Solved

Group Policy only works when manually initiated from the client.

Posted on 2010-09-07
Last Modified: 2012-05-10
Hi guys, hope you are all well.
We have a situation in our environment, where group policies are only applying to our workstations when we visit a workstation and manually initiate a gpupdate /force command.
In our Group Policy management console, we have left the default of 90 minutes for a group policy refresh be maintained, so we would have thought that this would kick in after or around this 90 minute interval.
Even after a reboot of client machines, which I thought would have triggered a group policy update, clients don't receive group policy unless you manually fire off gpupdate /force.

We would love some help on trying to identify what is going on in our 2003/XP AD environment.

It seems like there is some issue with the domain controllers initiating a push of group policy to our workstations.

This happens on both client and servers in our environment.

We have checked many workstations in our environment, and verified DNS, domain settings etc.

Any help on this greatly appreciated.
Question by:Simon336697
11 Comments
 
LVL 5

Accepted Solution

by:
jhill777 earned 300 total points
ID: 33622505
Do you have the GPO enforced?
0
 
LVL 1

Author Comment

by:Simon336697
ID: 33622523
Hi jhil777.
I don't believe we do (but will check), but should we need to do that, since if we do a gpupdate from the client end, it works.
We don't have any of our group policies enforced I believe, but do you enforce ALL your GPOs?
Is this necessary in order for them to work?
We have 30 odd gpos, do we have to enforce them all?
0
 
LVL 5

Expert Comment

by:jhill777
ID: 33622569
No, you don't have to do it to all of them but there may be some kind of conflict that is preventing it.  I've seen this problem before and enforcing it fixed it even though it went through fine doing the /force.
0

 
LVL 1

Author Comment

by:Simon336697
ID: 33623878
Hi jhill,
Is there any impact by enforcing a gpo?
What changes are made by enforcing one, and does it impact any other gpos?
0
 
LVL 1

Author Comment

by:Simon336697
ID: 33623880
The thing is, by enforcing it, and even though this might work, it doesn't get to the root cause of why these group policies are not applying in the first place.
0
 
LVL 3

Assisted Solution

by:jarremopoulos
jarremopoulos earned 160 total points
ID: 33625127
Do all workstations have this problem? Can you attach C:\windows\debug\usermode\userenv.log here from one of your workstations?
0
 
LVL 1

Assisted Solution

by:dasaybz
dasaybz earned 40 total points
ID: 33627981
Can you do a gpresult before you do a gpupdate /force?
0
 
LVL 5

Expert Comment

by:jhill777
ID: 33628399
Enforcing it just changes the order that GPOs run, essentially.  If you enforce one of them, it will put that GPO at the end of the list so that it would be the last thing to run, sort of guaranteeing that its settings get applied.  I would say try it, see if it works, and then you can play with it and check the resultant of group policies to see if you can see which GPO might have been preventing it from working correctly.
0
 
LVL 1

Author Comment

by:Simon336697
ID: 33631699
Hi jhill777,
Thanks for your advice, I will try this.
The thing that baffles me is:
NO group policies are being applied to the machine.
If I run a gpresult on a workstation, it might say that this user has 5 group policies applied, but in reality, none are. It only works when I run a gpupdate /force on the machine.
This to me indicates that there is a problem at the back end, e.g. at the domain controller end, which is not "pushing" out to clients the policies they need at the default interval of 90 minutes.
I would like to know if there are any events at the back end I can check for, or check the health and configuration of the domain controllers in terms of group policies to see if this is the case. I'm not sure what mechanisms in terms of services may or may not be required for group policies to work.
0
 
LVL 3

Expert Comment

by:jarremopoulos
ID: 33634352
Take a look at that C:\windows\debug\usermode\userenv.log file. It tells what happens in the workstation during logon/startup. There may be errors regarding GPO processing, AD/domain connectivity, etc. Send log here, please.

0
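
Added example, not part of the original thread or any poster's code: a small Python triage of a copied userenv.log that shows whether background Group Policy cycles ran at all and how each one ended, which is what the log request above is meant to establish. The line layout and message wording in the constructed sample are assumptions about verbose userenv output, and the function names are hypothetical; adjust the patterns to the real file.

```python
import re

# Constructed sample. Assumed layout: USERENV(pid.tid) HH:MM:SS:mmm Function: message
SAMPLE_LOG = """\
USERENV(2f4.2f8) 07:58:02:310 ProcessGPOs: Starting computer Group Policy (Sync foreground) processing...
USERENV(2f4.2f8) 07:58:04:120 ProcessGPOs: Computer Group Policy has been applied.
USERENV(2f4.2f8) 09:31:12:105 ProcessGPOs: Starting computer Group Policy (Background) processing...
USERENV(2f4.2f8) 09:31:12:480 ProcessGPOs: No changes. Exiting.
USERENV(2f4.2f8) 11:04:40:221 ProcessGPOs: Starting computer Group Policy (Background) processing...
USERENV(2f4.2f8) 11:04:40:930 GetGPOInfo: Bind failed with 1355
USERENV(2f4.2f8) 11:04:40:931 ProcessGPOs: GetGPOInfo failed.
"""

LINE = re.compile(r"^USERENV\((\w+)\.(\w+)\)\s+(\d\d:\d\d:\d\d):\d+\s+(\w+):\s*(.*)$")
START = re.compile(r"Starting (computer|user) Group Policy \(([^)]*)\) processing", re.I)
PROBLEM = re.compile(r"fail|error|denied|timed out", re.I)

def cycles(log_text):
    """Split the log into policy-processing cycles and classify each outcome.
    Simplification: assumes cycles do not interleave across threads."""
    out, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the assumed layout
        _pid, _tid, clock, func, msg = m.groups()
        s = START.search(msg)
        if func == "ProcessGPOs" and s:
            cur = {"time": clock, "scope": s.group(1).lower(), "mode": s.group(2),
                   "outcome": "incomplete", "problems": []}
            out.append(cur)
        elif cur is not None:
            if PROBLEM.search(msg):
                cur["problems"].append(f"{func}: {msg}")
                cur["outcome"] = "failed"
            elif cur["outcome"] != "failed" and "has been applied" in msg:
                cur["outcome"] = "applied"
            elif cur["outcome"] != "failed" and "No changes" in msg:
                cur["outcome"] = "no changes"
    return out

def background_refresh_seen(cs):
    """True if at least one periodic (background) cycle started on this client."""
    return any("background" in c["mode"].lower() for c in cs)

if __name__ == "__main__":
    found = cycles(SAMPLE_LOG)
    for c in found:
        print(c["time"], c["scope"], c["mode"], "->", c["outcome"], c["problems"])
    print("background refresh seen:", background_refresh_seen(found))
```

A log with no background cycles at all points at the client-side refresh not running, while background cycles that end in failures point at connectivity or GPO access from that client.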
 
LVL 5

Expert Comment

by:jhill777
ID: 33640497
Also, if ever I run into weird problems like this, I just remove the computer from the domain, maybe change the computer name if it's not too big of a deal, and rejoin it.  I just did that the other day and saved myself hours of troubleshooting.  Never found out what the problem was and don't care anymore either. lol
0
