Clients not Picking up Correct GPO Names

Windows 2003 SP2 DC
Windows Server 2008
Windows Server 2003
Windows 7
Windows 8 Vista

Clients not picking up Correct GPO names and updates

Working with WSUS  setting up new GPO for WSUS

I had one GPO Name WSUS trying to create unique GPO Names for WSUS
During my setup I found that the Default Domain Policy had WSUS settings so I edited the Default Domain Policy and Disabled all the WSUS setting in the Default Domain Policy
And Modified WSUS settings.
Ran gpupdate /force on the DC that runs the PDC
Ran gpupdate /force on all computers

Most got the correct gpo name

I ran RSOP on every computer/server and on the one that are working shows only the WSUS GPO Name
The problem is on some of the servers and computers
When I ran RSOP on them I found That the Default Domain Policy GPO Name and WSUS GPO name were present

Why is this happening?

Once you disable a setting it should not be picked up.

Where is this information kept?
Do I have a caching issue here?

How can I fix this.

Thanks Tom
LVL 23
Thomas GrassiSystems AdministratorAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

you may have inudvertantly made an error in a GPO which will prevent it from replicating, looking at the GPO detail the sysvol and AD value for each portion Computer settings and User settings have to be the same. If it is not the same, there is an error in the portion of the GPO where the sysvol and Ad values are different.

Using GPMC and group policy results wizard, you will be able to see the settings that apply and the winning GPO that sets them.

You might have multiple layered GPos that have the same settings. While you working on one, another is the one actually setting it.
i.e. an admin before you created a GPO not related to WSUS but non the less has WSUS settings within, and also has the setting in default domain. Default domain policy was winning, you made a change and now the other "hidden" GPO is now setting those values. Did you disable the settings, or changed them to notset/undefined.......
Thomas GrassiSystems AdministratorAuthor Commented:

I changed them to not configured should I disable them?
I am trying to run group results wizard but not having good luck with that

Do you have some instructions on how to use it ?


Group Policy Results wizard.
If you are only interested in the application of user settings, during the selection of the computer system, there is an option to disregard the computer selection.
The same applies to the looking at computer settings by disabling the consideration of the user portion.

For the overall
Identify the system you want to test, then you will be allowed to query for the username and the list will only provide info on users who've previously logged into this system.  You can not test a workstation for settings of a user who has never logged into this workstation.

At the conclusion of the wizard, there is a settings tab. this reflects the settings from all Computer GPOs and User GPOs that apply to the computer/user along with the Winning GPO that controls these settings.
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Thomas GrassiSystems AdministratorAuthor Commented:

I got the wizard working thanks

You mentioned I might have a bad GPO and that got me thinking had a six hour drive today and had plenty of time to think this thru

On the Default Domain Policy I had WSUS settings as I mentioned before and one setting was "Enable client-side targeting"  which had "servers;vista;xp;win7;win8"

What I did was blank the Target Group name for this computer filed now it is empty. Then Click Not Configured

In all my research I saw somewhere where this might be a problem

Running RSOP on all machines I just have one now that has setting from the Default Domain Policy which has all the settings as not configured

But because I blanked out the Target Group setting is that the reason I have this issue?



In the mean time I am going to try to add and entry in that field and then disable it see what that does.
Client target should be a single string, not sure whether that entry was being seen as invalid preventing the changes to the GPO from replicating. i.e. ad and sysvol had different numbers.
before you go through again, check whether the GPO sysvol/ad are the same for computer and user settings respectively.
Thomas GrassiSystems AdministratorAuthor Commented:

Good call

I checked the SYSVOL on both DC's and they do not match that is the problem here.
So I then went to look at the event logs and I forgot about these

Event Type:      Warning
Event Source:      NtFrs
Event Category:      None
Event ID:      13508
Date:            3/14/2015
Time:            7:58:17 PM
User:            N/A
Computer:      TGCS011
The File Replication Service is having trouble enabling replication from TGCS012 to TGCS011 for c:\windows\sysvol\domain using the DNS name FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 [1] FRS can not correctly resolve the DNS name from this computer.
 [2] FRS is not running on
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

DC 2   PDC All Roles on this one

Event Type:      Error
Event Source:      NtFrs
Event Category:      None
Event ID:      13568
Date:            3/13/2015
Time:            7:10:21 PM
User:            N/A
Computer:      TGCS012
The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
 Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
 Replica root path is   : "c:\windows\sysvol\domain"
 Replica root volume is : "\\.\C:"
 A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons.
 [1] Volume "\\.\C:" has been formatted.
 [2] The NTFS USN journal on volume "\\.\C:" has been deleted.
 [3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
 [4] File Replication Service was not running on this computer for a long time.
 [5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".
 Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
 [1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
 [2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.
WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.
To change this registry parameter, run regedit.
Click on Start, Run and type regedit.
Click down the key path:
Double click on the value name
   "Enable Journal Wrap Automatic Restore"
and update the value.
If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.

For more information, see Help and Support Center at

I checked the reg entry "Enable Journal Wrap Automatic Restore" it was not present but I added it per instructions as a dword and the value was set to 0 zero

Restarted File Replication Service and the same error appeared again

How do I fix event 13568

If we fix this then the GPO will work correct?

Thanks TOM
You need to set the value to one, restart ntfrs service and change the value back to 0.

Once this is fixed, the correct GPOs will be on this system. then you can see whether they apply as you expect.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Thomas GrassiSystems AdministratorAuthor Commented:

I reset it back to one (1) for now

Hope not to see this again..

Thanks for all your help

the Problem was FRS not working properly

Glad we figure this out together.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.