Group policy settings not being applied

By techrific
Hi all, I'm pretty new to this arena, but here is what I have done....

Set up server 2k3 and an active directory domain, the policy settings were being applied fine before, but now, something is wrong.

It is set to enforced, link enabled, and the OU I created contains the GPO and the only one user it applies to, but the settings are not manifesting at logon, the machine takes ages TO logon, and when I try to do an RSOP on one of the machines I logged into with the domain account, my only options are the administrator acct. and not the domain acct. though the profile is on the machine after logging in.

Does this make sense to anyone? Any help is appreciated all!!!!
THX.

All Comments

by ICB's corner In reply to Group policy settings not ...

I had this kind of problem with a 2k3 server ...
I looked in Event Viewer to find some errors. I found error id 1003.
I had installed UPS software before I joined the computer to my domain and it was a software conflict. I joined it to the domain, rebooted, and the computer was blocked at "applying computer settings ...". Some Java support was bad and the UPS software distributed on CD creates the problem.
You must try to collect more details and search the Internet for something related to these details.
Another tip: use command-line gpupdate to force Group Policy update with local admin account.

by BFilmFan In reply to Group policy settings not ...

First things first.

Is it a user configuration or computer configuration policy being applied?

If it is both, then the computer account and user account both must be in the OU where the policy is being applied.

by BFilmFan In reply to

From your comment, you need to associate the subnet with the correct AD site to fix the issue in your first comment box.

You can associate a catch-all subnet and associate it to your AD. This is described well in this article:

http://www.windowsitpro.com/Article/ArticleID/45472/45472.html

by BFilmFan In reply to

Sounds like the computer failed to join the domain correctly. You can use NETDOM to force it in. Netdom is on the tools portion of the Win 2K3 CD and a total explanation of it can be found here:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/460e3705-9e5d-4f9b-a139-44341090cfd4.mspx

Also, edit your GPO within the AD Users and Computers tool, navigating the Computer Configuration\Administrative Templates\System\Group Policy folder and enable User Group Policy Loopback Processing Mode.

by techrific In reply to Group policy settings not ...

OK, back at it :) Thanks for the responses gents! I am pulling my hair out!!

I checked the event viewer and there are in fact a couple of errors; one of them is this:

None of the IP addresses (192.168.0.1 XX.XXX.XX.XX) of this Domain Controller map to the configured site 'NewWinSite'. While this may be a temporary situation due to IP address changes, it is generally recommended that the IP address of the Domain Controller (accessible to machines in its domain) maps to the Site which it services. If the above list of IP addresses is stable, consider moving this server to a site (or create one if it does not already exist) such that the above IP address maps to the selected site. This may require the creation of a new subnet object (whose range includes the above IP address) which maps to the selected site object.

and the other I will add as a new comment as it will not fit....

by techrific In reply to Group policy settings not ...

Here is the other error...

During the past 4.06 hours there have been 111 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites. The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes. The current maximum size is 20000000 bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes.

I am seriously missing something, I see; I just don't understand what changed... our network was down for a couple of days last week, and it seems since then that we have had this problem.

Again thanks a ton gents, hope to hear from you soon!
Brent
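
The event text quoted above says to search `netlogon.log` for `NO_CLIENT_SITE:` and read the client name and IP address that follow it. As an added example (not part of the original thread), this Python sketch does that filtering and groups the clients by network so the missing subnet objects are easy to see. The sample lines, the timestamp/domain prefix and the /24 grouping are assumptions; only the `NO_CLIENT_SITE: <name> <ip>` layout comes from the event message.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log text; the prefix before NO_CLIENT_SITE is assumed.
SAMPLE_LOG = """\
06/12 09:14:02 EXAMPLE: NO_CLIENT_SITE: CAFE-PC01 192.168.0.21
06/12 09:14:09 EXAMPLE: NO_CLIENT_SITE: CAFE-PC02 192.168.0.22
06/12 09:15:40 EXAMPLE: NO_CLIENT_SITE: CAFE-PC01 192.168.0.21
06/12 09:16:11 [MISC] unrelated debugging information
06/12 09:17:55 EXAMPLE: NO_CLIENT_SITE: KIOSK-07 192.168.1.57
06/12 09:18:03 EXAMPLE: NO_CLIENT_SITE: BROKEN not-an-ip
"""

# First word after the marker is the client name, second is its IP address.
MARKER = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\S+)")


def unmapped_clients(log_text, prefix_len=24):
    """Return {network: {client_name: hit_count}} for NO_CLIENT_SITE lines."""
    by_net = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = MARKER.search(line)
        if not match:
            continue  # unrelated debugging output
        name, raw_ip = match.groups()
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            continue  # truncated or malformed entry
        # prefix_len is an assumption: pick the mask your network really uses.
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        by_net[str(net)][name] += 1
    return {net: dict(clients) for net, clients in by_net.items()}


def report(log_text, prefix_len=24):
    """One summary line per network that has no subnet-to-site mapping."""
    lines = []
    for net, clients in sorted(unmapped_clients(log_text, prefix_len).items()):
        total = sum(clients.values())
        names = ", ".join(sorted(clients))
        lines.append(f"{net}: {total} connections from {len(clients)} clients ({names})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Each network in the output is a candidate for a subnet object mapped to the site, which is the fix the event message itself recommends.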

by techrific In reply to Group policy settings not ...

Mr. BFilmFan, thanks again, I have edited both the computer settings and the user settings via the GPO I created and linked in the OU (wish I could show you a screenshot here..). In the OU I have the user I have created which all will use in this environment (40 machines in an internet cafe) to log in. Does any of this offer any clues as to what I am missing?
THX!
Brent

by techrific In reply to Group policy settings not ...

Yet another hopefully helpful comment...

When I am using the AD users and computers snap-in and viewing the computers on the domain, I try to 'manage' one of them via the snap in and it tells me it cannot find the network path... just to clarify, I right click on the computer in the snap in, choose manage, and it cannot find it, lol. It is a machine I just removed and re-added to the domain, have disabled the security service and there is no other firewall running on the target machine that could to my eyes prevent access.

I ran an RSOP on one of the machines in the domain, logged in as local admin, and this is what came back... (next comment)
