Solved

computer not receiving group policies

Posted on 2010-08-26
Last Modified: 2013-12-04
I have a Windows 2003 domain with workstations all running Windows XP SP3. One of these workstations I recently took off of the domain. When I did so, I did NOT delete the computer account from Active Directory. Shortly afterward, I added it back to the domain with the same computer name. Ever since then, it has not been receiving computer group policy settings. When I do an RSOP, I get a red X on computer configuration with an error stating that group policy infrastructure failed due to the error listed below: Access denied. I took the computer back off the domain, deleted the computer account from AD, and re-added it. The computer account appeared back in AD, but the problem still exists. I'm guessing permissions for this computer account got broken somewhere, but I don't know where to go to fix it. I'm hoping someone could lend me some insight. Thank you.
Question by:rsturtevant
7 Comments
 
LVL 8

Accepted Solution

by:
ZombieAutopsy earned 250 total points
ID: 33534464
Can you add a static DNS entry? I have seen that being an issue once in a while. Also, are there any other errors in the event log of the PC that is not pulling the GPO?
0
 

Author Comment

by:rsturtevant
ID: 33535053
There was a DNS record already there for the machine. I deleted it and manually added a new one. I did a gpupdate with a force. That did not reboot the computer, which tells me it still wasn't getting the computer configuration. I manually rebooted, and got the same error in RSOP.

There are a couple of events in the event log. They are both Userenv errors. One is event 1058 and states the following:

Description:
Windows cannot access the file gpt.ini for GPO cn={76E4A539-C0E0-4A2A-90DB-B0D68489BB2A},cn=policies,cn=system,DC=domain,DC=domain,DC=org. The file must be present at the location <\\domain.domain.org\SysVol\domain.domain.org\Policies\{76E4A539-C0E0-4A2A-90DB-B0D68489BB2A}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The other is event 1030 and states the following:

Description:
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I replaced the name of our actual domain in those descriptions.

0
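
The event 1058 description quoted in the comment above carries the GPO GUID, the SYSVOL path and the Win32 reason in a single sentence. The following is an added example, not part of the original thread, that extracts those fields and checks that the GPO's DN and the UNC path agree; the name `parse_1058` and the triage hints are assumptions of this example.

```python
import re

# Sample input: the event 1058 description quoted in the thread (domain anonymised by the poster).
SAMPLE_1058 = (
    "Windows cannot access the file gpt.ini for GPO "
    "cn={76E4A539-C0E0-4A2A-90DB-B0D68489BB2A},cn=policies,cn=system,"
    "DC=domain,DC=domain,DC=org. The file must be present at the location "
    r"<\\domain.domain.org\SysVol\domain.domain.org\Policies"
    r"\{76E4A539-C0E0-4A2A-90DB-B0D68489BB2A}\gpt.ini>. "
    "(Access is denied. ). Group Policy processing aborted."
)

EVENT_1058 = re.compile(
    r"for GPO (?P<dn>cn=\{(?P<guid>[0-9a-f-]{36})\},.+?)\. "
    r"The file must be present at the location <(?P<unc>\\\\[^>]+)>\. "
    r"\((?P<reason>[^)]*?)\s*\)",
    re.IGNORECASE,
)

# Triage hints are this example's assumptions, keyed on the Win32 error text.
HINTS = {
    "access is denied": "SYSVOL was reached but the read was refused: check the "
    "computer account, its secure channel and read access to the GPO folder",
    "the network path was not found": "SYSVOL was not reached: check name "
    "resolution and file-sharing connectivity to the domain controller",
}

def parse_1058(description):
    """Return the fields of a Userenv 1058 description, or None if it does not match."""
    m = EVENT_1058.search(" ".join(description.split()))  # undo Event Viewer line wraps
    if m is None:
        return None
    unc_parts = m.group("unc").lstrip("\\").split("\\")
    reason = m.group("reason").rstrip(". ")
    dns_domain = ".".join(re.findall(r"DC=([^,]+)", m.group("dn"), re.IGNORECASE))
    return {
        "gpo_guid": m.group("guid").upper(),
        "unc_path": m.group("unc"),
        "server": unc_parts[0],
        "reason": reason,
        # The DN and the UNC path should name the same domain and the same GPO.
        "consistent": unc_parts[0].lower() == dns_domain.lower()
        and m.group("guid").lower() in m.group("unc").lower(),
        "hint": HINTS.get(reason.lower(), "unrecognised reason: read the raw event"),
    }

if __name__ == "__main__":
    for key, value in parse_1058(SAMPLE_1058).items():
        print(f"{key:10} {value}")
```
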
 
LVL 38

Expert Comment

by:ChiefIT
ID: 33537285
See if you have those 1030 and 1058 events on the other servers. This may be a domain problem, not a single workstation problem.

Diagnosing and fixing events 1030 and 1058:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/A_1073-Diagnosing-and-repairing-Events-1030-and-1058.html
0
 

Author Comment

by:rsturtevant
ID: 33541149
This doesn't seem to be a server issue. It's only happening on this one workstation, and only since I removed it from the domain and re-added it. I don't see any abnormal events on the domain controller itself. Permissions on the Sysvol folder are correct. I'm thinking that I should just try removing the workstation from the domain, renaming it, and then adding it back to see what happens.
0
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 250 total points
ID: 33543376
The article states that Group Policies are saved on the domain controller, replicated to all other DCs on that domain, and then passed out to the clients using NetBIOS...

Since this ONE client is not getting Group Policy, it appears that ONE client is having NetBIOS problems.

Windows Firewall will prevent NetBIOS to the client unless specifically told not to. You can make an exception for "File and Print Sharing" on the firewall for the client. File and print sharing are the SMB and NetBIOS ports used to file and print share. Those would be:

NETBIOS:
Port 137 WINS and Netbios TCP
Port 138 Netbios datagram port UDP
Port 139 Netbios datagram port UDP

SMB: (Server Message Block)
Port 137 WINS Netbios port
Port 445 Server message Block port UDP

Bottom line:
1) Go to the NIC card TCP/IP properties>>WINS tab and make sure NetBIOS over TCP/IP is activated.
2) Go to START>>RUN and type services.msc to make sure the Browser service and Workstation service are both working.
3) Make sure your firewall is not blocking the ports listed above.


When all the stars and planets are aligned, then go to the command prompt and type:
GPUPDATE /force
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 33543385
If all the above fails, try this:
1) NBTSTAT -RR  (this refreshes the NetBIOS cache)
0
 

Author Closing Comment

by:rsturtevant
ID: 33560925
I just took the computer off the domain and renamed it. That seemed to solve the issue. Thanks for everyone's time.
0
