Re: Hang @ Applying Computer Settings/Applying Your Personal Setti

Steve :)

Below is the info you requested. I also ran NETDIAG, DCDIAG and GPOTOOL on
each DC and they came back with all Passed or Policy OK. The only exception
is a Kerberos ticket error on one DC. Based on what I'm reading though,
since it looks like I have a ad40dc1 ticket and no auth problems or Alert
Manager entries, this is just a bug in NETDIAG. If I'm wrong on that, please
let me know.

Thanks!

IPCONFIG /ALL from working PC
__________________________


Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : KOVACS
Primary DNS Suffix . . . . . . . : woolpertinc.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : woolpertinc.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : woolpertinc.local
Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet
Controller (3C905C-TX Compatible)
Physical Address. . . . . . . . . : 00-0B-DB-15-31-6C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.165.115
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.165.1
DHCP Server . . . . . . . . . . . : 172.22.85.66
DNS Servers . . . . . . . . . . . : 172.22.85.66
172.22.85.197
Primary WINS Server . . . . . . . : 172.22.85.66
Secondary WINS Server . . . . . . : 172.22.85.197
Lease Obtained. . . . . . . . . . : Tuesday, October 11, 2005 1:43:55 PM
Lease Expires . . . . . . . . . . : Thursday, November 10, 2005 1:43:55 PM

IPCONFIG /ALL from problem PC
___________________________


Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : EVANSM
Primary DNS Suffix . . . . . . . : woolpertinc.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : woolpertinc.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : woolpertinc.local
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit
Controller
Physical Address. . . . . . . . . : 00-12-3F-DE-81-A1
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.165.108
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.165.1
DHCP Server . . . . . . . . . . . : 172.22.85.66
DNS Servers . . . . . . . . . . . : 172.22.85.66
172.22.85.197
Primary WINS Server . . . . . . . : 172.22.85.66
Secondary WINS Server . . . . . . : 172.22.85.197
Lease Obtained. . . . . . . . . . : Wednesday, October 12, 2005 12:40:55 PM
Lease Expires . . . . . . . . . . : Friday, November 11, 2005 12:40:55 PM


NSLOOKUP to both DCs on both PCs returns
________________________________________

C:\>nslookup woolpertinc.local
Server: ad40dc1.woolpertinc.local
Address: 172.22.85.66

Name: woolpertinc.local
Addresses: 172.22.85.66, 172.22.85.197


C:\>nslookup woolpertinc.local
Server: ForestDnsZones.woolpertinc.local
Address: 172.22.85.66

Name: woolpertinc.local
Addresses: 172.22.85.197, 172.22.85.66


C:\>nslookup woolpertinc.local
Server: DomainDnsZones.woolpertinc.local
Address: 172.22.85.66

Name: woolpertinc.local
Addresses: 172.22.85.66, 172.22.85.197


SERVICES on both PCs
____________________

There are not services running on either machine that aren't running on
other machines either having the issue or not having the issue.


SECURITY OPTIONS in GP on both PCs
__________________________________

Same settings


IPSEC SECURITY POLICIES in GP on both PCs
_________________________________________

None


PING results on both PCs
________________________

C:\>ping ad40dc1

Pinging ad40dc1.woolpertinc.local [172.22.85.66] with 32 bytes of data:

Reply from 172.22.85.66: bytes=32 time=20ms TTL=126
Reply from 172.22.85.66: bytes=32 time=10ms TTL=126
Reply from 172.22.85.66: bytes=32 time=10ms TTL=126
Reply from 172.22.85.66: bytes=32 time=10ms TTL=126

Ping statistics for 172.22.85.66:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 10ms, Maximum = 20ms, Average = 12ms

C:\>ping ad40dc2

Pinging ad40dc2.woolpertinc.local [172.22.85.197] with 32 bytes of data:

Reply from 172.22.85.197: bytes=32 time=30ms TTL=126
Reply from 172.22.85.197: bytes=32 time=10ms TTL=126
Reply from 172.22.85.197: bytes=32 time=10ms TTL=126
Reply from 172.22.85.197: bytes=32 time=10ms TTL=126

Ping statistics for 172.22.85.197:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 10ms, Maximum = 30ms, Average = 15ms


SYSVOL access from both PCs
___________________________

Both can access \\woolpertinc.local\sysvol\Woolpertinc.local\Policies and
all subdirs and files


GPRESULT from problem PC
________________________

>>> NOTE <<< Have spot-checked three other working and three other problem PCs and there are ones on both sides getting policies from either DC.

Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Wednesday, October 12, 2005 at 2:00:29 PM


Operating System Information:

Operating System Type: Professional
Operating System Version: 5.0.2195.Service Pack 4
Terminal Server Mode: Not supported

###############################################################

User Group Policy results for:

CN=Kovacs,OU=Users,OU=Migrated Objects,DC=Woolpertinc,DC=local

Domain Name: WOOLPERTINC
Domain Type: Windows 2000
Site Name: Default-First-Site-Name

Roaming profile: (None)
Local profile: C:\Documents and Settings\kovacs

The user is a member of the following security groups:

WOOLPERTINC\Domain Users
\Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
WOOLPERTINC\SD
WOOLPERTINC\SD
WOOLPERTINC\Kovacs


###############################################################

Last time Group Policy was applied: Wednesday, October 12, 2005 at 1:50:58 PM
Group Policy was applied from: ad40dc1.Woolpertinc.local


===============================================================


The user received "Registry" settings from these GPOs:

Default User Policy


===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:

IE Preferences Policy
Default User Policy



###############################################################

Computer Group Policy results for:

CN=EVANSM,OU=Computers,OU=Migrated Objects,DC=Woolpertinc,DC=local

Domain Name: WOOLPERTINC
Domain Type: Windows 2000
Site Name: Default-First-Site-Name


The computer is a member of the following security groups:

BUILTIN\Administrators
\Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
WOOLPERTINC\EVANSM$
WOOLPERTINC\Domain Computers

###############################################################

Last time Group Policy was applied: Wednesday, October 12, 2005 at 1:48:00 PM
Group Policy was applied from: ad40dc1.Woolpertinc.local


===============================================================


The computer received "Registry" settings from these GPOs:

Default Computer Policy


===============================================================
The computer received "Microsoft Disk Quota" settings from these GPOs:

Default Computer Policy


===============================================================
The computer received "Security" settings from these GPOs:

Local Group Policy
Default Computer Policy


GPRESULT from working PC
________________________


Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Wednesday, October 12, 2005 at 2:00:43 PM


Operating System Information:

Operating System Type: Professional
Operating System Version: 5.0.2195.Service Pack 4
Terminal Server Mode: Not supported

###############################################################

User Group Policy results for:

CN=Kovacs,OU=Users,OU=Migrated Objects,DC=Woolpertinc,DC=local

Domain Name: WOOLPERTINC
Domain Type: Windows 2000
Site Name: Default-First-Site-Name

Roaming profile: (None)
Local profile: C:\Documents and Settings\Kovacs

The user is a member of the following security groups:

WOOLPERTINC\Domain Users
\Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
WOOLPERTINC\SD
WOOLPERTINC\SD
WOOLPERTINC\Kovacs


###############################################################

Last time Group Policy was applied: Wednesday, October 12, 2005 at 12:19:39 PM
Group Policy was applied from: ad40dc2.Woolpertinc.local


===============================================================


The user received "Registry" settings from these GPOs:

Default User Policy


===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:

IE Preferences Policy
Default User Policy



###############################################################

Computer Group Policy results for:

CN=KOVACS,OU=Computers,OU=Migrated Objects,DC=Woolpertinc,DC=local

Domain Name: WOOLPERTINC
Domain Type: Windows 2000
Site Name: Default-First-Site-Name


The computer is a member of the following security groups:

BUILTIN\Administrators
\Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
WOOLPERTINC\KOVACS$
WOOLPERTINC\Domain Computers

###############################################################

Last time Group Policy was applied: Wednesday, October 12, 2005 at 12:39:50 PM
Group Policy was applied from: ad40dc2.Woolpertinc.local


===============================================================


The computer received "Registry" settings from these GPOs:

Default Computer Policy


===============================================================
The computer received "Microsoft Disk Quota" settings from these GPOs:

Default Computer Policy


===============================================================
The computer received "Security" settings from these GPOs:

Local Group Policy
Default Computer Policy



"Steven L Umbach" wrote:

> That sounds like a difficult problem to troubleshoot.
>
> You may have done much or all of this already but here is what I would do. I
> would run the support tool netdiag on one or two of the troubled computers
> and make sure their tcp/ip config is identical with the other computers that
> work well as far as preferred dns servers including the order they are in
> and then use nslookup to verify that the domain name [mydomain.com] resolves
> to the correct IP addresses of the domain controllers. Then I would check
> the services via services.msc and security options in Local Security Policy
> comparing a problem computer to a known good configuration to see if there
> are any discrepancies that you would want to fix and to see if an ipsec
> policy is assigned.
>
> I would verify that a problem computer can ping both domain controllers by
> name and IP address and that it can access the sysvol share and drill down
> to the folder where the Group Policy folder exists to the reg.pol files for
> user and machine on both domain controllers which should show in My Network
> Places. Gpresult could be used to see what domain controller is used to
> apply Group Policy and may be interesting to see if the same domain
> controller is used in cases where the hang happens and when not when the
> computer/user is in a different OU and that it is the same domain controller
> that at least some of the other computers are using. I would also run
> netdiag, dcdiag, and gpotool on the two domain controllers just to make sure
> all looks well with them and replication of Group Policy. If nothing seems
> to help out of desperation I would unjoin one problem computer from the
> domain and join it to the domain again to see what happens. --- Steve
>
>
>
> "Woolpert" <alert.manager@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:B1538E2C-8C87-4B48-9FFC-7B486188BF4A@xxxxxxxxxxxxxxxx
> > We have about 800 PCs across 25 offices. All are applying policies fine
> > and
> > very quickly except for about 20. Those 20 were set up all at once due to
> > an
> > acquisition and clones of the first one that was set up. We have a
> > standard
> > config image that is used to build up all of our machines, but for these
> > 20,
> > we used that image to build up one system, sysprep'd it and created an
> > image
> > which we cloned the remaining systems from. I'm pretty sure something
> > went
> > wrong in that process but I can't figure out what that would cause these
> > 20
> > machines, regardless of which office they are in, to take minutes
> > (sometimes
> > up to 7 or 8) to get past the 'Applying Computer Settings' and also the
> > 'Applying Your Personal Settings'.
> >
> > In my troubleshooting so far, I've:
> >
> > * Checked the Event Viewer and no SceCli or UserEnv errors
> > * Enabled UserEnv verbose logging and can see it taking minutes to process
> > the registry portion of the policies
> > * Moved machines from one office to another, both working and problem
> > machines. The ones that work, work everywhere and the ones that have
> > problems
> > have problems everywhere
> > * Moved their user and computer objects to an OU that doesn't have
> > policies
> > being applied and they do not hang at either message
> > * Created a new policy in that OU that had nothing set and they do not
> > hang
> > at either message
> > * All computer and user objects across our network are running the same
> > policies from the same two DCs
> >
> > I'm at a loss as to what to check next. Thanks for any info or direction
> > you can provide.
>
>
>
.

Relevant Pages

  • Re: Parts of GPO not working.
    ... If your users use other browsers like firefox from an usb stick/drive or whatever medium your policy will not help. ... I have a request that all of those computers not have Internet ... The settings in this GPO can only apply to the following groups, ... Group Policy refresh interval for computers Enabled ...
    (microsoft.public.windows.server.active_directory)
  • Re: At this point, Im wondering if GPOs even work?
    ... what is set in a policy does not bubble up into the user interface. ... Pop-up Blocker" box on one and checked it on the other. ... ensured no GPOs nor local policy were superseding my Test GPO ... Config (so why do these settings even exist in Computer Config if they ...
    (microsoft.public.windows.group_policy)
  • Parts of GPO not working.
    ... I have a request that all of those computers not have Internet ... The settings in this GPO can only apply to the following groups, ... Group Policy refresh interval for computers Enabled ...
    (microsoft.public.windows.server.active_directory)
  • Re: Changes to default Group Policy
    ... I am already using GPMC to manage GPOs. ... Policy and Default Domain Controllers Policy was first created? ... settings, I find comparing manually to be very time consuming. ... if there was a tool that I could use that would compare the default policies ...
    (microsoft.public.windows.group_policy)
  • Re: WMI missing security settings
    ... I believe the RSoP_x WMI settings will only account for the group ... security policy instead of the local policy. ... "Using SECEDIT to Force a Group Policy Refresh Immediately" ... Technically speaking, the items under "Security ...
    (microsoft.public.platformsdk.security)
Loading