GPO no longer being applied to user

  • Thread starter Thread starter Jack Black
  • Start date Start date
J

Jack Black

Greetings AD Guru's

Suddenly, my GPO (single site, single domain) is no longer being applied to
my 200 users.
So, I can't change password expiration, lockout threshold, etc.

I've check DNS, etc. but still no luck.

Any ideas?

Thank you, Jack
 
Have you checked for errors on the event viewer? most probably problems with
the SYSVOL share.

You can turn on Debugging on a PC and see what is going on:

1.. If you encounter problems after making changes to the Default Domain
and/or Default Domain Controller group policies, you can enable GPO debug
logging on your server. To enable the logging:
1.. Use Regedt32 to navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SecEdit
2.. On the Edit menu, Add Value name PolicyDebugLevel, as a REG_DWORD
data type. Set the data value to 2.
3.. The log file will be generated as:
%SystemRoot%\security\logs\Scepol.log
2.. Enable Verbose logging by editing the registry. You are telling the
system to create a USERENV.LOG in winnt\debug directory. You can then
examine the file for errors.
1.. Run Regedit.
2.. Navigate to Hkey_Local_Machine - Software - Microsoft - Windows NT -
CurrentVersion - Winlogon.
3.. Add a REG_DWORD value called UserEnvDebugLevel and type in a Hex
value of 30002.
4.. Close Regedit.
5.. Log off and log back on.
3.. All the following changes should be done at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
1.. RunDiagnosticLoggingGroupPolicy. Adding this value and setting it as
a REG_DWORD with value 1 will affect the logging of GPO processing by
turning it on in verbose mode. After you make that change and restart the
system, you will see a lot more information reported, especially during
errors. In many cases, this will be enough to get the information you need.
2.. RunDiagnosticLoggingApplicationDeployment. Adding this value as a
REG_DWORD with value 1 will turn on verbose logging specifically for GPO
application deployments. In the case of an administrator who is trying to
deploy antivirus files via GPO, this key would definitely be helpful in
improving logging.
3.. RunDiagnosticLoggingGlobal, which, when added as REG_DWORD with
value 1, will turn on verbose logging for all GPO processing events,
including those listed above. It's basically a catch-all value, but the
downside is that it may confuse you when you examine the logs because it
will log lots of events that may not have anything to do with your specific
problem. Think carefully before turning this one on-it could increase your
workload.
Hope it helps,
P.
 
Thanks. I'll try that.

Jack B.

Pablo E. Colazurdo said:
Have you checked for errors on the event viewer? most probably problems
with
the SYSVOL share.

You can turn on Debugging on a PC and see what is going on:

1.. If you encounter problems after making changes to the Default Domain
and/or Default Domain Controller group policies, you can enable GPO debug
logging on your server. To enable the logging:
1.. Use Regedt32 to navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SecEdit
2.. On the Edit menu, Add Value name PolicyDebugLevel, as a REG_DWORD
data type. Set the data value to 2.
3.. The log file will be generated as:
%SystemRoot%\security\logs\Scepol.log
2.. Enable Verbose logging by editing the registry. You are telling the
system to create a USERENV.LOG in winnt\debug directory. You can then
examine the file for errors.
1.. Run Regedit.
2.. Navigate to Hkey_Local_Machine - Software - Microsoft - Windows
NT -
CurrentVersion - Winlogon.
3.. Add a REG_DWORD value called UserEnvDebugLevel and type in a Hex
value of 30002.
4.. Close Regedit.
5.. Log off and log back on.
3.. All the following changes should be done at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Diagnostics
1.. RunDiagnosticLoggingGroupPolicy. Adding this value and setting it
as
a REG_DWORD with value 1 will affect the logging of GPO processing by
turning it on in verbose mode. After you make that change and restart the
system, you will see a lot more information reported, especially during
errors. In many cases, this will be enough to get the information you
need.
2.. RunDiagnosticLoggingApplicationDeployment. Adding this value as a
REG_DWORD with value 1 will turn on verbose logging specifically for GPO
application deployments. In the case of an administrator who is trying to
deploy antivirus files via GPO, this key would definitely be helpful in
improving logging.
3.. RunDiagnosticLoggingGlobal, which, when added as REG_DWORD with
value 1, will turn on verbose logging for all GPO processing events,
including those listed above. It's basically a catch-all value, but the
downside is that it may confuse you when you examine the logs because it
will log lots of events that may not have anything to do with your
specific
problem. Think carefully before turning this one on-it could increase your
workload.
Hope it helps,
P.
Click to expand...
 
There are a couple of test that you can perfrom - one is to actually enable
userenv debug logging on the client mahchine that is not processing group
policy. More information on how to enable this logging can be found here:

http://support.microsoft.com/kb/221833

I would be happy to take a look at the log file and help you decrypt its
information and try to help identify the problem.

Please provide more detailed infromation on how you determined why policies
are not being applied to this client.

Thanks,


John Powell
 
A quick and good test is to install the support tools (located on the
cd-rom of 2000 server cd) and once that is installed go to a command
prompt and run "gpresult /v".

See what happens - this should show what GP<s> is being applied. Maybe
only part of your GP<s> is being applied and not all for some reason.
After this follow the tips given above by other posters, however in my
experience if affecting your entire network then it's more likely than
not a replication problem. Check the event logs thoroughly on your DCs
for events that might be stopping your DCs acting as DCs.

Also please supply more details of your GP - is it the default domain
policy alone that should be applied to your workstations/users for
example?

I just fixed a similar problem with one Terminal server just by
rebooting it. For some reason it had stopped processing the GPs applied
to it and therefore everyone lost their proxy settings. However a
reboot fixed it. I believe the term used for that sort of problem is
"Microsoft".
 
Back
Top