Re: Group policy - Inconsitent results depending of the Domain Controller

From: Mark Renoden [MSFT] (markreno_at_online.microsoft.com)
Date: 10/10/04

  • Next message: carollgarden girls: "Thank you" 
    Date: Mon, 11 Oct 2004 08:06:29 +1000

    Hi

    It's still worth looking at turning off the DC that appears to be bad and
    have clients log on against the good server. You might have an issue
    with some clients in that they aren't actually logging onto the domain but
    instead using cached credentials and using old policy. Might be a
    networking or name resolution problem at the clients themselves.

    You could also look at user environment debug logging to understand what's
    happening:

    221833 How to enable user environment debug logging in retail builds of
    Windows
    http://support.microsoft.com/?id=221833

    Kind regards 

    -- 
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email 
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Francisco Monge" <fmonge@canadadirect.ca> wrote in message 
news:e%23t2TjWrEHA.3512@tk2msftngp13.phx.gbl...
>I have run the gpotool and it seems that everthing is ok in both DC.  I 
>also checked physically the GP in SYSVOL, and they are exactly the same on 
>both DC, which discards a replication problem.  Both DC are in the same 
>Site.
>
> I ran the Dcgpofix utility in order to restore the default domain policy 
> and default domain controllers policy to their original state after 
> installation, but the inconsistent behaviour of the GP remains: I modified 
> the "default domain policy", but when I ran the simulation on both DC, 
> each one gave different results.
>
> Francisco Monge
>
> "Mark Renoden [MSFT]" <markreno@online.microsoft.com> a écrit dans le 
> message de news: %23nDJauNrEHA.3252@TK2MSFTNGP14.phx.gbl...
>> Hi
>>
>> If you download the resource kit tool gpotool.exe, you can have it query 
>> each DC and compare GPO's to see if that's where the inconsistency is:
>>
>>    gpotool /verbose
>>
>> If that is where the problem lies, you've most likely got a replication 
>> issue.
>>
>> If that isn't where the problem lies, turn off the DC that appears to be 
>> bad and have clients log on against the good server.  You might have an 
>> issue with some clients in that they aren't actually logging onto the 
>> domain but instead using cached credentials and using old policy.  Might 
>> be a networking or name resolution problem at the clients themselves.
>>
>> Kind regards
>> -- 
>> Mark Renoden [MSFT]
>> Windows Platform Support Team
>> Email: markreno@online.microsoft.com
>>
>> Please note you'll need to strip ".online" from my email address to email 
>> me; I'll post a response back to the group.
>>
>> This posting is provided "AS IS" with no warranties, and confers no 
>> rights.
>>
>> "Francisco Monge" <fmonge@canadadirect.ca> wrote in message 
>> news:e1up7CLrEHA.4004@TK2MSFTNGP10.phx.gbl...
>>>I have 2 DC in my domain running Windows 2003 and I'm having inconsistent 
>>>results with "Group policies".
>>>
>>> I have modified the "default domain policy" to activate the Account 
>>> Policies/Password Policy (password history, password lenght, maximum 
>>> password age) for the whole domain and the changes are not taking effect 
>>> on the domain computers.
>>>
>>> I used the Group Policy Management Console to simulate the results of 
>>> the policy (Group Policy Modeling Wizard) and I notice that the results 
>>> depends on which DC is used for the simulation.  I also notice that if I 
>>> dont specify whitch DC use (process the simulation on any available 
>>> domain controller), it will not work.  I also notice that this only 
>>> affects the "Computer Configuration" and not the "User Configuration". 
>>> I've check GPO status and it's Enable (Computer and User configuration) 
>>> and the revision number for the Group Policy is the same for both 
>>> simulations (AD (61), Sysvol (61)).
>>>
>>> There is no blocking heritance anywhere or override GP.
>>>
>>> Does someone have an idea what can be wrong?
>>>
>>> Thank you
>>>
>>> Francisco Monge
>>>
>>>
>>
>>
>
>
  • Next message: carollgarden girls: "Thank you"

    Relevant Pages

    • Re: Prevented from adding users
      ... but disabling will allow the clients to make a ... connection without the (there is a policy in affect...) message. ... setting I should configure my print server name? ... This policy setting restricts the servers that a client can ...
      (microsoft.public.windowsxp.print_fax)
    • RE: Assigning New IPSec Policy to terminal server
      ... When I said 'link to this OU', I exactly mean 'apply Group Policy to this ... For TS server, we can define a OU named TS and put the TS server account ... in order to secure the communication between clients and Terminal ...
      (microsoft.public.windows.terminal_services)
    • RE: Assigning New IPSec Policy to terminal server
      ... the TS requests for security" I right click the Client (Respon Only) and ... changes the IPSec policy to NO for "Policy Assigned" it seems like I cannot ... When I said 'link to this OU', I exactly mean 'apply Group Policy to this ... in order to secure the communication between clients and Terminal ...
      (microsoft.public.windows.terminal_services)
    • Re: Multiple hosts with same IP address
      ... DNS" option on clients using group policy and if so what is that ... policy and where should I configure this? ... You could use a GPO, BUT, you'll need to create a new OU for DHCP Clients ...
      (microsoft.public.windows.server.dns)
    • Re: Prevented from adding users
      ... the error message only appears on our Windows XP pro clients. ... "A policy is in effect on your computer which prevents you from connecting ... and print restrictions" to disabled to allow connecting to any server. ... The policy setting applies only to non Print ...
      (microsoft.public.windowsxp.print_fax)