
group policy won't work

Status
Not open for further replies.

jemerich

IS-IT--Management
Jul 20, 2001
9
US
i can't get group policies implemented on my network but they work great in my little test environment. i'm using win server '03 and win2000 clients. i've checked the security settings, dns settings, command line executables, you name it. nothing seems to make a difference. what am i missing? my production environment is a mixture of (2) nt4 servers and 1 win '03 server. is that causing my problem?

john
 
gpresult tells me group policy is coming from my test environment, not from my production domain. how do i redirect? i've already reset the computer account in AD and i also tried the netdom command. neither worked.

john
 
Just to clarify.

You have a client machine (2000/XP/2003) in an OU. Domain is 2003 AD. Client is in the same domain as GPOs and in an OU upon which the GPO should be effective. Is this all correct?

Can you copy and paste the gpresult into a post?

Jem
 
yes, everything you state is correct. i'm working on trying to figure out how to copy/paste gpresults into this forum.

 
Have you definitely got primary DNS on client pointing to server ip address? Then set up DNS forwarding to ISP DNS server in DNS manager. Sounds to me like primary DNS server is not the server address.

Just a thought

Hope it helps

Kirby449
 
this is a mixed environment of 1 nt4 server and 1 win '03 server. is it possible the 2000 client is authenticating to the nt4 box therefore group policy won't work?

how do you find out what server is authenticating clients?

john
 
In a mixed environment the W2003 domain controller should be the authentication server for the w2k clients. The NT4 server will be a BDC I assume, not a member server? Just turn off the NT4 server for testing.

Are you applying the GPOs at the domain level or OU level? Do you have the permissions enabled so that your authenticated users have Apply Group Policy permissions enabled?

 
kirby449,

i followed up on your earlier request and i reviewed the dns config. i am indeed forwarding to my isp dns server, so i think everything is ok there.

my gpo is attempting to be applied at an OU level and yes, the permissions are set. i have checked and rechecked.

john

 
John

Would still be interested in seeing the gpresult. You can pipe to a text file like so...

gpresult /v >c:\gpresultfile.txt

Cheers

Jem
 
jem.

thanx for the tip on outputting the gp results to a file. here they are. the client is simply not picking up the policy.

Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Wednesday, January 21, 2004 at 3:15:02 PM


Operating System Information:

Operating System Type: Professional
Operating System Version: 5.0.2195.Service Pack 4
Terminal Server Mode: Not supported

###############################################################

User Group Policy results for:



Domain Name: FLEXDOMAIN
Domain Type: Windows 2000
Site Name: Default-First-Site-Name

Roaming profile: (None)
Local profile: C:\Documents and Settings\TESTUSER.FLEXDOMAIN

The user is a member of the following security groups:


The user has the following security privileges:

Bypass traverse checking
Shut down the system
Remove computer from docking station


###############################################################

Last time Group Policy was applied: Wednesday, January 21, 2004 at 3:14:35 PM



###############################################################

Computer Group Policy results for:



Domain Name: FLEXDOMAIN
Domain Type: Windows 2000
Site Name: Default-First-Site-Name


The computer is a member of the following security groups:

BUILTIN\Administrators
\Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users

###############################################################

Last time Group Policy was applied: Wednesday, January 21, 2004 at 3:06:16 PM
Group Policy was applied from: testserver.testserver.local


===============================================================


The computer received "Registry" settings from these GPOs:

Local Group Policy
Revision Number: 3
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer

Default Domain Policy
Revision Number: 3
Unique Name: {31B2F340-016D-11D2-945F-00C04FB984F9}
Domain Name: testserver.local
Linked to: Domain (DC=testserver,DC=local)




The following settings were applied from: Local Group Policy

KeyName: Software\Policies\Microsoft\SystemCertificates\EFS
ValueName: EFSBlob
ValueType: REG_BINARY
Value: Binary data. Use the /S switch to display.

KeyName: Software\Policies\Microsoft\SystemCertificates\EFS\Certificates\67F61730C7B41BA47B48F279E65B7E9725180744
ValueName: Blob
ValueType: REG_BINARY
Value: Binary data. Use the /S switch to display.

KeyName: Software\Policies\Microsoft\SystemCertificates\EFS\CRLs
ValueName:
ValueType: REG_NONE
Value: This key contains no values

KeyName: Software\Policies\Microsoft\SystemCertificates\EFS\CTLs
ValueName:
ValueType: REG_NONE
Value: This key contains no values


The following settings were applied from: Default Domain Policy

KeyName: Software\Policies\Microsoft\SystemCertificates\EFS
ValueName: EFSBlob
ValueType: REG_BINARY
Value: Binary data. Use the /S switch to display.

KeyName: Software\Policies\Microsoft\SystemCertificates\EFS\Certificates\44DDE3EF94003A2889DF112892441A0D8478F8E1
ValueName: Blob
ValueType: REG_BINARY
Value: Binary data. Use the /S switch to display.

KeyName: Software\Policies\Microsoft\SystemCertificates\EFS\CRLs
ValueName:
ValueType: REG_NONE
Value: This key contains no values

KeyName: Software\Policies\Microsoft\SystemCertificates\EFS\CTLs
ValueName:
ValueType: REG_NONE
Value: This key contains no values


===============================================================
The computer received "Security" settings from these GPOs:

Local Group Policy
Revision Number: 3
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer

Default Domain Policy
Revision Number: 3
Unique Name: {31B2F340-016D-11D2-945F-00C04FB984F9}
Domain Name: TESTSERVER.LOCAL
Linked to: Domain (DC=testserver,DC=local)


Run the Security Configuration Editor for more information.


===============================================================
The computer received "EFS recovery" settings from these GPOs:

Local Group Policy
Revision Number: 3
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer

Default Domain Policy
Revision Number: 3
Unique Name: {31B2F340-016D-11D2-945F-00C04FB984F9}
Domain Name: TESTSERVER.LOCAL
Linked to: Domain (DC=testserver,DC=local)


Additional information is not available for this type of policy setting.
 
Hi John

So computer policy settings are being applied from testserver.local domain. (Just to clarify - the client is in flexdomain and this isn't the downlevel domainname for testserver.local).

Was the client in testserver.local and then moved to flexdomain? What if any relationship is there between the two?

What was the result of netdom? Also I am a bit confused with your answer re dns. The primary dns server for the client should most definitely be pointing to the dns server with the srv records for your domain. Clients need to be able to locate the sysvol\domainname\policies share on a domain controller to download the policies. They identify the dc location from the _msdcs records in the domain zone file.

Not sure if any of this helps :)

Jem
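
Added example, not part of any poster's message: a Python check over saved gpresult text that reports when the computer's policy was served by, or its GPOs belong to, a DNS domain other than the one the client is supposed to be in. The sample is abridged from the output posted above; `flexdomain.example` in the usage note is a placeholder, because the thread never states the production DNS domain name.

```python
import re

# Abridged from the gpresult /v output posted in this thread (computer section).
SAMPLE = """\
Computer Group Policy results for:

Domain Name: FLEXDOMAIN
Domain Type: Windows 2000
Site Name: Default-First-Site-Name

Last time Group Policy was applied: Wednesday, January 21, 2004 at 3:06:16 PM
Group Policy was applied from: testserver.testserver.local

Local Group Policy
Revision Number: 3
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer

Default Domain Policy
Revision Number: 3
Unique Name: {31B2F340-016D-11D2-945F-00C04FB984F9}
Domain Name: testserver.local
Linked to: Domain (DC=testserver,DC=local)
"""

def parse_computer_section(text):
    """Extract the computer's domain, the serving DC and the GPO domains."""
    start = text.find("Computer Group Policy results for:")
    section = text[start:] if start >= 0 else text
    # [ \t]* keeps the match on one line, so a blank "Domain Name:" is skipped.
    domains = re.findall(r"^Domain Name:[ \t]*(\S+)[ \t]*$", section, re.M)
    source = re.search(r"^Group Policy was applied from:[ \t]*(\S+)", section, re.M)
    return {
        "computer_domain": domains[0] if domains else None,
        "applied_from": source.group(1) if source else None,
        "gpo_domains": sorted({d.lower() for d in domains[1:]}),
    }

def foreign_policy_sources(info, expected_dns_domain):
    """Return (field, value) pairs that fall outside expected_dns_domain."""
    expected = expected_dns_domain.lower()
    findings = []
    src = (info["applied_from"] or "").lower()
    if src and not (src == expected or src.endswith("." + expected)):
        findings.append(("applied_from", src))
    for domain in info["gpo_domains"]:
        if domain != expected:
            findings.append(("gpo_domain", domain))
    return findings
```

Calling `foreign_policy_sources(parse_computer_section(SAMPLE), "flexdomain.example")` flags both the serving DC and the Default Domain Policy as belonging to testserver.local.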
 
yes, the client was in testserver.local and then moved to flexdomain. there is no relationship between testserver.local and flexdomain.

the results of netdom were absolutely nothing.

as far as dns...sorry to create confusion. my dns config is exactly as you state.

john
 
John

Don't know if you are still following this/having the problem.... sorry for not posting back - I have been off.... is the problem still there?

Jem
 