Group Policy only works when manually initiated from the client.

Posted on 2010-09-07
Last Modified: 2012-05-10
Hi guys, hope you are all well.
We have a situation in our environment, where group policies are only applying to our workstations when we visit a workstation and manually initiate a gpupdate /force command.
In our Group Policy management console, we have left the default of 90 minutes for a group policy refresh in place, so we would have thought that this would kick in after or around this 90 minute interval.
Even after a reboot of client machines, which I thought would have triggered a group policy update, clients don't receive group policy unless you manually fire off gpupdate /force.

We would love some help on trying to identify what is going on in our 2003/XP AD environment.

It seems like there is some issue with the domain controllers initiating a push of group policy to our workstations.

This happens on both clients and servers in our environment.

We have checked many workstations in our environment, and verified DNS, domain settings etc.

Any help on this greatly appreciated.
0
Question by:Simon336697
11 Comments
 
LVL 5

Accepted Solution

by:jhill777
jhill777 earned 1200 total points
ID: 33622505
Do you have the GPO enforced?
0
 
LVL 1

Author Comment

by:Simon336697
ID: 33622523
Hi jhill777.
I don't believe we do (but will check), but should we need to do that, since if we do a gpupdate from the client end, it works?
We don't have any of our group policies enforced I believe, but do you enforce ALL your GPOs?
Is this necessary in order for them to work?
We have 30 odd GPOs, do we have to enforce them all?
0
 
LVL 5

Expert Comment

by:jhill777
ID: 33622569
No, you don't have to do it to all of them but there may be some kind of conflict that is preventing it.  I've seen this problem before and enforcing it fixed it even though it went through fine doing the /force.
0
 
LVL 1

Author Comment

by:Simon336697
ID: 33623878
Hi jhill,
Is there any impact by enforcing a GPO?
What changes are made by enforcing one, and does it impact any other GPOs?
0
 
LVL 1

Author Comment

by:Simon336697
ID: 33623880
The thing is, by enforcing it, and even though this might work, it doesn't get to the root cause of why these group policies are not applying in the first place.
0
 
LVL 3

Assisted Solution

by:jarremopoulos
jarremopoulos earned 640 total points
ID: 33625127
Do all workstations have this problem? Can you attach C:\windows\debug\usermode\userenv.log here from one of your workstations?
0
 
LVL 1

Assisted Solution

by:dasaybz
dasaybz earned 160 total points
ID: 33627981
Can you do a gpresult before you do a gpupdate /force?
0
 
LVL 5

Expert Comment

by:jhill777
ID: 33628399
Enforcing it just changes the order that GPOs run, essentially.  If you enforce one of them, it will put that GPO at the end of the list so that it would be the last thing to run, sort of guaranteeing that its settings get applied.  I would say try it, see if it works, and then you can play with it and check the resultant of group policies to see if you can see which GPO might have been preventing it from working correctly.
0
 
LVL 1

Author Comment

by:Simon336697
ID: 33631699
Hi jhill777,
Thanks for your advice, I will try this.
The thing that baffles me is:
NO group policies are being applied to the machine.
If I run a gpresult on a workstation, it might say that this user has 5 group policies applied, but in reality, none are. It only works when I run a gpupdate /force on the machine.
This to me indicates that there is a problem at the back end, e.g. at the domain controller end, which is not "pushing" out to clients the policies they need at the default interval of 90 minutes.
I would like to know if there are any events at the back end I can check for, or check the health and configuration of the domain controllers in terms of group policies to see if this is the case. I'm not sure what mechanisms in terms of services may or may not be required for group policies to work.
0
 
LVL 3

Expert Comment

by:jarremopoulos
ID: 33634352
Take a look at that C:\windows\debug\usermode\userenv.log file. It tells what happens in the workstation during logon/startup. There may be errors regarding GPO processing, AD/domain connectivity, etc. Send the log here, please.

0
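One way to triage a collected userenv.log offline, as suggested in the comment above. This is an added example, not part of the original thread: it assumes verbose userenv logging is enabled on the workstation, the line layout and message wording are assumptions modelled on typical verbose output, and the sample lines are constructed.

```python
import re

# Assumed line layout of verbose userenv.log output:
#   USERENV(pid.tid) HH:MM:SS:mmm Function: message
LINE_RE = re.compile(
    r"^USERENV\([0-9a-f]+\.[0-9a-f]+\)\s+(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<func>\w+):\s*(?P<msg>.*)$", re.IGNORECASE)
START_RE = re.compile(r"Starting (computer|user) Group Policy \((\w+)", re.I)
REFRESH_RE = re.compile(r"Next refresh will happen in (\d+) minutes", re.I)
PROBLEM_RE = re.compile(r"fail|error|not available|abort|denied", re.I)

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
USERENV(2a4.2a8) 08:01:12:046 ProcessGPOs: Starting computer Group Policy (Foreground) processing...
USERENV(2a4.2a8) 08:01:12:203 ProcessGPOs: The DC for domain EXAMPLE is not available. aborting
USERENV(2a4.5d0) 10:44:03:515 ProcessGPOs: Starting computer Group Policy (Background) processing...
USERENV(2a4.5d0) 10:44:05:671 ProcessGPOs: Computer Group Policy has been applied.
USERENV(2a4.5d0) 10:44:05:671 GPOThread: Next refresh will happen in 97 minutes
"""

def summarize(log_text):
    """Count policy-processing starts, collect problem lines and refresh timers."""
    starts, refresh, problems = {}, [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation lines or text that is not a USERENV entry
        msg = m.group("msg")
        s = START_RE.search(msg)
        if s:
            key = (s.group(1).lower(), s.group(2).lower())
            starts[key] = starts.get(key, 0) + 1
        r = REFRESH_RE.search(msg)
        if r:
            refresh.append(int(r.group(1)))
        if PROBLEM_RE.search(msg):
            problems.append((m.group("time"), m.group("func"), msg))
    return {"starts": starts, "refresh_minutes": refresh, "problems": problems}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (scope, mode), n in sorted(report["starts"].items()):
        print(f"{scope} policy, {mode}: {n} run(s)")
    print("scheduled refresh intervals (min):", report["refresh_minutes"])
    for t, func, msg in report["problems"]:
        print(f"PROBLEM {t} {func}: {msg}")
```

A log with startup (foreground) runs that are followed by problem lines, and no scheduled-refresh entries afterwards, points at the client side of processing rather than at the domain controllers.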
 
LVL 5

Expert Comment

by:jhill777
ID: 33640497
Also, if ever I run into weird problems like this, I just remove the computer from the domain, maybe change the computer name if it's not too big of a deal, and rejoin it.  I just did that the other day and saved myself hours of troubleshooting.  Never found out what the problem was and don't care anymore either. lol
0

Question has a verified solution.