7th February 2008, 10:18 PM #1
Group Policy not being applied to client machine
We seem to have one machine where group policy is not getting applied correctly. When a pupil logs onto the machine they are not getting some of the group policies we have in place.
I tried a couple of things with interesting results:
1) Pinging the DC - This works fine (both IP and DNS)
2) Pinging the machine from the DC - This does not work unless I disable the Windows Firewall on the machine
We use Windows Firewall which is set by group policy.
Any ideas what might be causing this?
7th February 2008, 10:20 PM #2
Any useful messages in the client event logs?
7th February 2008, 10:52 PM #3
I can't remember the exact message but there were netlogon errors being logged every time I tried to log on to this machine - along the lines of no domain controller could be found.
One other thing that was happening was the pupil's home folder was being mapped to the root of the share (which they don't have access to) instead of the actual home folder.
7th February 2008, 11:15 PM #4
I take it you have run a gpupdate on the client - [ part of the Edugeek Admin Bar - see below ]
And that the PC is in the correct OU and has not got any other special overriding policies?
7th February 2008, 11:19 PM #5
Yep, ran gpupdate /force, reset as required. The machine is in the same OU it has always been in since it was first installed, along with 28 other machines that don't have the problem. It's just this single machine!
7th February 2008, 11:19 PM #6
I had this exact problem recently on a number of machines. For me, it was a DNS issue--for some reason, the computers had a bad DHCP address which did not point to the DC DNS server. A simple release renew of the ip address solved the issue for me (except for one machine that had to be rejoined to the domain for unknown reasons).
Have you tried ipconfig /release and ipconfig /renew yet?
7th February 2008, 11:22 PM #7
Why? I would have thought you have a superior firewall protecting your network where it joins the outside wall. You shouldn't need to firewall the individual machines too.
Originally Posted by adamf
Windows Firewall always gets switched off here (... just not quickly enough sometimes)
7th February 2008, 11:23 PM #8
I did try release/renew and also deleted the lease from the DHCP server; neither worked. I haven't tried removing it from the domain and rejoining it yet - I'll give that a go.
7th February 2008, 11:26 PM #9
Originally Posted by elsiegee40
We do have a superior firewall protecting the network.
I don't know why Windows Firewall is on (something the person I replaced put in place). It's gonna be turned off now cause it's caused too many problems aside from this (had a few problems with it and ghost).
Last edited by adamf; 7th February 2008 at 11:29 PM.
7th February 2008, 11:34 PM #10
Might seem really obvious but I've found it can be helpful to check - make sure your DNS addresses for the network connection point to the correct DNS server (try specifying the absolute DNS IP instead of getting it automatically as well). If that's all fine, you can do as you suggested yourself; take the computer off of the domain and then see if it can connect again (if it's a DNS issue it may not find the domain after you take it off though.)
Last edited by DarkLight; 7th February 2008 at 11:36 PM.
7th February 2008, 11:40 PM #11
That was my only concern, about it not being able to rejoin. The DNS addresses are correct (as set by the server options in DHCP) and the A records exist on all 3 DNS servers.
Originally Posted by Dark Light
7th February 2008, 11:46 PM #12
You'll have to find and solve the issue if the computer is on the domain or otherwise, so trying to rejoin the domain isn't a bad option even if it can't instantly rejoin. It may help you to see what error there is when connecting - if there is one.
Edit : Do you know if the problems are related to specific policies, and have you looked at the resultant set of policy (rsop.msc) to see what is applied to the machine?
Last edited by DarkLight; 7th February 2008 at 11:54 PM.
7th February 2008, 11:47 PM #13
Sounds odd, but have you tried it on a different port? [ a port from a known working PC which is getting its policy updates ok ]
You could try giving the client a static IP address.....
Move the client to a different OU - [ different policy ] then back again - also may be worth running filemon / regmon whilst running a GPupdate to see what's happening. Will be interesting to see a set of event logs too.....
8th February 2008, 01:13 AM #14
I've posted this before; in many cases I have found the reverse DNS to be the problem, if you have one.
Check the reverse lookup zones in your DNS. Are there multiple entries for the same IP/Hostname?
GP relies on DNS for resolution if IP is the only protocol (who uses anything else).
You must be able to ping by hostname and ping -a xxx.xxx.xxx.xxx by IP from the DC to client.
If you use the Windows Firewall make sure the policy allows remote management and whatever other services you need, e.g. ping.
I have often found if you fix the reverse DNS issues the GPs suddenly work.
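The forward and reverse DNS checks described in the post above can be scripted and run against each DNS server in turn. This is an added example, not part of the original thread; the client name and DNS server addresses are placeholders, and it assumes a system where the `Resolve-DnsName` cmdlet is available (Windows 8 / Server 2012 or later).

```powershell
# Added example: forward/reverse DNS consistency check for one client.
# $Client and $DnsServers are placeholder values; replace them with your own.
param(
    [string]$Client = 'PC-EXAMPLE-01',                      # hypothetical client hostname
    [string[]]$DnsServers = @('192.0.2.10', '192.0.2.11')   # hypothetical DNS server IPs
)

function Test-DnsRoundTrip {
    param([string]$Name, [string]$Server)

    # Forward lookup: every A record this server holds for the client.
    $a = @(Resolve-DnsName -Name $Name -Type A -Server $Server -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' })
    if ($a.Count -eq 0) {
        return [pscustomobject]@{ Server = $Server; IP = $null; PTR = $null; Problem = 'no A record' }
    }

    foreach ($rec in $a) {
        # Reverse lookup: every PTR record registered for that address.
        $ptr = @(Resolve-DnsName -Name $rec.IPAddress -Type PTR -Server $Server -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'PTR' } | ForEach-Object { $_.NameHost })

        # Compare only the host label, so short names and FQDNs both match.
        $wanted = ($Name -split '\.')[0]
        $problem = $null
        if ($ptr.Count -eq 0) {
            $problem = 'no PTR record'
        } elseif ($ptr.Count -gt 1) {
            $problem = 'multiple PTR records for one IP'
        } elseif ((($ptr[0] -split '\.')[0]) -ne $wanted) {
            $problem = 'PTR names a different host'
        }

        [pscustomobject]@{ Server = $Server; IP = $rec.IPAddress; PTR = ($ptr -join ', '); Problem = $problem }
    }
}

$results = foreach ($s in $DnsServers) { Test-DnsRoundTrip -Name $Client -Server $s }
$results | Format-Table -AutoSize

# The same client should resolve to the same address on every DNS server.
$distinct = @($results | ForEach-Object { $_.IP } | Where-Object { $_ } | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "DNS servers disagree on the address of ${Client}: $($distinct -join ', ')"
}
```

Any row with a non-empty Problem column points at a stale or duplicate record to clean up in the forward or reverse lookup zone on that server.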
8th February 2008, 02:42 PM #15
Just to let you all know removing the machine from the domain and rejoining fixed the problem although the cause is still unknown.