Group Policies have stopped working.

From: Chris Murdoch (chris_murdoch_at_hotmail.com)
Date: 09/01/04

• Next message: news.birch.net: "Installing applications"
• Previous message: Mike Towan: "Password Policy GPO in Windows 2003"
• Next in thread: jabrandt_at_online.microsoft.com: "Re: Group Policies have stopped working."
• Reply: jabrandt_at_online.microsoft.com: "Re: Group Policies have stopped working."
• Reply: Chris Murdoch: "Re: Group Policies have stopped working."
• Messages sorted by: [ date ] [ thread ]

Date: 1 Sep 2004 11:05:19 -0700

Hi

We've had Group Policies running for well over a year here with little
or no problems.
This week with no warning, one of our most important group policies
stopped working.

I ran gpresult, and here is an excerpt:

RSOP results for SILVACOCORP\chrism on WILLOW : Logging Mode
-------------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: SILVACOCORP
Domain Type: Windows 2000
Site Name: CA
Roaming Profile:
Local Profile: C:\Documents and Settings\chrism
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    CN=WILLOW,OU=Workstations,OU=USA,DC=silvacocorp,DC=com
    Last time Group Policy was applied: 8/31/2004 at 2:22:47 PM
    Group Policy was applied from: washington.silvacocorp.com
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
        CA Group Policy
        CA - Update Patches on AE PC's
        Registry Update Test

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        MA - Update Patches on Admin PC's
            Filtering: Not Applied (Empty)

        AZ Group Policy
            Filtering: Not Applied (Empty)

        Basic Group Policy for Silvaco
            Filtering: Not Applied (Unknown Reason)

        Allow Access to Screen Resolution
            Filtering: Not Applied (Empty)

        Default Domain Policy
            Filtering: Denied (Security)

        Allow Access to C Drive
            Filtering: Not Applied (Empty)

        Update Patches on Developer PC's
            Filtering: Not Applied (Empty)

        Software Distribution - QT Plugin
            Filtering: Not Applied (Unknown Reason)

The main policy is the "Basic Group Policy for Silvaco" Policy which
is not applied for an 'Unknown Reason'
As you can see I also had an old policy "Software Distribution - QT
Plugin" which had the same problem.
I deleted this policy, and even now, 2 days later, it still shows in
gpresult.
It almost seems like the policies have been cached, (or I have no
access to them)

I created 2 new policies for testing, and neither of them even appear
in the gpresult list, except on servers.

I ran gpotool, and I couldn't see any problems in there - the policies
all seem to be replicating to all our domain controllers fine.

As far as I know, DNS is working well...

Here is an ipconfig from my machine (which is only one of the machines
that this is happening on):

Windows IP Configuration

        Host Name . . . . . . . . . . . . : willow
        Primary Dns Suffix . . . . . . . : silvacocorp.com
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : silvacocorp.com
                                            silvaco.com
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : 3Com 3C920B-EMB Integrated
           Fast Ethernet Controller
        Physical Address. . . . . . . . . : 00-E0-18-F0-B6-91
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.1.11.23
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 10.1.1.1
        DNS Servers . . . . . . . . . . . : 10.1.15.200
                                            10.1.15.201

I have also enabled verbose logging per Q221833.

I get the following errors in the log:
USERENV(df4.f6c) 09:52:08:937 ImpersonateUser: Failed to impersonate
user with 5.
USERENV(df4.f6c) 09:52:08:937 GetUserNameAndDomain Failed to
impersonate user

To all intents and purposes this looks to me like some sort of
permissions problem, but I can't figure out what.

To make things slightly more complicated, the Group Policies work on
all our Servers everywhere - just not our workstations.

The policy "Basic Group Policy for Silvaco" is a policy at the top
level of the domain and should apply to all users and computer in the
domain.

My AD is split geographically with a US container with seperate Users
and Computers containers below the US container (which is right off
the top level).
There is also a EU container with seperate Users and Computers
containers below the EU container (which is right off the top level).

eg

silvacocorp
  us
    users
    computers
  eu
    users
    computers

Strangely, computers in the EU get the policy with no problems.

I checked the Links Tab on the group policy, and it reckons that it's
looking at the domain as a whole.

Ideas anyone ?

regards
Chris

• Next message: news.birch.net: "Installing applications"
• Previous message: Mike Towan: "Password Policy GPO in Windows 2003"
• Next in thread: jabrandt_at_online.microsoft.com: "Re: Group Policies have stopped working."
• Reply: jabrandt_at_online.microsoft.com: "Re: Group Policies have stopped working."
• Reply: Chris Murdoch: "Re: Group Policies have stopped working."
• Messages sorted by: [ date ] [ thread ]

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint