
2K and XP Pro clients "ignoring" Group Policy

Status
Not open for further replies.

cpfcu

Technical User
Mar 2, 2004
26
US
Hi,

We're running a mixed-mode 2K AD domain with four DCs at our HQ site and one DC at a remote site. I am pushing out the Windows SUS Auto Updates client to our 2K and XP Pro client machines and I have a handful of them that are simply "ignoring" the Group Policy. No events in the clients' App or System logs, it's as if they're oblivious to the GPO... I used gpresult on the XP Pro machines and the RSOP doesn't even acknowledge the GPO, even after using gpupdate numerous times with various switches (/force, /sync, /boot). When I use ADU&C and manually connect to each DC, the GPO is correctly applied to the OU. AD doesn't seem to think we have any slow links (unless I'm looking in the wrong place). Also, a handful of the machines that are getting the GPO report "cannot find the path specified". I gave Read/Execute permissions to Authenticated Users and Domain Computers for the folder with the MSI package (the folder is located on a file server at our HQ location). Does anyone have any suggestions?
 
Have you tried removing and recreating the users on the domain?

L.M.C.
IT/MIS
 
Sorry, I forgot to mention this is a computer policy. There are no user settings associated with this GPO.
 
Are all of the ones that are ignoring the GPO in the same OU? Is policy inheritance being blocked at the OU level?
 
The machines having the problem are in three office locations, and each location's machines are in their own OU, each OU having a sub-OU to divide the 2K and XP machines. In other words:

- Domain.com
|- Leo (office name)
||- Computers (W2K machine accounts only)
|||- Windows XP Pro (XP Pro machine accounts only)

|- Lex (office name)
||- Computers
|||- Windows XP Pro

|- PF (office name)
||- Computers
|||- Windows XP Pro

The GPO is applied at each "Computers" OU. All of the locations except "Leo" are in the same AD Site. The policy is being applied or ignored across both 2K and XP machines.

Mawilson, do you think it would help to use the "no override" setting in the GPO properties?
 
That would be good to try. "No override" will go over any inheritance blocking and apply to the OUs.
 
I will give that a try and update the thread tomorrow. Thank you!
 
After some further investigation, I think I may have traced it down to stupid simple. After I reviewed some Event Logs by hand (instead of using my Excel VBA script), I found that the problem is now narrowed to the "Leo" AD site. After checking clients at that site, I stumbled across an event similar to "the path {30862BBD-2786-4B78-9AE6-35E2DC12D179} cannot be found at \\domain.com\sysvol". I copied that folder from another DC and I will see what happens tomorrow. So maybe I really have a FRS problem and not a GPO problem?
 
Staging area is full or journal wrap would be prime suspects...
 
xmsre, is the staging area the SYSVOL share, and what do you mean by journal wrap?

Thanks!
 
I reviewed more Event Logs and the problem definitely lies in FRS and not the GPOs... I found that all of the policies folders are not replicating between servers. After copying them manually, everything seems to be working. So I have some research to do on FRS.

Thank you everyone for your fast replies!
 
Manually copying your policies only masks the problem.

What were the errors you saw in the file replication log in event viewer? What service pack are the DCs at? How much free space do you have on the servers?
 
I agree completely with the problem being masked, mlichstein. I appreciate your help with continuing to troubleshoot to the cause instead of stopping with the symptoms.

As far as the FRS logs on the Leo site's server, the only four recent warnings are:

Event ID: 13562
Date: 2/10/2004
Time: 3:00:15 AM
Description:
Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller dc1.domain.com for FRS replica set configuration information. Could not find computer object for this computer. Will try again at next polling cycle.

Event ID: 13508
Date: 1/11/2004
Time: 1:02:31 PM
Description:
The File Replication Service is having trouble enabling replication from DC3 to DC1 for c:\winnt\sysvol\domain using the DNS name dc3.domain.com. FRS will keep retrying.
Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name dc3.domain.com from this computer.
[2] FRS is not running on dc3.domain.com.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

The #13508 warning (above) repeats for the connections from DC2 and DC4, and the entire set of 3 #13508 warnings is listed on 9/5/03. So in summary there is one warning on 2/10/04, three similar warnings on 1/11/04, and two similar warnings on 9/5/03.

Four of the DCs are on SP2 at the moment and one is on SP3. Free space on the C: volume ranges from 804.9M to 5.3G for all DCs.
 
Check the domain controllers OU. Is there a computer account for the machine that is getting this error?

If there is, right click it and check the security tab on it. List the permissions.

You may need to check off advanced features in the view menu of AD users and computers to see the security tab.
 
The DC's machine account security permissions are as follows:

#INFORMATION TECHNOLOGY (Global Security group containing IT staff user accounts): shows Special on Object & All Child Objects, but does not show Allow or Deny for any permissions

Account Operators: Allow Full Control

Administrators: Allow Read, Write, Create All Child Objects, Change Password, Receive As, Reset Password, Send As, Validated write to DNS host name, Validated write to service principal name; additional Special permissions on Object & All Child Objects: Allow List Contents, Read All Properties, Write All Properties, Delete, Read Permissions, Modify Permissions, Modify Owner, All Validated Writes, All Extended Rights, Create All Child Objects, Create Directory Synchronization Objects, Create IntelliMirror Service Objects, Create Message Transfer Agent Objects, Create Printer Objects

Authenticated Users: Allow Read; additional Special permissions on Object only: Allow List Contents, Read All Properties, Read Permissions

Cert Publishers: Allow Read/Write Property on Object only

Domain Admins, Enterprise Admins: Allow Full Control

Everyone: Allow Change Password

Pre-Windows 2000 Compatible Access: Allow List Contents on Object & All Child Objects; additional Special permissions on User Objects: Allow List Contents, Read All Properties, Read Permissions; additional Special permissions on Group objects: Allow List Contents, Read All Properties, Read Permissions

Print Operators: Allow Create/Delete Printer Objects on Object only

SELF: Allow Create All Child Objects, Delete All Child Objects, Validated write to DNS host name, Validated write to service principal name

SYSTEM: Allow Full Control
 
What is the name of the machine that is showing these errors? It looks like it is trying to poll dc1...

Is AD replication working in the domain? You can do a 'repadmin /showreps' and post the output here. Repadmin is in the Windows 2000 support tools.
 
I'm sorry, I told you the errors and didn't tell you which server was showing the errors... :) It is DC1.
 
Here is the output as completed from my workstation:

C:\>repadmin /showreps DC=domain,DC=com dc1 /verbose
Leo\dc1
DSA Options : (none)
objectGuid : 4f915d07-b451-4f60-a99b-6770fc4ae1a9
invocationID: c926c04d-cd42-49f0-9327-af6dc6cb35f8

==== INBOUND NEIGHBORS ======================================

DC=domain,DC=com
HQ\DC4 via RPC
objectGuid: f694ed0a-ace6-49be-9e90-a30436b8493f
Address: f694ed0a-ace6-49be-9e90-a30436b8493f._msdcs.domain.com
ntdsDsa invocationId: efa54c40-b355-4c1a-9339-b7114c97b13a
WRITEABLE DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
USNs: 1688681/OU, 1688681/PU
Last attempt @ 2004-03-08 14:48.46 was successful.

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

C:\>
 
Is that the entire output from repadmin? That shows that DC1 is only replicating the domain partition from DC4. It should also be replicating the configuration and schema partitions.
 