Re: GPO no longer being applied to user

From: Pablo E. Colazurdo (rael_at_singularidad.com.ar)
Date: 12/09/04


Date: Thu, 9 Dec 2004 15:09:43 -0000

Have you checked for errors in the Event Viewer? Most probably problems with
the SYSVOL share.

You can turn on Debugging on a PC and see what is going on:

  1. If you encounter problems after making changes to the Default Domain
     and/or Default Domain Controller group policies, you can enable GPO debug
     logging on your server. To enable the logging:
     1. Use Regedt32 to navigate to:
        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SecEdit
     2. On the Edit menu, Add Value name PolicyDebugLevel, as a REG_DWORD
        data type. Set the data value to 2.
     3. The log file will be generated as:
        %SystemRoot%\security\logs\Scepol.log
  2. Enable Verbose logging by editing the registry. You are telling the
     system to create a USERENV.LOG in winnt\debug directory. You can then
     examine the file for errors.
     1. Run Regedit.
     2. Navigate to Hkey_Local_Machine - Software - Microsoft - Windows NT -
        CurrentVersion - Winlogon.
     3. Add a REG_DWORD value called UserEnvDebugLevel and type in a Hex
        value of 30002.
     4. Close Regedit.
     5. Log off and log back on.
  3. All the following changes should be done at:
     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
     1. RunDiagnosticLoggingGroupPolicy. Adding this value and setting it as
        a REG_DWORD with value 1 will affect the logging of GPO processing by
        turning it on in verbose mode. After you make that change and restart
        the system, you will see a lot more information reported, especially
        during errors. In many cases, this will be enough to get the
        information you need.
     2. RunDiagnosticLoggingApplicationDeployment. Adding this value as a
        REG_DWORD with value 1 will turn on verbose logging specifically for
        GPO application deployments. In the case of an administrator who is
        trying to deploy antivirus files via GPO, this key would definitely be
        helpful in improving logging.
     3. RunDiagnosticLoggingGlobal, which, when added as REG_DWORD with
        value 1, will turn on verbose logging for all GPO processing events,
        including those listed above. It's basically a catch-all value, but the
        downside is that it may confuse you when you examine the logs because
        it will log lots of events that may not have anything to do with your
        specific problem. Think carefully before turning this one on - it could
        increase your workload.

Hope it helps,
P.

"Jack Black" <JackBlack@hat.com> wrote in message
news:uW4QM8f3EHA.1152@TK2MSFTNGP14.phx.gbl...
> Greetings AD Gurus
>
> Suddenly, my GPO (single site, single domain) is no longer being applied to
> my 200 users.
> So, I can't change password expiration, lockout threshold, etc.
>
> I've checked DNS, etc. but still no luck.
>
> Any ideas?
>
> Thank you, Jack
>
>
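
The registry changes described in the reply above, scripted as an added PowerShell example that is not part of the original post. The function names Set-GpoDebugLogging and Get-GpoDebugLogs are hypothetical, an elevated session is assumed, and only the key paths, value names and data come from the post.

```powershell
# Added example (not from the original post). Run in an elevated session.
# Set-GpoDebugLogging and Get-GpoDebugLogs are hypothetical helper names.
function Set-GpoDebugLogging {
    param([switch]$Disable)

    $base = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion'
    # Key, value name and DWORD data exactly as listed in the post.
    $settings = @(
        @{ Key = "$base\SecEdit";     Name = 'PolicyDebugLevel';                Data = 2 }
        @{ Key = "$base\Winlogon";    Name = 'UserEnvDebugLevel';               Data = 0x30002 }
        @{ Key = "$base\Diagnostics"; Name = 'RunDiagnosticLoggingGroupPolicy'; Data = 1 }
    )

    foreach ($s in $settings) {
        $present = $null -ne (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue)
        if ($Disable) {
            # Remove only the debug value; the key and its other values stay.
            if ($present) { Remove-ItemProperty -Path $s.Key -Name $s.Name }
            $state = 'removed'
        } else {
            # A key from the post may not exist yet; create it first.
            if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
            New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType DWord `
                -Value $s.Data -Force | Out-Null
            $state = 'set to 0x{0:X}' -f $s.Data
        }
        [pscustomobject]@{ Key = $s.Key; Value = $s.Name; State = $state }
    }
}

function Get-GpoDebugLogs {
    # Scepol.log path is the one given in the post; userenv.log is searched
    # for under %SystemRoot%\debug because it may sit in a subfolder there.
    $found = @(Get-Item "$env:SystemRoot\security\logs\Scepol.log" -ErrorAction SilentlyContinue)
    $found += Get-ChildItem "$env:SystemRoot\debug" -Filter userenv.log -Recurse -ErrorAction SilentlyContinue
    $found | Select-Object FullName, Length, LastWriteTime
}

Set-GpoDebugLogging            # enable, then log off/on (or restart) and reproduce
# Get-GpoDebugLogs             # list the resulting log files
# Set-GpoDebugLogging -Disable # remove the values once troubleshooting is done
```

The verbose logs record policy processing detail for every logon, so running the `-Disable` form after the problem is found keeps that detail from accumulating on the machine.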


