Re: Path Rules - Enabled Paths sometime are restricted

Ok. I think we have it figured out. GPOtool said there were inconsistent
GPOs in the org. I used Replmon to see if repplication was working. No
errors found. So I created the file CreatedonMaster.txt and put in the
sysvol on our global catalog server. I checked the sysvol on all other
servers to see if it got there and it did not replicate to SKIP.

After careful review of the replication logs in event viewer on Skip, I found:

The File Replication Service has detected that the replica set "DOMAIN
SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

This was preventing replication. The fix to that is to re-initialize
replication which I found at

http://support.microsoft.com/kb/290762/

With replication restored, GpoTool said all GPO are now consistent on all
DC...

It looks like this fixed it and are simply waiting to see if it comes up
again.

Thanks for the help!

Kirk Miller





"Steven Umbach" wrote:

> Check to see if SRP are configured on any other Group Policy including locally
> on the computer in question. Keep in mind that SRP can be configured for user or
> computer configuration so you will have to check both places in each GPO.I have
> never seen what you describe and the only thing I can think of is that SRP is
> configured in more than one Group Policy and for some reason the policy
> application is not inconsistent. When you run RSOP again and if you see that the
> line is missing check to see if it shows what Group Policy applied the SRP
> settings. The support tool gpresult will also show all the current Group
> Policies that apply to a computer/user and that info may also help. Gpotool is
> also helpful in checking consistency of Group Policy replication and for
> mismatches between sysvol and AD. --- Steve
>
>
>
> "Kirk Miller" <UCanSendemailtothefollowing-kirk@xxxxxxxxx> wrote in message
> news:9D55A3FB-2376-4A5E-BAEA-11A685EF4CCA@xxxxxxxxxxxxxxxx
> > Thanks for the info! We had the problem crop up again today on a users
> > machine I ran netdiag and dcdiag. Both showed no problems on the network and
> > all DC were as expected and DNS records were good. We manage our own DNS and
> > run all XP SP2 with Microsoft Update installed on a 2003 native network.
> >
> > We ran rsop on the client machine and the following path exception was
> > missing:
> >
> > C:\Program Files\Quest Technologies\QuestSuite Professional
> >
> > The exact order of the path rules on the server include the following
> >
> > C:\Program Files\QuarkXPress Passport
> > C:\Program Files\Quest Technologies\QuestSuite Professional
> > c:\Program Files\QUICKEN
> >
> > The path in front and behind were both present on the client.
> >
> > According to gpresult, the proper policy was applied and came from our
> > domain controler named SKIP. I looked on Skip and all three lines above are
> > in the policy and it was added to the policy on aug 25. This path was
> > working this morning at 8 am.
> >
> > The user said he worked in the program most of the day and closed it. When
> > he re-opened it, he received the denied error.
> >
> > What else can I check? Why would this one path be left out of the policy?
> > Does XP store the path rules that are currently being used... and when the
> > policy gets refreshed (we refresh once per hour) it conflicts? Any thoughts
> > or other ideas we should check?
> >
> > Machine is
> >
> >
> >
> >
> >
> > "Steven L Umbach" wrote:
> >
> > > Next time that it happens try running the Resultant Set of Policy mmc snapin
> > > on that computer and check to see if the rules for SRP are coming from the
> > > GPO you expect. You also could use the support tool gpresult to do much of
> > > the same and it will also show the last time that GP was applied and from
> > > what domain controller. Also look in Event Viewer system and application
> > > logs to see if anything helpful is reported there and run the support tool
> > > netdiag to see if any problems are found with dns, dc discovery, or
> > > trust/secure channel. Since you are experiencing problems with inconsistent
> > > application of Group Policy I would also run netdiag, dcdiag, and gpotool on
> > > your domain controllers and verify that dns is correct for your domain per
> > > the link below. Make sure that you NEVER list an ISP dns server as a
> > > preferred dns server for any domain computer. The support tools are on the
> > > install disk in the support/tools folder where you run the setup program
> > > there to install them as a group. --- Steve
> > >
> > > http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- DNS
> > > FAQ for Active Directory
> > >
> > > "Kirk Miller" <UCanSendemailtothefollowing-kirk@xxxxxxxxx> wrote in message
> > > news:1F9210A5-286A-4716-8DBA-ABE8EA4949BB@xxxxxxxxxxxxxxxx
> > > >I have a problem where programs which are enabled via Path rules sometimes
> > > > will still be blocked. The paths are correct and work 80% of the time,
> > > > but
> > > > sometimes you will click and receive the restricted message. Somtimes it
> > > > happens to IE, sometimes to an FTP program, sometimes something else.
> > > > Doing
> > > > a GPUpdate/force/reboot solves the problem.... but it might crop up later.
> > > >
> > > > I have seen this problem on both 16 bit and 32 bit applicatiosns. What
> > > > should I look for?
> > > >
> > > > Thanks!
> > >
> > >
> > >
>
>
>
.

Relevant Pages

  • Re: Exception the Group Policy Applies
    ... > I have 20 sites and have default domain policy named disable run. ... You indicated Domain policy which means it isn't related to sites. ... Perhaps replication of the policy or setting is NOT occuring to the ... In fact the most like reasons end up back at DNS. ...
    (microsoft.public.windows.server.active_directory)
  • Upgrade AD issues
    ... Opened local system policy on ServerA to "Authenticated ... The File Replication Service is having ... >>Registration of DNS ...
    (microsoft.public.win2000.active_directory)
  • Re: New GPO Not Recognized by Clients
    ... Running replmon--searching DC's for replication failures yielded no failures. ... SYSVOL portion of the GPO is not replicating to those DCs. ... Script Group Policy Settings with the GPExpert Scripting Toolkit for ... Friendly name: TIS Staff Policy ...
    (microsoft.public.windows.server.active_directory)
  • Re: gp error
    ... PASS - All the DNS entries for DC are registered on DNS server ... Starting test: CrossRefValidation ... Friendly name: Default Domain Policy ... Friendly name: New Group Policy Object ...
    (microsoft.public.windows.group_policy)
  • Re: GPO applies to one user and not to another ??
    ... Then check your dns configuration to make sure that ... probably the cause of ninety percent of Group Policy problems. ... A new user added to this GPO does not apply the GPO when ... > The Folder redirection policy is not enabled. ...
    (microsoft.public.win2000.group_policy)