Re: Time GPO for Clients
- From: Brian Edwards <BrianEdwards@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 15 Oct 2007 12:32:01 -0700
inline...
"Jorge Silva" wrote:
First let me tel you that in previous post when editing the registry I was
refering to edit the registry directly and not using GPO, so Nimral is
correct when saying "Policies are applied with system rights".
See inline
I tested the policy I created with a Domain Admin login and the settings
did
not make it into the registry even though the GPO is properly configured.
If you run gpupdate /force, does the policy apply?
Any errors in event log?
The policy is getting applied, that's not the problem. It is applying, but
is not making the registry changes. Rsop indicates that the GPO is making
the change, but a check of the registry disagrees. The settings remain the
same.
How should I go about tracing the problem? I've verified that no other
GPO's apply these particular settings, so there should be no conflicts.
I've
verified, through gpresult, that the GPO is getting applied to the
computer.
Check for client DNS configuration
All proper.
, and FW blocked connections
Windows Firewall is disabled on all clients/servers.
, also have a
look at EventLog
System log indicates event ID 35 events, saying that the computer is
sync'ing with one of our Domain Controllers. That's on this particular
computer. I'll have to test with another client machine to see if it is now
behaving as this one is, however, previously most clients were getting errors
29 & 14.
, there're other tools that might help you to troubleshoot
this, like RSoP.msc, Gpresult and enabling userenv.log
The only thing I can think of is that the Domain Admin account doesn'tIs this a custm template or a script that is runing to update these changes?
have
permissions to make registry changes, although when I manually make a
change
in the Windows Time Service settings, they are accepted and applied.
Standard GPO template.
If it's a startup script you need to reboot the machine (if applies to the
machine), if applies to user you must logoff and logon again, but in this
case What I said before applies, meaning that the logged user must have
permissions to do that change.
--
===================================
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
===================================
Thanks again, Jorge. It is much appreciated. ;)
I may have found the problem. This particular GPO, in GPMC, under
Delegation, was configured to Deny "Apply Group Policy" permissions to
"Domain Controllers". I wonder if that was affecting clients in that when
authentication occurred, no matter which DC was used to authenticate against,
that DC was unable to apply the policy to the computer due to that Deny
setting. I removed that Deny setting about an hour ago, and so far I've been
able to successfully run "w32tm /resync" on every client I've tried.
Previously that command failed on about 50% of the clients.
.
- Follow-Ups:
- Re: Time GPO for Clients
- From: Jorge Silva
- Re: Time GPO for Clients
- References:
- Re: Time GPO for Clients
- From: Nimral
- Re: Time GPO for Clients
- From: Jorge Silva
- Re: Time GPO for Clients
- Prev by Date: Re: How grant rights to add servers to domain into a particular OU
- Next by Date: Re: Global Catalog and Exchange Server Placement Question
- Previous by thread: Re: Time GPO for Clients
- Next by thread: Re: Time GPO for Clients
- Index(es):
Relevant Pages
|
