Solved

Terminal Server 2008 R2 - problem with group policies being applied to new TS users

Posted on 2013-11-21
4
1,691 Views
Last Modified: 2013-11-30
I have this weird problem with my client's terminal server (running on Windows 2008 R2 Standard):

Whenever a new TS user logs in to it, it doesn't process any of the group policies for that user, and the main group policies they care about are the folder redirection policies. Whenever I do a "gpupdate/force" from the command prompt for that user, it says:

"The processing of Group Policy failed. Windows attempted to read the file \\JS.local\SysVol\JS.local\Policies\{999A1BB5-8445-4971-BD62-869194262288}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this even is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer policy could not be updated successfully. The following error were encountered:"

etc. etc.

This happened with a user recently when they first logged on to the TS server, but I got it resolved by disjoining the TS server and rejoining it to the domain. The user logged on after that and all group policies applied just fine and he sees his redirected folders just fine.

Now we put another user in the RDP security group and have logged on to the TS server as that user, and the same issue is happening again. And what is weird is that once this happens, if I try to to "gpupdate/force" as the domain admin, it still gives me the same error - so it seems the error is not user specific.

I ran GPRESULT /H GPReport.html as suggested in the error, and the main issue probably comes from the verbiage that says:

"Group Policy Infrastructure failed due to the error listed below.
The system cannot find the path specified.
Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.
Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 11/19/2013 9:24:32 AM and 11/19/2013 9:24:33 AM."

This error only happens on the TS server with any user I try, including the domain admin. I can run "gpupdate/force" on all other machines and servers just fine with no errors.

Any help is much appreciated! I just can't be disjoining and rejoining the TS server to the domain for every new TS user that comes along.
0
Comment
Question by:jbridgman-qds
  • 3
4 Comments
 

Accepted Solution

by:
jbridgman-qds earned 0 total points
ID: 39666888
Well, tried removing the offending Group Policy referenced above. Ran "gpupdate/force" and gave the same error but with a different Group Policy. Removed THAT GP and now it seems to be working well.

Wonder what could be causing two of my newest GP's to give errors like that?
0
 
LVL 23

Assisted Solution

by:Coralon
Coralon earned 500 total points
ID: 39670789
First thing I would do is create a new OU, block inheritance on it, and during the off hours, I'd move the server to that OU.  Then create a user and check your policy stuff.  In theory, nothing should happen, since there are no policies.
Next, create a small test policy with only 1 setting in both sections (Computer & User) (something easily visible).  Be sure you turn on Loopback processing [replace mode] and see if you still get an error.

If you do - then you may have an issue with the GP infrastructure, or the GP engine on the RDS box.  
If you do not get an error, then it's likely your GPO is corrupt, and just building a new one should solve it.

If it is the first problem (GP issue), then you can try either rebuilding the existing RDS box, or if you have a virtual environment, put together a quick virtual RDS box, and again, test the policy.   Again, if you have an error, then it's your DC's, if not, then you will definitely have to rebuild the main RDS box.

Ultimately, if you have a DC GP problem, that's going to take some very serious research to resolve.  I'd be looking at calling MS and spending the $249 (or whatever the current price is) to get it fixed.  

Coralon
0
 

Author Comment

by:jbridgman-qds
ID: 39675052
I appreciate the tip! I'll give that a try maybe this week and see how things turn out.
0
 

Author Closing Comment

by:jbridgman-qds
ID: 39686655
Removed offending GPO's and solved the issue (at least temporarily) before any comments were given as possible solutions.
0

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now