Solved

Group Policy not applying correctly?

Posted on 2014-02-16
17
1,217 Views
Last Modified: 2014-04-03
I'm having some trouble with a group policy that I want to apply. It doesn't look like the computer is even trying to update the computer policy? It also appears that the user policy is not applying correctly, but I could be wrong.

C:\Users\itworks>gpupdate /force
Updating Policy...

User Policy update has completed successfully.

The following warnings were encountered during user policy processing:

The Group Policy Client Side Extension Folder Redirection was unable to apply on
e or more settings because the changes must be processed before system startup o
r user logon. The system will wait for Group Policy processing to finish complet
ely before the next startup or logon for this user, and this may result in slow
startup and boot performance.
Computer policy could not be updated successfully. The following errors were enc
ountered:

The processing of Group Policy failed. Windows could not determine the site asso
ciated for this computer, which is required for Group Policy processing.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
rom the command line to access information about Group Policy results.

C:\Users\itworks>

Open in new window


C:\Users\itworks>gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 2/16/2014 at 9:07:43 AM


RSOP data for STEWARTCALHUOUN\itworks on WS-13 : Logging Mode
--------------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\itworks
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=ITworks Support,CN=Users,DC=STEWARTCALHUOUN,DC=local
    Last time Group Policy was applied: 2/16/2014 at 9:05:39 AM
    Group Policy was applied from:      FS2-SCFH-W03.STEWARTCALHUOUN.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        STEWARTCALHUOUN
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Small Business Server Folder Redirection
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server - Windows Vista policy
            Filtering:  Not Applied (Empty)

        Small Business Server Update Services Client Computers Policy
            Filtering:  Denied (Security)

        Small Business Server Update Services Common Settings Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Update Services Server Computers Policy
            Filtering:  Denied (Security)

        Small Business Server Windows Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PostSP2

        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Small Business Server Client Computer
            Filtering:  Not Applied (Empty)

        AVG MW Default Group Policy
            Filtering:  Not Applied (Empty)

        Accounting Group
            Filtering:  Denied (Security)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Offer Remote Assistance Helpers
        BUILTIN\Users
        BUILTIN\Administrators
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Group Policy Creator Owners
        Domain Admins
        Enterprise Admins
        SBS Report Users
        Schema Admins
        SBS Mobile Users
        Offer Remote Assistance Helpers
        High Mandatory Level

C:\Users\itworks>

Open in new window


GPO contentsGPO Applies to
0
Comment
Question by:ITworks
17 Comments
 
LVL 20

Expert Comment

by:Radhakrishnan Rajayyan
Comment Utility
Hi,

It's looks like the computer need a reboot in order to get GPO update. Also, is there any start up script added via GPO?
0
 
LVL 27

Expert Comment

by:Jason Watkins
Comment Utility
Can the machine find the server via DNS? Computers are reliant upon DNS to find the DC's and the associated SRV records, which tell it where the GPO's servers are.
0
 
LVL 4

Author Comment

by:ITworks
Comment Utility
Workstation can ping server by name and be returned with the IP address. Yes, there is a startup script added via GPO. Startup.vbs

Set WSHShell = WScript.CreateObject("WScript.Shell")
'To Enable Remote DCOM in the computer
WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM","Y","REG_SZ"
'To Set Authentication Level to Connect
WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel",2,"REG_DWORD"
'To Set Impersonation level to Impersonate
WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel",3,"REG_DWORD"

Open in new window

0
 
LVL 27

Expert Comment

by:Jason Watkins
Comment Utility
Have you tried logging in as a regular user and seeing if the GPO rules apply then? Admins do not always have GPO settings applied to them and are not the best users to test with.
0
 
LVL 4

Author Comment

by:ITworks
Comment Utility
Oh and I did restart the computer. See the Computer Properties screen from RSOP.MSC? Not sure how to approach that...RSOP.MSC Computer Properties.
0
 
LVL 27

Expert Comment

by:Jason Watkins
Comment Utility
There may be another issue here. Is active directory working properly? Are there any directory-based errors in the event log on the DC?
0
 
LVL 4

Author Comment

by:ITworks
Comment Utility
It looks identical when logged in as user.
0
 
LVL 4

Author Comment

by:ITworks
Comment Utility
The only thing I see in Application Event Log that possibly resembles an Active Directory error is this one from yesterday morning.

ADAP?
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 27

Expert Comment

by:Jason Watkins
Comment Utility
What about the System Log? Nothing there? There is usually something there for some reason.
0
 
LVL 4

Author Comment

by:ITworks
Comment Utility
It looks like the GPO is properly applying to the SBS box.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>gpresult /r
ERROR: Invalid argument/option - '/r'.
Type "GPRESULT /?" for usage.

C:\Documents and Settings\Administrator>gpresult

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 2/16/2014 at 10:40:51 AM


RSOP data for STEWARTCALHUOUN\Administrator on FS2-SCFH-W03 : Logging Mode
---------------------------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003 for Small Busin
ess Server
OS Configuration:            Primary Domain Controller
OS Version:                  5.2.3790
Terminal Server Mode:        Remote Administration
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=FS2-SCFH-W03,OU=Domain Controllers,DC=STEWARTCALHUOUN,DC=local
    Last time Group Policy was applied: 2/16/2014 at 10:37:05 AM
    Group Policy was applied from:      FS2-SCFH-W03.STEWARTCALHUOUN.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        STEWARTCALHUOUN
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Small Business Server Client Computer
        Small Business Server Remote Assistance Policy
        Default Domain Policy
        Small Business Server Update Services Server Computers Policy
        Small Business Server Update Services Common Settings Policy
        AVG MW Default Group Policy
        Small Business Server Auditing Policy
        Default Domain Controllers Policy
        Small Business Server Lockout Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Domain Password Policy
            Filtering:  Denied (Security)

        Small Business Server Update Services Client Computers Policy
            Filtering:  Denied (Security)

        Small Business Server Folder Redirection
            Filtering:  Not Applied (Empty)

        Small Business Server Windows Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PostSP2

        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        FS2-SCFH-W03$
        Domain Controllers
        Exchange Domain Servers
        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
        Exchange Enterprise Servers


USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=STEWARTCALHUOUN,DC=local
    Last time Group Policy was applied: 2/16/2014 at 10:24:28 AM
    Group Policy was applied from:      FS2-SCFH-W03.STEWARTCALHUOUN.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        STEWARTCALHUOUN
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Small Business Server Folder Redirection
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Accounting Group
            Filtering:  Denied (Security)

        Small Business Server Update Services Client Computers Policy
            Filtering:  Denied (Security)

        Small Business Server Client Computer
            Filtering:  Not Applied (Empty)

        Small Business Server Windows Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PostSP2

        Small Business Server Update Services Server Computers Policy
            Filtering:  Denied (Security)

        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Small Business Server Update Services Common Settings Policy
            Filtering:  Not Applied (Empty)

        AVG MW Default Group Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Group Policy Creator Owners
        Domain Admins
        Enterprise Admins
        SBS Report Users
        Schema Admins
        SBS Mobile Users
        Offer Remote Assistance Helpers

C:\Documents and Settings\Administrator>

Open in new window


However this system also has this error popping up every 30-60 seconds.

Administrative Templates error.
0
 
LVL 4

Author Comment

by:ITworks
Comment Utility
I see this in System.

Kerberos
0
 
LVL 27

Expert Comment

by:Jason Watkins
Comment Utility
Was there a server replacement made on the network? It seems as if kerberos on the client is looking for one server and finding another.
0
 
LVL 4

Author Comment

by:ITworks
Comment Utility
Not to my knowledge.
0
 
LVL 27

Expert Comment

by:Jason Watkins
Comment Utility
It still seems as if the client is looking for one server and finding another. Have you considered disjoining the client from the domain and rejoining again?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
Comment Utility
So, according to your GPRESULT report you posted the policy IS applying:

  Applied Group Policy Objects
    -----------------------------
        Small Business Server Folder Redirection
        Default Domain Policy

Open in new window


By the way, I don't know why you posted a screen shot of the AVG Policy... this is NOT your folder redirection policy.

Anyhow... your issue is that you have a Windows 7 machine trying to be controlled by a Server 2003 (which is actually still running in Windows 2000 compatibility).  

You should be able to force the processing of Group Policy by running gpupdate /force on the workstation.  However, make sure you have installed the patch update for SBS 2003 to be able to more easily work with Windows Vista and 7 --

http://www.microsoft.com/en-us/download/details.aspx?id=22252
0
 
LVL 4

Accepted Solution

by:
ITworks earned 0 total points
Comment Utility
Jeffrey,

The problem was with the AVG policy, not folder redirection. This never could get fixed, but we're replacing the server now.
0
 
LVL 4

Author Closing Comment

by:ITworks
Comment Utility
Nobody actually helped me fix it. We're replacing the server.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Written by Glen Knight (demazter) as part of a series of how-to articles. Introduction One of the biggest consumers of disk space with Small Business Server 2008(SBS) is Windows Server Update Services, more affectionately known as WSUS. For t…
This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Small Business Server 2011. NOTE: This guide has been written using the preview version of SBS2011 therefore some of the screens may …
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now