• Status: Solved

Server 2008 Enterprise R2 Group Policy Intermittent

Set up Server 2008 and a new domain that we are migrating computers (XP Pro SP3) to from a Windows 2000 domain. We did not set up as a BDC/PDC scenario because we didn't have GPO on the old server. We added GPO and now only have 3 student accounts versus 125 accounts that we previously had. We are moving computers from domain back to workgroup and clearing DNS suffix. We reboot and re-add to new domain and have no issues. Now in testing we notice that GPO isn't always working. For example, the accounts cannot save to the desktop/C: drive, so GPO maps an S drive to the server area, but the S drive is not showing up on some clients but does show up on others. We have told it to not save to desktop. On some clients I can save to desktop and drag to recycle bin, but since right click is disabled I cannot empty the recycle bin. Small things that are adding up. The new server is serving as the DHCP/DNS and WINS. All configured and running. We have run IPCONFIG on the clients that are not working and they have all the correct information.
Asked by: sraley

Netcraft Commented:
Do you have policies disabling writing to the desktop or C:? Or policies that add users to the local administrators group? Do you have a problem with the same set of computers or account(s) or are they random? Are you using Group Policy Preferences for assigning the S: drive? Do you have problems with PCs that are installed into the new domain as opposed to moved to the new domain?

sraley (Author) Commented:
Part of the policy says the users cannot save to the desktop or C drive; they have to use the S drive that is supposed to be mapped by group policy. There is another policy for another account that gives users local admin rights to the machine. Everything seems to be random. I have not tried the local admin account as much as the account I'm trying now because I won't need it as much. All PCs are moved to the domain. I don't have any new PCs as of yet. I will have 2 later next week. I'm using the group policy editor in the management console to set all of this.

Netcraft Commented:
Could you reinstall one computer and see if this has the problem?

On a machine that doesn't map the S: drive, can you check which policies are applied? Use
    GPRESULT /V
and look for the entries for Applied Group Policy Objects (set the Screen Buffer Size of the Command box to 9999 lines, to be sure you don't miss a line). You can also use Group Policy Results from the Group Policy Management Console.

What errors do you get in Event Viewer?

Is this a Local Area Network or are the machines connected using slow network connections, perhaps Dial-In connections?
 
sraley (Author) Commented:
What do you mean reinstall one computer? Start Windows from scratch? This is a LAN.

sraley (Author) Commented:
Here is the gpresult /v. This machine has no S drive no matter which login account I use.


            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Syst
em
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Suggested
 Sites
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Unin
stall
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Main
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Restricti
ons
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Control P
anel
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Prog
rams
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Control P
anel
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Syst
em
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Control P
anel
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Control P
anel
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Control P
anel
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Syst
em
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Acti
veDesktop
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Security
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Control Panel\International

                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Control P
anel
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Restricti
ons
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Unin
stall
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Syst
em
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Control P
anel
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Control P
anel
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Control P
anel
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Control P
anel
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Control P
anel
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Syst
em
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Unin
stall
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Windows\Personalization
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
rnet Settings
                State:   disabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Control Panel\International

                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Deskt
op
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Control P
anel
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Deskt
op
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Control Panel\Desktop
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Unin
stall
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Syst
em
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Expl
orer
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Control Panel\Desktop
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Control P
anel
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Syst
em
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Control P
anel
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Prog
rams
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Syst
em
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Main
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Deskt
op
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Control P
anel
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Prog
rams
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Outlook Express
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Toolbar\W
ebBrowser
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Main
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Unin
stall
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\SQM
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Control P
anel
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Main
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\Control P
anel
                State:   Enabled

            GPO: Lab1 GPO
                Setting: Software\Policies\Microsoft\Internet Explorer\PhishingF
ilter
                State:   Enabled

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A

C:\Documents and Settings\lab1>

sraley (Author) Commented:
event viewer
Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7000
Date:            1/14/2010
Time:            9:15:15 AM
User:            N/A
Computer:      153-6
Description:
The DS1410D service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

is the only error I see for today logging in.

Back on 1/1 and 1/2 when we first tried this there were autoenrollment errors and an LSA error when we took it off the old domain coming from the old server address.  Would having the old server/domain/active directory still running on the network have an issue? I could try to put the new server and these computers on its own switch and see if the problem goes away.

Netcraft Commented:
By reinstalling a computer I mean installing Windows from scratch. Perhaps migrating the XP machines will cause the problem, or maybe these machines already have this problem but you did not notice it. A clean, fresh install could solve this.

Could you run a GPRESULT /V, output it to a file, and attach this file to the question? Your command box only has 300 lines, and you probably need more than that. Cutting and pasting 1000 lines would make this question harder to read.

Could you give a short description of the GPOs that you use? Which one is for the mapping of the S: drive?

The error from the Eventlog is not related. If you want to fix this, see EE Q_21027938:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_21027938.html

sraley (Author) Commented:
Brand new machine out of box added to domain, XP Pro, logged into the user account that's supposed to have local admin rights, does not have S drive mapped. How do I send gpresult to a text file? I don't see a command line option for this and the DOS window only allows 999 buffer lines.

sraley (Author) Commented:
Is the workaround right now, for at least the drive mapping, to put it in a login script? There are other issues with the group policy; for example, on one account you cannot write to the C drive and it is gone when looking in My Computer, but it allows you to create a txt file on desktop and drag it to desktop, but then you can't empty recycle bin, access denied.

Netcraft Commented:
GPRESULT /V > GP.TXT
Please post GP.TXT here.

You can put the S: drive mapping in the Logon script:
NET USE S: \\<Server>\<Share>

Could you create a policy that only maps the S: drive and nothing else, and apply only this policy on a user. Test with this user if the mapping works correctly. Then add extra options to the policy, one by one, to see when the problem starts?
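
The check requested above (which GPOs were applied and which were filtered out, separately for the computer and the user) can be scripted against the saved GP.TXT. This is an added example, not part of the original thread: the function name Get-GpResultSummary is hypothetical, the sample report text is constructed, and the section headings assume English-language gpresult /v output.

```powershell
# Added example (not from the thread): summarize applied vs. filtered-out GPOs
# per scope from saved "gpresult /v" text. Headings assume English output.
function Get-GpResultSummary {
    param([string[]]$Lines)

    $scope = $null; $section = $null; $last = $null
    $results = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $text = $Lines[$i].Trim()
        if ($text -eq '' -or $text -match '^-+$') { continue }

        # A heading is any line underlined with dashes on the following line.
        $isHeading = ($i + 1 -lt $Lines.Count) -and ($Lines[$i + 1].Trim() -match '^-+$')
        if ($isHeading) {
            $last = $null
            if     ($text -eq 'COMPUTER SETTINGS') { $scope = 'Computer'; $section = $null }
            elseif ($text -eq 'USER SETTINGS')     { $scope = 'User';     $section = $null }
            elseif ($text -eq 'Applied Group Policy Objects') { $section = 'Applied' }
            elseif ($text -like 'The following GPOs were not applied*') { $section = 'Filtered' }
            else   { $section = $null }   # any other section ends the GPO lists
            continue
        }
        if (-not $scope -or -not $section -or $text -eq 'N/A') { continue }

        # In the filtered-out list, "Filtering:" gives the reason for the GPO above it.
        if ($section -eq 'Filtered' -and $text -match '^Filtering:\s*(.+)$') {
            if ($last) { $last.Reason = $Matches[1] }
            continue
        }
        $last = New-Object PSObject -Property @{
            Scope = $scope; GPO = $text; Status = $section; Reason = ''
        }
        $results += $last
    }
    return $results
}

# Constructed sample in the shape of "gpresult /v" output (not the thread's attachments).
$sample = @'
COMPUTER SETTINGS
------------------
    CN=SMHECTEST,OU=Lab Users,DC=lab,DC=local

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Lab1 GPO
            Filtering:  Denied (Security)

USER SETTINGS
--------------
    CN=lab1,OU=Lab Users,DC=lab,DC=local

    Applied Group Policy Objects
    -----------------------------
        Lab1 GPO

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Lab2 GPO
            Filtering:  Denied (Security)

        Lab3 GPO
            Filtering:  Denied (Security)
'@ -split "`r?`n"

# For a real report, pass the saved file: Get-GpResultSummary -Lines (Get-Content GP.TXT)
$summary = Get-GpResultSummary -Lines $sample
$summary | Select-Object Scope, GPO, Status, Reason | Format-Table -AutoSize

# GPOs that were in scope but rejected by security filtering, per scope.
$summary | Where-Object { $_.Reason -like 'Denied*' } |
    Select-Object Scope, GPO, Reason | Format-Table -AutoSize
```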

sraley (Author) Commented:
Ran on 2 machines and it is attached.
g.txt
gp.txt

Netcraft Commented:
Did you have problems using those two PCs? These gpresult logs seem fine to me. Lab1 GPO is applied for the current user lab1. I suppose this is the GPO that disables access to C: and adds the S: drive redirection. Correct?

Could you post the gpresult of a machine that has the issue?

sraley (Author) Commented:
Both of these didn't have an S drive in My Computer, so these have issues.

The other account, Lab3, can't run DOS scripts. I have to modify it because the C drive is disabled on it and doesn't show in My Computer, but I'm able to save files to desktop, drag to recycle bin, but then can't empty recycle bin since an "it's been disabled by administrator" message pops up.

Netcraft Commented:
Can you check remotely using Group Policy Management Console, Group Policy Results, if the policies have been applied to the PC/User? On the tab Summary, check the Component Status to see if the policies have applied.

How does the out-of-the-box machine work? Any problems using the Lab1 account?

If missing drive S: is a big problem, you can make a logon-script for the users to map the S: drive. Do you need any help? Do you already have a logon-script?

sraley (Author) Commented:
Out of the box machine has the same problems. I do not have a login script yet. What is the command line for group policy management console?

sraley (Author) Commented:
I tried the gpupdate /force but that did not succeed. I saw a technet article to run rsop.msc which I did but I see no errors in this console.

markdmac Commented:
It sounds like you are mapping drives via Group Policy Preferences.  On the machines that are not getting the drive mapping have you verified that the Client Side Extensions are installed?  Without those the GPP settings will not work.

For XP: http://www.microsoft.com/downloads/details.aspx?FamilyID=e60b5c8f-d7dc-4b27-a261-247ce3f6c4f8&displaylang=en
For Vista: http://www.microsoft.com/downloads/details.aspx?familyid=AB60DC87-884C-46D5-82CD-F3C299DAC7CC&displaylang=en

sraley (Author) Commented:
I can check that, but mapping drives is not the only issue. If you read, there are issues where the C drive is supposed to be locked so no changes can be made, but as I wrote you can save to the desktop and move to recycle bin, but recycle bin is locked so it cannot be emptied.

markdmac Commented:
Other things to verify are where in AD are the computer objects that are not getting the policy?  Are they in a different location than the other systems?  What security is the GPO using to apply?  Are the users all members of the same groups or are you applying the GPO at an OU level and having it affect Authenticated Users?  Are the users all part of the same group or in the same location?

sraley (Author) Commented:
The group policy preference file was installed on 2 XP machines and did not fix the drive mapping issue. I have an OU in AD called Lab Users and have three accounts, lab1, lab2 and lab3; then in group policy management I have three GPOs: lab1 gpo, lab2 gpo and lab3 gpo. In the console it says lab1 gpo is security filtering lab1 user and it's enabled. Same thing is true for other accounts.

markdmac Commented:
Sorry it is not clear to me still on the structure, a picture is worth a thousand words.

The users are in the same OU as the GPO is applied, right?  The GPO has to be applied to the same OU or a higher one for it to take effect.  While the GPO will allow you to select a specific user or group to apply to, it won't actually apply unless the account is below the level the GPO is set at.

sraley (Author) Commented:
What parts do you want screen shots of?

sraley (Author) Commented:

markdmac Commented:
Looking at the top portion of the screen shot, LABUSers does not have a plus sign next to it, which tells me there are no user objects in that OU.  Therefore the linked OU at that level will not be applied to any users.

sraley (Author) Commented:
There are three users in that group. Why would it need a plus sign? I can take a screen shot of that.

markdmac Commented:
If the users themselves don't exist under the OU then the policy won't apply.  You can create a group anywhere in AD and assign any number of users to that group, and then assign a GPO to that group but the GPO will only apply if the users themselves exist in that OU or a lower OU.  If you link your GPO up at the top level of your AD structure it would apply to the group.

sraley (Author) Commented:
Attached is a screen shot showing the lab users group has the three accounts in it.
screen3.png

markdmac Commented:
Thanks for that, it is odd that the OU didn't offer the ability to expand it out to list the users there.  Anyway can you provide screen shots of the following?

Edit Lab1 GPO.  Right click at the top most level.  Select Properties.  Select the Security tab.  Give me a screen shot of the entire list (will probably take more than one screen shot due to not being able to resize the box).

sraley (Author) Commented:
Attached, and in screen 5 I highlighted the lab1 account.
screen4.png
screen5.png

markdmac Commented:
OK, that is good, I see you have Lab1 with Apply.  The screen shot can't show me the other users in the list though.  Can you please confirm that none of the other accounts in the list have a DENY selected?

If there is a group that includes LAB1 that is denied then the DENY would take over.

What happens if you use Group Policy Modeling?  Does it say the GPO will apply or not?

sraley (Author) Commented:
I ran the gpresult as asked before and it showed all the policies according to the other person being applied to the account. Do I still need to do the modeling? If so I need steps since I haven't done this before.

markdmac Commented:
Sounds like this will be a good learning experience for you then.  This KB has a walk through.
http://technet.microsoft.com/en-us/library/cc771389.aspx


sraley (Author) Commented:
Not much of a walk through in that KB. If I did it right, it says my 3 GPOs are in denied, reason: "Access Denied (Security Filtering)"

sraley (Author) Commented:
I must have selected something wrong because I went back and did a model on lab1 user just for the computer smhectest that I took screen shots from and it says that the lab1 gpo was applied and it denied the gpo's for lab2 and lab3 which is correct.

markdmac Commented:
Your screen shot shows that you have a user object in the OU but not a computer.  If you are setting features under the computer policy then you need to have the computer object be in the same OU.

sraley (Author) Commented:
So in my forest under the lab.local, in the lab users folder, I need to have the computers in there as well, not in the default computers folder that they are put in when added to the domain?

sraley (Author) Commented:
Do I put the accounts back into the default users folder for the domain?

markdmac Commented:
Each GPO has two sections, computer and user settings.  If you want to use either or both of those settings then the appropriate object needs to be under that GPO.  So for the purpose of testing your GPO out you would want to move the computer objects from the default computers container to the LAB OU.

sraley (Author) Commented:
Here is a screen shot of what I think you meant, but I don't have an S drive. Some things are working; for example, lab1 on the smhectest computer cannot right click on My Computer, it says disabled, so GPO is working to some degree, but it was doing this before I moved the computer between OUs.
screen6.png

markdmac Commented:
OK so LAB1 user is logging into the PC you moved in that OU.  Check the security permissions again to verify that the PC in question is either listed directly or that Domain Computers is listed.

sraley (Author) Commented:
Check the security permissions where? The security filtering tab on the Lab1 GPO says the settings apply to the lab1 login. Do you want me to add domain computers there? The PC itself is not listed there, only the login account. Or am I to look somewhere else? Yes, smhectest computer, lab1 is logging into it. Like you see in the screen shot, they are in the same OU.

sraley (Author) Commented:
I ran a model and for computers chose the lab users OU since smhectest is in there and ran against lab1 account, and in the results under computer config summary it shows the computer denies the lab1.gpo: access denied (security filtering).

markdmac Commented:
OK, so let's right click on the OU in GPMC and click on Block Inheritance.  Then try the test again.  You may have a policy higher up that is blocking these settings.

sraley (Author) Commented:
I did that and ran the modeling wizard and the lab1 gpo was applied on both pc and user account. I have not tried the pc yet.

markdmac Commented:
Excellent, looks like it should work now then.  Please report back when you are able to test it out.

sraley (Author) Commented:
No change on the PC. No S drive mapped yet other things it tells me not allowed due to restrictions enabled. I guess I just need to create a logon script for the S drive and hope for the best on the remaining group policy pieces.

markdmac Commented:
I personally still prefer to use login scripts since GPP is reliant on the CSE being installed.  Have a look at my Login Script FAQ for some very flexible sample code.

http://www.tek-tips.com/faqs.cfm?fid=5798

sraley (Author) Commented:
A question: if I use the vbs, the printers section can't go through the 2008 server as shared printers since they are old enough we can't get any HP drivers to install in 2008. Can I map the printer just to its IP, or what has to be installed on the local computers?  The drivers exist in XP and it's installed as administrator but I don't know that it shows for each account.

markdmac Commented:
Yes you can do that, but you should still be able to set up the printers on 2008 provided there is an x64 driver available.  You have to manually add the x86 drivers once the x64 part is set up.  I can assist a bit with that if you can get as far as the x64 setup part.

sraley (Author) Commented:
Haven't even gotten that far yet when I saw group policy wasn't working correctly!

markdmac Commented:
Seems to me like you might have a combination of issues related to Group Policy and VBScript not being optimized to meet your needs.  You might consider having an AD Audit done and have an external consultant review and analyze your policies.  As you move into 2008 you may encounter some further issues that could be avoided by a fresh set of eyes.