Re: Group policies show empty in Vista Event log



Thanks for the ideas Darren,

I have verified that the GP's are present and accounted for on all DC's. Replication seems to be chuggin along just fine. The only machines that are giving me any grief are my first two Vista machines to join my little domain. Not only that but on each restart of the Vista machine I have verified login server and taken note of which server is servicing the requests for GPO's. Approximately 80% of the time the server involved is the PDC emulator.

David

"Darren Mar-Elia" wrote:

Yes, they should assuming the default permissions are in place on that GPO.
That being said, the other option is that the client computers are using a
DC to process policy that has not yet received the GPO information for this
GPO. That is, when you make a change to a GPO, by default the change occurs
at the PDC emulator DC and replicates out from there. Clients on the network
will use their nearest DC, and if that DC has not yet received the change to
the GPO, they would report that GPO empty (assuming the change was the first
one after the GPO had been created). So, this could either be an issue of
not waiting long enough for the GPO change to propagate or having problems
with SYSVOL replication.

Darren

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy

*******************************
Secure and configure your Windows desktops accurately every time without
having to learn or install new technology.
Find out more about Desktop Policy Manager at
http://www.sdmsoftware.com/desktop_management
*******************************
"DP" <DP@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3CE5FD45-2B92-489D-A692-36BCBBCF2D13@xxxxxxxxxxxxxxxx
I can see the logic in your response. These policies are linked at the
Domain level. Should not all users in the domain then be considered as
linked?

"Darren Mar-Elia" wrote:

It sounds like you are not linking those GPOs to the correct spot. If you
have specified per-user settings then you need to link the GPO in line with
the user objects in AD that you wish to affect--not the computer objects.
Hope that helps!

Darren


--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy


"DP" <DP@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E0546AF7-9625-40C4-8C65-EFE63532E1B0@xxxxxxxxxxxxxxxx
I have been trying to incorporate a couple of Vista computers in my W2003
based domain. They joined the domain and the computer objects show in AD
just fine. The GPO's are being read by the Vista machines and apparently
filtered correctly as to which should and should not apply. The ones that
should apply show as empty as indicated by the event log as shown below.

The following Group Policy objects were not applicable because they were
filtered out :

Login Script
Not Applied (Empty)
OFFICE
Not Applied (Empty)
Vista Startup
Not Applied (Empty)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy"
Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
<EventID>5313</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2008-04-28T14:10:33.360Z" />
<EventRecordID>30824</EventRecordID>
<Correlation ActivityID="{DE7A80E8-7E82-44C5-812C-5D5543C48CC4}" />
<Execution ProcessID="1284" ThreadID="2976" />
<Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
<Computer>usernamevista.x.com</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="DescriptionString">Login Script
Not Applied (Empty)
OFFICE
Not Applied (Empty)
Vista Startup
Not Applied (Empty)
</Data>
<Data Name="GPOInfoList"><GPO
ID="{BC5A9548-C741-454D-9373-40F5A8FA8E43}"><Name>Login
Script</Name><Version>0</Version><SOM>LDAP://DC=x,DC=com</SOM><FSPath>\\x.com\SysVol\x.com\Policies\{BC5A9548-C741-454D-9373-40F5A8FA8E43}\Machine</FSPath><Reason>NOTAPPLIED-EMPTY</Reason></GPO><GPO
ID="{E1B04AF9-0731-41CB-B594-839C51B7535E}"><Name>OFFICE</Name><Version>0</Version><SOM>LDAP://DC=x,DC=com</SOM><FSPath>\\x.com\SysVol\x.com\Policies\{E1B04AF9-0731-41CB-B594-839C51B7535E}\Machine</FSPath><Reason>NOTAPPLIED-EMPTY</Reason></GPO><GPO
ID="{4E0AC329-BA50-400E-9E2A-C8B759ED81AD}"><Name>Vista
Startup</Name><Version>0</Version><SOM>LDAP://OU=CH Vista
Computers,DC=x,DC=com</SOM><FSPath>\\x.com\SysVol\x.com\Policies\{4E0AC329-BA50-400E-9E2A-C8B759ED81AD}\Machine</FSPath><Reason>NOTAPPLIED-EMPTY</Reason></GPO></Data>
</EventData>
</Event>

<GPO ID="{BC5A9548-C741-454D-9373-40F5A8FA8E43}"><Name>Login
Script</Name><Version>0</Version><SOM>LDAP://DC=x,DC=com</SOM><FSPath>\\x.com\SysVol\x.com\Policies\{BC5A9548-C741-454D-9373-40F5A8FA8E43}\Machine</FSPath><Reason>NOTAPPLIED-EMPTY</Reason></GPO><GPO
ID="{E1B04AF9-0731-41CB-B594-839C51B7535E}"><Name>OFFICE</Name><Version>0</Version><SOM>LDAP://DC=x,DC=com</SOM><FSPath>\\x.com\SysVol\x.com\Policies\{E1B04AF9-0731-41CB-B594-839C51B7535E}\Machine</FSPath><Reason>NOTAPPLIED-EMPTY</Reason></GPO><GPO
ID="{4E0AC329-BA50-400E-9E2A-C8B759ED81AD}"><Name>Vista
Startup</Name><Version>0</Version><SOM>LDAP://OU=CH Vista
Computers,DC=x,DC=com</SOM><FSPath>\\x.com\SysVol\x.com\Policies\{4E0AC329-BA50-400E-9E2A-C8B759ED81AD}\Machine</FSPath><Reason>NOTAPPLIED-EMPTY</Reason></GPO>

These results indicate that the policy info was being looked for in the
\Machine area and all of these policies were in the \User area.

Any and all assistance greatly appreciated. Thank you.
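
The following Python example is an addition to this thread, not code from any of the posters. It parses the `GPOInfoList` of an exported event 5313 and reports which half of each GPO (the last component of `FSPath`) was evaluated and why it was skipped. The sample event is trimmed from the one quoted above; the function names are hypothetical, and the escaped-text form of the list is an assumption handled alongside the nested form shown in the post.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the 5313 event from the post, trimmed to the fields used here.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5313</EventID><Computer>usernamevista.x.com</Computer></System>
<EventData><Data Name="GPOInfoList">
<GPO ID="{BC5A9548-C741-454D-9373-40F5A8FA8E43}"><Name>Login
Script</Name><Version>0</Version><SOM>LDAP://DC=x,DC=com</SOM><FSPath>\\x.com\SysVol\x.com\Policies\{BC5A9548-C741-454D-9373-40F5A8FA8E43}\Machine</FSPath><Reason>NOTAPPLIED-EMPTY</Reason></GPO>
<GPO ID="{E1B04AF9-0731-41CB-B594-839C51B7535E}"><Name>OFFICE</Name><Version>0</Version><SOM>LDAP://DC=x,DC=com</SOM><FSPath>\\x.com\SysVol\x.com\Policies\{E1B04AF9-0731-41CB-B594-839C51B7535E}\Machine</FSPath><Reason>NOTAPPLIED-EMPTY</Reason></GPO>
<GPO ID="{4E0AC329-BA50-400E-9E2A-C8B759ED81AD}"><Name>Vista
Startup</Name><Version>0</Version><SOM>LDAP://OU=CH Vista
Computers,DC=x,DC=com</SOM><FSPath>\\x.com\SysVol\x.com\Policies\{4E0AC329-BA50-400E-9E2A-C8B759ED81AD}\Machine</FSPath><Reason>NOTAPPLIED-EMPTY</Reason></GPO>
</Data></EventData></Event>"""

def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]

def gpo_entries(event_xml):
    """Return one dict per <GPO> in the GPOInfoList of a GroupPolicy event."""
    root = ET.fromstring(event_xml)
    entries = []
    for data in root.iterfind(".//e:EventData/e:Data[@Name='GPOInfoList']", NS):
        nodes = [n for n in data if _local(n.tag) == "GPO"]
        if not nodes and (data.text or "").strip():
            # Assumed alternate form: the list stored as escaped text.
            nodes = list(ET.fromstring("<r>" + data.text + "</r>"))
        for gpo in nodes:
            # Collapse line wraps inside values such as "Login\nScript".
            f = {_local(c.tag): " ".join((c.text or "").split()) for c in gpo}
            path = f.get("FSPath", "")
            entries.append({
                "id": gpo.get("ID"),
                "name": f.get("Name", ""),
                "version": int(f.get("Version") or 0),
                "som": f.get("SOM", ""),
                "side": path.rstrip("\\").rsplit("\\", 1)[-1],  # Machine or User
                "reason": f.get("Reason", ""),
            })
    return entries

def empty_on_side(entries, side="Machine"):
    """Names of GPOs reported NOTAPPLIED-EMPTY for the given half of the GPO."""
    return [e["name"] for e in entries
            if e["side"] == side and e["reason"] == "NOTAPPLIED-EMPTY"]

if __name__ == "__main__":
    for e in gpo_entries(SAMPLE_EVENT):
        print(f'{e["name"]:<14} {e["side"]:<8} v{e["version"]} {e["reason"]} {e["som"]}')
```
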
