Yashy
asked on
Group policy not working over WAN?!
hi guys,
Slightly worrying issue here. I've deployed some printers via group policy on our domain. All servers are 2008 R2. Locally on the LAN (10.0.0.0/24), they work fine and the printers are added. These are for the Domain admins so far.
We allowed the group policy settings to propagate over the VPN connection between our site and our other site (10.45.191.0/24). It's over a 10/10 vpn so it takes around an hour or so. Anyway, we tried two days later to log in to the terminal services on the other site with the same username and the printers were not added.
Could this be due to a firewall setting at the other site that is blocking the printers being added? Port 445 is open between ourselves and the other site, so is 9100. So I'm just wondering whether this is firewall related or whether it's actually routing related?
Many thanks
Yashy
ASKER
Thanks dude. How do I run rsop.msc? And from which server?
Anything below 512 kbps is considered to be a slow link; you can reduce the slow link setting. You can use the GPOInventory tool to run rsop.msc and other reports on several remote computers.
http://support.microsoft.com/kb/323276
Ports required to be opened on the firewall
http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx
You can also download and use it to scan whether a port block is the issue.
http://support.microsoft.com/kb/310456
http://www.windowsecurity.com/articles/mastering-portqryexe-part1.html
Regards
__________________________
Awinish Vishwakarma
MY BLOG: http://awinish.wordpress.com
Assuming you have Active Directory Sites and Services set up correctly with that subnet and a domain controller at the remote site, you can simply force replication.
Otherwise run gpupdate /force from the command prompt on the DC(s) and Workstations
-Eric
ASKER
Hey guys,
I ran the gpresult /z>c:\gpresult.txt even on the local LAN and it came back with the following:
The following GPOs were not applied because they were filtered out:
Printers for Quantiv Backend - Security denied.
So I must have thought it was working but it wasn't even on our LAN! Apologies for that.
However, I have now added 'Authenticated Users' to the permitted list of users on this GPO, and when I re-ran the same command as before, it is now saying the GPO has applied. However, surely 'Authenticated Users' will now add this policy for everybody in the domain?
Authenticated users should not be removed and you can use group policy filtering instead of removing authenticated users.
http://www.grouppolicy.biz/tag/printer/
http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/
Yes, the Authenticated Users group is for every user/computer authenticated in a domain. Then the policy applies to each object which resides in an OU or domain (depending on the GPO link level).
When this group is removed from the GPO's DACL, that means GPO filtering is used and you need to know where and how it is applied.
Good resources for that in Awinish's post above :)
Krzysztof
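An added example of the filtering approach Awinish and Krzysztof describe above (my code, not anything posted in this thread): Authenticated Users keeps Read only, and Apply is granted to the group that should actually receive the printers. It assumes the GroupPolicy PowerShell module (installed with GPMC on Server 2008 R2) and uses 'Domain Admins' as the target group, which is an assumption based on the question.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module that ships
# with GPMC on Server 2008 R2 (run on a DC or on a machine with RSAT installed).
Import-Module GroupPolicy

$gpoName     = 'Printers for Quantiv Backend'   # GPO name as it appears in the thread
$targetGroup = 'Domain Admins'                  # ASSUMPTION: the group that should get the printers

function Set-GpoSecurityFilter {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$ApplyGroup
    )
    # Authenticated Users keeps Read (every user and computer can still read the
    # GPO) but loses Apply, so the settings stop being delivered to everybody.
    # -Replace removes whatever level the trustee had before the new one is set.
    Set-GPPermission -Name $Name -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Only the chosen group receives Apply (GpoApply includes Read).
    Set-GPPermission -Name $Name -TargetName $ApplyGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Return the resulting permission list so it can be checked or logged.
    Get-GPPermission -Name $Name -All |
        Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, Permission
}

Set-GpoSecurityFilter -Name $gpoName -ApplyGroup $targetGroup | Format-Table -AutoSize

# On the client or terminal server, confirm the result for the logged-on user:
#   gpupdate /force
#   gpresult /r /scope user
# A user outside the group sees the GPO under "filtered out ... Denied (Security)";
# a member sees it under "Applied Group Policy Objects".
```

Leaving Read in place for Authenticated Users is not only tidier: a later Microsoft change (MS16-072, 2016) made the computer account read user-side GPOs, so a GPO that denies Authenticated Users (or Domain Computers) Read silently stops applying to everyone.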
ASKER
Thanks for that Awinish. Great article.
Well, this is the strange thing now: on our LAN it is saying that the GPO has been applied. However, at the other site when I run it, I still get:
The following GPOs were not applied because they were filtered out
--------------------------
Printers for Quantiv Backend
Filtering: Denied (Security)
This has been going on for an hour now; the VPN between each site is around 10mb/10mb so it's very fast. I did a gpupdate /force on the DC at the other end and it came up with:
The processing of Group Policy failed. Windows attempted to read the file \\matches.com\SysVol\matches.com\Policies\{C3A6F453-6B4F-4897-973C-93E820789D78}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
If this is only happening at the remote end, could it be due to VPN?
The error below points to either a network connectivity issue or firewall settings, such that the system is not able to contact a DC to get the GPO from SYSVOL and apply it.
Windows attempted to read the file \\matches.com\SysVol\matches.com\Policies\{C3A6F453-6B4F-4897-973C-93E820789D78}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved
You can run the portqry tool as suggested earlier to check whether the firewall is blocking the ports. You can also use the userenv logging tool Syspro to read the userenv log.
Check that the GPO has been replicated to SYSVOL and, when you run gpupdate /force on the problem machine, verify the event logs.
http://www.sysprosoft.com/policyreporter.shtml
http://blogs.technet.com/b/instan/archive/2008/09/17/what-is-logged-to-the-userenv-log-file.aspx
http://blogs.technet.com/b/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx
Regards
__________________________
Awinish Vishwakarma
MY BLOG: awinish.wordpress.com
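An added example for the check Awinish suggests above (my code, not from anyone in the thread): it compares the GPO version stored in AD with the Version= line of gpt.ini on each DC's own SYSVOL share, pulls the matching GroupPolicy events from the System log, and reports the state of the DFS client driver, so FRS replication latency can be told apart from a client that cannot reach or read SYSVOL at all. The domain name and GPO GUID are the ones from the error in the thread; the time window and event IDs 1030/1058 (the System-log events behind the quoted text) are my choices.

```powershell
# Added example, not from the thread. Plain PowerShell 2.0 on Server 2008 R2,
# no GroupPolicy module required. Run it on the DC or member at the remote site.
$domainName = 'matches.com'                              # domain from the thread
$gpoGuid    = '{C3A6F453-6B4F-4897-973C-93E820789D78}'   # GUID from the error in the thread

function Get-GpoVersionReport {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,
        [Parameter(Mandatory=$true)][string]$Guid
    )
    # AD side: versionNumber on the groupPolicyContainer object.
    $dcPath    = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $gpc       = [ADSI]"LDAP://$Domain/CN=$Guid,CN=Policies,CN=System,$dcPath"
    $adVersion = [int]$gpc.Properties['versionNumber'][0]

    # SYSVOL side: read gpt.ini from each DC's own share rather than the
    # \\domain\SysVol DFS path, so a stale replica shows up on a specific DC.
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    foreach ($dc in $dom.DomainControllers) {
        $ini           = "\\$($dc.Name)\SYSVOL\$Domain\Policies\$Guid\gpt.ini"
        $sysvolVersion = $null
        $reachable     = Test-Path -Path $ini
        if ($reachable) {
            $line = Get-Content -Path $ini |
                Where-Object { $_ -match '^\s*Version\s*=\s*\d+' } |
                Select-Object -First 1
            if ($line -match '(\d+)') { $sysvolVersion = [int]$matches[1] }
        }
        New-Object PSObject -Property @{
            DomainController = $dc.Name
            Site             = $dc.SiteName
            GptIniReachable  = $reachable
            SysvolVersion    = $sysvolVersion
            ADVersion        = $adVersion
            InSync           = ($sysvolVersion -eq $adVersion)
        }
    }
}

function Get-RecentGpoErrors {
    param([int]$Hours = 2)
    # 1030 ("processing of Group Policy failed") and 1058 ("attempted to read
    # ... gpt.ini") are the System-log events behind the text quoted in the thread.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Id           = 1030, 1058
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# The error text lists a disabled DFS client as a cause, and \\domain\SysVol is a
# DFS path; Dfsc is the DFS namespace client driver.
$dfsClient = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='Dfsc'"
"DFS client driver state: $($dfsClient.State)"

Get-GpoVersionReport -Domain $domainName -Guid $gpoGuid | Format-Table -AutoSize
Get-RecentGpoErrors | Format-List
```

Reading the output: a DC where GptIniReachable is False while the others are True is a connectivity or firewall problem toward that DC (TCP 445 and name resolution first); a DC that is reachable but shows a lower SysvolVersion than ADVersion is FRS latency, and gpupdate will keep failing until that replica catches up.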
GPLogView is also a good tool; give it a try.
http://gplogview.codeplex.com/
Regards
__________________________
Awinish Vishwakarma
MY BLOG: awinish.wordpress.com
ASKER
Awinish, which ports would you query if you used the portqry tool? I've just used it to query TCP 389 from the 10.45.191.0/24 site to our site 10.0.0.0/24 and it's listening. But it fails on UDP 389.
Any particular ports you would try, to see whether that is what's affecting it?
Thanks again for all this information.
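An added example for the port question above and for Awinish's earlier portqry suggestion (my code, not from the thread): it probes, from a machine on the remote subnet, the TCP ports a member machine needs against a DC, using the list from Microsoft's AD DS port-requirements article linked earlier, and checks that the DC locator SRV record resolves, which exercises DNS over UDP 53 indirectly. The DC name is an assumption to replace; the domain name is the one from the error in the thread.

```powershell
# Added example, not code from the thread. Run it on a machine in the remote
# subnet (10.45.191.0/24 in the question) against a DC at the main site.
# Plain PowerShell 2.0 / .NET 3.5, so it works on Server 2008 R2 without RSAT.
$dc     = 'dc01.matches.com'   # ASSUMPTION: replace with a real DC name
$domain = 'matches.com'        # domain name taken from the error in the thread

# TCP ports from Microsoft's AD DS port-requirements article linked earlier in
# the thread. Group Policy itself needs DNS, Kerberos, LDAP and SMB; the rest
# are what a member machine generally needs to talk to a DC.
$tcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL / NETLOGON)'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

function Test-TcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Neither SYN/ACK nor RST within the timeout usually means a firewall dropped it.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'FILTERED (timeout)' }
        $client.EndConnect($ar)   # throws if the connection was actively refused
        return 'LISTENING'
    } catch {
        return 'NOT LISTENING (' + $_.Exception.Message + ')'
    } finally {
        $client.Close()
    }
}

function Test-DcLocatorRecord {
    param([Parameter(Mandatory=$true)][string]$Domain)
    # TcpClient cannot probe UDP. DNS over UDP 53 is exercised indirectly by
    # resolving the SRV record the DC locator uses to find a domain controller.
    $out = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1 | Out-String
    return ($out -match 'svr hostname')
}

$results = foreach ($port in ($tcpPorts.Keys | Sort-Object)) {
    New-Object PSObject -Property @{
        Port    = $port
        Service = $tcpPorts[$port]
        Result  = Test-TcpPort -ComputerName $dc -Port $port
    }
}
$results | Format-Table Port, Service, Result -AutoSize
"DC locator SRV record for $domain resolvable: $(Test-DcLocatorRecord -Domain $domain)"
```

The TCP 389 / UDP 389 split reported above is worth taking seriously: the DC locator's LDAP "ping" on Server 2008 R2 goes over UDP 389, and DNS and Kerberos also use UDP 53 and UDP 88, so a firewall that passes only TCP can leave a client unable to find a DC even though every TCP port tests as listening. DC-to-DC replication additionally needs the dynamic RPC range (49152 to 65535 on Server 2008 R2), which this script does not probe.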
ASKER
Thanks for your help, peeps. The ports on the firewall have now been opened, as some were missing. Much appreciated.
Check if changing "slow link detection" can help:
http://support.microsoft.com/kb/2008977
Also run RSoP.msc to check if the GPO is being applied on that TS.
Regards,
Krzysztof
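An added example for the slow link detection check Krzysztof and Awinish suggest (my code, not from the thread): it reads the threshold the "Configure Group Policy slow link detection" policy writes to the registry for both the computer and the user scope, falling back to the 500 kbps default, and lists the most recent link-detection events from the Group Policy operational log, which record the bandwidth the client actually measured. The registry value name and the log name are real; the number of events shown is my choice.

```powershell
# Added example, not from the thread. Run on the terminal server (or any client)
# where the printers fail to arrive, after a gpupdate /force.

function Get-GpSlowLinkThreshold {
    # GroupPolicyMinTransferRate is the value set by the "Configure Group Policy
    # slow link detection" policy; HKLM covers computer policy, HKCU user policy.
    # 500 kbps is the built-in default; a configured value of 0 means every link
    # is treated as fast.
    $defaultKbps = 500
    foreach ($hive in 'HKLM', 'HKCU') {
        $key    = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\System"
        $kbps   = $defaultKbps
        $source = 'default (not configured)'
        if (Test-Path $key) {
            $v = (Get-ItemProperty -Path $key -Name GroupPolicyMinTransferRate `
                    -ErrorAction SilentlyContinue).GroupPolicyMinTransferRate
            if ($v -ne $null) { $kbps = [int]$v; $source = 'policy' }
        }
        New-Object PSObject -Property @{
            Scope         = $(if ($hive -eq 'HKLM') { 'Computer' } else { 'User' })
            ThresholdKbps = $kbps
            Source        = $source
        }
    }
}

function Get-GpLinkDetectionEvents {
    param([int]$Count = 5)
    # On Vista / 2008 and later the Group Policy client logs the estimated
    # bandwidth and whether the link was judged fast or slow on every refresh.
    Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 500 `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'link was detected' } |
        Select-Object -First $Count TimeCreated, Id, Message
}

Get-GpSlowLinkThreshold | Format-Table Scope, ThresholdKbps, Source -AutoSize
Get-GpLinkDetectionEvents | Format-List
```

If the events show an estimated bandwidth below the threshold, the client is in slow-link mode and only the extensions that are configured to process over a slow link will run; lowering the threshold (or setting it to 0) changes that behaviour without touching the VPN itself. If the events show a fast link, the slow link setting is not the cause and the "Denied (Security)" filtering result from gpresult is the thing to chase.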