• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 204
  • Last Modified:

Cleint not receivng new GPO

Windows 2003 SP2 DC x2
Windows 7
AD
GPO

recently had this error  JRNL_WRAP_ERROR on one domain controller on my DC PDC and we resolved that issue
All replication is working in both directions between my two local domain controllers.
No remote computers or servers here all on local lan

After we fixed the above error I created several new GPO's

All are working except for one.

I created GPOS by computer systems ie Windows 7 WSUS , Windows 8 WSUS, Windows Vista WSUS , Member Servers WSUS.
The Windows 7 WSUS is not working,

My computer abc001 is the only one in this gpo for testing

All other GPO's worked

the only setting in this gpo is for Client side targeting for WSUS  same setting as all the other GPO's

I have another GPO named WSUS which has all other WSUS settings defined

That works also

On my Windows 7 computer when I run RSOP I see all the GPO names and WSUS appears but Windows 7 WSUS does not appear.

Checked my event log and do not see any GPO errors just this message

Log Name:      System
 Source:        Microsoft-Windows-GroupPolicy
 Date:          3/15/2015 12:07:13 AM
 Event ID:      1502
 Task Category: None
 Level:         Information
 Keywords:      
 User:          SYSTEM
 Computer:      comp001.mydomain.com
 Description:
 The Group Policy settings for the computer were processed successfully. New settings from 5 Group Policy objects were detected and applied.
 Event Xml:
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
   <System>
     <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
     <EventID>1502</EventID>
     <Version>0</Version>
     <Level>4</Level>
     <Task>0</Task>
     <Opcode>1</Opcode>
     <Keywords>0x8000000000000000</Keywords>
     <TimeCreated SystemTime="2015-03-15T04:07:13.772653000Z" />
     <EventRecordID>1938556</EventRecordID>
     <Correlation ActivityID="{1A842ACD-9CB8-4D99-844F-A19502FD98B3}" />
     <Execution ProcessID="1072" ThreadID="3804" />
     <Channel>System</Channel>
     <Computer>comp001.mydomain.com</Computer>
     <Security UserID="S-1-5-18" />
   </System>
   <EventData>
     <Data Name="SupportInfo1">1</Data>
     <Data Name="SupportInfo2">3439</Data>
     <Data Name="ProcessingMode">0</Data>
     <Data Name="ProcessingTimeInMilliseconds">2371</Data>
     <Data Name="DCName">\\tgcs011.our.network.tgcsnet.com</Data>
     <Data Name="NumberOfGroupPolicyObjects">5</Data>
   </EventData>
 </Event>
0
Thomas Grassi
Asked:
Thomas Grassi
  • 26
  • 24
1 Solution
 
arnoldCommented:
rerun gpmc on with this workstation but without regard to the user settings.

see which policies are being loaded/seen and the DC from which it gets them.

is it in a separate site or part of HQ ?
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
this is all on the same lan network

You mean run GPMC on the server and run a group policy model for this computer and no user settings

Correct?
0
 
arnoldCommented:
Yes, look within AD user and computers to see where this computer is versus the others?
i.e. is it in the computers built-in OU with all other computers or is it in a different ou or in the built--in as the only computer there?
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
Thomas GrassiSystems AdministratorAuthor Commented:
I ran the GPMC for my computer

See attached

The report shows that all  the GPO names are present

But when I run rsop on that same machine it does not show all the GPO names

Not sure why RSOP not showing infor here
checked registry settings still not set either

The report shows the GPO names are enabled for this computer

Thoughts
0
 
arnoldCommented:
Do the settingd you want set reflected in the settings in GPMC?
While the policies are reflected, they might not apply.,
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Yes I need those setting

This is a working computer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    TargetGroupEnabled    REG_DWORD    0x1
    TargetGroup    REG_SZ    Vista
    WUServer    REG_SZ    http://wsus.our.network.tgcsnet.com
    WUStatusServer    REG_SZ    http://wsus.our.network.tgcsnet.com

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU


This is from the Windows 7 computer

reg query HKLM\SOFTWARE\Policies\Microsoft\Windo
ws\WindowsUpdate

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://wsus.our.network.tgcsnet.com
    WUStatusServer    REG_SZ    http://wsus.our.network.tgcsnet.com

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

you can see that
TargetGroupEnabled    REG_DWORD    0x1
    TargetGroup    REG_SZ    Windows 7

Is missing and on the vista computer it is working



the same type of GPO work on every other computer Windows 8 Windows Vista Windows 2008 Windows 2003
Only my windows 7 is not working

Thoughts
0
 
arnoldCommented:
Your multi-homed systems might be the issue. resolve those and see whether that will resolve this.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold

I manually entered

TargetGroup and TargetGroupEnabled  in my Win 7 Registry for now

I can t see home the multi-homed servers have any effect on this

My DC's are single homed

My Windows 7 is single homed


This is very strange

I created another GPO today to see if that would work  No good

NFS is working because both sysvol folders are updating

Another strange thing is the GPMC Report shows all the correct GPO's

Did you get my last post on the Windows 2008 Ping issue?

Thanks
0
 
arnoldCommented:
missing gateway on the 10.1.8.17/22 network adapter 4 versus network adapter 3 10.2.8.17/22 with 10.2.8.1.
DFS has both Ips for the target computer.

Was the 10.1.8..x/22 network a typo?
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold

Do not need gateway on the second nic

My Windows 2003 server with both vlans the second nic does not have a gateway and it works fine
My meraki MX60 SA does all the routing for the vlans


Was the 10.1.8..x/22 network a typo?

yes

10.1.8.x/22 is correct

10.2.8.x/22 is correct
0
 
arnoldCommented:
Try ,owing this system to a different OU, to have its cached GPos cleared. Then try brining it back. Check whether this system is a member of a different group ?
The registry change might be the one preventing the application of the GPO.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold,

Try ,owing this system to a different OU, to have its cached GPos cleared.   ??? please clarify


Check whether this system is a member of a different group ?

You mean my windows 7 in a different group? if so what group you mean?

Thanks
0
 
arnoldCommented:
Does your ad have computer Oys other than the builtin computer?
Look at the properties of the computer within the AD to see which group it is a member of in case of those is denied.
You mentioned that yOU edited registry dealing with wsus update settings to set clienttarget, a GPO often set parameters on not configured or known defaults, a deviation will prevent the GPO from changing the current already customized settings.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold,

I will check that when back on site.

So GPO will not overlay reg settings?

That explains why my NTP GPO is not working

I can remove the settings from the registry as a test t see what happens

Will post results
0
 
arnoldCommented:
It will supersede entries added as part of local GPO. Manual changes to registry will remain byy the way settings from GPO are set.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold

Ok then I will remove them to see what happens.

Leaving to the site in a few be back in a few hours

Thanks for your help
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold,

I found this

http://stackoverflow.com/questions/1162215/gpo-settings-will-they-overwrite-registry-modifications-on-client-machine

Is this true

I would think it would be the purpose of GPO?
0
 
arnoldCommented:
Generally certain registry settings will be changed by gpo certain ones will not. folder redirection without a setting to revert, will not be reapplied when the account is moved to a different ou with a different storage location. meaning if you manually redirect folders to a separate location, a folder redirect policy will not alter the locally configued redirection.
if the gpo does not assert its changes, something is preventing it.
change the gpo to be enforced to see if that makes a difference.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold,

On site now

Does your ad have computer Oys other than the builtin computer?
 Look at the properties of the computer within the AD to see which group it is a member of in case of those is denied.


You meant
Does your ad have computer OU other than the builtin computer?

Correct?

My computer is in the folder Computers only
Is a member of Domain Computers       NTP Time Settings  and Windows 7

The Last two NTP Time Settings and Windows 7 are GPO Names

Compared to my other Windows 8 computer and they are the same  Except Windows 8 has Windows 8 GPO Name


For your last post

The NTP Time Settings must be one that do not because none of they computers got my changes.
Just trying to set
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    Type    REG_SZ    NTP
    NtpServer    REG_SZ    10.2.8.24


To

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    Type    REG_SZ    NTP
    NtpServer    REG_SZ    ntp.our.network.tgcsnet.com



Thoughts
0
 
arnoldCommented:
If all your systems are in the built-in computer OU, the GPOs are then added at the top of the domain?
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold

YEs I believe so.

Take a look at my screen shots

An all of the computers are in the same members of


Remember I have

Security Groups

Member Servers
Windows 7
Windows 8
Windows Vista
builtin-1.png
builtin-dc.png
0
 
arnoldCommented:
What about the GPMC display of how the GPOs are applied?

Security groups are used as security filters, they are not the basis on which GPOs are assigned.

GPOs are assigned to OUs and apply based on the security filter.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold

I ran the Group Policy Modeling Repot on three computers including the one in question here

They all show the correct information all GPO listed under Applied GPO's are correct.

See the attached
TGKW001.htm
TGKW002.htm
TGKW006.htm
0
 
arnoldCommented:
Modeling is used to project what will be set if the assumptions/choices are made,
The group policy results wizard reports the current settings as they apply.

I can not currently view the attached.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold

How about if I run gpresult /h report.html

Will that help us?

The modeling shows what will be done I get that now thanks
0
 
arnoldCommented:
The viewing is related to the system I was using not with your upload.

One thing, IMHO the only thing that should be set in the WSUS GPO is the intranet WSUS server
Everything else should be left to more customizable per ou/OS type, etc.
Client settings should be in the wsus <specific> your wsus 8 sets the mode to download and notify.

In your case, you set everything within the WSUS GPO leaving only the client targeting to the WSUS 8 in one example.Also your WSUS sets the install mode as downaload and install, it might not alert the non-administrative user that updates are available nor am I sure whether the user will be allowed to shutdown the system and have the updates applied at that time.


As to your NTP, usually the only thing that queries "external" NTP servers is the Master AD.  All the other systems synchronize with the DC. (one of your other questions)

WSUS GPO only sets intranet site
WSUS 8 sets client target, install mode (download and install 4) install immediate (I'd recommend the no auto-restart when a logged in user.. prevent the system from restarting after updates are installed in the morning as this can restart while the user is in the middle of an important task.)

Given you are using modeling, it is not including a security filter as configured on your GPO so it is not clear whether those settings could interfere with the application of the GPO.  
rerun the results wizard and see how the settings are applied.

gpresult /Scope Computer /V
Text file upload is fine.  When you upload the HTML it is "transmitted" as text when download/view is unavailable.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold,

Got gpresult /scope computer /v results

1. my computer the problem one missing GPO name Windows 7 WSUS
2. my WinSAT computer has GPO Name Windows Vista WSUS

Tired the command on my Windows 8 computer got Access Denied

Thoughts

Note

I will run this on all others to compare later

None are getting my NTP GPO also


Thoughts?
gpresult.txt
gpresult.txt
0
 
arnoldCommented:
Look at the security filter you use for each GPO, often authenticated_user is used for these types of GPO.
In your case all client shave all GPOs apply windows vista GPO, windows 7 GPO and windows 8 GPO, and you are using the security filtering to differentiate which systems checking using which client target such that each will have two Other gpos as "available" but denied by security filtering.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold

Yes most of the GPO's I looked at use authenticated_user  for the security filter it adds that by default when you create the new gpo.

My security filters only include the security group Windows 7 GPO Vista GPO and Windows 8 GPO

Yes that is how you can differentiate the client target

Yes they showed all the other GPO's as denied.

The problem is that all other computers on the network are working with the correct GPO

Why just my Windows 7 not picking up the Windows 7 GPO is the big question here.

I can not put authenticated user into Windows 7 GPO then every user will get Windows 7


Could it be the added GPO DNS Suffix    that security filter is only by my computer name not a group


Thoughts.


PS the access denied on the Windows 8.1 was I need to run cmd prompt as administrator Don't know whey that is not the default way. but it works now
0
 
arnoldCommented:
Double check to make sure your windows 7 is the member of the computer security group that is used as the security filter in the windows 7 GPO.

Is this a system in a site as branchdc1 see whether it's position on the AD matches the location where it is.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold,

First thanks for the continuous support on this most guys drop off issues I appreciate it.

My Windows 7  TGKW001 is in as a member of the security group Windows 7

Windows 7 is added to the Security Filtering of the scope for Windows 7 WSUS

This is all one Forest One Domain I have two Domain Controllers

This is very strange that my Windows 7 computer is the only one that this GPO does not apply to

Unfortunately I only have one Windows 7 computer to test with here.  Hoping to have another one soon

My Windows 7 Computer has full administrator rights that I know of.

Can not figure this one out I have been researching also no luck.

I least this is a good learning process.

Hope we can figure this out.
0
 
arnoldCommented:
What errors if any are reported in GPMC for the GPO? What if any event logs exist on the client dealing with the application of the GPO?

One option could be to use netdom to rejoin the system into the domain just in case something of this nature is at hand.

Does the windows 7 have registry modification to wsus settings directly rather than using a local policy?

It could be something simple that I have not asked or not asked In a way that would clear things up or point you in the right direction.

GMPC group policy results on this system, what is being reported? Are there any errors indicated?
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold

In GPMC I ran Group Policy result for my computer

It reported this event only

Event ID:      1704 which is a normal process of Group Policy

Then I looked at this

Applied GPOs
Local Group Policy Local AD (1), Sysvol (1)
LogonAsAService our.network.tgcsnet.com AD (2), Sysvol (2)
DNS Suffix our.network.tgcsnet.com AD (3), Sysvol (3)
Default Domain Policy our.network.tgcsnet.com AD (72), Sysvol (72)
WSUS our.network.tgcsnet.com AD (20), Sysvol (20)

Denied GPOs
Name Link Location Reason Denied
{8DFABD80-E9C3-40D6-801C-C2D3771CB6F3} our.network.tgcsnet.com Inaccessible
{2E15508A-6585-401C-985F-AFF3A49DD25F} our.network.tgcsnet.com Inaccessible
{9B5C0FF6-65A7-47B8-AA90-814FB2862854} our.network.tgcsnet.com Inaccessible
{EEA475AB-8ED4-4E77-8B98-A18744F1CAD7} our.network.tgcsnet.com Inaccessible
{A7F93F2A-14C0-4494-9D67-291779C45144} our.network.tgcsnet.com Inaccessible
{DC299B63-10FF-4E0B-A3ED-428A976DD02B} our.network.tgcsnet.com Inaccessible

8D....    is my NTP GPO
EE.... is my Windows 7 GPO

What does inaccessible mean?

Are we getting somewhere now?

Thoughts
0
 
arnoldCommented:
Check whether these two GPOs have different values for AD and sysvol in either the computer settings or the user settings. If there are different values on the same category, that means you have an error in the GPO which prevents its replication into sysvol.

Inaccessible means it might not have replicated and does not exists on the branchdc1\sysvol\yorudomomain\policies
Or actually the security settings prevent access means denied.
Add to the window 7 GPO, the computer account itself in the security filter.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold,

Putting the computer account in the security filter worked

did gpupdate /force on the server and my workstation queried the reg and show the target group win7 was added.

So why does the security group Windows 7 WSUS not work that what we need cause I jut want to add to the security group not update the GPO all the time

All the other security groups work

Well all but Windows 7 WSUS and NTP

Thoughts
0
 
arnoldCommented:
Double check the type of group it is , make sure it is a security group type.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold

Security Group Global

Same as Windows 8 and Windows Vista
0
 
arnoldCommented:
Look on the GPO delegation tab,security tab to see whether the windows 7 group is included there with appropriate rights. Compare is GPO to the windows 8 configuration dealing with access.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold

Looked at both they have the same settings across the board

I was researching this and found this on another posting

"if you are applying to a set of computers, you may need to add them to a group and give this group read and apply, as well as authenticated users."


Also this comment

I have 3 choices for the permissions:
      Read
      Edit Settings
      Edit settings, delete or modify security

What kind of group, Domain Local or Global, then security or distribution?



But that does not explain why my other GPO's are working.

Thoughts
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold,

Thought was researching and came across WMI filtering

select * from Win32_OperatingSystem where (Version like "6.1%" or Version like "6.2%" or Version like "6.3%") and ProductType = "1"

If I use a filter like above then I can use authenticated_users in place of the security group Windows 7
Another task i would not have to do add the new computer to a security group

The above is an example I found

What would you do If I just wanted to select Windows 7  which I believe is "6.1%"  

This is all new territory  for me

Thanks
0
 
arnoldCommented:
There are different ways to managed that.
Not sure why you would want to differentiate in this manner.
Using OUs
Workstations OU Authenticated_users workstations
Workstations TEST OU authenticated_users workstations_test
1 of each type is in this OU windows vista, 7 and windows 8 and windows 8.1)
auto-apporval for the workstation test OU for Critical and security updates. to install to this client target
once updates are auto-approved, two-three weeks later if no issues arise (those system need to be regularly used) a manual auto-approve for the same criteria, or manually going in approving each .....

Since you have the options, only you can decide which meet your needs.
you can do OUs with Security Groups with WMI filters.....

Glad I could help.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold,

Update

For the NTP GPO that was not working I got a lot further along now.

Created a WMI Filter excluded one Server which is the NTP server

Removed the Security Group NTP and added authenticated_users

ran gpudate /force and amazing all the computer and servers now have the NTP GPO
The WMI Filter works also because I checked by running the GRoup Policy Results on GPMC for that server and the NTP GPO was filtered by WMI

All good so far.
 So looks like WMI is the way to go instead of using Security Groups

Going to create more WMI filters to check for the OS version.


The only problem I have with the NTP GPO is the registry setting did not change.

And as I posted earlier that the registry changes will change that is the purpose of GPO

 I ran this  gpresult /scope computer /v

See attached

The NTPSERVER should be ntp.our.netwrok.tgcsnet.com       but it shows all kind of strange numbers.

Thoughts?
gpresult-NTP.txt
0
 
arnoldCommented:
gpresults /V /Scope Computer  does not report human readable values, GPO name, and settings name are human readable.

To get the detail/value in human readable form (HTML), you would need to use the /h which is available starting with windows vista or 7 /windows server 2008

see if w32tm /? is available on these systems to see what these systems reports as to the NTP server to which they will synchronize.
IMHO, THE only server that should reference a dedicated NTP server is the AD/DC Master all others should synchronize to the AD DC.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold,

gpresult /r report.html  showed the correct information   that's great. WMI filter works super.

ran w32tm /query /verbose  should my GPO settings

Then I figured out why I did not see them in the registry.
I was looking in the wrong place.

All my manual entries of NTP was in this path
hklm\system\currentcontrolset\services\w32time\parameters

The GPO uses this path

hklm\software\polices\Microsoft\w32time\parameters


Thoughts
0
 
arnoldCommented:
So you are set?

I have many thoughts, any subject in particular?
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold

I am hoping so.

Just curious about the reg settings

Will the GPO settings override the other settings?
0
 
arnoldCommented:
I believe so.  You can confirm through the eventlog look for w32tm and see which system it synchronizes with.
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold,

We got it

Log Name:      System
Source:        Microsoft-Windows-Time-Service
Date:          3/19/2015 12:40:00 PM
Event ID:      35
Task Category: None
Level:         Information
Keywords:      
User:          LOCAL SERVICE
Computer:      TGKW001.our.network.tgcsnet.com
Description:
The time service is now synchronizing the system time with the time source ntp.our.network.tgcsnet.com,0x1 (ntp.m|0x1|0.0.0.0:123->10.2.8.24:123).


That is from my GPO

We are now done

Now on to more WMI Filters
0
 
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold

This worked

Thanks for all your help

Now off to WMI Filtering.
0
 
arnoldCommented:
:)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 26
  • 24
Tackle projects and never again get stuck behind a technical roadblock.
Join Now