Re: Problem Applying Group Policy
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Thu, 29 May 2008 13:44:55 -0500
Just some thoughts -- I don't "know" the answer...
"Keith Williams" <KeithWilliams@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:221216F4-DD70-4EF2-95F0-F344DC281583@xxxxxxxxxxxxxxxx
We are having an issue applying group policy to some XP SP2 clients - part
of
the problem is the randomness of the problem, it doesnt happen to all, or
even a sensible proportion, making troubleshooting harder. Also the
problem
has not always existed...
Anyway, we've spen a considerable time on this, so i'll try to paraphrase
what's seems to be going on.
The computer policy processing is being aborted on some computers.
By running Gpresult the problem cannot be seen as it says the policy has
been applied.
Then how do you know it aborts? Seriously, what is set that is in
that policy and what is not set?
What about GPResult /z (zuperverbose) is there a different before
and after the following?
Gpupdate /force - will fix the problem but only until the computer is
rebooted.
Is this stuff in a Script? Perhaps timing out?
Rsop.msc - the problem can been seen as a yellow triangle on "Computer
Configuration"
Drilling down into a policy setting/Right click/Properties/Precedence Tab
"The policy engine did not attempt to configure the setting. Etc..."
Application Event Log - Event ID : 1202
"Security policies were not propagated with the warning. 0xd: The data is
invalid."
[FYI: It's a good idea to always record the event SOURCE as well ]
Sounds like it might be corrupted except that GPUpdate works.
It might be a corrupted LOCAL GP "database" if I understand correctly.
(See below)
The easiest way to confirm the machine is affected, other than policy not
applying is to look at the file
C:\windows\security\logs\winlogon.log
At the end of this file there will be some "Error 13: The data is
invalid."
Errors
This is immediately preceded by :-
This is not the last GPO.
I would seriously look into the possibility that SOME DC(s) has the
GPO corrupted (and others do not.)
Which means it has not applied any remaining policies.
Investigation seems to suggest that policy processing stops when it comes
to
try to process the %appdata% variable, but only on SOME workstations.
In a script or elsewhere?
There are potentially two issues here:
1) The %appdata% not being processes
2) Whatever stopped it being processed, as this relatively new.
Google this (and similar):
[ site:microsoft.com GPO | "group policy" application 1202 ]
OR
[ site:microsoft.com GPO | "group policy" application 1202 data invalid ]
This article for instance discusses the corrupt local database:
http://support.microsoft.com/kb/278316
.
- Prev by Date: Re: Permissions on a shared folders through groups
- Next by Date: Re: Domain Controller Problem
- Previous by thread: Re: Replication Time - Question
- Next by thread: Re: Domain Controller Problem
- Index(es):
Relevant Pages
|
