• Status: Solved
  • Priority: Medium
  • Security: Public

Group Policy only works when manually initiated from the client.

Hi guys, hope you are all well.
We have a situation in our environment, where group policies are only applying to our workstations when we visit a workstation and manually initiate a gpupdate /force command.
In our Group Policy management console, we have left the default of 90 minutes for a group policy refresh in place, so we would have thought that this would kick in after or around this 90 minute interval.
Even after a reboot of client machines, which I thought would have triggered a group policy update, clients don't receive group policy unless you manually fire off gpupdate /force.

We would love some help on trying to identify what is going on in our 2003/XP AD environment.

It seems like there is some issue with the domain controllers initiating a push of group policy to our workstations.

This happens on both client and servers in our environment.

We have checked many workstations in our environment, and verified DNS, domain settings etc.

Any help on this greatly appreciated.
Asked:
Simon336697
3 Solutions
 
jhill777 Commented:
Do you have the GPO enforced?
 
Simon336697 Author Commented:
Hi jhill777.
I don't believe we do (but will check), but should we need to do that, since if we do a gpupdate from the client end, it works?
We don't have any of our group policies enforced I believe, but do you enforce ALL your GPOs?
Is this necessary in order for them to work?
We have 30-odd GPOs, do we have to enforce them all?
 
jhill777 Commented:
No, you don't have to do it to all of them but there may be some kind of conflict that is preventing it.  I've seen this problem before and enforcing it fixed it even though it went through fine doing the /force.
 
Simon336697 Author Commented:
Hi jhill,
Is there any impact by enforcing a GPO?
What changes are made by enforcing one, and does it impact any other GPOs?
 
Simon336697 Author Commented:
The thing is, by enforcing it, and even though this might work, it doesn't get to the root cause of why these group policies are not applying in the first place.
 
jarremopoulos Commented:
Do all workstations have this problem? Can you attach C:\windows\debug\usermode\userenv.log here from one of your workstations?
 
dasaybz Commented:
Can you do a gpresult before you do a gpupdate /force?
 
jhill777 Commented:
Enforcing it just changes the order that GPOs run, essentially.  If you enforce one of them, it will put that GPO at the end of the list so that it would be the last thing to run, sort of guaranteeing that its settings get applied.  I would say try it, see if it works, and then you can play with it and check the resultant of group policies to see if you can see which GPO might have been preventing it from working correctly.
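The ordering effect of enforcement discussed in the comment above, as an added example that is not part of the original thread: a small Python model of how link order, Block Inheritance and Enforced decide which GPO is applied last. The container and GPO names are constructed, and the local GPO, security filtering and WMI filters are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    gpo: str
    order: int              # link order inside the container; 1 = highest precedence
    enforced: bool = False

@dataclass
class Container:
    name: str               # site, domain or OU
    links: list
    block_inheritance: bool = False

def processing_order(path):
    """Return GPO names in the order a client applies them (the last one wins).

    path: containers from the top of the tree down to the OU holding the object.
    """
    normal, enforced = [], []
    for depth, container in enumerate(path):
        if container.block_inheritance:
            normal.clear()  # drops inherited links, but never enforced ones
        # Inside one container, link order 1 is processed last so it wins.
        for link in sorted(container.links, key=lambda k: -k.order):
            (enforced if link.enforced else normal).append((depth, link))
    # Enforced links run after everything else, and the highest container
    # runs last, so a child OU cannot override an enforced parent setting.
    enforced.sort(key=lambda item: -item[0])   # stable sort keeps link order
    return [link.gpo for _, link in normal + enforced]

# Constructed sample: names are made up for illustration.
SAMPLE = [
    Container("Domain", [Link("Default Domain Policy", 1),
                         Link("Baseline Lockdown", 2, enforced=True)]),
    Container("OU=Workstations", [Link("Workstation Settings", 1)],
              block_inheritance=True),
]

if __name__ == "__main__":
    print(processing_order(SAMPLE))
```

In the sample, Block Inheritance on the OU drops the unenforced domain link, while the enforced one survives and is applied after the OU's own GPO.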
 
Simon336697 Author Commented:
Hi jhill777,
Thanks for your advice, I will try this.
The thing that baffles me is:
NO group policies are being applied to the machine.
If I run a gpresult on a workstation, it might say that this user has 5 group policies applied, but in reality, none are. It only works when I run a gpupdate /force on the machine.
This to me indicates that there is a problem at the back end, e.g. at the domain controller end, which is not "pushing" out to clients the policies they need at the default interval of 90 minutes.
I would like to know if there are any events at the back end I can check for, or check the health and configuration of the domain controllers in terms of group policies to see if this is the case. I'm not sure what mechanisms in terms of services may or may not be required for group policies to work.
 
jarremopoulos Commented:
Take a look at that C:\windows\debug\usermode\userenv.log file. It tells what happens in the workstation during logon/startup. There may be errors regarding GPO processing, AD/domain connectivity, etc. Send the log here, please.

 
jhill777 Commented:
Also, if ever I run into weird problems like this, I just remove the computer from the domain, maybe change the computer name if it's not too big of a deal, and rejoin it.  I just did that the other day and saved myself hours of troubleshooting.  Never found out what the problem was and don't care anymore either. lol