OU (GPO not pushing across VPN connection?)

Issue with GPO not pushing to some workstations that link via a VPN connection.
If I place the users or computers in the OU at this location then it all works fine. But for some reason the systems that are on the other side of the VPN are not receiving that new GPO policy.
I tried a GPUPDATE /Force with no difference. I checked the server on that end and it seems to be receiving the policy fine, but the local policies on the workstations are not changing. What is really strange is I thought I would just manually change the local policy as it's only a few workstations, and even then it didn't work. I racked my head on this for a while but no luck yet...
Not sure where to go with this... Would it be the firewall blocking something, I wonder?

Thanks for the help guys....
KC
KCDean asked:
tdukie13Commented:
Hi,
What is the configuration for the computers connecting via VPN? Are they members of the domain? Are you pushing User and Computer based policies?

Third-party firewalls can cause issues, but it is unlikely that the Windows firewall is causing the issue.

Best,
T
0
mikeleebrlaCommented:
Is it a site-to-site VPN or a client VPN connecting the PCs in question to the main AD site?

0
KCDeanAuthor Commented:
Answers for Tdukie.

All systems are connected to the domain. (Yes)
Pushing User and Computer based policies. (Yes)

Answers for mikelee

VPN is site-to-site; systems are pingable.
0
tdukie13Commented:
KC,
Can you run an RSOP on a remote workstation? Do you get any security errors (or other errors)? To run RSOP you will want to have the Windows Firewall disabled.

Best,
T
0
tdukie13Commented:
RSOP = Resultant Set of Policy (Just in case you haven't used the tool before)

T
0
mikeleebrlaCommented:
Not sure if this will solve your problem or not, but it certainly won't hurt. I assume the PCs on the remote end of the VPN have a separate IP range from your other networks, correct? If so, then you need to create a new site and subnet inside of "AD Sites and Services" since you have a new site.

0
KCDeanAuthor Commented:
Just for kicks, guys, I dropped my own user account and computer account into that locked OU and I would say within 20 minutes my computer was locked down to that OU's specifications. I was quite surprised to see how fast that kicked in. I changed it and then went on doing my own work, and then 20 minutes later I look for my Run command and it's gone. It clicked right away that the GPO is working great on the local subnet.

Mikelee, correct, the VPNs are set up as different ranges. The AD Sites and Services is something I set up years ago; it's always worked fine. Not sure if that's the correct tree to bark up!

Tdukie, I ran the RSOP last week sometime; I don't recall any errors, but what should I look for when it's finished loading?
0
KCDeanAuthor Commented:
I ran the RSOP and I received an access denied error. I adjusted some of the local permissions and it's rebooting as I type.....
0
tdukie13Commented:
You were denied from running the RSOP? The Windows Firewall can block that...
0
KCDeanAuthor Commented:
Checked the Windows Firewall; it's off.
0
tdukie13Commented:
Can you RDP to an affected workstation? From a command line you can run "gpresult" which is a basic version of RSOP. If you can mark/copy/paste it up I will take a look.

Best,
T
0
KCDeanAuthor Commented:

C:\Documents and Settings\RDCounter2\Desktop>gpresult >gp.txt
INFO: The user "%$%$\RDCounter2" does not have RSOP data.

Hmmm, under that user this is what I get when I run the gpresult command.
0
tdukie13Commented:
Is the domain server listed as the primary DNS at the remote location?
0
KCDeanAuthor Commented:
No, it is not; it's pulling the Active Directory structure fine, including OUs and GPOs. The main DNS server is located at the central office.
0
KCDeanAuthor Commented:
I figured out how to make the local policy work: I just created a local account identical to the Active Directory account. Then I can lock it down that way, but man, that defeats the purpose of the whole system. Sure would be nice to make it work the way it's supposed to... I have a feeling that the firewall/router is blocking it...
0
mikeleebrlaCommented:
Are you saying that an Active Directory DNS server is NOT listed first as the DNS server on the client machine in question? If so, then that is your issue. AD DNS servers should be the ONLY DNS servers that any domain member should be pointed to.
0
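A diagnostic script, added here as an example and not posted by anyone in the thread, that collects on an affected workstation the facts the replies keep asking for: whether each configured DNS server is AD-integrated (mikeleebrla's point), which AD site and domain controller the client maps to (the Sites and Services subnet question), whether the SYSVOL policy share is reachable through the tunnel (the source of the ADM "cannot find the path" errors), and what gpresult reports. It assumes a Windows 8 / Server 2012 or later domain-joined client run from an elevated PowerShell prompt; the domain name is read from the environment.

```powershell
# Added example, not from the thread: gather the facts the replies above ask
# for, on an affected domain-joined workstation, from an elevated prompt.
# Assumes Windows 8 / Server 2012 or later (DnsClient module); nltest.exe and
# gpresult.exe ship with Windows.
$domain = $env:USERDNSDOMAIN
if (-not $domain) { throw 'USERDNSDOMAIN is empty: log on with a domain account.' }

# 1. DNS: each configured server must answer the DC locator SRV query. A router
#    or ISP resolver fails here, which is the misconfiguration mikeleebrla
#    describes (domain members should point only at AD DNS servers).
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique
foreach ($srv in $dnsServers) {
    try {
        $rec = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV `
                               -Server $srv -ErrorAction Stop
        "DNS $srv : OK, returns $(@($rec).Count) DC locator record(s)"
    } catch {
        "DNS $srv : FAIL, cannot resolve DC locator record ($($_.Exception.Message))"
    }
}

# 2. Site mapping: a remote subnet missing from AD Sites and Services leaves the
#    client without a site, so DC selection and policy refresh can misbehave.
$site = & nltest /dsgetsite 2>$null | Select-Object -First 1
"AD site this client maps to: $site"
$dc = & nltest /dsgetdc:$domain 2>$null | Select-String 'DC:' | ForEach-Object Line
"Domain controller answering for $domain : $("$dc".Trim())"

# 3. SYSVOL: policy files and ADM templates are read from this share. The
#    'cannot find the path specified' ADM errors in the thread mean this path
#    is unreachable; GPO processing needs SMB 445, LDAP 389, Kerberos 88 and
#    DNS 53 to a domain controller through the VPN.
$policies = "\\$domain\SYSVOL\$domain\Policies"
"SYSVOL policies share reachable: $(Test-Path -Path $policies)"

# 4. Resultant policy per scope: applied GPOs, plus GPOs denied with the reason
#    (security filtering, WMI filter, disabled link).
& gpresult /r /scope:computer
& gpresult /r /scope:user
```

If step 1 shows only the router or ISP resolver, fix the client DNS before reading anything else; if step 3 returns False while ping by name works, look at what the VPN or firewall passes between the subnets rather than at the workstation.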
KCDeanAuthor Commented:
Ok, well I'm going to try that then. I'll point the clients' DNS to the local server at that location and see if it pulls it then.... I'll let you know.
0
KCDeanAuthor Commented:
MikeLee, I was thinking that was the issue, but it turns out it's still not pulling the GPO when using that account.

Both Primary and Secondary DNS entries are set static now to both local and central server. No changes...
0
KCDeanAuthor Commented:
Well, I set up the local policy and local account; it's now locked down so much that it can only be used for work purposes.

This is the error message I get when I attempt to log the RSOP.... For interest's sake.. I have done a flushdns just in case it's caching something stale.

The latest versions of the ADM files below are not available. This can be due to insufficient permissions or unavailable network resources. The local copy of ADM files will be used.
Then it gives exact location errors of the ADM files stating:
Error - The system cannot find the path specified
0
tdukie13Commented:
Can you ping names of other workstations/servers from the affected machines by FQDN?
0
KCDeanAuthor Commented:
Tdukie

Yep, I can ping machines on that side with no problems.
0
KCDeanAuthor Commented:
Flush/register did nothing as well.
0
tdukie13Commented:
KC,
This is a tough one. I am running out of ideas. However, I do remember an issue I had similar to this with group policy applying. I had to do something with this folder: C:\WINDOWS\security\Database, and the .edb files that are in there. I believe I copied the contents from that folder on a working machine to an affected machine and gave the computer a reboot. Could have corrupted local policies....

Good luck,
T
0
KCDeanAuthor Commented:
Interesting. I'm on holidays, but when I get back I will take a look at that; for now I have adjusted the local policy as it's only two machines that needed adjusting...
0
tdukie13Commented:
Fair enough. If it is just two then it may be a local corruption, let me know either way - I am curious.

Best,
T
0
KCDeanAuthor Commented:
Could never find a resolution, but everyone tried their best. I ended up setting each computer individually as there were only 2 systems that needed this adjustment.
0