+ Post New Thread
Results 1 to 9 of 9
Windows Thread, Random GPO issue in Technical; I have just noticed that I am having a random GPO problem. It seems that sometimes the GPO is not ...
  1. #1
    edie209's Avatar
    Join Date
    Mar 2006
    Location
    Kernow
    Posts
    671
    Thank Post
    41
    Thanked 17 Times in 16 Posts
    Rep Power
    22

    Random GPO issue

    I have just noticed that I am having a random GPO problem. It seems that sometimes the GPO is not applying allowing the user full access to the pc they are logged on to. But if they log off and log on again it can apply the GPO as it should do.

    I have two domain controllers one has two errors in event viewer
    Event ID 13 and Edvent ID 2089 (warning)

    On the second domain controllerI have 3 errors Event ID 1030, 1058 and 2089. I had these errors back around March time and cured them but there must be another reason for them to come back.

    This second DC hosts Exchange. I have thought about demoting the exchange server, but I understand that this will break exchange.

    Have you any ideas on why the GPOs are appling randomly

  2. #2

    Join Date
    Jul 2007
    Location
    Devon
    Posts
    233
    Thank Post
    8
    Thanked 9 Times in 8 Posts
    Rep Power
    16

    Re: Random GPO issue

    Do you allow the computer to carry on being usable?

    I acn't remeber the name of the policy oject, but there's one which lets you logon before security settings have taken effect - allowing people access to stuff that GPO's disallow... but this gets removed when the object applies in the background...

    I thought you were supposed to run Exchange & DC's on seperate machines... but maybe it's me..

    Does the Microsoft Help and Support section give any more info on those errors... they usually solve it for me... not that I ever check server event logs.................


    EDIT: Have you checked the computer that is effected for any GPO Timeouts? or if it says a policy is corrupt? if a policy is corrupt, it'll abort the rest of it... leaving the user unrestricted...

  3. #3

    witch's Avatar
    Join Date
    Nov 2005
    Location
    Dorset
    Posts
    11,283
    Thank Post
    1,379
    Thanked 2,381 Times in 1,676 Posts
    Rep Power
    704

    Re: Random GPO issue

    If you find out, let me know as 3 of mine did just that last week - only one error though

  4. #4
    timbo343's Avatar
    Join Date
    Dec 2005
    Location
    Leeds/York area, North Yorkshire
    Posts
    3,017
    Thank Post
    304
    Thanked 288 Times in 200 Posts
    Rep Power
    120

    Re: Random GPO issue

    i could be that your dcs arent synchronising correctly. MS have a piece of software called ultrasound, and it checks that the sysvol is been applied to all DCs.

  5. #5


    Join Date
    Oct 2006
    Posts
    3,411
    Thank Post
    184
    Thanked 356 Times in 285 Posts
    Rep Power
    149

    Re: Random GPO issue

    Quote Originally Posted by Lithium
    ?

    I acn't remeber the name of the policy oject, but there's one which lets you logon before security settings have taken effect

    Dont know where it is exactly but its something like;

    "Wait for network before logon" or maybe "Allow syncronase logon"


    You ran dcdiag?

    Id start with your DNS records. Go through looking for any old/incorrect entries and get rid.

  6. #6

    maniac's Avatar
    Join Date
    Feb 2007
    Location
    Kent
    Posts
    3,055
    Thank Post
    209
    Thanked 429 Times in 309 Posts
    Rep Power
    144

    Re: Random GPO issue

    There is a policy called 'always wait for network' somewhere in computer settings which ensures all group policys are applied before the user shell is loaded. Makes a slower login, but 100% reliable.

    Mike.

  7. #7
    edie209's Avatar
    Join Date
    Mar 2006
    Location
    Kernow
    Posts
    671
    Thank Post
    41
    Thanked 17 Times in 16 Posts
    Rep Power
    22

    Re: Random GPO issue

    Ok thanks guys I think the policy always wait for network needs to be the first thing I look at then I think I will try those MS tools that timbo mentions.

    But any other views are most welcome

  8. #8
    edie209's Avatar
    Join Date
    Mar 2006
    Location
    Kernow
    Posts
    671
    Thank Post
    41
    Thanked 17 Times in 16 Posts
    Rep Power
    22

    Re: Random GPO issue

    After spending the morning looking into this error I have I think found the problem.

    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1058
    Date: 11/09/2007
    Time: 17:47:00
    User: NT AUTHORITY\SYSTEM
    Computer: I13-01
    Description:
    Windows cannot access the file gpt.ini for GPO cn={7AFFBCDB-7598-40C9-B18D-82D173A27C39},cn=policies,cn=system,DC=school,DC=l ea,DC=sch,DC=uk. The file must be present at the location <\\school.lea.sch.uk\SysVol\school.lea.sch.uk\Poli cies\{7AFFBCDB-7598-40C9-B18D-82D173A27C39}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.
    Edit update on looking at the above location I have 2 unknown accounts in security could someone have a look at the security of their policies folder and post it here I am wondering if it is a security issue

    Edit 2 I have spoke to someone at another school and compared the settings I have also removed the 2 unknown accounts and it seems like all is working fine, the afternoon will tell.

  9. #9
    edie209's Avatar
    Join Date
    Mar 2006
    Location
    Kernow
    Posts
    671
    Thank Post
    41
    Thanked 17 Times in 16 Posts
    Rep Power
    22

    Re: Random GPO issue

    I think I have finally sorted it out, after loads of surfing the net I finally found a reference to the same problem as I was having.

    Two things (I think) caused this

    Problem one was DFS had stopped on domain controller 2

    Problem two was in sysvol I found two extra folders called "scripts_NTFRS_02208728" and "policies_NTFRS_020557a8" on DC2 and on DC1 one extra folder called "NTFRS_PreExisting_See_EventLog"

    I removed these directories (kept them safe just in case) and then forced replication, so far it seems that all the policy issues have gone.

    As for Event ID 13 thats is to do with certificate services

SHARE:
+ Post New Thread

Similar Threads

  1. Logon issue and Printers issue
    By mrbios in forum Windows
    Replies: 2
    Last Post: 17th December 2007, 12:40 PM
  2. random ping responses.
    By ranj in forum Wireless Networks
    Replies: 11
    Last Post: 13th March 2007, 04:17 PM
  3. Software Installation Policies - random issue
    By CM786 in forum Wireless Networks
    Replies: 4
    Last Post: 2nd October 2006, 02:12 PM
  4. Random RSS Feed
    By russdev in forum Comments and Suggestions
    Replies: 4
    Last Post: 21st March 2006, 10:22 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •