That and check that your DNS infrastructure is working properly. Most GP issues are usually down to DNS being screwed somewhere along the line.
Try running DCdiag on your DC and check that there are no errors relating to DNS registration. It won't hurt to run ipconfig /registerdns anyway even if it does check out OK.
Check that DHCP is handing out the correct DNS information (if you are using it...). Then check that your clients can correctly resolve the DC's A name and the SRV records that it will have registered.
You could try working your way through Troubleshooting Group Policy Using Event Logs to see if any errors are reported.
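The DNS checks suggested at the top of the thread (which DNS servers the client uses, the DC's SRV records, and the A records those point to), as an added PowerShell example that is not part of any post. It assumes Windows 8 / Server 2012 or later for `Resolve-DnsName` and `Get-DnsClientServerAddress`; `corp.example.com` and the function name `Test-DcDnsRecords` are placeholders.

```powershell
# Added example. 'corp.example.com' is a placeholder; pass your own AD DNS domain.
function Test-DcDnsRecords {
    param([Parameter(Mandatory)][string]$Domain)

    # DNS servers this client is actually using (handed out by DHCP or set statically).
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } | Select-Object -Unique
    Write-Host "Client DNS servers: $($servers -join ', ')"

    # SRV records a domain controller registers so that clients can locate it.
    $srvNames = "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.$Domain"

    foreach ($name in $srvNames) {
        try {
            # Keep answer-section SRV data only; the additional section carries A records.
            $srv = @(Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Section -eq 'Answer' -and $_.NameTarget })
        } catch {
            [pscustomobject]@{
                Record = $name; Target = $null; Port = $null; Addresses = $null
                Status = "SRV lookup failed: $($_.Exception.Message)"
            }
            continue
        }
        if ($srv.Count -eq 0) {
            [pscustomobject]@{
                Record = $name; Target = $null; Port = $null; Addresses = $null
                Status = 'No SRV records in answer'
            }
        }
        foreach ($rec in $srv) {
            # Each SRV target must itself resolve to an A record.
            $ips = @(Resolve-DnsName -Name $rec.NameTarget -Type A -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
            [pscustomobject]@{
                Record = $name; Target = $rec.NameTarget; Port = $rec.Port
                Addresses = $ips -join ', '
                Status = if ($ips.Count) { 'OK' } else { 'Target has no A record' }
            }
        }
    }
}

Test-DcDnsRecords -Domain 'corp.example.com' | Format-Table -AutoSize
```

Run it on an affected client rather than on the DC, so the lookups go through the DNS servers that client was actually given.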
DCdiag returned all results as passed. Did the ipconfig /registerdns as well. Rebooted clients and still nothing. Will try the troubleshooting guide posted by teejay next.
Originally Posted by DrCheese
After checking through the Event Viewer there were only two events that seem odd:
Event ID 5314: A fast link was detected. The Estimated bandwidth is 0 kbps. The slow link threshold is 500 kbps.
Event ID 5327: Estimated network bandwidth on one of the connections: 0 kbps.
OK, try making a change to a group policy that will require a client reboot, such as assigning a piece of software to install. On the client, from the command prompt console, do a gpupdate /force. If it says something along the lines of needing to reboot for software installation, then the machine is reading the group policy.
Also, have you done the following on a client:
In order to troubleshoot Group Policy more effectively you can enable verbose logging.
Enable Logging to Userenv.log:
Registry Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: UserenvDebugLevel = REG_DWORD 0x10002
A full log of GPO activities will then be created in %systemroot%\Debug\UserMode\Userenv.log
Set this key to start verbose logging to the Application Event Log:
Set: RunDiagnosticLoggingGroupPolicy = REG_DWORD 1
A more comprehensive log of Group Policy will be made to the Event Log.
More help can be found on GPO troubleshooting on the following link:
Have you tried rebuilding/placing a new client onto the network that didn't exist before?
Yes, actually noticed it after joining a brand new laptop into the domain. Also created a bare-metal VM and installed Win7 and Server 2003 R2 (added Client Extensions too) to try.
Originally Posted by p858snake
So I have made some progress today. I deleted every GPO that I created on the old server. Then I reset the Default Domain Policy and Default Domain Controller Policy back to their defaults by running dcgpofix /target:both. Be sure to back up the GPOs first. From there I recreated my custom GPOs and they seem to be working, except one. I am trying to map a drive when I am logged in as the Domain Administrator. I have created the item-level targeting to only apply when the SID matches DOMAIN\Administrator but it doesn't seem to map the drive.
That's great news :-)
Originally Posted by bmittleider
Is UAC enabled on the PC, as this can cause problems when Domain Admins log in with mapped drives? Try it as a normal user, or disable UAC.
I have created an account and added it to the Domain Admins group. This user successfully maps to the drive. However the built-in Administrator account cannot map the drive. Have tested on Windows 7, Server 2008 R2 and Server 2003 R2. If the user that has been added to Domain Admins logs into any of those OS it works as expected. Didn't have that problem with Server 2008. Could it be a new security option in the schema?
Edit: As far as UAC, Server 2003 doesn't have that so on that computer it wouldn't be an issue.
Hmm.. in the targeting are you picking the "Administrator" with the native user browser/picker thingy ("from this location" = your *domain*) as opposed to just typing it in the box? Did you select match by SID?
Yes, I was matching by SID and it still doesn't work. Not sure what is happening but now it's less of a problem since the rest of the GPOs are functioning. I will continue to troubleshoot but not as a high priority.
Thanks to everyone who posted suggestions. Hope someone can have an easier time fixing it than I did.
Had the same issue and found that, for me at least, the issue was a race condition thanks to the LAN NICs getting a bit overzealous.
Running this on each problem machine then forcing the gpupdate again solved it.
Windows Registry Editor Version 5.00