Windows Server 2008 R2 thread in Technical: Group Policy not applying .. well .. actually .. [read on]
#1 soveryapt

    Group Policy not applying .. well .. actually .. [read on]

    Right, ok so an interesting one that I've been trying to troubleshoot.

    We changed school status / class names / staff / pupils over the summer so I took the opportunity to streamline the GPOs on my network as such. I had a lot of legacy things in place still from when I took over the network (and it's 15 min / user setup time! I know .. madness!).

    Anyway, random things are happening. There are a couple of scenarios through the school:

    1. New Member of Staff + Freshly Imaged Machine = everything deploys as it should do
    2. New Member of Staff + Used machine but same image = things mainly deploy as they should do, but every so often they get a random drive crop up
    3. Old Member of Staff + Freshly Imaged or Used Image Machine = sometimes they get the new settings, sometimes they get the old settings
    4. The same set of things can be applied for the new students too


    So, I've tried forcing a GPUpdate on the various machines, to no avail, hence the trying a freshly imaged machine with an old user account, but I can't for the life of me figure out what's going on.

    There used to be a number of Logon / Startup Scripts used, but I've stripped these right back; in fact, pretty much the only script to run now is to check the AV is installed (using a script provided by county technicians) and also check that the registration file is in place for TextEase as it doesn't always deploy correctly. There are then a couple of scripts that run to set Espresso Icons, Internet Icons (following the EU ruling for MS to remove all shortcuts for IE!) and a shortcut to our helpdesk.

    At logoff, the only thing to be run now is a force delete of all mapped drives, hoping that by doing so it would force the system to pick up the new settings.

    The only other thing to run at logon is the PC-Client for PaperCut.

    Now, to check things further I logged onto the servers with my own credentials (which I do normally anyway to avoid using the admin account unless I really need to as I've locked myself down slightly too). This is where it gets a bit more interesting and leads me to a couple of conclusions:

    If I log onto server-001 I get everything as I should get, new drive maps (despite the fact I've logged on previously with old drive maps), shortcuts, printers, etc. This is the server I edited the GPO settings on.

    If I log onto server-002 then I get all the old stuff in terms of drives, and I only get 1 of the shortcuts (Espresso) that was there previously. Printers deploy, but on the old settings.

    Now, this makes me think that somewhere along the lines, my SYSVOL has gone a bit funny, but I'm a bit at a loss on how to reset it sensibly. I've found a couple of howtos on MS technet, but wanted to see if there was something else that could be done or an easier solution instead of going through the whole SYSVOL reset procedure on a live network.

    Many thanks in advance
    Andy

#2 sonofsanta

    Daft question, but... it's not just cached copies of old roaming profiles in Documents & Settings, is it? Would explain why newly imaged machines are fine (no cache) but otherwise identical, just older machines, have problems (old settings cached).

    Might be worth finding a profile that has a problem on a certain machine, clearing both profile and machine down completely, and seeing if the problem persists. Or if that doesn't work, clear someone's profile down, remove any cached copies from a newly imaged machine and get them to log on that one, and see if it rebuilds correctly on that. Worth a punt, anyway!

    Thanks to sonofsanta from: soveryapt (21st September 2011)

#3 soveryapt

    Quote Originally Posted by sonofsanta:
    > Daft question, but... it's not just cached copies of old roaming profiles in Documents & Settings, is it? Would explain why newly imaged machines are fine (no cache) but otherwise identical, just older machines, have problems (old settings cached).
    >
    > Might be worth finding a profile that has a problem on a certain machine, clearing both profile and machine down completely, and seeing if the problem persists. Or if that doesn't work, clear someone's profile down, remove any cached copies from a newly imaged machine and get them to log on that one, and see if it rebuilds correctly on that. Worth a punt, anyway!

    It's quite sporadic unfortunately. As in sometimes they can log onto a machine and it's fine, others it's not.

    I'm just running dcdiag /a /c /q to flag up any errors and it looks like there may be some issues with one of my servers actually, so going to take a look down that route ..

#4 sonofsanta

    Quote Originally Posted by aptproductions:
    > It's quite sporadic unfortunately. As in sometimes they can log onto a machine and it's fine, others it's not.
    >
    > I'm just running dcdiag /a /c /q to flag up any errors and it looks like there may be some issues with one of my servers actually, so going to take a look down that route ..

    Don't forget to take a ball of string with you, so you can find your way back out of the maze in three days' time... good luck!

#5 soveryapt

    DC Diag Reports from Various Servers:

    Server 1

    Code:
    C:\Users\administrator.BROADFIELD>dcdiag /a /c /q
             [BSS-SERVER-002] No security related replication errors were found on
             this DC!  To target the connection to a specific source DC use
             /ReplSource:.
             The event log File Replication Service on server
             BSS-SERVER-002.Broadfield.School could not be queried, error 0x6ba
             "The RPC server is unavailable."
             ......................... BSS-SERVER-002 failed test FrsEvent
             The event log Directory Service on server
             BSS-SERVER-002.Broadfield.School could not be queried, error 0x6ba
             "The RPC server is unavailable."
             ......................... BSS-SERVER-002 failed test KccEvent
             ** Did not run Outbound Secure Channels test because /testdomain: was
             not entered
             The event log System on server BSS-SERVER-002.Broadfield.School could
             not be queried, error 0x6ba "The RPC server is unavailable."
             ......................... BSS-SERVER-002 failed test SystemLog
             LDAP Error 0x5e (94) - No result present in message.
             ......................... BSS-SERVER-002 failed test
             VerifyEnterpriseReferences
             [BSS-SERVER-001] No security related replication errors were found on
             this DC!  To target the connection to a specific source DC use
             /ReplSource:.
             ** Did not run Outbound Secure Channels test because /testdomain: was
             not entered
             LDAP Error 0x5e (94) - No result present in message.
             ......................... BSS-SERVER-001 failed test
             VerifyEnterpriseReferences
                      Invalid service type: DNS on BSS-SERVER-002, current value
                      WIN32_OWN_PROCESS, expected value WIN32_OWN_PROCESS
             Test results for domain controllers:

                DC: BSS-SERVER-001.Broadfield.School
                Domain: Broadfield.School

                   TEST: Forwarders/Root hints (Forw)
                      Error: All forwarders in the forwarder list are invalid.

                DC: BSS-SERVER-002.Broadfield.School
                Domain: Broadfield.School

                   TEST: Basic (Basc)
                      Error: DNS service is not running

                   TEST: Forwarders/Root hints (Forw)
                      Error: All forwarders in the forwarder list are invalid.
                      Error: Both root hints and forwarders are not configured or
                      broken. Please make sure at least one of them works.

             Summary of DNS test results:

                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: Broadfield.School
                   BSS-SERVER-001               PASS WARN FAIL PASS WARN PASS n/a
                   BSS-SERVER-002               PASS FAIL FAIL PASS WARN PASS n/a

             ......................... Broadfield.School failed test DNS

    Server 2

    Code:
    C:\Users\Administrator.BROADFIELD>dcdiag /a /c /q
             [BSS-SERVER-002] No security related replication errors were found on
             this DC!  To target the connection to a specific source DC use
             /ReplSource:.
             ** Did not run Outbound Secure Channels test because /testdomain: was
             not entered
             LDAP Error 0x5e (94) - No result present in message.
             ......................... BSS-SERVER-002 failed test
             VerifyEnterpriseReferences
             [BSS-SERVER-001] No security related replication errors were found on
             this DC!  To target the connection to a specific source DC use
             /ReplSource:.
             The event log File Replication Service on server
             BSS-SERVER-001.Broadfield.School could not be queried, error 0x6ba
             "The RPC server is unavailable."
             ......................... BSS-SERVER-001 failed test FrsEvent
             The event log Directory Service on server
             BSS-SERVER-001.Broadfield.School could not be queried, error 0x6ba
             "The RPC server is unavailable."
             ......................... BSS-SERVER-001 failed test KccEvent
             ** Did not run Outbound Secure Channels test because /testdomain: was
             not entered
             The event log System on server BSS-SERVER-001.Broadfield.School could
             not be queried, error 0x6ba "The RPC server is unavailable."
             ......................... BSS-SERVER-001 failed test SystemLog
             LDAP Error 0x5e (94) - No result present in message.
             ......................... BSS-SERVER-001 failed test
             VerifyEnterpriseReferences
                      Invalid service type: DNS on BSS-SERVER-002, current value
                      WIN32_OWN_PROCESS, expected value WIN32_OWN_PROCESS
             Test results for domain controllers:

                DC: BSS-SERVER-002.Broadfield.School
                Domain: Broadfield.School

                   TEST: Basic (Basc)
                      Error: DNS service is not running

                   TEST: Forwarders/Root hints (Forw)
                      Error: All forwarders in the forwarder list are invalid.
                      Error: Both root hints and forwarders are not configured or
                      broken. Please make sure at least one of them works.

                DC: BSS-SERVER-001.Broadfield.School
                Domain: Broadfield.School

                   TEST: Forwarders/Root hints (Forw)
                      Error: All forwarders in the forwarder list are invalid.

             Summary of DNS test results:

                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: Broadfield.School
                   BSS-SERVER-002               PASS FAIL FAIL PASS WARN PASS n/a
                   BSS-SERVER-001               PASS WARN FAIL PASS WARN PASS n/a

             ......................... Broadfield.School failed test DNS

    In case it helps anyone with suggestions ..
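The dcdiag output above shows two things worth checking directly: the DNS service is not running on BSS-SERVER-002, and each DC reports "The RPC server is unavailable" when it tries to read the other's event logs. The original post also suspects that SYSVOL differs between the two DCs, which would explain why the same user gets new settings from server-001 and old settings from server-002. The script below is an added example, not code from the thread: it asks each DC for its DNS service state over RPC, then compares the version stamp in every GPO's gpt.ini as held in each DC's SYSVOL share. The DC names and domain are placeholders copied from the dcdiag output; it assumes a domain-joined admin session with SMB and RPC access to both DCs.

```powershell
# Added example, not code from the thread: for each DC, confirm the DNS service
# is running, then compare every GPO's version number across each DC's SYSVOL copy.
# The DC names and domain are placeholders taken from the dcdiag output above;
# run from a domain-joined admin session with RPC/SMB access to both DCs.
$domain = 'Broadfield.School'
$dcs    = 'BSS-SERVER-001', 'BSS-SERVER-002'

function Get-GptVersion {
    param([string]$GptIniPath)
    # gpt.ini holds "[General]" then "Version=N"; N packs the user version in
    # the high 16 bits and the computer version in the low 16 bits.
    $line = Get-Content -Path $GptIniPath | Where-Object { $_ -match '^\s*Version\s*=' }
    if ($line) { return [int](($line -split '=', 2)[1].Trim()) }
    return $null
}

# 1. Service state over RPC. A failure here matches the "RPC server is
#    unavailable" lines in dcdiag and points at RPC/firewall, not at policy.
foreach ($dc in $dcs) {
    try {
        $svc = Get-Service -ComputerName $dc -Name DNS -ErrorAction Stop
        "{0}: DNS service is {1}" -f $dc, $svc.Status
    } catch {
        "{0}: could not query DNS service ({1})" -f $dc, $_.Exception.Message
    }
}

# 2. SYSVOL consistency. A GPO whose gpt.ini version differs between DCs is
#    one that clients receive differently depending on which DC they hit.
$policiesRoot = "\\$($dcs[0])\SYSVOL\$domain\Policies"
$gpoDirs = Get-ChildItem -Path $policiesRoot |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }

foreach ($gpoDir in $gpoDirs) {
    $versions = @{}
    foreach ($dc in $dcs) {
        $ini = "\\$dc\SYSVOL\$domain\Policies\$($gpoDir.Name)\gpt.ini"
        if (Test-Path -Path $ini) { $versions[$dc] = Get-GptVersion -GptIniPath $ini }
        else                      { $versions[$dc] = 'missing' }
    }
    $distinct = @($versions.Values | Select-Object -Unique)
    $state  = if ($distinct.Count -gt 1) { 'MISMATCH' } else { 'ok' }
    $detail = ($versions.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '  '
    "{0}  {1,-8} {2}" -f $gpoDir.Name, $state, $detail
}
```

Both DCs fail the forwarders test in the output above and server-002 has no DNS service running, so DNS is the first thing to repair; a version mismatch that is still present once both DCs resolve cleanly is the point at which a SYSVOL replication problem becomes the likely cause.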

#6 soveryapt

    Quote Originally Posted by sonofsanta:
    > Don't forget to take a ball of string with you, so you can find your way back out of the maze in three days' time... good luck!

    lol .. indeed!!

#7 jinnantonnixx

    I'm in a casserole of nonsense with some GPO problems of my own....

    I've got some utterly ridiculous things going on here...


    But....

    Have you tried running a GPO simulation to see what should be happening?

    As part of my world of hurt here, I found that switches with spanning tree frequently cause problems with GPOs, scripts and such.
    Try switching off spanning tree (if your switch doesn't use redundant uplinks), or disable it for client ports (enable PORTFAST)

    Just Google GPO spanning tree.

    Thanks to jinnantonnixx from: soveryapt (21st September 2011)

#8 soveryapt

    Quote Originally Posted by jinnantonnixx:
    > I'm in a casserole of nonsense with some GPO problems of my own....
    >
    > I've got some things which simply don't make sense...
    >
    > Have you tried running a GPO simulation to see what should be happening?
    >
    > As part of my world of hurt here, I found that switches with spanning tree frequently cause problems with GPOs, scripts and such.
    > Try switching off spanning tree (if your switch doesn't use redundant uplinks), or disable it for client ports (enable PORTFAST)
    >
    > Just Google GPO spanning tree.

    I will take a look at that. Thanks

#9 jinnantonnixx

    My simulation for a user on a machine says everything should be wonderful, but the whole bank of machines simply isn't doing what it should be..... it's utterly infuriating....

    If I fix it, I'll post the solution, even if it's a different problem....

#10 sonofsanta

    It's worth bearing in mind that GPOs can just be retarded sometimes. I had one problem once with IE Security Zones where the solution was already implemented in the Basic User Config GPO, but wasn't applying; adding it in to the separate Staff and Student configs one node down fixed the problem. Never did work out why the domain stopped listening to that first GPO...

    @apt - the DNS entries look suspect... I'd run the command myself to check but my DC is running through adprep at the moment, so I don't want to do anything to upset it...!

#11 jinnantonnixx

    Ah, mixing IE settings in different GPOs is widely known to end in cataclysms. I've seen that a few times.

#12 jinnantonnixx

    By the way, you have synchronous enabled & asynchronous disabled on the machine-side policy processing GPO?

    Don't forget this little beauty:

    Computer Settings
    Administrative Templates
    System
    Logon
    Always wait for the network at computer startup and logon - Enabled

#13 sonofsanta

    Quote Originally Posted by jinnantonnixx:
    > By the way, you have synchronous enabled & asynchronous disabled on the machine-side policy processing GPO?
    >
    > Don't forget this little beauty:
    >
    > Computer Settings
    > Administrative Templates
    > System
    > Logon
    > Always wait for the network at computer startup and logon - Enabled

    On a similar note, the following reg key imported helps if you're getting Event ID 1054 in your logs, and possibly also 5719
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "DisableDHCPMediaSense"=dword:00000001
    Try updating your network drivers as well as sometimes outdated drivers stop some of our PCs from correctly picking up GPOs (which normally shows as Event ID 5719).
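Posts #12 and #13 together describe three client-side things to look at: whether "Always wait for the network at computer startup and logon" is enabled, whether the DisableDHCPMediaSense value from the registry import above is present, and whether Event IDs 1054 and 5719 are appearing in the System log. The script below is an added example, not code from either poster; it reads those two values on a workstation and counts the two events over a recent window. The Winlogon registry location is the documented one for that policy setting; the seven-day window is an arbitrary choice.

```powershell
# Added example, not code from the thread: check the client-side settings the
# posts above mention and count the related events in the System log.
# The registry paths are the documented locations; $days is an arbitrary window.
$days = 7

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

# "Always wait for the network at computer startup and logon" (Enabled)
# writes SyncForegroundPolicy=1 under the Winlogon policy key.
$sync = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' 'SyncForegroundPolicy'

# The registry import in the post above sets this value.
$mediaSense = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 'DisableDHCPMediaSense'

"SyncForegroundPolicy  : {0}" -f $(if ($sync -eq 1) { 'Enabled' } else { 'not set / disabled' })
"DisableDHCPMediaSense : {0}" -f $(if ($mediaSense -eq 1) { 'set' } else { 'not set' })

# 1054 (Group Policy could not obtain a domain controller name) and 5719
# (NETLOGON could not reach a DC) are both logged to the System log.
$events = Get-EventLog -LogName System -After (Get-Date).AddDays(-$days) |
    Where-Object { @(1054, 5719) -contains $_.EventID }

$events | Group-Object -Property EventID | ForEach-Object {
    "Event {0}: {1} occurrence(s) in the last {2} days" -f $_.Name, $_.Count, $days
}

# Show the earliest few with their source text, which usually names the
# interface or DC involved.
$events | Sort-Object -Property TimeGenerated |
    Select-Object -First 5 -Property TimeGenerated, EventID, Source, Message |
    Format-Table -AutoSize -Wrap
```

Run it on a machine that has shown the problem and on one that has not; a 1054 or 5719 burst that lines up with boot time on the problem machines, with SyncForegroundPolicy unset, is the pattern the two posts describe.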

#14 jinnantonnixx

    aha!
    This might be worth trying - it's shown something odd on my system.

    Run GPO simulation against a real user and a real machine (not just the OU/container), and go through the items in the 'settings' tab.

    I've seen a clash of policies; the 'winning policy' is not the one I expected to see setting the logon scripts which are causing the problems.

    I've got a mixed XP and 7 system, I think I'll put a WMI filter on my XP policies to make sure they don't shoulder my 7 policies out of the room.


    Edit: Discovered the WMI filter is already in place ('Pre-vista'). However, the policy is winning over my 7 policy (with a Windows 7 WMI filter). This shouldn't be happening! Aaargh!
    Last edited by jinnantonnixx; 21st September 2011 at 11:28 AM.
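The suggestion in #7 and #14 is to run the simulation against a real user on a real machine, and #14 then finds a 'Pre-vista' WMI-filtered policy winning over a Windows 7 one. The script below is an added example, not the poster's code: it evaluates two constructed WQL filters of that kind against a named client the same way a client evaluates a GPO's WMI filter (the query matches when it returns at least one instance), and then produces a logging-mode RSoP report for a real user/computer pair. The filter queries, the client name and the user name are all placeholders; the real filters in GPMC may use different WQL.

```powershell
# Added example, not code from the thread: test OS-version WMI filters against a
# real client, then build an RSoP report for a real user on that machine.
# The two WQL queries are constructed stand-ins for the 'Pre-vista' and
# 'Windows 7' filters mentioned above; CLIENT-PC and the user are placeholders.
Import-Module GroupPolicy

$client = 'CLIENT-PC'
$user   = 'BROADFIELD\jbloggs'

$filters = @{
    'Pre-vista (constructed)' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.%"'
    'Windows 7 (constructed)' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = 1'
}

function Test-WmiFilter {
    param([string]$Query, [string]$ComputerName = '.')
    # A GPO WMI filter "applies" when its query returns at least one instance;
    # an error (bad query, unreachable host) counts as no match.
    $hits = @(Get-WmiObject -Query $Query -ComputerName $ComputerName -ErrorAction SilentlyContinue)
    return $hits.Count -gt 0
}

foreach ($name in $filters.Keys) {
    "{0,-26} matches on {1}: {2}" -f $name, $client, (Test-WmiFilter -Query $filters[$name] -ComputerName $client)
}

# Logging-mode RSoP: what actually applied to this user on this machine, as
# opposed to modeling against an OU. The report's settings section shows
# the winning GPO for each setting, including logon scripts.
$report = Join-Path $env:TEMP ("rsop-{0}.html" -f $client)
Get-GPResultantSetOfPolicy -ReportType Html -Path $report -User $user -Computer $client
"RSoP report written to $report"
```

If both filters report a match for the same client, the policies are not being separated by OS at all and link order alone decides the winner, which is the situation #14 is describing; if only the expected one matches, the filter is fine and the winning policy in the report is where to look next.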

#15 soveryapt

    Quote Originally Posted by jinnantonnixx:
    > My simulation for a user on a machine says everything should be wonderful, but the whole bank of machines simply isn't doing what it should be..... it's utterly infuriating....
    >
    > If I fix it, I'll post the solution, even if it's a different problem....

    I know, I can run various simulations and get a different response each time, even if it's the same one.

    I have a horrible feeling that my SYSVOL has gone a bit iffy and that instead of sharing out on DFS correctly, the computers are picking and choosing the logins.

    In response to SOS: I've just tried deleting profiles on problematic machines and then getting the member of staff to log back on again. The drives and stuff deployed perfectly, however .. once everything had loaded, Windows (7 Pro 32-bit) decided that actually they only had a temporary logon .. however, a reboot of the machine and va va voom, all back and working properly.

    So, I'm going to attempt deleting all the profiles from the network other than the public one, so if anyone has a script that would do this .. lol ..
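The poster asks for a script that clears all cached profiles from a machine apart from the public one, and earlier in the same post describes the temporary-profile logon that followed a manual profile deletion. The script below is an added example, not from anyone in the thread: it removes local profiles through the Win32_UserProfile WMI class (present on Windows Vista/7 and later), which deletes both the profile folder and its ProfileList registry entry. It skips profiles flagged Special (the system accounts) and any profile that is currently loaded; the Public and Default folders are not Win32_UserProfile instances and are untouched. The computer name is a parameter and -WhatIf only lists what would be removed.

```powershell
# Added example, not code from the thread: remove cached local profiles from a
# workstation, keeping the system accounts (Special) and any loaded profile.
# Uses the Win32_UserProfile class (Vista/Windows 7 and later); the Public and
# Default folders are not profile instances and are left alone.
# Usage: .\Clear-CachedProfiles.ps1 -ComputerName PC-01 -WhatIf   (list only)
param(
    [string]$ComputerName = '.',
    [switch]$WhatIf
)

function Get-RemovableProfiles {
    param([string]$ComputerName)
    Get-WmiObject -Class Win32_UserProfile -ComputerName $ComputerName |
        Where-Object { -not $_.Special -and -not $_.Loaded }
}

function Resolve-ProfileSid {
    param([string]$Sid)
    # Resolve the SID to DOMAIN\user for the log line; fall back to the raw
    # SID for accounts the domain no longer knows about (deleted users).
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid
    }
}

foreach ($p in Get-RemovableProfiles -ComputerName $ComputerName) {
    $who = Resolve-ProfileSid -Sid $p.SID
    if ($WhatIf) {
        "Would remove {0} ({1})" -f $p.LocalPath, $who
    } else {
        # Delete() removes the folder and the ProfileList registry entry together.
        # Deleting only C:\Users\<name> leaves the registry entry behind, which is
        # what produces a temporary profile at the next logon.
        $p.Delete()
        "Removed {0} ({1})" -f $p.LocalPath, $who
    }
}
```

Run it with -WhatIf first against one machine, and note that a profile in use at the time is skipped rather than half-removed, so the pass has to happen while users are logged off.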
