
Group Policy not working at all - Or AFAIK


echz

IS-IT--Management
Oct 8, 2003
14
US
I'm trying to configure Group Policy for my Windows 2003 domain, and it doesn't seem to be working.

I'm trying to accomplish a group policy setting to allow a Windows Firewall exception, and I'm trying to block access to the control panel...(as well as some other minor things like password length, etc.)

In order to see the Windows Firewall settings, I had to get the .ADM files for Windows XP and import a new admin. template. (perhaps this is where my problem lies?)

I've attempted to do it in 2 different fashions, one by changing the default group policy, and the other by creating a policy with just the rule to try and allow the firewall port, both with the GPMC utility.

I then did a gpupdate /force and it said it worked successfully, then went to the client and logged out/in a few times, did a gpresult and it didn't process the 2nd policy just for the firewall rule, but it said it did process the default policy -- however, it didn't deny the firewall policy either, it's just like it doesn't exist, and control panel is not blocked from the client side either.

I don't know if there's like some major thing I'm missing here or not, but I'm totally stumped as to why these group policy settings don't seem to work at all...if anyone can offer any help, I'd **REALLY** appreciate it....Thanks!!
 
Alright...It seems as if overnight, the Policy put itself into effect. However, not all users/computers are having it enforced. I have a group of about 10 users that's getting it enforced, but a user or 2 that's not having the features applied.

I've also got 1 newly installed workstation that doesn't even seem to get even the default group policy, because when I run 'gpresult' on that machine, I get presented with the line "INFO: The policy object does not exist."

Anyone have any thoughts on this?
 
go to your gp's and find the setting.. wait for network.. because if windows can start without GP taking effect..

then go to cmd.. and type in gpupdate /force
 
ok.. the policy is located here.

computer configuration -- system -- Login -- always wait for the network at computer startup and logon

hope this helps.. let me know..
 
I made the mod that you specified, and it still has not helped. I've still got a newly added domain user & computer that the policy is not being pushed to, because when I run the 'gpresult', I still get the "INFO: The policy object does not exist." This is driving me insane!!!
 
regarding the settings...you should not be importing templates into the policy like that, it is unnecessary
you need to run gpmc or adminpak (to get to dsa.msc) from the XP workstation and make the setting there. default behavior is that the .adm of a client computer connecting to edit a group policy will copy their adm to the server...you cannot see the setting on the server itself, but it is set

this is why the problem came about with the introduction of XP SP2 where when connecting to a DC to edit policy after installing SP2, you discover that editing from anything under XP SP2, or editing from 2000 or 2003 server, you received a billion errors "the string was too long and has been truncated..."
so if you are using XP SP2, might as well install 842933 now, it is a public download

BTW.....Win2003 SP1 released a couple nights ago at 8pm :)


default behavior for windows xp is that two reboots are required to apply computer policies, 2-3 logons for user policies

the way to work around that is to set "always wait for the network at computer startup and logon" as somebody mentioned before...that works for the most part...

what events are the clients getting in event viewer? specifically you are looking for 1202 events from scecli, or any userenv events

if you have a winlogon.log, post the results of it

how many DCs do you have?

how is your DNS configured? should be the PDC emulator pointing to himself only for preferred DNS, and any replicas DCs and clients (including member servers) in the same site pointing to the PDCe as preferred and replica DCs as alternates

group policy object not found errors can indicate FRS issues

so check your file replication event logs as well and put any errors from there into here as well

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
Alright... I got and installed the Adminpak on my XP SP2 Workstation -- herein lies ANOTHER problem...

I can't get any of the adminpak utils to connect to my server. I just ran the dsa.msc file, and attempted to add my domain and got "Local Security Authority cannot be contacted" when I type my domain in. If I go to Add DC and type the server name, I get the same "LSA cannot be contacted".

Going through and looking at the DNS config., it's looking like all the A records for client machines are wrong, as the router I'm using is distributing the DHCP - I don't know if that makes a difference or not as well. As far as how the DNS is configured, I have no clue - I took this over from an admin. that just stopped showing up, so I'm taking shots in the dark with a lot of it...

I just checked the FRS log and there's no errors in there, just standard reboot messages. I checked for the winlogon.log on the client computer that isn't receiving the policy, and it doesn't exist...

I also checked for the 1202 errors that you mentioned, and did not find any of them.

The only other thing that I can think of is that the NIC teaming is screwing me up. It's a Dell server with 4 NICs, 2 are TeamA and 2 are TeamB - I believe they're set up for redundancy, one team with the IP address of 10.0.0.150, and the other with an ip of 10.0.0.151.

I'm at a complete loss here...short of rebuilding the server so the OS is configured MY way, I don't know what to do in order to get it to work MY way :) Any help anyone can offer would be great...Thanks!

 
also, my system log is riddled with this error:

--
A duplicate name has been detected on the TCP network. The IP address of the machine that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.
--

C:\Documents and Settings\Administrator>nbtstat -n

TeamB2:
Node IpAddress: [10.0.0.150] Scope Id: []

NetBIOS Local Name Table

Name Type Status
---------------------------------------------
MARLSRVR <00> UNIQUE Registered
MARLTON <00> GROUP Registered
MARLTON <1C> GROUP Registered
MARLSRVR <20> UNIQUE Registered
MARLTON <1B> UNIQUE Registered
MARLSRVR <03> UNIQUE Registered
MARLTON <1E> GROUP Registered
MARLTON <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered

TeamA1:
Node IpAddress: [10.0.0.151] Scope Id: []

NetBIOS Local Name Table

Name Type Status
---------------------------------------------
MARLSRVR <00> UNIQUE Registered
MARLTON <00> GROUP Registered
MARLTON <1C> GROUP Registered
MARLSRVR <20> UNIQUE Registered
MARLTON <1B> UNIQUE Registered
MARLSRVR <03> UNIQUE Registered
MARLTON <1E> GROUP Registered

C:\Documents and Settings\Administrator>


These are the results it returns. I think something is screwy with the NIC teaming...Any clues?
 
OK...I fixed my problem with not being able to Add/View the Server in GPMC & DSA -- It was related to a DNS issue -> My router was receiving DHCP & Broadcasting DHCP to my LAN, and with the DHCP it was broadcasting, it was using the ISP's DNS. I configured the DHCP to distribute my server's IP as the DNS, which will then pass off any requests it doesn't know to the ISP's DNS.

So that solves a few problems....However I'm still stuck with a few computers not getting the default group policy pushed to them, even after several reboots and login/outs. Anybody have any clues as to why?! I'm gonna lose it! :)
 
you cannot have multihomed DCs without MAJOR implications

keep that in mind

what happens is the netlogon service will register ALL enabled NICs, and whichever NIC registers first in particular areas, may not be the one that registers in the others, or the wrong NIC may register altogether

this can of course break authentication, group policy, and many other areas

you get the duplicate TCP messages because of having more than 1 NIC
and it is a problem, like I said

what are the userenv events you are getting on the clients in the app log?

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
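The nbtstat -n tables quoted earlier and Brandon's point about a multihomed DC registering the same names from every NIC, as an added example that is not code from the thread: a small parser for nbtstat -n output that reports unique NetBIOS names registered from more than one interface and any name in the Conflict state the system-log event tells you to look for. The sample is constructed and abbreviated from the quoted output (the TeamB2/TeamA1 names and 10.0.0.150/10.0.0.151 addresses are the thread's; the Conflict row is added for illustration).

```python
import re
from collections import defaultdict
# Constructed, abbreviated sample in the shape of nbtstat -n: two teamed
# interfaces registering the same unique names, plus one constructed Conflict row.
SAMPLE = """\
TeamB2:
Node IpAddress: [10.0.0.150] Scope Id: []
MARLSRVR <00> UNIQUE Registered
MARLTON <00> GROUP Registered
MARLSRVR <20> UNIQUE Registered
MARLTON <1D> UNIQUE Conflict
..__MSBROWSE__.<01> GROUP Registered

TeamA1:
Node IpAddress: [10.0.0.151] Scope Id: []
MARLSRVR <00> UNIQUE Registered
MARLTON <00> GROUP Registered
MARLSRVR <20> UNIQUE Registered
"""

IFACE_RE = re.compile(r"^(\S[^:]*):\s*$")          # "TeamB2:" or "Local Area Connection:"
ADDR_RE = re.compile(r"Node IpAddress: \[([\d.]+)\]")
NAME_RE = re.compile(r"^(\S+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")

def parse_nbtstat(text):
    """Return {interface: (ip, [(name, suffix, type, status), ...])}."""
    tables, ips, cur = defaultdict(list), {}, None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            cur = m.group(1)
        elif (m := ADDR_RE.search(line)) and cur:
            ips[cur] = m.group(1)
        elif (m := NAME_RE.match(line)) and cur:
            name, suffix, ntype, status = m.groups()
            tables[cur].append((name, suffix.upper(), ntype, status))
    return {k: (ips.get(k), v) for k, v in tables.items()}

def multihomed_unique_names(tables):
    """Unique names registered from more than one IP (multihomed registration)."""
    seen = defaultdict(set)
    for ip, entries in tables.values():
        for name, suffix, ntype, _ in entries:
            if ntype == "UNIQUE":
                seen[f"{name}<{suffix}>"].add(ip)
    return {n: sorted(ips) for n, ips in seen.items() if len(ips) > 1}

def conflicting_names(tables):
    """Names in the Conflict state that the duplicate-name event points you at."""
    return sorted(f"{n}<{s}>" for _, entries in tables.values()
                  for n, s, _, st in entries if st.lower() == "conflict")
```

Run it over the saved output of nbtstat -n from the server; a unique name listed under two IPs is the multihomed registration the thread describes, and the Conflict list is what the event's own instruction asks you to check.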
 