Group Policy only 1 of 6 is working

David Stal

Hi all
I have created 6 group policies on a DC but only 1 is being updated and
enforced on any of the workstations (XP and 2k).

GPResult says that all 6 were applied to all the XP machines I've
checked. I have verified that all 6 are set up identically
(security/permissions etc.) other than the GP properties of course.

One of the policies not being updated is the password restrictions
(enforce history 6 passwords, max password age 42 days, min password
age 1 day, min password length 8 chars). However, users can change
their blank password to blank as many times a day as they wish. I need
to fix this!!

Any help will be appreciated.

Thanks
David
 
Derek Melber [MVP]

What is the config of the OUs and GPOs (links, settings, etc). Also, where
do the user and computer accounts live that are in question?
 
David Stal

All GPOs reside at the domain level (AD Users and Computers / Domain).
All users are in various OUs beneath this.

There are no links
Default security (authenticated users have Read and Apply Group
Policy). I am a domain admin and these policies are not working for me
either.

Policies setup
Password Policies: (not currently working)
Computer Configuration / Windows Settings / Security Settings /
Account Policies / Password Policy
set to: 6 remembered, min age 1 day, max age 42 days, min length 8
characters
Interactive logon: prompt user to change password before expiration
set to: 5 days

LogOff Script: (Working)
User Configuration / Windows Settings / Scripts
Logoff.bat

Now I come to look at it, all the GPOs that are not working are all
Computer Configuration.

Any clues what might be going on?

Thanks
David
 
David Stal

Additional: This AM GPUpdate is now showing the 5 GPOs as "filtering:
Not Applied (empty)" on the XP machines

And the event log is listing several Userenv errors when updating the
policies (Events 1030, 1058, 1091, 1085)

I'm really beginning to dislike group policies. :)o|

BTW, a while ago all SYSVOL contents got deleted due to a linked copy
being created via a test tape restore. I fixed it with LINKD and
recreated all policies from scratch.
 
Derek Melber [MVP]

You say there are NO LINKS? Do you really mean that? I assume not.

Do you have ANY block policy inheritance on the OUs?

I am also wondering if the SYSVOL issue is something here? Are you getting
ANY FRS problems or events on the DCs? I think we need to 100% verify FRS is
working first, then see about the GPOs. If the GPUPDATE is saying that all
GPOs are empty... that is troubling. How many DCs?
 
David Stal

Sorry, links has
Domain
Domain/CompanyOU <- this where I applied the GPO <Blush>I
didn't hit the Find now button </BLUSH>

No Blocks at all

FRS is working (netlogon is replicating between DCs) and nothing in
the event logs.

2 DCs

Correction: 5 of 6 are coming back "empty" in GPUPDATE. 1 is updating
OK
 
Derek Melber [MVP]

David,

Let me make sure I understand what you have:

Domain level:
Default Domain GPO with default settings

CompanyOU:
GPO1
GPO2
GPO3
GPO4
GPO5
GPO6

User and computer accounts are scattered in the OUs, but some are in the
CompanyOU.
Only one of the GPOs from the CompanyOU level is applying to the computer
accounts that reside in the CompanyOU.
The other 5 indicate that the GPO is <empty>.

This indicates to me that you have not configured ANY GPO settings in these
other GPOs. I know that sounds strange... but this is what it is telling me.
The other possibility is that you have filtered out all user and computer
accounts from applying these 5 GPOs? Have you checked the filters (ACL) on
the GPOs?
 
David Stal

You understand it correctly, except all users are in Department OUs
under CompanyOU

ACLs on the GPOs: Authenticated users have Read and Apply Group Policy,
unless filtering is handled elsewhere?

All of the GPOs do have settings, specifically the password policy I
detailed earlier. Unless you mean something else by that. :blush:)
 
Derek Melber [MVP]

Ok, thanks for that info!

If you have 6 GPOs applied to one OU, all with Password policies, then you
will only get one Password policy result. The one at the top of the list
(the highest priority).
 
David Stal

All 6 policies are different. One does password restrictions, another
one does auditing, another one clears the last logged on user ID, etc.
 
Derek Melber [MVP]

David,

The only things that I can think of that could be causing this to fail are:

1) filtering of the GPO ACL
2) no override

I can't see why anything else would be causing this behavior.
 
David Stal

Called MS and after 2 1/2 hours and 3 levels of support later it
turned out that when the contents of SYSVOL were deleted it cleaned out
all my default domain policies. They told me password policies can
only be applied against this policy, hence it stopped working.

Anyhoo, they emailed me a fix recreateDefPol.exe and that fixed the
problem.

However it also broke my exchange server, I had to run Domain Prep to
get it back up.

Well everything is working now and I'm happy, if not $250US poorer.
:blush:)
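
A way to check for the failure found in the post above, as an added example that is not part of the original thread and not Microsoft's tool: it inspects the Default Domain Policy folder in a copy of SYSVOL's Policies directory and compares its password settings with the values the poster wanted. The GUID and the GptTmpl.inf path are the standard Windows ones rather than values from the thread; the function names and the sample data are made up for the example.

```python
import tempfile
from pathlib import Path

# Well-known GUID of the Default Domain Policy GPO (standard value, not from the thread).
DDP_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
TEMPLATE = Path("MACHINE", "Microsoft", "Windows NT", "SecEdit", "GptTmpl.inf")
# Password settings the poster wanted enforced (taken from the thread).
WANTED = {"PasswordHistorySize": 6, "MaximumPasswordAge": 42,
          "MinimumPasswordAge": 1, "MinimumPasswordLength": 8}

def read_system_access(inf_path):
    """Return the [System Access] keys of a security template as a dict."""
    raw = inf_path.read_bytes()
    # Templates are normally UTF-16 with a BOM; accept plain ASCII copies too.
    text = raw.decode("utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8")
    section, values = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "system access" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values

def audit(policies_dir):
    """List problems with the Default Domain Policy under a SYSVOL Policies dir."""
    gpo = Path(policies_dir) / DDP_GUID
    if not (gpo / "gpt.ini").is_file():
        return ["Default Domain Policy folder or gpt.ini missing"]
    if not (gpo / TEMPLATE).is_file():
        return ["GptTmpl.inf missing: no account policy is defined"]
    have = read_system_access(gpo / TEMPLATE)
    return [f"{k}: want {v}, found {have.get(k, 'not set')}"
            for k, v in WANTED.items() if have.get(k) != str(v)]

def demo():
    """Constructed sample: an emptied SYSVOL, then a restored but weak template."""
    with tempfile.TemporaryDirectory() as tmp:
        emptied = audit(tmp)
        inf = Path(tmp, DDP_GUID, TEMPLATE)
        inf.parent.mkdir(parents=True)
        Path(tmp, DDP_GUID, "gpt.ini").write_text("[General]\nVersion=1\n")
        inf.write_text("[Unicode]\nUnicode=yes\n[System Access]\n"
                       "MinimumPasswordLength = 0\nPasswordHistorySize = 6\n"
                       "MaximumPasswordAge = 42\nMinimumPasswordAge = 1\n",
                       encoding="utf-16")
        return emptied, audit(tmp)
```

Against a real domain, `audit` would be pointed at a copy of the `Policies` folder from SYSVOL; an empty list means the folder, template and all four values are in place.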
 
Derek Melber [MVP]

David,

Thanks for the update, sorry it came to this. However, I don't recall
discussing that the contents of Sysvol got deleted?

Also, can you send me a copy of that EXE? I would love to have that on hand.
Thx
 
Derek Melber [MVP]

David,

Sorry, too much water under the bridge.. I now see our discussion of the
Sysvol!
 
David Stal

Derek
I've attached the file.

Thanks again
