Computers not picking up the group policies

[FN-GM]

Hi

I am experiencing a few problems. Computers refuse to pickup there group policies. This has only just started happening. I haven’t changed any settings. Yesterday I added a computer to the domain and it wouldn’t get the policies and I have the same this morning. Yesterday I managed to get it to pick them up but only by doing gpupdate /force after 12 times.

User policies load fine.

Any thoughts please?

[SYNACK]

Could be the network cards or the switch. Some network cards, usually older or dodgey ones don't become ready and IP connected until after windows attempts to do machine policy stuff. This can also happen if you have a switch that is configured to use spanning tree protocol, this prevents bridging loops by keeping the port closed off for around 30-50 seconds till it is sure that it is not a loop.

For the dodgey network cards you can disable media sense http://support.microsoft.com/kb/239924/ which will make Windows wait for ip connectivity before proceeding. As to the switch you can configure it to use portfast but it depends on the model of switch as to how you need to configure it.

[FN-GM]

The switch is only a basic netgear one, both machines i have tried re-adding to the domain are less than a year old. Could it be a problem with the Nic in the server?

[SYNACK]

Not likely to be the server adapter as this is already on, if you can ping it from the stations then that should not be the problem. I would try the media sense thing as XP also has the same delayed connection issues with some gigabit adapters.

After you have applied the little registry fix then do a gpupdate /force and it should apply the settings first time.

[meastaugh1]

Any errors in the client event log?

Sometimes I get 1202 errors on newly added computers which results in policies being partially applied. This usually fixes it:
esentutl /p "%Windir%\security\Database\Secedit.sdb"

[bizzel]

Did you clear out DNS like you planned in the other thread?

[FN-GM]

No clearing the DNS was for work. That went good and everything seems fine.

This is my home test setup.

Cheers

Z

[Iain]

Have you tried switching userenv logging to verbose to see if you can get any more clues?

Also try increasing the amount of time the OS waits for the NIC to start, see KB840669. This solved a similar problem I was having with some slow NICs in some older laptops.

Hope that is of some help,

Iain.

[FN-GM]

Hi i re-installed XP on the machine (it needed one) and re-added it to the domain and it was fine.

[Michael]

Out of curiosity, did you create the computer object account in Active Directory (within the relevant OU), then add the computer to the domain, or did you simply add the computer to the domain?

The reason I ask, is because by default computers are placed in the Computers folder. Policies cannot be applied when the computer object is here. It must be moved to any OU you have created.

It could also be possible that the computer account became corrupt, so you can use the 'reset' option in AD to re-add the computer to your domain. You don't necessarily have to format, although of course formatting is as good as new

[FN-GM]

One computer was replacing an existing account. The other i added it then dragged the computer in the correct ou, rebooted did gpupdate /force and rebooted again and had no joy.

Z

[Michael]

Generally speaking, if you're adding a new computer which has the same computer name, you should delete the existing computer object account in AD (where ever it is located).

Then of course adding the new computer will generate a new computer object account and you just move it to the relevant OU.

How are you structuring your OUs? I generally create an OU called "Curriculum" for example, then create sub OUs whereby I move computer objects. Editing policies on the Curriculum OU (User or Computer) should then filter down to sub OUs, unless you block policy inheritance of course

[FN-GM]

Computers then either Laptops or Desktops.

Thanks

[Lithium]

One computer was replacing an existing account. The other i added it then dragged the computer in the correct ou, rebooted did gpupdate /force and rebooted again and had no joy.

Z

According to one or two Microsoft KB Articles, Moving a computer in Active Directory while it is turned on can break various trust links between it and the directory - causing various issues.