Sue Taylor asked:

Group Policy not applying correctly?

I'm having some trouble with a group policy that I want to apply. It doesn't look like the computer is even trying to update the computer policy? It also appears that the user policy is not applying correctly, but I could be wrong.

C:\Users\itworks>gpupdate /force
Updating Policy...

User Policy update has completed successfully.

The following warnings were encountered during user policy processing:

The Group Policy Client Side Extension Folder Redirection was unable to apply on
e or more settings because the changes must be processed before system startup o
r user logon. The system will wait for Group Policy processing to finish complet
ely before the next startup or logon for this user, and this may result in slow
startup and boot performance.
Computer policy could not be updated successfully. The following errors were enc
ountered:

The processing of Group Policy failed. Windows could not determine the site asso
ciated for this computer, which is required for Group Policy processing.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
rom the command line to access information about Group Policy results.

C:\Users\itworks>


C:\Users\itworks>gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 2/16/2014 at 9:07:43 AM


RSOP data for STEWARTCALHUOUN\itworks on WS-13 : Logging Mode
--------------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\itworks
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=ITworks Support,CN=Users,DC=STEWARTCALHUOUN,DC=local
    Last time Group Policy was applied: 2/16/2014 at 9:05:39 AM
    Group Policy was applied from:      FS2-SCFH-W03.STEWARTCALHUOUN.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        STEWARTCALHUOUN
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Small Business Server Folder Redirection
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server - Windows Vista policy
            Filtering:  Not Applied (Empty)

        Small Business Server Update Services Client Computers Policy
            Filtering:  Denied (Security)

        Small Business Server Update Services Common Settings Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Update Services Server Computers Policy
            Filtering:  Denied (Security)

        Small Business Server Windows Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PostSP2

        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Small Business Server Client Computer
            Filtering:  Not Applied (Empty)

        AVG MW Default Group Policy
            Filtering:  Not Applied (Empty)

        Accounting Group
            Filtering:  Denied (Security)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Offer Remote Assistance Helpers
        BUILTIN\Users
        BUILTIN\Administrators
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Group Policy Creator Owners
        Domain Admins
        Enterprise Admins
        SBS Report Users
        Schema Admins
        SBS Mobile Users
        Offer Remote Assistance Helpers
        High Mandatory Level

C:\Users\itworks>


Radhakrishnan

Hi,

It looks like the computer needs a reboot in order to get the GPO update. Also, is there any startup script added via GPO?
Can the machine find the server via DNS? Computers are reliant upon DNS to find the DCs and the associated SRV records, which tell it where the GPO's servers are.
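
The DNS and site checks raised in this reply can be run from the workstation as follows. This is an added example, not part of the original thread; the helper names `Invoke-Tool` and `New-Result` are hypothetical, and the string matches assume English-language output from `nslookup` and `nltest`.

```powershell
# Added example, not from the thread. Run on the affected workstation
# (compatible with the PowerShell 2.0 that ships with Windows 7).
$Domain = 'STEWARTCALHUOUN.local'   # domain name as shown in the gpresult output

function Invoke-Tool {              # hypothetical helper
    param([string]$Exe, [string[]]$ToolArgs)
    # Run a native tool and return stdout and stderr as one trimmed string.
    (& $Exe $ToolArgs 2>&1 | Out-String).Trim()
}

function New-Result {               # hypothetical helper
    param($Check, $OK, $Detail)
    New-Object PSObject -Property @{ Check = $Check; OK = $OK; Detail = $Detail } |
        Select-Object Check, OK, Detail
}

# 1. DNS servers the client actually queries. A successful ping by name can be
#    answered by NetBIOS or LLMNR, so it does not prove DNS SRV lookups work.
$dns = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
    ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ } |
    Select-Object -Unique)

# 2. SRV records the DC locator depends on.
$srvOut = Invoke-Tool 'nslookup.exe' @('-type=SRV', "_ldap._tcp.dc._msdcs.$Domain")

# 3. Can Netlogon locate a domain controller, bypassing its cache?
$dcOut = Invoke-Tool 'nltest.exe' @("/dsgetdc:$Domain", '/force')

# 4. Which Active Directory site does Netlogon place this computer in?
$siteOut = Invoke-Tool 'nltest.exe' @('/dsgetsite')

$ok = 'The command completed successfully'   # assumed English-locale text
$report = @(
    New-Result 'DNS servers in use' ($dns.Count -gt 0)           ($dns -join ', ')
    New-Result 'DC SRV records'     ($srvOut -match 'svr hostname') $srvOut
    New-Result 'DC locator'         ($dcOut -match $ok)           $dcOut
    New-Result 'AD site'            ($siteOut -match $ok)         (($siteOut -split "`r?`n")[0])
)
$report | Format-List

# Any failed check points at the stage where site discovery breaks.
if (@($report | Where-Object { -not $_.OK }).Count -gt 0) {
    Write-Warning 'At least one DC discovery check failed; see Detail above.'
}
```

A failed "AD site" row corresponds to the `Site Name: N/A` line in the workstation's gpresult output, while the server reports `Default-First-Site-Name`.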
Sue Taylor (ASKER)

Workstation can ping server by name and be returned with the IP address. Yes, there is a startup script added via GPO. Startup.vbs

Set WSHShell = WScript.CreateObject("WScript.Shell")
'To Enable Remote DCOM in the computer
WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM","Y","REG_SZ"
'To Set Authentication Level to Connect
WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel",2,"REG_DWORD"
'To Set Impersonation level to Impersonate
WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel",3,"REG_DWORD"

Have you tried logging in as a regular user and seeing if the GPO rules apply then? Admins do not always have GPO settings applied to them and are not the best users to test with.
Oh and I did restart the computer. See the Computer Properties screen from RSOP.MSC? Not sure how to approach that...
There may be another issue here. Is Active Directory working properly? Are there any directory-based errors in the event log on the DC?
It looks identical when logged in as user.
The only thing I see in Application Event Log that possibly resembles an Active Directory error is this one from yesterday morning.
What about the System Log? Nothing there? There is usually something there for some reason.
It looks like the GPO is properly applying to the SBS box.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>gpresult /r
ERROR: Invalid argument/option - '/r'.
Type "GPRESULT /?" for usage.

C:\Documents and Settings\Administrator>gpresult

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 2/16/2014 at 10:40:51 AM


RSOP data for STEWARTCALHUOUN\Administrator on FS2-SCFH-W03 : Logging Mode
---------------------------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003 for Small Busin
ess Server
OS Configuration:            Primary Domain Controller
OS Version:                  5.2.3790
Terminal Server Mode:        Remote Administration
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=FS2-SCFH-W03,OU=Domain Controllers,DC=STEWARTCALHUOUN,DC=local
    Last time Group Policy was applied: 2/16/2014 at 10:37:05 AM
    Group Policy was applied from:      FS2-SCFH-W03.STEWARTCALHUOUN.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        STEWARTCALHUOUN
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Small Business Server Client Computer
        Small Business Server Remote Assistance Policy
        Default Domain Policy
        Small Business Server Update Services Server Computers Policy
        Small Business Server Update Services Common Settings Policy
        AVG MW Default Group Policy
        Small Business Server Auditing Policy
        Default Domain Controllers Policy
        Small Business Server Lockout Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Domain Password Policy
            Filtering:  Denied (Security)

        Small Business Server Update Services Client Computers Policy
            Filtering:  Denied (Security)

        Small Business Server Folder Redirection
            Filtering:  Not Applied (Empty)

        Small Business Server Windows Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PostSP2

        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        FS2-SCFH-W03$
        Domain Controllers
        Exchange Domain Servers
        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
        Exchange Enterprise Servers


USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=STEWARTCALHUOUN,DC=local
    Last time Group Policy was applied: 2/16/2014 at 10:24:28 AM
    Group Policy was applied from:      FS2-SCFH-W03.STEWARTCALHUOUN.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        STEWARTCALHUOUN
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Small Business Server Folder Redirection
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Accounting Group
            Filtering:  Denied (Security)

        Small Business Server Update Services Client Computers Policy
            Filtering:  Denied (Security)

        Small Business Server Client Computer
            Filtering:  Not Applied (Empty)

        Small Business Server Windows Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PostSP2

        Small Business Server Update Services Server Computers Policy
            Filtering:  Denied (Security)

        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Small Business Server Update Services Common Settings Policy
            Filtering:  Not Applied (Empty)

        AVG MW Default Group Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Group Policy Creator Owners
        Domain Admins
        Enterprise Admins
        SBS Report Users
        Schema Admins
        SBS Mobile Users
        Offer Remote Assistance Helpers

C:\Documents and Settings\Administrator>


However this system also has this error popping up every 30-60 seconds.
I see this in System.
Was there a server replacement made on the network? It seems as if Kerberos on the client is looking for one server and finding another.
Not to my knowledge.
It still seems as if the client is looking for one server and finding another. Have you considered disjoining the client from the domain and rejoining again?
So, according to your GPRESULT report you posted the policy IS applying:

  Applied Group Policy Objects
    -----------------------------
        Small Business Server Folder Redirection
        Default Domain Policy


By the way, I don't know why you posted a screen shot of the AVG Policy... this is NOT your folder redirection policy.

Anyhow... your issue is that you have a Windows 7 machine trying to be controlled by a Server 2003 (which is actually still running in Windows 2000 compatibility).  

You should be able to force the processing of Group Policy by running gpupdate /force on the workstation.  However, make sure you have installed the patch update for SBS 2003 to be able to more easily work with Windows Vista and 7 --

http://www.microsoft.com/en-us/download/details.aspx?id=22252
ASKER CERTIFIED SOLUTION
Sue Taylor
Nobody actually helped me fix it. We're replacing the server.