Clients not processing GPO's

Don

Hello All, I am in the process of trying to set up GPO's
for use with MS Software Update Services. I have created
an OU within my domain and applied the GPO's to machines,
not users. I keep getting the following error: "Windows can
not access file gpt.ini for GPO (cn=(xxxx). The file must
be present at the location
\\domain.com\sysvol\domain.com\Policies\GPO number\gpt.ini.
System cannot find the path specified. Group policy
processing aborted." Now I have shared the folder SysVol
and all sub folders under it. I can use my browser to
locate the folder, but the clients do not get the policy.
I am at my wits' end. I set up the GPO's according to MS
Deployment and setup guide. Can someone PLEASE help me out?
The more detailed info the better. This is a win2k domain
using Active Dir.
Thanks for any information...
Don
 
Cary Shultz [A.D. MVP]

Don,

You have to make sure that the computer accounts are in the OU to which you
applied the GPO. That is the first thing ( and does not really necessarily
have anything to do with your issue - just making sure that you have done
this ).

Did you manually share the SYSVOL folder ( typically
c:\winnt\SYSVOL\sysvol ) or was it already shared out? What are the
permissions ( both Share and NTFS )? Typically, IIRC, the Share Permissions
should be Administrators and Authenticated Users @ Full Control and Everyone
@ Read while the NTFS Permissions should be Administrators/System @ Full
Control, Authenticated Users and Server Operators @ Read & Execute, List Folder
Contents, Read and Creator Owner having 'special' permissions @ Full Control
( but for Subfolders and Files only ).

Another thing is DNS. You need to make sure that all of the computers in
your domain have only the local DNS Server information in their TCP/IP
configuration settings. The only place for your ISP DNS Servers information
is in the Forwarders tab....

If you do a net share at each of your DCs what do you see?

HTH,

Cary
 
Tom McErlane

Don,

I had a problem like this a while back. I also did everything the way I
was told. I posted this problem to the news group and one person replied
that to process Group Policies, DFS had to be running at the server. I
started DFS and have never had another problem.

Hope this helps.

Tom
 
Don

Tom,
Thanks for the info, I thought I had DFS configured
correctly, but I am new to AD/GPO's so maybe not. When I
checked it this is the info I see.

left pane= \\domainname.com(gpo name)
right pane=root replicas
servername/gpo name
Status has a green check mark. Is there anything else that
I need to check?

Thanks again
Don
 
Tom

Don,

Right Click on My Computer, click on manage from the submenu. Next expand
Services and Applications and click on Services. Look for Distributed File
System and make sure it is started. I also set the startup type to
automatic.

Hope this helps. I am also new to AD.

Tom
 
Don

Tom,

I verified that DFS services are running and set to
automatic startup. Is there any way to check to make sure
that GPO's have been processed successfully on the client?
I looked at the event log and there were no error messages
stating that gpo's have not been processed. Just wondering
if there was a log to check or something, maybe on the
server side?

Thanks again for the quick response and helpful info.
Don
 
Tom

Don,

I never had to go that far. I put a domain level policy in that forced all
users to use a password protected screen saver and that the timeout was 600
seconds (10 minutes). I then went into AD Sites and Services and forced
replication between my 2 DCs, logged out of my own machine and logged back
in. Went to the screen savers tab in Display, and verified the settings
were 10 minutes & password protected was checked. The selections were also
greyed out like they were supposed to be. Since this worked and the errors
were no longer in the client log files, I made the determination that my
clients were processing their Group Policies. One other thing to verify is,
in the Group Policy under properties that authorized users or specified
groups or users you want the policy to apply to, can read and apply the
policy. With the example I gave above I had to move that policy into OU's,
since I didn't want screen savers running on my servers.

Hope this helps,

Tom
 
Tom

Don,

I just checked the application log on my workstation

Event = Information
Event ID = 1704
Sender = SCECLI

message = Group Policies have been administered successfully

Tom
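
The checks suggested in the replies above, collected into one batch file as an added example (not posted by anyone in the thread). `domain.com` is the name from the original post; the GPO folder name is a placeholder to replace with the one in your own error event, and the file name `gpocheck.cmd` is hypothetical.

```batch
@echo off
rem Added example, not from the thread: runs the checks the replies suggest.
rem DOMAIN is the name used in the original post; GPOGUID is a placeholder
rem for the GPO folder name shown in your own error event.
rem Usage: gpocheck.cmd        (on a client)
rem        gpocheck.cmd dc     (on a domain controller)
setlocal
set DOMAIN=domain.com
set GPOGUID={GPO-GUID-PLACEHOLDER}
set GPT=\\%DOMAIN%\sysvol\%DOMAIN%\Policies\%GPOGUID%\gpt.ini
set FAIL=0

echo [1] DNS servers on this machine (should be the local DNS server only).
echo     Only the first server is shown; see ipconfig /all for the rest.
ipconfig /all | find /i "DNS Servers"

echo [2] Can this machine read gpt.ini through the domain SYSVOL path?
if exist "%GPT%" (echo     OK   %GPT%) else (echo     FAIL %GPT% & set FAIL=1)

rem The remaining checks only make sense on a domain controller.
if /i not "%1"=="dc" goto done

echo [3] Is SYSVOL shared on this DC?
net share | find /i "SYSVOL"
if errorlevel 1 (echo     FAIL no SYSVOL share listed & set FAIL=1)

echo [4] Is the Distributed File System service started?
net start | find /i "Distributed File System"
if errorlevel 1 (echo     FAIL DFS service not running & set FAIL=1)

:done
if %FAIL%==0 (echo All checks passed.) else (echo One or more checks failed.)
endlocal & exit /b %FAIL%
```

Once the checks pass, the SCECLI event 1704 quoted above is the confirmation to look for in the client's application log.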
 
