Re: Group Policies have stopped working.
From: Chris Murdoch (chris_murdoch_at_hotmail.com)
Date: 09/01/04
- Next message: Frank Drebin: "Re: Controlling access to USB ports in Windows 2000 and XP"
- Previous message: Mark Renoden [MSFT]: "Re: msi package installation problems"
- In reply to: Chris Murdoch: "Group Policies have stopped working."
- Messages sorted by: [ date ] [ thread ]
Date: 1 Sep 2004 16:55:10 -0700
chris_murdoch@hotmail.com (Chris Murdoch) wrote in message news:<7c7cac29.0409011005.66859c8d@posting.google.com>...
> Hi
>
> We've had Group Policies running for well over a year here with little
> or no problems.
> This week with no warning, one of our most important group policies
> stopped working.
>
> I ran gpresult, and here is an excerpt:
>
> RSOP results for SILVACOCORP\chrism on WILLOW : Logging Mode
> -------------------------------------------------------------
>
> OS Type: Microsoft Windows XP Professional
> OS Configuration: Member Workstation
> OS Version: 5.1.2600
> Domain Name: SILVACOCORP
> Domain Type: Windows 2000
> Site Name: CA
> Roaming Profile:
> Local Profile: C:\Documents and Settings\chrism
> Connected over a slow link?: No
>
> COMPUTER SETTINGS
> ------------------
> CN=WILLOW,OU=Workstations,OU=USA,DC=silvacocorp,DC=com
> Last time Group Policy was applied: 8/31/2004 at 2:22:47 PM
> Group Policy was applied from: washington.silvacocorp.com
> Group Policy slow link threshold: 500 kbps
>
> Applied Group Policy Objects
> -----------------------------
> CA Group Policy
> CA - Update Patches on AE PC's
> Registry Update Test
>
> The following GPOs were not applied because they were filtered out
> -------------------------------------------------------------------
> MA - Update Patches on Admin PC's
> Filtering: Not Applied (Empty)
>
> AZ Group Policy
> Filtering: Not Applied (Empty)
>
> Basic Group Policy for Silvaco
> Filtering: Not Applied (Unknown Reason)
>
> Allow Access to Screen Resolution
> Filtering: Not Applied (Empty)
>
> Default Domain Policy
> Filtering: Denied (Security)
>
> Allow Access to C Drive
> Filtering: Not Applied (Empty)
>
> Update Patches on Developer PC's
> Filtering: Not Applied (Empty)
>
> Software Distribution - QT Plugin
> Filtering: Not Applied (Unknown Reason)
>
>
> The main policy is the "Basic Group Policy for Silvaco" Policy which
> is not applied for an 'Unknown Reason'
> As you can see I also had an old policy "Software Distribution - QT
> Plugin" which had the same problem.
> I deleted this policy, and even now, 2 days later, it still shows in
> gpresult.
> It almost seems like the policies have been cached, (or I have no
> access to them)
>
> I created 2 new policies for testing, and neither of them even appear
> in the gpresult list, except on servers.
>
> I ran gpotool, and I couldn't see any problems in there - the policies
> all seem to be replicating to all our domain controllers fine.
>
> As far as I know, DNS is working well...
>
> Here is an ipconfig from my machine (which is only one of the machines
> that this is happening on):
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : willow
> Primary Dns Suffix . . . . . . . : silvacocorp.com
> Node Type . . . . . . . . . . . . : Unknown
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : silvacocorp.com
> silvaco.com
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : 3Com 3C920B-EMB Integrated
> Fast Ethernet Controller
> Physical Address. . . . . . . . . : 00-E0-18-F0-B6-91
> Dhcp Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 10.1.11.23
> Subnet Mask . . . . . . . . . . . : 255.255.0.0
> Default Gateway . . . . . . . . . : 10.1.1.1
> DNS Servers . . . . . . . . . . . : 10.1.15.200
> 10.1.15.201
>
> I have also enabled verbose logging per Q221833.
>
> I get the following errors in the log:
> USERENV(df4.f6c) 09:52:08:937 ImpersonateUser: Failed to impersonate
> user with 5.
> USERENV(df4.f6c) 09:52:08:937 GetUserNameAndDomain Failed to
> impersonate user
>
>
> To all intents and purposes this looks to me like some sort of
> permissions problem, but I can't figure out what.
>
> To make things slightly more complicated, the Group Policies work on
> all our Servers everywhere - just not our workstations.
>
> The policy "Basic Group Policy for Silvaco" is a policy at the top
> level of the domain and should apply to all users and computer in the
> domain.
>
> My AD is split geographically with a US container with seperate Users
> and Computers containers below the US container (which is right off
> the top level).
> There is also a EU container with seperate Users and Computers
> containers below the EU container (which is right off the top level).
>
> eg
>
> silvacocorp
> us
> users
> computers
> eu
> users
> computers
>
> Strangely, computers in the EU get the policy with no problems.
>
> I checked the Links Tab on the group policy, and it reckons that it's
> looking at the domain as a whole.
>
>
>
> Ideas anyone ?
>
> regards
> Chris
Please disregard this post - I've actually got this working now.
For some reason one of the containers had block inheritance ticked.
Somehow this must have got done by mistake. Took me a while to figure it out tho :)
Chris
- Next message: Frank Drebin: "Re: Controlling access to USB ports in Windows 2000 and XP"
- Previous message: Mark Renoden [MSFT]: "Re: msi package installation problems"
- In reply to: Chris Murdoch: "Group Policies have stopped working."
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
