Re: GPOs not being applied
From: Derek Melber [MVP] (derekm_at_braincore.net)
Date: 05/12/04
- Next message: Nathan Guidry: "Software Restriction Policy?????"
- Previous message: Rich: "GP cumulative effect and SUS"
- In reply to: anonymous_at_discussions.microsoft.com: "Re: GPOs not being applied"
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: GPOs not being applied"
- Reply: anonymous_at_discussions.microsoft.com: "Re: GPOs not being applied"
Date: Wed, 12 May 2004 09:20:02 -0700
start here:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833
--
Derek Melber
BrainCore.Net
derekm@braincore.net

<anonymous@discussions.microsoft.com> wrote in message
news:bf5201c4382c$3891eb20$a601280a@phx.gbl...
> I tried your suggestion. The user policy was applied to Joe, but the
> computer policy was not applied to the "problem" computer.
>
> I used ntdsutil to check for duplicate SIDs and found none. I used
> nbtstat -n and checked WINS to look for duplicate names and found none.
> And nslookup verifies the srv records... hmm... :-(
>
> What logging are you talking about?
>
> Thanks!
>
> >-----Original Message-----
> >how about the user side of things? Try this:
> >
> >1) create a new OU
> >2) create a new user named Joe in the OU
> >3) create a new GPO and link it to the new OU
> >4) configure the GPO to remove the run command
> >5) log in as Joe to the "problem" computer
> >6) if the run command is removed, then move the "problem" computer to
> >the new OU
> >7) configure the GPO linked to the new OU to now "not show the last
> >logged in user" (this is a computer configuration)
> >8) restart the "problem" computer and log on as Joe
> >9) logoff as Joe and now when you hit Ctrl-Alt-Del, there should not
> >be any name in the username box.
> >
> >if this works, then there is something odd happening with the original
> >OU. If this fails for Joe and the "problem" computer, then the computer
> >is having trouble with the domain in some way, most likely a SID or
> >name duplication. If it is a SID problem, my guess is that a tool like
> >ghost or drive image was used on this computer, or another computer on
> >the network. If Joe works and the "problem" computer still fails, I
> >would still lean towards the SID, name duplication, or DNS area.
> >
> >If all of this fails, I would turn on verbose logging and see what I
> >can find in the logs. If you need help tracking those down, I can help
> >you with those settings.
> >
> >Let me know.
> >
> >--
> >Derek Melber
> >BrainCore.Net
> >derekm@braincore.net
> ><anonymous@discussions.microsoft.com> wrote in message
> >news:b15e01c4374d$ceab9fa0$a401280a@phx.gbl...
> >> Derek,
> >>
> >> Thanks a bunch for your help!!!
> >>
> >> I checked if it were a DNS problem. I ran netdiag in verbose, I
> >> double-checked that all SRV records were present and I ran nslookup
> >> on the SRV records from the problem server, and all tests passed.
> >> I'm more than confused now. If I am missing some tests, please let
> >> me know.
> >>
> >> Let me recap....All DNS configurations are correct (client side and
> >> server side), the problem server is unique (no duplicate SIDs, IPAs
> >> or name). There are no Deny ACLs and authenticated users have Read
> >> and Apply GP permissions on the GPO. No LMHOSTS nor HOSTS file is
> >> being used. The GPO is not being blocked. All other servers in the
> >> 'Computer' container have no problem.
> >>
> >> When the problem server is a member of a workgroup, the local GPO is
> >> applied. However, once I join the domain, I get Userenv 1000 errors:
> >> Source: Userenv
> >> Category: None
> >> Event ID: 1000
> >> User: NT Authority\System
> >> Description:
> >> Windows cannot query for the list of Group Policy objects. A message
> >> that describes the reason for this was previously logged by this
> >> computer.
> >>
> >> Am I missing something here? :-(
> >>
> >> You would think that it is a DNS issue, but oddly enough the problem
> >> server can resolve the SRV records.
> >>
> >> This one is turning out to be a real stumper. Any other
> >> ideas/suggestions?
> >>
> >> Thanks again for the help!
> >>
> >> >-----Original Message-----
> >> >that sure sounds like a DNS issue to me.
> >> >
> >> >--
> >> >Derek Melber
> >> >BrainCore.Net
> >> >derekm@braincore.net
> >> ><anonymous@discussions.microsoft.com> wrote in message
> >> >news:908501c43340$7a8952c0$a501280a@phx.gbl...
> >> >> I have removed the server from the domain and rejoined it without
> >> >> any errors.
> >> >>
> >> >> When the server was in a workgroup, the local policy was applied.
> >> >> However, once I joined the domain Userenv 1000 errors started
> >> >> appearing again.
> >> >>
> >> >> Thanks for the help!
> >> >>
> >> >> >-----Original Message-----
> >> >> >see if there is a duplicate name, IP, or SID on the network
> >> >> >
> >> >> >--
> >> >> >Derek Melber
> >> >> >BrainCore.Net
> >> >> >derekm@braincore.net
> >> >> ><anonymous@discussions.microsoft.com> wrote in message
> >> >> >news:786201c4310f$c0dac610$a301280a@phx.gbl...
> >> >> >> This just keeps getting better...
> >> >> >>
> >> >> >> To answer Ken, there are no hosts and lmhosts file; good
> >> >> >> thought though!
> >> >> >>
> >> >> >> To answer Derek, I have not seen any Deny's in the ACLs.
> >> >> >>
> >> >> >> An interesting development. Friday night, the description
> >> >> >> changed for the Userenv 1000 error to read: "Windows cannot
> >> >> >> determine the user or computer name. Return value (1326)."
> >> >> >>
> >> >> >> So, I removed the server from the domain, and rejoined it.
> >> >> >> Once I rebooted after the rejoin, EventID 1704 (SceCli) was
> >> >> >> logged telling me the security policy in the Group Policy
> >> >> >> objects are applied successfully. :-0
> >> >> >>
> >> >> >> But wait, 7 minutes later, I am back to square one with
> >> >> >> Userenv 1000 again telling me ...Windows cannot query...
> >> >> >>
> >> >> >> Arrrgh!
> >> >> >>
> >> >> >> >-----Original Message-----
> >> >> >> >do you have any denies on the ACL?
> >> >> >> >
> >> >> >> >--
> >> >> >> >Derek Melber
> >> >> >> >BrainCore.Net
> >> >> >> >derekm@braincore.net
> >> >> >> ><anonymous@discussions.microsoft.com> wrote in message
> >> >> >> >news:6a2901c42ebf$e3306f50$a501280a@phx.gbl...
> >> >> >> >> That's what makes it all the more interesting... This
> >> >> >> >> server points to the exact same DNS as the others.
> >> >> >> >>
> >> >> >> >> For kicks, I even explicitly gave the computer object read
> >> >> >> >> and apply group policy 'allow' rights on the GPO and
> >> >> >> >> nothing.
> >> >> >> >>
> >> >> >> >> :-(
> >> >> >> >>
> >> >> >> >> >-----Original Message-----
> >> >> >> >> >This almost sounds like a DNS issue... is this server set
> >> >> >> >> >up the same as the others, with regards to DNS?
> >> >> >> >> >
> >> >> >> >> >>-----Original Message-----
> >> >> >> >> >>I have a Win2K Ad Srvr (w/SP4) that does not apply any
> >> >> >> >> >>GPO settings, local and/or domain level. The computer
> >> >> >> >> >>object resides in the built-in 'computers' container, so
> >> >> >> >> >>only the local and Default-Domain Policies should apply.
> >> >> >> >> >>
> >> >> >> >> >>When I run the
> >> >> >> >> >>'secedit /refreshpolicy machine_policy /enforce' command,
> >> >> >> >> >>I get an SRV 2000 error in the event log:
> >> >> >> >> >>
> >> >> >> >> >>Source: Userenv
> >> >> >> >> >>Category: None
> >> >> >> >> >>Event ID: 1000
> >> >> >> >> >>User: NT Authority\System
> >> >> >> >> >>Description:
> >> >> >> >> >>Windows cannot query for the list of Group Policy
> >> >> >> >> >>objects. A message that describes the reason for this
> >> >> >> >> >>was previously logged by this computer.
> >> >> >> >> >>
> >> >> >> >> >>It seems that the server has an old version of the
> >> >> >> >> >>policies (having run gpresult), but the new versions
> >> >> >> >> >>never get applied. I have checked and the 'disable
> >> >> >> >> >>computer/user configuration settings' are cleared.
> >> >> >> >> >>
> >> >> >> >> >>I have 20 other servers in the 'computers' container and
> >> >> >> >> >>only this one gives me this problem, so I suspect it is
> >> >> >> >> >>something local.
> >> >> >> >> >>
> >> >> >> >> >>I am at my wits' end. Please help :-0
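
Added example, not part of the thread or of either poster's messages: a PowerShell sketch that repeats the thread's SRV-record check and then tests whether each domain controller behind those records is reachable for Group Policy processing. It uses cmdlets from current Windows versions rather than the Windows 2000 tools named in the thread, and 'corp.example.com' is a placeholder domain.

```powershell
# Added example; run from the affected domain member in an elevated session.
param(
    [string]$Domain = 'corp.example.com'   # placeholder, not from the thread
)

# DC locator SRV record a domain member queries to find a domain controller.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"

try {
    # Keep only SRV answers; the response can also carry A records.
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
} catch {
    Write-Warning "SRV lookup for $srvName failed: $($_.Exception.Message)"
    return
}

$results = foreach ($rec in $srv) {
    $dc = $rec.NameTarget
    # The GPO list is read over LDAP (389); policy files come from SYSVOL over SMB (445).
    $ldap = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
    $smb  = Test-NetConnection -ComputerName $dc -Port 445 -WarningAction SilentlyContinue
    [pscustomobject]@{
        DomainController = $dc
        Address          = $ldap.RemoteAddress
        Ldap389          = $ldap.TcpTestSucceeded
        Smb445           = $smb.TcpTestSucceeded
        SysvolReadable   = Test-Path "\\$dc\SYSVOL\$Domain\Policies"
    }
}
$results | Format-Table -AutoSize

# Extra check that the thread does not mention: verify the machine account's
# trust relationship with its domain, since a rejoin briefly restored policy.
try {
    $ok = Test-ComputerSecureChannel -ErrorAction Stop
    "Secure channel to this computer's domain healthy: $ok"
} catch {
    Write-Warning "Secure channel test failed: $($_.Exception.Message)"
}
```

A controller that resolves through the SRV record but fails the LDAP, SMB or SYSVOL column is worth examining even when nslookup reports the records as present.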