Random Group Policy Outage for Site to Zone Assignment

Looking into an issue where a fairly important policy that published trusted sites failed to load on a decent number of client machines (I believe mixture of Win7/XP).  End users were getting errors on internal apps that depended on those trusted sites being in place.  This seems to have happened for about 15-20 minutes but it caused a fairly large ripple.  I am trying to troubleshoot and haven't found much.  A colleague was working on another policy which he originally thought may have been a factor but the settings involved aren't applicable and they tested loopback processing in merge (not replace) mode.
On one DC I found two repeats of a 1085 Group Policy Error that fell into the time frame but  I can't find any info out there on this message: Windows failed to apply the ConfigMgr User State Management Extension. settings. ConfigMgr User State Management Extension
LVL 1
mcburn13Asked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
mcburn13Connect With a Mentor Author Commented:
My best solution was to:
a) not use wildcards before a subdomain b) not use a slash or anything trailing the .suffix of the URL c) don't use port numbers

Another way to troubleshoot is to import the policy into a lab and remove the URLs one by one, running GPResults each time until it comes up clean- once it does you know the last one you removed was the culprit (tedious but works!)
0
 
amclaughlin01Commented:
If servers were replicating AD and GPOs, it is possible that there might have been a disconnect during that replication.

Are there any computers still experiencing the problem?  If so, you could try running gpresult /r on one of them to verify they are running the correct policies.
0
 
mcburn13Author Commented:
didn't see any replication errors, and this only happened for about 15-20 minutes.  Going to attempt do enable GP diagnostic logging in case this happens again but if anyone knows of any known issues where a policy will just not apply for no good reason please post here...
0
 
mcburn13Author Commented:
Still haven't really found any good info on this; all forum/newsgroup/microsoft documentation points to possible misconfiguration issues with the GPO (or other policies), DNS or Replication

I think the best solution is to do some sort of auditing on your group policies either via 3rd party tool like ManageEngine, along with verbose logging.  Can also implement Microsoft Advanced Group Management which comes with Software Assurance.
0
 
mcburn13Author Commented:
no other acceptable recommendation was given
0
All Courses

From novice to tech pro — start learning today.