Re: GPOs not being applied

From: Derek Melber [MVP] (derekm_at_braincore.net)
Date: 05/11/04


Date: Tue, 11 May 2004 06:58:51 -0700

How about the user side of things? Try this:

1) create a new OU
2) create a new user named Joe in the OU
3) create a new GPO and link it to the new OU
4) configure the GPO to remove the run command
5) log in as Joe to the "problem" computer
6) if the run command is removed, then move the "problem" computer to the new
OU
7) configure the GPO linked to the new OU to now "not show the last logged
in user" (this is a computer configuration)
8) restart the "problem" computer and log on as Joe
9) log off as Joe and now when you hit Ctrl-Alt-Del, there should not be any
name in the username box.

If this works, then there is something odd happening with the original OU.
If this fails for Joe and the "problem" computer, then the computer is
having trouble with the domain in some way, most likely a SID or name
duplication. If it is a SID problem, my guess is that a tool like Ghost or
Drive Image was used on this computer, or another computer on the network.
If Joe works and the "problem" computer still fails, I would still lean
towards the SID, name duplication, or DNS area.

If all of this fails, I would turn on verbose logging and see what I can
find in the logs. If you need help tracking those down, I can help you with
those settings.

Let me know.

-- 
Derek Melber
BrainCore.Net
derekm@braincore.net
<anonymous@discussions.microsoft.com> wrote in message
news:b15e01c4374d$ceab9fa0$a401280a@phx.gbl...
> Derek,
>
> Thanks a bunch for your help!!!
>
> I checked if it were a DNS problem.  I ran netdiag in
> verbose, I double-checked that all SRV records were
> present and I ran nslookup on the SRV records from the
> problem server, and all tests passed.  I'm more than
> confused now. If I am missing some tests, please let me
> know.
>
> Let me recap....All DNS configurations are correct (client
> side and server side), the problem server is unique (no
> duplicate SIDs, IPAs or name).  There are no Deny ACLs and
> authenticated users have Read and Apply GP permissions on
> the GPO.  No LMHOSTS nor HOSTS file is being used.  The
> GPO is not being blocked.  All other servers in
> the 'Computer' container have no problem.
>
> When the problem server is a member of a workgroup, the
> local GPO is applied.  However, once I join the domain, I
> get Userenv 1000 errors:
> Source: Userenv
> Category: None
> Event ID: 1000
> User: NT Authority\System
> Description:
> Windows cannot query for the list of Group Policy
> objects.  A message that describes the reason for
> this was previously logged by this computer.
>
> Am I missing something here? :-(
>
> You would think that it is a DNS issue, but oddly enough
> the problem server can resolve the SRV records.
>
> This one is turning out to be a real stumper.  Any other
> ideas/suggestions?
>
> Thanks again for the help!
>
>
> >-----Original Message-----
> >that sure sounds like a DNS issue to me.
> >
> >-- 
> >Derek Melber
> >BrainCore.Net
> >derekm@braincore.net
> ><anonymous@discussions.microsoft.com> wrote in message
> >news:908501c43340$7a8952c0$a501280a@phx.gbl...
> >> I have removed the server from the domain and rejoined it
> >> without any errors.
> >>
> >> When the server was in a workgroup, the local policy was
> >> applied.  However, once I joined the domain Userenv 1000
> >> errors started appearing again.
> >>
> >> Thanks for the help!
> >>
> >> >-----Original Message-----
> >> >see if there is a duplicate name, IP, or SID on the network
> >> >
> >> >-- 
> >> >Derek Melber
> >> >BrainCore.Net
> >> >derekm@braincore.net
> >> ><anonymous@discussions.microsoft.com> wrote in message
> >> >news:786201c4310f$c0dac610$a301280a@phx.gbl...
> >> >> This just keeps getting better...
> >> >>
> >> >> To answer Ken, there are no hosts and lmhosts file; good
> >> >> thought though!
> >> >>
> >> >> To answer Derek, I have not seen any Deny's in the ACLs.
> >> >>
> >> >> An interesting development.  Friday night, the
> >> >> description changed for the Userenv 1000 error to
> >> >> read: "Windows cannot determine the user or computer name.
> >> >> Return value (1326)."
> >> >>
> >> >> So, I removed the server from the domain, and rejoined
> >> >> it.  Once I rebooted after the rejoin, EventID 1704
> >> >> (SceCli) was logged telling me the security policy in the
> >> >> Group Policy objects are applied successfully. :-0
> >> >>
> >> >> But wait, 7 minutes later, I am back to square one with
> >> >> Userenv 1000 again telling me ...Windows cannot query...
> >> >>
> >> >> Arrrgh!
> >> >>
> >> >>
> >> >> >-----Original Message-----
> >> >> >do you have any denies on the ACL?
> >> >> >
> >> >> >-- 
> >> >> >Derek Melber
> >> >> >BrainCore.Net
> >> >> >derekm@braincore.net
> >> >> ><anonymous@discussions.microsoft.com> wrote in message
> >> >> >news:6a2901c42ebf$e3306f50$a501280a@phx.gbl...
> >> >> >> That's what makes it all the more interesting... This
> >> >> >> server points to the exact same DNS as the others.
> >> >> >>
> >> >> >> For kicks, I even explicitly gave the computer object read
> >> >> >> and apply group policy 'allow' rights on the GPO and
> >> >> >> nothing.
> >> >> >>
> >> >> >> :-(
> >> >> >>
> >> >> >> >-----Original Message-----
> >> >> >> >This almost sounds like a DNS issue... is this server set
> >> >> >> >up the same as the others, with regards to DNS?
> >> >> >> >
> >> >> >> >
> >> >> >> >>-----Original Message-----
> >> >> >> >>I have a Win2K Ad Srvr (w/SP4) that does not apply any GPO
> >> >> >> >>settings, local and/or domain level.  The computer object
> >> >> >> >>resides in the built-in 'computers' container, so only the
> >> >> >> >>local and Default-Domain Policies should apply.
> >> >> >> >>
> >> >> >> >>When I run the
> >> >> >> >>'secedit /refreshpolicy machine_policy /enforce' command,
> >> >> >> >>I get an SRV 2000 error in the event log:
> >> >> >> >>
> >> >> >> >>Source: Userenv
> >> >> >> >>Category: None
> >> >> >> >>Event ID: 1000
> >> >> >> >>User: NT Authority\System
> >> >> >> >>Description:
> >> >> >> >>Windows cannot query for the list of Group Policy
> >> >> >> >>objects.  A message that describes the reason for this was
> >> >> >> >>previously logged by this computer.
> >> >> >> >>
> >> >> >> >>
> >> >> >> >>It seems that the server has an old version of the
> >> >> >> >>policies (having run gpresult), but the new versions never
> >> >> >> >>get applied.  I have checked and the 'disable
> >> >> >> >>computer/user configuration settings' are cleared.
> >> >> >> >>
> >> >> >> >>I have 20 other servers in the 'computers' container and
> >> >> >> >>only this one gives me this problem, so I suspect it is
> >> >> >> >>something local.
> >> >> >> >>
> >> >> >> >>I am at my wits' end.  Please help :-0
> >> >> >> >.
> >> >> >> >
> >> >> >
> >> >> >
> >> >> >.
> >> >> >
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
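
The isolation test in the numbered steps at the top of this message, scripted as an added example that is not part of the original thread. It assumes a current domain with the ActiveDirectory and GroupPolicy PowerShell modules rather than the Windows 2000 tooling discussed here; the OU, GPO and computer names are hypothetical, and the step 7 setting is written as a registry policy value instead of through the Security Options node.

```powershell
# Added example: scripted version of the OU/GPO isolation test.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT) and rights to
# create objects in the domain. All object names are hypothetical.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'GPO-Isolation-Test'      # hypothetical OU name
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'GPO-Isolation-Test'      # hypothetical GPO name
$computer = 'PROBLEM-SERVER'          # placeholder: name of the "problem" computer

# Steps 1-2: new OU with a test user in it.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn
New-ADUser -Name 'Joe' -SamAccountName 'joe' -Path $ouDn -Enabled $true `
    -AccountPassword (Read-Host 'Password for Joe' -AsSecureString)

# Step 3: new GPO linked to the new OU.
New-GPO -Name $gpoName | New-GPLink -Target $ouDn | Out-Null

# Step 4: user-side setting, remove the Run command.
Set-GPRegistryValue -Name $gpoName -Type DWord -Value 1 -ValueName 'NoRun' `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' | Out-Null

# Step 5 is interactive: log on as Joe at the problem computer and check
# that Run is gone. Continue only if the user-side setting applied.
Read-Host 'Log on as Joe, confirm Run is removed, then press Enter'

# Step 6: move the problem computer into the test OU.
Get-ADComputer -Identity $computer | Move-ADObject -TargetPath $ouDn

# Step 7: computer-side setting, do not show the last logged-on user.
# Written here as a registry policy value; the GUI steps would set it under
# Security Options instead.
Set-GPRegistryValue -Name $gpoName -Type DWord -Value 1 `
    -ValueName 'DontDisplayLastUserName' `
    -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System' | Out-Null

# Steps 8-9 are interactive: restart the problem computer, log on and off as
# Joe, and check the user name box. Afterwards, record which GPOs the computer
# and user actually processed.
Read-Host 'Restart the computer, log on/off as Joe, then press Enter'
Get-GPResultantSetOfPolicy -Computer $computer -User "$((Get-ADDomain).NetBIOSName)\joe" `
    -ReportType Html -Path (Join-Path $PWD 'isolation-test-rsop.html')
```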