Solved

New Group Policy not being "seen" or applied on Client machine

Posted on 2011-10-18
Last Modified: 2015-03-19
Hi Experts,

I have a unique issue in my environment at the moment. I have created a new OU for testing purposes and in it lives a testing user (Test.User).

This user is receiving all the default GPs that are set at domain level, which is fine. However, I have created a new GPO and linked it to the Test OU and it is not showing in gpresult /r. It is a User Policy. I have run gpupdate /force.

There is a back story to all this though. We used to have two other DCs; one was 2k3, the other is 2k8. I transferred any FSMO roles they had to my current DC, which is also 2k8, and DCPROMO'd them off the domain. The 2k3 box is no longer on the network at all. The 2nd 2k8 machine is now just a member server.

There were replication errors in the event log and I have gone through some MS KBs to get the sysvol trees set up correctly with the correct permissions as well. This is confirmed by the original GPOs still applying.

The trouble I'm having, as mentioned above, is that if I create a NEW policy I can see it in the Policies sysvol folder but cannot see it in GPRESULT on the client.

The policy is applied to the Test OU and assigned to AUTHENTICATED USERS.
Question by:dt3itsteam
39 Comments
 
LVL 43

Expert Comment

by:Adam Brown
ID: 36987033
Run RSOP.msc. That will let you get an idea of whether or not the system is "seeing" the GPO and it will give you some information on any errors that are occurring. You may also want to view the system/application log on the machine you're logging in to with that user to see if there are any errors relating to the GPO. With multiple DCs, it's possible that the GPO isn't getting replicated to the second DC and the computer you're logging in to is pulling data from that DC instead of the primary.
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 36987208
Thanks acbrown2010,

Few things to note here:

- No negative results are logged in Event viewer.
- There is now only ONE DC in the network.
- I will run with RSOP.msc and report back.
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 36987225
Update:

RSOP on client confirms my GPO doesn't seem to exist.
0
 
LVL 43

Expert Comment

by:Adam Brown
ID: 36987292
Check sysvol on all your DCs to make sure the directory that holds the GPO exists. The GPOs are stored by their GUIDs in windows\sysvol\domain\policies

You can get the GUID of the GPO from GPMC on the Details tab.
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 36987317
Have checked and the GPO exists in Sysvol.
Also checked that it's added when creating a new one, which it is!
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36998569
Can you tell us which policy you have applied that is not working? Can you attach a screenshot of the group policy which you have defined in GPMC?

Also run dcdiag /q and repadmin /replsum at the command prompt and post the logs.
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 36998728
Hi Sandeshdubey,

It's not that the policy settings are not being applied, it's that the whole policy is not showing in gpresult.

I'll post the info you requested anyway.

Thanks
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37002712
Please run RSOP from GPMC, make sure to kill client firewall otherwise it will block.
This will show you why it's not applying or the conflicts.

A
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 37023304
Hi Guys,

The dcdiag /q and repadmin /replsum logs are attached with the screenshot of the GPO. All names have been changed for privacy.

I am trying to run RSOP from GPMC but am getting "The RPC Server is unavailable", all firewalls are off as well as Symantec End Point AV.
dcdiag /q

C:\Users\administrator.companyname>dcdiag /q
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=companyname,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=companyname,DC=local
         ......................... DC01 failed test NCSecDesc
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   08:53:06
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   08:53:59
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   08:54:02
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   08:54:52
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   08:59:28
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:00:18
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:00:23
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:01:13
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:05:59
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:06:42
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:06:49
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:07:32
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:12:17
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:13:04
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:13:11
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:13:54
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:18:42
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:19:24
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:19:32
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:20:14
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:25:11
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:25:45
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:26:01
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:26:34
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:31:30
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:32:04
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:32:23
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:32:54
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:37:55
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:38:25
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:38:45
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:39:15
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:44:23
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:44:45
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:45:14
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.1 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0x00000457
            Time Generated: 10/25/2011   09:45:20
            Event String:
            Driver CutePDF Writer required for printer CutePDF Writer is unknown
. Contact the administrator to install the driver before you log in again.
         An Error Event occurred.  EventID: 0x00000457
            Time Generated: 10/25/2011   09:45:22
            Event String:
            Driver Dell 2330dn Laser Printer required for printer Dell 2330dn La
ser Printer DTM is unknown. Contact the administrator to install the driver befo
re you log in again.
         An Error Event occurred.  EventID: 0x00000457
            Time Generated: 10/25/2011   09:45:28
            Event String:
            Driver Kyocera FS-1128MFP KX required for printer FS-1128MFP is unkn
own. Contact the administrator to install the driver before you log in again.
         An Error Event occurred.  EventID: 0xC0002719
            Time Generated: 10/25/2011   09:45:35
            Event String:
            DCOM was unable to communicate with the computer 192.168.16.8 using
any of the configured protocols.
         An Error Event occurred.  EventID: 0x00000457
            Time Generated: 10/25/2011   09:46:27
            Event String:
            Driver Canon iR C2570 required for printer Canon iR C2570 - APPI is
unknown. Contact the administrator to install the driver before you log in again
.
         An Error Event occurred.  EventID: 0x00000457
            Time Generated: 10/25/2011   09:46:39
            Event String:
            Driver HP Universal Printing PCL 6 (v5.0) required for printer HP 13
20 is unknown. Contact the administrator to install the driver before you log in
 again.
         An Error Event occurred.  EventID: 0x00000457
            Time Generated: 10/25/2011   09:46:41
            Event String:
            Driver Canon iR C3880/C4080/C4580 required for printer Canon Colour
IRC4080 - CGES is unknown. Contact the administrator to install the driver befor
e you log in again.
         An Error Event occurred.  EventID: 0x00000457
            Time Generated: 10/25/2011   09:46:43
            Event String:
            Driver Send To Microsoft OneNote 2010 Driver required for printer Se
nd To OneNote 2010 is unknown. Contact the administrator to install the driver b
efore you log in again.
         An Error Event occurred.  EventID: 0x00000457
            Time Generated: 10/25/2011   09:46:52
            Event String:
            Driver Microsoft Office Live Meeting 2007 Document Writer Driver req
uired for printer Microsoft Office Live Meeting 2007 Document Writer is unknown.
 Contact the administrator to install the driver before you log in again.
         ......................... DC01 failed test SystemLog

C:\Users\administrator.companyname>


repadmin /replsum:

C:\Users\administrator.companyname>repadmin /replsum
Replication Summary Start Time: 2011-10-25 09:52:42

Beginning data collection for replication summary, this may take awhile:
  ....


Source DSA          largest delta    fails/total %%   error


Destination DSA     largest delta    fails/total %%   error



C:\Users\administrator.companyname>


GPO.JPG
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37030520
Your logs confirm that you have Replication errors:

An Error Event occurred.  EventID: 0xC0002719

Please have a look below:

http://www.experts-exchange.com/OS/Miscellaneous/Q_21768092.html

A

0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 37031402
Ackles, that link you provided me is not much help, the forwarding links are all dead too.

Anyway, those events you are talking about are DCOM event logs, which I don't believe relate to the issues I am seeing.

I have since run the following on my DC and have attached logs from the output. You will notice that there are DNS errors for servers that no longer exist in the domain.

Any ideas how I go about removing these, as they don't appear anywhere in DNS.mmc?

-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
 -> netdiag.exe /v > c:\netdiag.log (On each dc)
 -> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
 -> dnslint /ad /s "ip address of your dc"

Also, as a test I have tried running DCPROMO on a server which used to be a DC on the domain (DR01) but it fails with the following error:

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller for domain dt3limited.local:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.dt3limited.local

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

127.0.0.1
192.168.16.7

- One or more of the following zones do not include delegation to its child zone:

dt3limited.local
local
. (the root zone)

 


dcdiag.log
DNSLint.txt
netdiag.log
repl.txt
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 37036649
I have cleared the above error from when I was trying to add another DC to the domain, as a test.

The issue was a rogue DNS entry:

Forward Lookup Zone - domain.local - _msdcs - The NS record was pointing to an old server. I updated the record and the DCPROMO progressed.

I did not complete it though, as I don't want to complicate the issues above any further.

I still have the GPO issue though.
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37036655
Can you reboot the client & check event logs?
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 37043429
Ackles, I have rebooted the client and event logs are clean, no errors and also no GPO based entries?!

See pic below, note the modified date on the highlighted Policy (this is the policy that is not showing), is there any significance with the dates?

 Modified Date
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 37043559
Also,

Domain Function Level has been set to 2008, but in the gpresult /r report from the client, domain type is 2000??

And, I know I mentioned before that there were no GP events, but there is one info event, below:


USER SETTINGS
--------------
    CN=Test User,OU=Testing Development,OU=Users,OU=DT3 LTD,DC=COlimited,DC=loc
al
    Last time Group Policy was applied: 28/10/2011 at 09:12:00
    Group Policy was applied from:      dt3fs01.COlimited.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        COLIMITED
    Domain Type:                        Windows 2000
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)
        Small Business Server - Windows Vista policy
            Filtering:  Not Applied (Empty)
        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)
        Small Business Server Internet Connection Firewall
            Filtering:  Disabled (GPO)
        Proxy PAC Update
            Filtering:  Not Applied (Empty)
        Local Group Policy
            Filtering:  Not Applied (Empty)
        Small Business Server Client Computer
            Filtering:  Not Applied (Empty)
        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)
        Engineer GPO
            Filtering:  Not Applied (Empty)
    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        CERTSVC_DCOM_ACCESS
        High Mandatory Level
C:\Users\test.user>


Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          28/10/2011 09:18:21
Event ID:      1502
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      DT30004.dt3limited.local
Description:
The Group Policy settings for the computer were processed successfully. New settings from 8 Group Policy objects were detected and applied.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1502</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2011-10-28T08:18:21.914480600Z" />
    <EventRecordID>43857</EventRecordID>
    <Correlation ActivityID="{A94C5007-F8F1-490D-8828-43C21F1988E0}" />
    <Execution ProcessID="888" ThreadID="2064" />
    <Channel>System</Channel>
    <Computer>DT30004.dt3limited.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">1</Data>
    <Data Name="SupportInfo2">3163</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">2932</Data>
    <Data Name="DCName">\\dt3fs01.dt3limited.local</Data>
    <Data Name="NumberOfGroupPolicyObjects">8</Data>
  </EventData>
</Event>


0
 
LVL 11

Expert Comment

by:Ackles
ID: 37043725
Can you please tell what is the name of policy?
Also, if it's a Computer Policy then please logon as Administrator & run gpresult /v because your user doesn't have the rights to read computer based policies.

A
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 37043753
Name of the Policy is: Symantec.Cloud

It's not a Computer Policy, it's a User Policy.

Test User has been added to local admins so they can read the computer policy.

I will paste it below.
 
C:\Users\test.user>gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 28/10/2011 at 10:41:50


RSOP data for DT3LIMITED\test.user on DT30004 : Logging Mode
-------------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\test.user
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=DT30004,OU=Engineers,OU=Computer Accounts,OU=DT3 LTD,DC=dt3limited,DC=loc
al
    Last time Group Policy was applied: 28/10/2011 at 10:41:28
    Group Policy was applied from:      dt3fs01.dt3limited.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DT3LIMITED
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Proxy PAC Update
        Engineer GPO
        Small Business Server - Windows Vista policy
        Small Business Server Client Computer
        Small Business Server Remote Assistance Policy
        Small Business Server Lockout Policy
        Small Business Server Domain Password Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Internet Connection Firewall
            Filtering:  Disabled (GPO)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        DT30004$
        Domain Computers
        CERTSVC_DCOM_ACCESS
        System Mandatory Level


USER SETTINGS
--------------
    CN=Test User,OU=Testing Development,OU=Users,OU=DT3 LTD,DC=dt3limited,DC=loc
al
    Last time Group Policy was applied: 28/10/2011 at 10:41:27
    Group Policy was applied from:      dt3fs01.dt3limited.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DT3LIMITED
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Small Business Server - Windows Vista policy
            Filtering:  Not Applied (Empty)

        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Internet Connection Firewall
            Filtering:  Disabled (GPO)

        Proxy PAC Update
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Client Computer
            Filtering:  Not Applied (Empty)

        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

        Engineer GPO
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        CERTSVC_DCOM_ACCESS
        High Mandatory Level

C:\Users\test.user>


I have also attached a shot of the Policy

 symantec.cloud
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 37043757
Settings
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37043769
Alright, I'll explain what you did; if that's correct then do as I say & tell me the result...
You clicked on Add, then wrote the name of the user, checked names & added it?

If this is correct, then follow this procedure:
1) Remove Test user, then click add, once you reach add click on Advanced > Find > click the Test user & then ok till you reach back here.

Run gpupdate /force
& tell if you see it applied.

If you still don't see it then we will have to go Delegation way.

A
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 37043795
That's how I have done it today. Originally I had Authenticated Users in there, but I removed that group and just added the user to see if that made a difference.

I will follow your request above and update.

Any reason why the DOMAIN TYPE in the gpresults is 200 when the domain function is 2000?
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37043796
It's nothing unusual, I don't remember it off the top of my head.

Let me know if it works?

A
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37043803
Oh, if it doesn't work can you post gpresult /v again?
Also, is the GPO applied directly on the OU where the user is or some level above?

If it's not directly on the OU can you please move it closer, I mean directly on the OU where user is?

A
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 37043804
...domain function is 2008 I meant!
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37043805
That's ok, it has nothing to do here. This is how gpresult reflects it.
A
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 37043809
GPResult:

 
C:\Users\test.user>gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 28/10/2011 at 11:08:39


RSOP data for DT3LIMITED\test.user on DT30004 : Logging Mode
-------------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\test.user
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=DT30004,OU=Engineers,OU=Computer Accounts,OU=DT3 LTD,DC=dt3limited,DC=loc
al
    Last time Group Policy was applied: 28/10/2011 at 11:04:41
    Group Policy was applied from:      dt3fs01.dt3limited.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DT3LIMITED
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Proxy PAC Update
        Engineer GPO
        Small Business Server - Windows Vista policy
        Small Business Server Client Computer
        Small Business Server Remote Assistance Policy
        Small Business Server Lockout Policy
        Small Business Server Domain Password Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Internet Connection Firewall
            Filtering:  Disabled (GPO)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        DT30004$
        Domain Computers
        CERTSVC_DCOM_ACCESS
        System Mandatory Level


USER SETTINGS
--------------
    CN=Test User,OU=Testing Development,OU=Users,OU=DT3 LTD,DC=dt3limited,DC=loc
al
    Last time Group Policy was applied: 28/10/2011 at 11:08:26
    Group Policy was applied from:      dt3fs01.dt3limited.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DT3LIMITED
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Small Business Server - Windows Vista policy
            Filtering:  Not Applied (Empty)

        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Internet Connection Firewall
            Filtering:  Disabled (GPO)

        Proxy PAC Update
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Client Computer
            Filtering:  Not Applied (Empty)

        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

        Engineer GPO
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        CERTSVC_DCOM_ACCESS
        High Mandatory Level

C:\Users\test.user>



Policy is applied directly to the OU that Test.User is in. Enforced too. See below:

[Image: GPO]
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37043828

Alright, do three things, if the first doesn't work then do the second & if the second doesn't then third:
1) I assume you ran Gpupdate /force, if yes Reboot the client & see.
2) Remove Test User & add Authenticated Users, I also assume you made no changes in Delegation Tab.
3) Since you have the screenshot of the GPO, delete it & recreate it, but don't name it the same; for example, reverse the name to Cloud Symantec.

I have to go out for an hour, but by the time I am back you should be able to do the above requested...

Damn, sometimes it's so easy if you can just see the screen....

Good Luck,
A
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 37043884
I have done all three already in my troubleshooting, but I will follow your requests :)

1) Done about 400 times :P, but done again, no change. Policy not showing in gpresult.

2) Removed Test.User and added Authenticated Users. gpupdate /force on client then reboot. Still no policy in gpresult /r.

3) Deleted symantec.cloud GPO, recreated cloud.symantec and linked to Test OU. Ran gpupdate /force on client and rebooted. gpresult below:

 
C:\Users\test.user>gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 28/10/2011 at 11:30:55


RSOP data for DT3LIMITED\test.user on DT30004 : Logging Mode
-------------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\test.user
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=DT30004,OU=Engineers,OU=Computer Accounts,OU=DT3 LTD,DC=dt3limited,DC=loc
al
    Last time Group Policy was applied: 28/10/2011 at 11:29:35
    Group Policy was applied from:      dt3fs01.dt3limited.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DT3LIMITED
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Proxy PAC Update
        Engineer GPO
        Small Business Server - Windows Vista policy
        Small Business Server Client Computer
        Small Business Server Remote Assistance Policy
        Small Business Server Lockout Policy
        Small Business Server Domain Password Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Internet Connection Firewall
            Filtering:  Disabled (GPO)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        DT30004$
        Domain Computers
        CERTSVC_DCOM_ACCESS
        System Mandatory Level


USER SETTINGS
--------------
    CN=Test User,OU=Testing Development,OU=Users,OU=DT3 LTD,DC=dt3limited,DC=loc
al
    Last time Group Policy was applied: 28/10/2011 at 11:30:42
    Group Policy was applied from:      dt3fs01.dt3limited.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DT3LIMITED
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Small Business Server - Windows Vista policy
            Filtering:  Not Applied (Empty)

        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Internet Connection Firewall
            Filtering:  Disabled (GPO)

        Proxy PAC Update
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Client Computer
            Filtering:  Not Applied (Empty)

        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

        Engineer GPO
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        CERTSVC_DCOM_ACCESS
        High Mandatory Level

C:\Users\test.user>


0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 37043897
Still no luck.
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37043956
Can you try to run RSOP on the server from GPMC, and turn off the firewall on the client?
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37043958
Can you also check Operational Logs on Client for GroupPolicy?
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37043970
Just one thing to try, Block Inheritance on the OU.
0
 
LVL 1

Author Comment

by:dt3itsteam
ID: 37044306
Ackles, good news and bad news!

Good news is:

USER SETTINGS
--------------
    CN=Test User,OU=Testing Development,OU=Users,OU=DT3 LTD,DC=dt3limited,DC=loc
al
    Last time Group Policy was applied: 28/10/2011 at 13:10:54
    Group Policy was applied from:      dt3fs01.dt3limited.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DT3LIMITED
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Symantec.Cloud
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------


The bad news is, it wasn't anything to do with your suggestions :P

I am still going to award points to you though!

The issue was that another Computer GPO, called Engineer GPO, had the GP Loopback Policy enabled:

[Image: GPO]
I removed the GPO and forced GP update on the client, rebooted and boom, my GPO appeared and worked!

I have tested this on a number of machines to confirm.

Now I'm not sure what this GPO means though, I have read the explanation but still don't get it!

"Applies alternate user settings when a user logs on to a computer affected by this setting.

This setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.

By default, the user's Group Policy objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy objects determine which set of Group Policy objects applies.

To use this setting, select one of the following modes from the Mode box:

--   "Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.

--   "Merge" indicates that the user settings defined in the computer's Group Policy objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy objects take precedence over the user's normal settings.

If you disable this setting or do not configure it, the user's Group Policy objects determines which user settings apply.

Note: This setting is effective only when both the computer account and the user account are in Windows 2000 domains."

Does anyone have the short/simple explanation?!
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37044322
You don't have to award me the points for my participation; however, if you see my last comment, blocking the inheritance would have isolated it.
I am glad your issue is resolved!!!
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37044342
It is hard to say it in simple words, but I'll try:
When you make a User setting and want to apply it to a Computer, the computer doesn't understand user side settings, so make it understand Loopback is user.

When the Replace mode is used, the user side settings are sort of enforced if there is a conflict between User & Computer.

To make it more clear there is a good article below:
http://kudratsapaev.blogspot.com/2009/07/loopback-processing-of-group-policy.html

A
0
 
LVL 11

Accepted Solution

by:
Ackles earned 2000 total points
ID: 37044384
In all honesty, I actually think it is not good practice for whoever made the Loopback GPO to just have isolated loopback GPOs floating; they are to be embedded in the particular GPO where they are needed, but this is just my opinion.

A
0
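The root cause found in this thread, a computer-linked GPO with loopback processing enabled, can be audited for across a whole domain. The script below is an added example, not part of any post in this thread; it assumes the GroupPolicy PowerShell module (GPMC/RSAT, Windows Server 2008 R2 or later) and PowerShell 3.0 or later, and the function names `Get-LoopbackGpo` and `Get-LocalLoopbackMode` are hypothetical.

```powershell
# Added example: list every GPO that turns on loopback processing and where it is linked.
Import-Module GroupPolicy

# "User Group Policy loopback processing mode" is stored in the Computer half of a
# GPO as this registry policy value: 1 = Merge, 2 = Replace.
$LoopbackKey   = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopbackValue = 'UserPolicyMode'
$ModeNames     = @{ 1 = 'Merge'; 2 = 'Replace' }

function Get-LoopbackGpo {   # hypothetical helper name
    foreach ($gpo in Get-GPO -All) {
        try {
            # Errors out when the GPO does not define the value; those GPOs are skipped.
            $setting = Get-GPRegistryValue -Guid $gpo.Id -Key $LoopbackKey `
                -ValueName $LoopbackValue -ErrorAction Stop
        } catch { continue }

        $raw  = $setting.Value
        $mode = "Other ($($setting.PolicyState))"   # e.g. the value is marked for deletion
        if ($raw -ne $null -and $ModeNames.ContainsKey([int]$raw)) { $mode = $ModeNames[[int]$raw] }

        # The XML report lists each site, domain or OU the GPO is linked to.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object {
            '{0} (enabled={1}, enforced={2})' -f $_.SOMPath, $_.Enabled, $_.NoOverride
        })

        [pscustomobject]@{
            Gpo      = $gpo.DisplayName
            Mode     = $mode
            Status   = $gpo.GpoStatus      # a GPO with computer settings disabled has no effect
            LinkedTo = $links -join '; '
        }
    }
}

# Run on a client: shows the loopback mode the machine has actually received.
function Get-LocalLoopbackMode {   # hypothetical helper name
    $p = Get-ItemProperty -Path "Registry::$($LoopbackKey -replace '^HKLM', 'HKEY_LOCAL_MACHINE')" `
        -Name $LoopbackValue -ErrorAction SilentlyContinue
    if ($p -and $ModeNames.ContainsKey([int]$p.$LoopbackValue)) { $ModeNames[[int]$p.$LoopbackValue] }
    else { 'Not configured' }
}

Get-LoopbackGpo | Format-List
```

A GPO reported in Replace mode and linked to a computer OU explains user-OU policies missing from `gpresult /r` for anyone who logs on to those machines.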
 
LVL 1

Author Comment

by:dt3itsteam
ID: 37044402
In the infinite wisdom and words from Snoop Dog......it wasn't me!

:)

thanks for your help Ackles!
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37044436
Pleasure & Thanks for the Points!!!
0
 

Expert Comment

by:JD Mills
ID: 40676593
I just want to add that the price of signing up for Experts Exchange was worth this answer alone. Somehow I goofed and a loopback policy snubbed out half of my user policies. What a mess. Thank you for posting the solution!
0
 
LVL 11

Expert Comment

by:Ackles
ID: 40676597
Thanks, means a lot!
0
