning tree protocol.
0
 
LVL 3

Author Comment

by:jostafew
ID: 24444376
Sorry, maybe my wording wasn't the best. On all machines I've confirmed that the GPO is being applied properly, but the remote assistance etc. fails.  The workstations have good connectivity to the DC, I don't see any issues there. I'm now using a handy gadget for Vista found here: http://www.scriptingpod.com/rcf-gadget.asp that allows me to quickly initiate a help session or do other tasks like check basic machine info. On the failing machines, if I attempt to check basic info I get an error; RPC server unnavailable. If I attempt to offer RA it fails with an error about computer name and permissions. I've created GPOs to allow RA, added the administrators group and my regular account as approved accounts, enabled ping (ICMP), and enabled remote desktop. I'll keep working at it but I'm starting to run out of ideas.
0
 
LVL 3

Author Comment

by:jostafew
ID: 24444388
I forgot to add that on a problem machine I can initiate RA through an emailed invitation, but cannot initiate it remotely.
0
 
LVL 2

Expert Comment

by:fuzzer123456
ID: 24453965
How about just using VNC ? would be much easier in the long term.
0
 
LVL 3

Author Comment

by:jostafew
ID: 24455597
VNC would be a considerable investment... RA is free ;-) I think I should really start this thread over in another topic as my original question was answered.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Know what services you can and cannot, should and should not combine on your server.
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

943 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now