Solved

Group Policy only works when manually initiated from the client.

Posted on 2010-09-07
Last Modified: 2012-05-10
Hi guys, hope you are all well.
We have a situation in our environment, where group policies are only applying to our workstations when we visit a workstation and manually initiate a gpupdate /force command.
In our Group Policy management console, we have left the default of 90 minutes for a group policy refresh in place, so we would have thought that this would kick in after or around this 90 minute interval.
Even after a reboot of client machines, which I thought would have triggered a group policy update, clients don't receive group policy, unless you manually fire off gpupdate /force.

We would love some help on trying to identify what is going on in our 2003/xp AD environment.

It seems like there is some issue with the domain controllers initiating a push of group policy to our workstations.

This happens on both clients and servers in our environment.

We have checked many workstations in our environment, and verified DNS, domain settings etc.

Any help on this greatly appreciated.
0
Question by:Simon336697
11 Comments
 
LVL 5

Accepted Solution

by:
jhill777 earned 1200 total points
ID: 33622505
Do you have the GPO enforced?
0
 
LVL 1

Author Comment

by:Simon336697
ID: 33622523
Hi jhill777.
I don't believe we do (but will check), but should we need to do that, since if we do a gpupdate from the client end, it works?
We don't have any of our group policies enforced I believe, but do you enforce ALL your GPOs?
Is this necessary in order for them to work?
We have 30 odd GPOs, do we have to enforce them all?
0
 
LVL 5

Expert Comment

by:jhill777
ID: 33622569
No, you don't have to do it to all of them but there may be some kind of conflict that is preventing it.  I've seen this problem before and enforcing it fixed it even though it went through fine doing the /force.
0
LVL 1

Author Comment

by:Simon336697
ID: 33623878
Hi jhill,
Is there any impact by enforcing a gpo?
What changes are made by enforcing one, and does it impact any other gpos?
0
 
LVL 1

Author Comment

by:Simon336697
ID: 33623880
The thing is, by enforcing it, and even though this might work, it doesn't get to the root cause of why these group policies are not applying in the first place.
0
 
LVL 3

Assisted Solution

by:jarremopoulos
jarremopoulos earned 640 total points
ID: 33625127
Do all workstations have this problem? Can you attach C:\windows\debug\usermode\userenv.log here from one of your workstations?
0
 
LVL 1

Assisted Solution

by:dasaybz
dasaybz earned 160 total points
ID: 33627981
Can you do a gpresult before you do a gpupdate /force?
0
 
LVL 5

Expert Comment

by:jhill777
ID: 33628399
Enforcing it just changes the order that GPOs run, essentially.  If you enforce one of them, it will put that GPO at the end of the list so that it would be the last thing to run, sort of guaranteeing that its settings get applied.  I would say try it, see if it works, and then you can play with it and check the resultant set of group policies to see if you can see which GPO might have been preventing it from working correctly.
0
 
LVL 1

Author Comment

by:Simon336697
ID: 33631699
Hi jhill777,
Thanks for your advice, I will try this.
The thing that baffles me is:
NO group policies are being applied to the machine.
If I run a gpresult on a workstation, it might say that this user has 5 group policies applied, but in reality, none are. It only works when I run a gpupdate /force on the machine.
This to me indicates that there is a problem at the back end, e.g. at the domain controller end, which is not "pushing" out to clients the policies they need at the default interval of 90 minutes.
I would like to know if there are any events at the back end I can check for, or check the health and configuration of the domain controllers in terms of group policies to see if this is the case. I'm not sure what mechanisms in terms of services may or may not be required for group policies to work.
0
 
LVL 3

Expert Comment

by:jarremopoulos
ID: 33634352
Take a look at that C:\windows\debug\usermode\userenv.log file. It tells what happens in the workstation during logon/startup. There may be errors regarding GPO processing, AD/domain connectivity, etc. Send the log here, please.

0
 
LVL 5

Expert Comment

by:jhill777
ID: 33640497
Also, if ever I run into weird problems like this, I just remove the computer from the domain, maybe change the computer name if it's not too big of a deal, and rejoin it.  I just did that the other day and saved myself hours of troubleshooting.  Never found out what the problem was and don't care anymore either. lol
0
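
The checks suggested in this thread (gpresult before `gpupdate /force`, then `userenv.log`) can be gathered in one pass with the batch file below; it is an added example, not part of the original thread. Background refresh is carried out by the client itself, so it runs on an affected XP/2003 machine. Assumptions: it is run from a domain account with local administrator rights, and the `gpdiag` output folder name is hypothetical.

```batch
@echo off
rem Added example (not from the thread): collect evidence on why Group Policy
rem only applies after a manual "gpupdate /force". Assumes a domain account
rem with local admin rights; OUT is a hypothetical scratch folder.
setlocal
set OUT=%TEMP%\gpdiag
if not exist "%OUT%" mkdir "%OUT%"

rem 1. Snapshot what the client believes is applied BEFORE forcing a refresh.
gpresult /v > "%OUT%\gpresult_before.txt" 2>&1

rem 2. Check whether background refresh has been switched off or re-timed
rem    by policy. "Unable to find" errors here mean the defaults are in effect.
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableBkGndGroupPolicy > "%OUT%\refresh_policy.txt" 2>&1
reg query "HKLM\Software\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTime >> "%OUT%\refresh_policy.txt" 2>&1

rem 3. Turn on verbose userenv logging so the next refresh is recorded in
rem    %SystemRoot%\Debug\UserMode\userenv.log.
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v UserEnvDebugLevel /t REG_DWORD /d 0x30002 /f

rem 4. Confirm the client can locate a DC and read the policy files in SYSVOL.
echo LOGONSERVER=%LOGONSERVER% > "%OUT%\sysvol.txt"
dir "\\%USERDNSDOMAIN%\SYSVOL\%USERDNSDOMAIN%\Policies" >> "%OUT%\sysvol.txt" 2>&1

rem 5. Force the refresh (answer "n" to any logoff/reboot prompt), snapshot again.
echo n | gpupdate /force
gpresult /v > "%OUT%\gpresult_after.txt" 2>&1

rem 6. Differences between the two snapshots show what only the forced run applied.
fc "%OUT%\gpresult_before.txt" "%OUT%\gpresult_after.txt" > "%OUT%\gpresult_diff.txt"
copy /y "%SystemRoot%\Debug\UserMode\userenv.log" "%OUT%\userenv.log" > nul

echo Results written to %OUT%
endlocal
```

Leave verbose logging on through one reboot and one unattended refresh interval, copy `userenv.log` again, then delete the `UserEnvDebugLevel` value to return logging to its default.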
