Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Terminal Server 2008 R2 - problem with group policies being applied to new TS users

Posted on 2013-11-21
4
Medium Priority
?
1,844 Views
Last Modified: 2013-11-30
I have this weird problem with my client's terminal server (running on Windows 2008 R2 Standard):

Whenever a new TS user logs in to it, it doesn't process any of the group policies for that user, and the main group policies they care about are the folder redirection policies. Whenever I do a "gpupdate/force" from the command prompt for that user, it says:

"The processing of Group Policy failed. Windows attempted to read the file \\JS.local\SysVol\JS.local\Policies\{999A1BB5-8445-4971-BD62-869194262288}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this even is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer policy could not be updated successfully. The following error were encountered:"

etc. etc.

This happened with a user recently when they first logged on to the TS server, but I got it resolved by disjoining the TS server and rejoining it to the domain. The user logged on after that and all group policies applied just fine and he sees his redirected folders just fine.

Now we put another user in the RDP security group and have logged on to the TS server as that user, and the same issue is happening again. And what is weird is that once this happens, if I try to to "gpupdate/force" as the domain admin, it still gives me the same error - so it seems the error is not user specific.

I ran GPRESULT /H GPReport.html as suggested in the error, and the main issue probably comes from the verbiage that says:

"Group Policy Infrastructure failed due to the error listed below.
The system cannot find the path specified.
Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.
Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 11/19/2013 9:24:32 AM and 11/19/2013 9:24:33 AM."

This error only happens on the TS server with any user I try, including the domain admin. I can run "gpupdate/force" on all other machines and servers just fine with no errors.

Any help is much appreciated! I just can't be disjoining and rejoining the TS server to the domain for every new TS user that comes along.
0
Comment
Question by:jbridgman-qds
  • 3
4 Comments
 

Accepted Solution

by:
jbridgman-qds earned 0 total points
ID: 39666888
Well, tried removing the offending Group Policy referenced above. Ran "gpupdate/force" and gave the same error but with a different Group Policy. Removed THAT GP and now it seems to be working well.

Wonder what could be causing two of my newest GP's to give errors like that?
0
 
LVL 25

Assisted Solution

by:Coralon
Coralon earned 2000 total points
ID: 39670789
First thing I would do is create a new OU, block inheritance on it, and during the off hours, I'd move the server to that OU.  Then create a user and check your policy stuff.  In theory, nothing should happen, since there are no policies.
Next, create a small test policy with only 1 setting in both sections (Computer & User) (something easily visible).  Be sure you turn on Loopback processing [replace mode] and see if you still get an error.

If you do - then you may have an issue with the GP infrastructure, or the GP engine on the RDS box.  
If you do not get an error, then it's likely your GPO is corrupt, and just building a new one should solve it.

If it is the first problem (GP issue), then you can try either rebuilding the existing RDS box, or if you have a virtual environment, put together a quick virtual RDS box, and again, test the policy.   Again, if you have an error, then it's your DC's, if not, then you will definitely have to rebuild the main RDS box.

Ultimately, if you have a DC GP problem, that's going to take some very serious research to resolve.  I'd be looking at calling MS and spending the $249 (or whatever the current price is) to get it fixed.  

Coralon
0
 

Author Comment

by:jbridgman-qds
ID: 39675052
I appreciate the tip! I'll give that a try maybe this week and see how things turn out.
0
 

Author Closing Comment

by:jbridgman-qds
ID: 39686655
Removed offending GPO's and solved the issue (at least temporarily) before any comments were given as possible solutions.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question