Default GP Applies to some but not all users

[JeremyH]

I have a network consisting of a W2K DC, a NT4 member
server, W2K, NT4 and XP workstations. I have applied a
default GP which is being picked up by some users but not
by others. Using GPResult.exe I get the error
message "Failed to open key with 2" when logged on as a
user who doesn't pick up the policy. There are no related
errors in the Event Log. Any ideas would be appreciated as
I've run out of 'em! There are no related errors in the
Event Log.

 

[Derek Melber [MVP]]

couple of points to consider:

1) GPOs only apply to 2000 and XP, not NT
2) Be sure all of the accounts (either comptuer or user) are in the correct
OU where the GPO is linked
3) Be sure that DNS is properly configured on each client computer. DNS
issues will make GPOs fail quick!

 

[JeremyH]

Thanks for your input Derek

1) I am trying to set up security on W2K and XP clients
2) All the user accounts are in the User folder in Active
Directory Users and Computers, the GPO is the default in
the top level of ADU&C
3) I am able to ping dc.domain.local so I gess DNS is okay

Any other ideas?

Jeremy

 

[Derek Melber [MVP]]

More ideas:

1) don't only ping, but make sure the DNS settings are correct. DNS IP
address, DNS domain name for the client computer, and DNS registration
domain name for client computer
2) Run the gpresult to see if there are any errors reported.
3) for you XP clients, run the RSOP.msc tool and the RSOP tool in the Help
and Support center (under advanced tools)... they can help track down
possible issues
4) check out the EVent Logs for possible clues
5) if you have multiple sites, make sure that replication is not the issue.
You might be getting GPOs from some DCs that have the correct settings, but
others don't have the correct settings yet. Run the Replication Monitor from
the Support Tools to track down the GPO replication status. It will tell you
if the Sysvol and AD have the same version of GPO. You can also force
replication across sites using this tool.

Hope these can help

 

[JeremyH]

Derek,

Once again, thank you for your suggestions.

1) The DNS settings appear to be correct
2) GPResult.exe produces the following; "Failed to open
key with 2"
3) The policy fails to be picked up by the same users
regardless of whether they log on to a W2K or an XP client.
4) Nothing relevant in the event logs (any of them)
5) Only one site is involved

Where would I find the meaning of the gpresult message?

Regards

Jeremy

 

[Derek Melber [MVP]]

Did you try to run the gpresult -v or -s (verbose and superverbose)?

As for the secret decoder ring... go search TechNet. It will help a lot!