GPOs only applying once a day



Short problem description:
I have 1200 systems that are on 24/7 and rebooted once a day between 3 and
4am when an update script is run (I know, but it isn't my decision).
Policies typically (with few exceptions) apply
at that reboot. If a system is rebooted during the day, policies usually
don't apply (although some exceptions apply). Or if a system is rebooted at
11pm, the 3am reboot doesn't get policies applied. Basically, policies are
applied once a day. Any attempts made by rebooting the system beyond that
will not re-apply policies.

Long problem description:
I have policies blocked in an OU that contains roughly 1200 computers. I
apply a couple policies to that OU and to OUs beneath it. As I said above,
these systems get rebooted at least once a day, sometimes more depending on
the situation. The policies are only applied once a day, although I don't
know exactly the amount of time it waits until a reboot will finally apply
the policy. It could be 16 hours, for all I know.

If I make a change to a policy, save it, and then reboot the system, then
that policy will apply again as expected, but only the first time. After
that I have to wait until the next day for it to apply.

I've looked at the winlogon.log and see nothing relating to a failure. I've
turned on verbose logging for the userenv, too. In the userenv.log file, I
can compare one from a boot that applies the policy and one that does not
apply the policy. They are identical up until the line that policies begin
to apply. Then in the log that policies applied, you can see where things
are working. That portion just doesn't exist in the log where policies did
not apply. Once the policies have applied in the first, the next line in
the log picks up and continues just the same as in the second log. The
policy stuff just doesn't exist in the second. No warnings, errors,
failures, attempts...nothing. That segment of logging just isn't in the
second log. Along with that, there is nothing in the event log relating to
GP failures, either.

I see no policies that would make this happen, either. Is it possible I
have a corrupt policy set somewhere?

I'm at a loss and I have no idea where else I should be searching. Any
ideas on how I can trace this or if you know of any possible causes, I'd be
forever in your debt.

thanks,
Russ Oliver
Systems Programmer
Information Technology
University of Wyoming

