Solved

Group Policy only works when manually initiated from the client.

Posted on 2010-09-07
11
518 Views
Last Modified: 2012-05-10
Hi guys, hope you are all well.
We have a situation in our environment, where group policies are only applying to our workstations when we visit a workstation and manually initiate a gpupdate /force command.
In our Group Policy management console, we have left the default of 90 minutes for a group policy refresh, so we would have thought that this would kick in after or around this 90 minute interval.
Even after a reboot of client machines, which I thought would have triggered a group policy update, clients don't receive group policy unless you manually fire off gpupdate /force.

We would love some help on trying to identify what is going on in our 2003/XP AD environment.

It seems like there is some issue with the domain controllers initiating a push of group policy to our workstations.

This happens on both client and servers in our environment.

We have checked many workstations in our environment, and verified DNS, domain settings etc.

Any help on this greatly appreciated.
0
Question by:Simon336697
11 Comments
 
LVL 5

Accepted Solution

by:
jhill777 earned 300 total points
Do you have the GPO enforced?
0
 
LVL 1

Author Comment

by:Simon336697
Hi jhill777.
I don't believe we do (but will check), but should we need to do that, since if we do a gpupdate from the client end, it works?
We don't have any of our group policies enforced I believe, but do you enforce ALL your GPOs?
Is this necessary in order for them to work?
We have 30 odd GPOs, do we have to enforce them all?
0
 
LVL 5

Expert Comment

by:jhill777
No, you don't have to do it to all of them but there may be some kind of conflict that is preventing it.  I've seen this problem before and enforcing it fixed it even though it went through fine doing the /force.
0
 
LVL 1

Author Comment

by:Simon336697
Hi jhill,
Is there any impact by enforcing a GPO?
What changes are made by enforcing one, and does it impact any other GPOs?
0
 
LVL 1

Author Comment

by:Simon336697
The thing is, by enforcing it, and even though this might work, it doesn't get to the root cause of why these group policies are not applying in the first place.
0

 
LVL 3

Assisted Solution

by:jarremopoulos
jarremopoulos earned 160 total points
Do all workstations have this problem? Can you attach C:\windows\debug\usermode\userenv.log here from one of your workstations?
0
 
LVL 1

Assisted Solution

by:dasaybz
dasaybz earned 40 total points
Can you do a gpresult before you do a gpupdate /force?
0
 
LVL 5

Expert Comment

by:jhill777
Enforcing it just changes the order that GPOs run, essentially.  If you enforce one of them, it will put that GPO at the end of the list so that it would be the last thing to run, sort of guaranteeing that its settings get applied.  I would say try it, see if it works, and then you can play with it and check the resultant of group policies to see if you can see which GPO might have been preventing it from working correctly.
0
 
LVL 1

Author Comment

by:Simon336697
Hi jhill777,
Thanks for your advice, I will try this.
The thing that baffles me is:
NO group policies are being applied to the machine.
If I run a gpresult on a workstation, it might say that this user has 5 group policies applied, but in reality, none are. It only works when I run a gpupdate /force on the machine.
This to me indicates that there is a problem at the back end, e.g. at the domain controller end, which is not "pushing" out to clients the policies they need at the default interval of 90 minutes.
I would like to know if there are any events at the back end I can check for, or check the health and configuration of the domain controllers in terms of group policies to see if this is the case. I'm not sure what mechanisms in terms of services may or may not be required for group policies to work.
0
 
LVL 3

Expert Comment

by:jarremopoulos
Take a look at that C:\windows\debug\usermode\userenv.log file. It tells what happens in the workstation during logon/startup. There may be errors regarding GPO processing, AD/domain connectivity, etc. Send log here, please.

0
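An added example, not part of the original thread: one way to triage a collected userenv.log by splitting it into policy-processing runs, counting foreground versus background runs, and listing the runs that logged failures. The line layout, the "Starting ... Group Policy (Background|Foreground) processing" marker and the sample lines are assumptions constructed for illustration; adjust the patterns to what the real log contains.

```python
import re
from collections import Counter

# Assumed verbose userenv.log layout: USERENV(pid.tid) HH:MM:SS:mmm Function: message
LINE_RE = re.compile(r"^USERENV\((\w+)\.(\w+)\)\s+(\d\d:\d\d:\d\d):\d+\s+(\w+):\s*(.*)$")
START_RE = re.compile(r"Starting (computer|user) Group Policy \((Background|Foreground)\)")
FAIL_RE = re.compile(r"\bfail(?:ed|ure)?\b|\berror\b|denied", re.I)

# Constructed sample lines for illustration; not taken from the thread.
SAMPLE_LOG = """\
USERENV(2a4.2a8) 08:01:12:101 ProcessGPOs: Starting computer Group Policy (Foreground) processing...
USERENV(2a4.2a8) 08:01:12:350 ProcessGPOs: MyGetUserName failed with 1355.
USERENV(2a4.2a8) 08:01:12:351 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(2a4.5c0) 08:02:40:010 ProcessGPOs: Starting user Group Policy (Foreground) processing...
USERENV(2a4.5c0) 08:02:40:500 GetGPOInfo: DsGetDcName failed with 1355.
USERENV(2a4.7f4) 11:47:03:220 ProcessGPOs: Starting computer Group Policy (Background) processing...
USERENV(2a4.7f4) 11:47:04:900 ProcessGPOs: Computer Group Policy has been applied.
"""

def triage(text):
    """Group log lines into policy runs (keyed by thread id) and collect failure lines."""
    runs, open_runs = [], {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unrecognised line: skip rather than guess
        _pid, tid, clock, func, msg = m.groups()
        start = START_RE.search(msg)
        if start:
            open_runs[tid] = {"scope": start.group(1), "mode": start.group(2),
                              "time": clock, "failures": []}
            runs.append(open_runs[tid])
        elif tid in open_runs and FAIL_RE.search(msg):
            open_runs[tid]["failures"].append(f"{clock} {func}: {msg}")
    return runs

def summarize(runs):
    """Count foreground vs. background runs and list the runs that logged failures."""
    modes = Counter(r["mode"] for r in runs)
    return {"foreground": modes["Foreground"], "background": modes["Background"],
            "failed_runs": [(r["time"], r["scope"], r["mode"]) for r in runs if r["failures"]]}

if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG)))
```

The background count is the figure to compare against the 90 minute refresh interval mentioned in the question.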
 
LVL 5

Expert Comment

by:jhill777
Also, if ever I run into weird problems like this, I just remove the computer from the domain, maybe change the computer name if it's not too big of a deal, and rejoin it.  I just did that the other day and saved myself hours of troubleshooting.  Never found out what the problem was and don't care anymore either. lol
0
