Hi All,


I have a single server machine running Windows 2000 Server and a bunch of
Windows XP SP1 client machines. I set up three Group Policy Objects on our
single domain and use Security Filtering to apply them to different users,
which appeared to be happily working. However, it has recently stopped
applying the Computer Configuration nodes but successfully applies the User
Configuration settings.

Using GPMC on one of the XP machines, the appropriate Computer Configuration
is not applied and under Denied GPO's it lists one of the GPO's that it
legitimately shouldn't apply. However, it also lists the two other GPO's by
their GUID's, not their 'friendly names' and the reason denied is given as
'Inaccessible'. Under User Configuration, all GPO's are correctly listed and
applied / denied.

If I then do the following:

a.. Right click on one of the Group Policy Results for a user (in GPMC).
b.. Select Advanced View (which appears to bring up Resultant Set of
Policy).
c.. Right click on Computer Configuration.
d.. Select Properties.
e.. Tick 'Display All GPO's and Filtering Status'.
....the inaccessible GUID's appear with 'Not Applied (Unknown)' under
filtering and 'AD (0) , Sysvol (0)' under Revision. Next to a successfully
applied policy, it reports something like 'AD(102), Sysvol (102)'.

There is also a 'rogue' GPO which the system wouldn't let me delete. In the
end, rightly or wrongly, I deleted its folder in Sysvol. However, it still
displays in Group Policy.

These are some of the things I can remember trying over the last few days:

a.. made sure Authenticated Users have rights to access GPO's in Sysvol (I
assume Authenticated Users would do it).
b.. Run GPOTOOL which reports all GPO's OK (except the rogue one, which it
can't find as I deleted it!).
c.. Checked my DNS which appears to work fine. I have a single DNS Server
on the Windows 2000 Server platform which all clients (and the server) point
to. I have a DNS Forwarder set up for my Internet ISP DNS Servers and the
clients have only the server DNS entered.
d.. I have deleted all my old GPO's and recreated them from scratch.
I have been all over the Web looking for solutions but nobody seems to have
the issue where Computer Configuration doesn't get applied but User
Configuration does.

Any help would be greatly appreciated.

Phil.

PS I'm relatively new to Newsgroup postings and I cannot figure how to post
a reply into an existing thread. I'm using Outlook Express so any pointers
gratefully received!

Phil-

Can you post the contents of the winlogon.log file form one of the clients?
It's under %windir%\security\logs. If you don't want to post it here, email
it to me as an attachment.

As far as replying into a thread, select it, and press Reply Group, up on
the toolbar.

--
--
Brian Desmond
Windows Server MVP
(E-Mail Removed)

Http://www.briandesmond.com


"Phil" <(E-Mail Removed)> wrote in message
news:c1vu2e$3bp$1$(E-Mail Removed)...
> Hi All,
>
>
> I have a single server machine running Windows 2000 Server and a bunch of
> Windows XP SP1 client machines. I set up three Group Policy Objects on our
> single domain and use Security Filtering to apply them to different users,
> which appeared to be happily working. However, it has recently stopped
> applying the Computer Configuration nodes but successfully applies the
User
> Configuration settings.
>
> Using GPMC on one of the XP machines, the appropriate Computer
Configuration
> is not applied and under Denied GPO's it lists one of the GPO's that it
> legitimately shouldn't apply. However, it also lists the two other GPO's
by
> their GUID's, not their 'friendly names' and the reason denied is given as
> 'Inaccessible'. Under User Configuration, all GPO's are correctly listed
and
> applied / denied.
>
> If I then do the following:
>
> a.. Right click on one of the Group Policy Results for a user (in GPMC).
> b.. Select Advanced View (which appears to bring up Resultant Set of
> Policy).
> c.. Right click on Computer Configuration.
> d.. Select Properties.
> e.. Tick 'Display All GPO's and Filtering Status'.
> ...the inaccessible GUID's appear with 'Not Applied (Unknown)' under
> filtering and 'AD (0) , Sysvol (0)' under Revision. Next to a successfully
> applied policy, it reports something like 'AD(102), Sysvol (102)'.
>
> There is also a 'rogue' GPO which the system wouldn't let me delete. In
the
> end, rightly or wrongly, I deleted its folder in Sysvol. However, it still
> displays in Group Policy.
>
> These are some of the things I can remember trying over the last few days:
>
> a.. made sure Authenticated Users have rights to access GPO's in Sysvol
(I
> assume Authenticated Users would do it).
> b.. Run GPOTOOL which reports all GPO's OK (except the rogue one, which
it
> can't find as I deleted it!).
> c.. Checked my DNS which appears to work fine. I have a single DNS
Server
> on the Windows 2000 Server platform which all clients (and the server)
point
> to. I have a DNS Forwarder set up for my Internet ISP DNS Servers and the
> clients have only the server DNS entered.
> d.. I have deleted all my old GPO's and recreated them from scratch.
> I have been all over the Web looking for solutions but nobody seems to
have
> the issue where Computer Configuration doesn't get applied but User
> Configuration does.
>
> Any help would be greatly appreciated.
>
> Phil.
>
> PS I'm relatively new to Newsgroup postings and I cannot figure how to
post
> a reply into an existing thread. I'm using Outlook Express so any pointers
> gratefully received!
>
>
>
>

Hi Brian,

I wasn't aware of winlogon.log so when I looked at it, I noticed an oddity.
I have been installing new machines to all users onto which we installed XP
in two late night sessions. When I look at the dates created and dates
modified for the winlogon.log file on these machines, the date created in
each of the two batches is the date we loaded XP on them. No surprise there.
However the last modified date on most of them is the same - about a month
ago - about the same time Computer Configuration stopped applying. This is
also the date of the last entry in the winlogon.log. In addition, 2 of the
PC's had not been powered up since the initial XP load; when they were, a
set of entries were logged in winlogon.log. Subsequently, no further entries
were made. It's almost as if the first time they fired up they happily
applied the policy, but once fully fired up and logged in, something about
the system/network/domain/GP disables any future Computer Configuration
applications. Am I miles off the mark here??!! I have EMailed you the
winlogon.log from one of these machines.

Incidentally, I have also used XP ADM files rather than the 2000 Server
ones, as indicated in a number of web articles eg
http://www.microsoft.com/windowsxp/p...detemplate.asp.

Cheers,

Phil.



"Brian Desmond [MVP]" <(E-Mail Removed)> wrote in message
news:O18ls$9$(E-Mail Removed)...
> Phil-
>
> Can you post the contents of the winlogon.log file form one of the
clients?
> It's under %windir%\security\logs. If you don't want to post it here,
email
> it to me as an attachment.
>
> As far as replying into a thread, select it, and press Reply Group, up on
> the toolbar.
>
> --
> --
> Brian Desmond
> Windows Server MVP
> (E-Mail Removed)
>
> Http://www.briandesmond.com
>
>
> "Phil" <(E-Mail Removed)> wrote in message
> news:c1vu2e$3bp$1$(E-Mail Removed)...
> > Hi All,
> >
> >
> > I have a single server machine running Windows 2000 Server and a bunch
of
> > Windows XP SP1 client machines. I set up three Group Policy Objects on
our
> > single domain and use Security Filtering to apply them to different
users,
> > which appeared to be happily working. However, it has recently stopped
> > applying the Computer Configuration nodes but successfully applies the
> User
> > Configuration settings.
> >
> > Using GPMC on one of the XP machines, the appropriate Computer
> Configuration
> > is not applied and under Denied GPO's it lists one of the GPO's that it
> > legitimately shouldn't apply. However, it also lists the two other GPO's
> by
> > their GUID's, not their 'friendly names' and the reason denied is given
as
> > 'Inaccessible'. Under User Configuration, all GPO's are correctly listed
> and
> > applied / denied.
> >
> > If I then do the following:
> >
> > a.. Right click on one of the Group Policy Results for a user (in
GPMC).
> > b.. Select Advanced View (which appears to bring up Resultant Set of
> > Policy).
> > c.. Right click on Computer Configuration.
> > d.. Select Properties.
> > e.. Tick 'Display All GPO's and Filtering Status'.
> > ...the inaccessible GUID's appear with 'Not Applied (Unknown)' under
> > filtering and 'AD (0) , Sysvol (0)' under Revision. Next to a
successfully
> > applied policy, it reports something like 'AD(102), Sysvol (102)'.
> >
> > There is also a 'rogue' GPO which the system wouldn't let me delete. In
> the
> > end, rightly or wrongly, I deleted its folder in Sysvol. However, it
still
> > displays in Group Policy.
> >
> > These are some of the things I can remember trying over the last few
days:
> >
> > a.. made sure Authenticated Users have rights to access GPO's in
Sysvol
> (I
> > assume Authenticated Users would do it).
> > b.. Run GPOTOOL which reports all GPO's OK (except the rogue one,
which
> it
> > can't find as I deleted it!).
> > c.. Checked my DNS which appears to work fine. I have a single DNS
> Server
> > on the Windows 2000 Server platform which all clients (and the server)
> point
> > to. I have a DNS Forwarder set up for my Internet ISP DNS Servers and
the
> > clients have only the server DNS entered.
> > d.. I have deleted all my old GPO's and recreated them from scratch.
> > I have been all over the Web looking for solutions but nobody seems to
> have
> > the issue where Computer Configuration doesn't get applied but User
> > Configuration does.
> >
> > Any help would be greatly appreciated.
> >
> > Phil.
> >
> > PS I'm relatively new to Newsgroup postings and I cannot figure how to
> post
> > a reply into an existing thread. I'm using Outlook Express so any
pointers
> > gratefully received!
> >
> >
> >
> >
>
>