Client not accepting group policy changes on 2003 Server

[sclementshall]

I have setup a domain controller with approx. 12 clients on Windows 2003 Server. One of these clients, and one alone, will not accept any group policy changes. I have taken it off the domain, put it back on the domain, swapped PCs out, tested network connections and drops.

The software program that uses the data from the server takes a minute to load on this particular client, yet does fine on the others. Also, I can not print from this program once I am in (using this client).

The user can sign on to any other client and everything works fine. I am able to ping my domain controller by name. I can browse folders setup on the domain controller, except even though I change permissions to those folders, some I am able to access and others I am not. I have changed the computer name. I have done everything I know to do. I ran GPupdate /force and it says that it's been updated but whatever change has been made still doesn't apply to this particular computer.

 

[monsterjta]

What OU do you have the policies applied? Is the problem computer in this OU? Can you show me the results of a GPRESULT command, and give me the names of the policies you expect to see?

Hope This Helps,

Good Luck!

(I do what I can with what I know)

 

[sclementshall]

GPResult is showing The applied group policy objects is the local group policy instead of the default domain policy like the rest of the workstations on the network.

I am a computer tech, but my experience with servers unfortunately is limited at best. It is a strange thing, but it is just this one work station that is problematic. All other stations, which were setup at the same time and in the same way, are behaving fine.

 

[monsterjta]

If you look in Active Directory Users and Computers, are ALL computers in the same OU?

Have you tried rebooting the problematic workstation?

When you type in SET at a CMD prompt, what is the Logon Server? Is it the Domain Controller?

Are you logging into the domain, or to the local workstation?

These all may seem like simple questions, but necessary for everything to work.

Can you show me the output of the gpresult?

Can you produce an RSOP in Group Policy Management Console?

Are you using the GPMC w/SP1?

Hope This Helps,

Good Luck!

(I do what I can with what I know)

 

[sclementshall]

Yes, all the computers are in the same OU.

Yes, multiple reboots of the problem PC.

Logon Server is the domain controller.

Logging onto the domain.

GPResults:

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 11/2/2006 at 10:09:03 PM



RSOP results for MCHALL\administrator on ADMASST : Logging Mode
----------------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: MCHALL
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\Administrator.mchall
Connected over a slow link?: Yes


COMPUTER SETTINGS
------------------
CN=ADMASST,CN=Computers,DC=mchall
Last time Group Policy was applied: 11/2/2006 at 9:41:13 PM
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Local Group Policy

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------
CN=Administrator,CN=Users,DC=mchall
Last time Group Policy was applied: 11/2/2006 at 9:54:08 PM
Group Policy was applied from: MANYSERVER.mchall
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy
Local Group Policy

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
BUILTIN\Administrators
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
Enterprise Admins
Schema Admins
Group Policy Creator Owners
Domain Admins

I am sorry for my ignorance, but what is the RSOP?

Thank you so much for your responses...

 

[monsterjta]

How many Group Policies do you have? I am seeing the Default Domain policy applying. Are there others you are expecting to be applied?

I see a couple things here. You are logging on as an administrator. Many policies do not apply to administrator users or domain admins group. What happens if you login as a domain user?

Also, I noticed that you are connected over what is defined as a slow link. Many policies will not be processed over slow links. Are you loggin in remotely?

Hope This Helps,

Good Luck!

(I do what I can with what I know)

 

[sclementshall]

One domain policy (the default). I do not see the default policy applying on the computer settings of this ws, only the local policy. All of the other clients have the domain policy being applied to the computer settings.

Yes, logging on as admin. have logged on as domain user as well, still not able to browse the network properly (still slow to access data on server- again, just this machine) and still will not allow administrator access to certain folders where permissions have been changed (it's changing permissions for all others but this one).

I am connected over a LAN.

Thanks again for giving me hope by at least responding!

 

[monsterjta]

Run a RSOP report in Group Policy Management Console for that user and that computer, by right-clicking RSOP and following the wizard.

Also, make sure you are not applying a security filter to the Default Domain Policy. Open the GPO, right-click the top branch and click on properties (or security). Can't remember exactly what the steps are, but you'll see security settings somewhere within the GPO. Make sure there are no special permissions setup for Authenticated Users. Also, make sure the problematic computer is not listed in security. If it is, delete it.

Hope This Helps,

Good Luck!

(I do what I can with what I know)

 

[patstone]

Try this ........

ENABLE Do not detect slow network connections in GP

In GP this is found at Computer Configuration/Administrative Templates/System/User Profiles

Then

Modify the default user profile to include the registry value GroupPolicyMinTransferRate with DWORD value of "0":


A. Under "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System",
create a value named as GroupPolicyMinTransferRate and give the value data
0.


B. Under "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System",
create a value named as GroupPolicyMinTransferRate and give the value data
0.


C. Restart the client computer to take effect.