C 
		
								
				
				
			
		Chris Murdoch
Hi
We've had Group Policies running for well over a year here with little
or no problems.
This week with no warning, one of our most important group policies
stopped working.
I ran gpresult, and here is an excerpt:
RSOP results for SILVACOCORP\chrism on WILLOW : Logging Mode
-------------------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: SILVACOCORP
Domain Type: Windows 2000
Site Name: CA
Roaming Profile:
Local Profile: C:\Documents and Settings\chrism
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=WILLOW,OU=Workstations,OU=USA,DC=silvacocorp,DC=com
Last time Group Policy was applied: 8/31/2004 at 2:22:47 PM
Group Policy was applied from: washington.silvacocorp.com
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
CA Group Policy
CA - Update Patches on AE PC's
Registry Update Test
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
MA - Update Patches on Admin PC's
Filtering: Not Applied (Empty)
AZ Group Policy
Filtering: Not Applied (Empty)
Basic Group Policy for Silvaco
Filtering: Not Applied (Unknown Reason)
Allow Access to Screen Resolution
Filtering: Not Applied (Empty)
Default Domain Policy
Filtering: Denied (Security)
Allow Access to C Drive
Filtering: Not Applied (Empty)
Update Patches on Developer PC's
Filtering: Not Applied (Empty)
Software Distribution - QT Plugin
Filtering: Not Applied (Unknown Reason)
The main policy is the "Basic Group Policy for Silvaco" Policy which
is not applied for an 'Unknown Reason'
As you can see I also had an old policy "Software Distribution - QT
Plugin" which had the same problem.
I deleted this policy, and even now, 2 days later, it still shows in
gpresult.
It almost seems like the policies have been cached, (or I have no
access to them)
I created 2 new policies for testing, and neither of them even appear
in the gpresult list, except on servers.
I ran gpotool, and I couldn't see any problems in there - the policies
all seem to be replicating to all our domain controllers fine.
As far as I know, DNS is working well...
Here is an ipconfig from my machine (which is only one of the machines
that this is happening on):
Windows IP Configuration
Host Name . . . . . . . . . . . . : willow
Primary Dns Suffix . . . . . . . : silvacocorp.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : silvacocorp.com
silvaco.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com 3C920B-EMB Integrated
Fast Ethernet Controller
Physical Address. . . . . . . . . : 00-E0-18-F0-B6-91
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.1.11.23
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.1.1.1
DNS Servers . . . . . . . . . . . : 10.1.15.200
10.1.15.201
I have also enabled verbose logging per Q221833.
I get the following errors in the log:
USERENV(df4.f6c) 09:52:08:937 ImpersonateUser: Failed to impersonate
user with 5.
USERENV(df4.f6c) 09:52:08:937 GetUserNameAndDomain Failed to
impersonate user
To all intents and purposes this looks to me like some sort of
permissions problem, but I can't figure out what.
To make things slightly more complicated, the Group Policies work on
all our Servers everywhere - just not our workstations.
The policy "Basic Group Policy for Silvaco" is a policy at the top
level of the domain and should apply to all users and computer in the
domain.
My AD is split geographically with a US container with seperate Users
and Computers containers below the US container (which is right off
the top level).
There is also a EU container with seperate Users and Computers
containers below the EU container (which is right off the top level).
eg
silvacocorp
us
users
computers
eu
users
computers
Strangely, computers in the EU get the policy with no problems.
I checked the Links Tab on the group policy, and it reckons that it's
looking at the domain as a whole.
Ideas anyone ?
regards
Chris
				
			We've had Group Policies running for well over a year here with little
or no problems.
This week with no warning, one of our most important group policies
stopped working.
I ran gpresult, and here is an excerpt:
RSOP results for SILVACOCORP\chrism on WILLOW : Logging Mode
-------------------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: SILVACOCORP
Domain Type: Windows 2000
Site Name: CA
Roaming Profile:
Local Profile: C:\Documents and Settings\chrism
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=WILLOW,OU=Workstations,OU=USA,DC=silvacocorp,DC=com
Last time Group Policy was applied: 8/31/2004 at 2:22:47 PM
Group Policy was applied from: washington.silvacocorp.com
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
CA Group Policy
CA - Update Patches on AE PC's
Registry Update Test
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
MA - Update Patches on Admin PC's
Filtering: Not Applied (Empty)
AZ Group Policy
Filtering: Not Applied (Empty)
Basic Group Policy for Silvaco
Filtering: Not Applied (Unknown Reason)
Allow Access to Screen Resolution
Filtering: Not Applied (Empty)
Default Domain Policy
Filtering: Denied (Security)
Allow Access to C Drive
Filtering: Not Applied (Empty)
Update Patches on Developer PC's
Filtering: Not Applied (Empty)
Software Distribution - QT Plugin
Filtering: Not Applied (Unknown Reason)
The main policy is the "Basic Group Policy for Silvaco" Policy which
is not applied for an 'Unknown Reason'
As you can see I also had an old policy "Software Distribution - QT
Plugin" which had the same problem.
I deleted this policy, and even now, 2 days later, it still shows in
gpresult.
It almost seems like the policies have been cached, (or I have no
access to them)
I created 2 new policies for testing, and neither of them even appear
in the gpresult list, except on servers.
I ran gpotool, and I couldn't see any problems in there - the policies
all seem to be replicating to all our domain controllers fine.
As far as I know, DNS is working well...
Here is an ipconfig from my machine (which is only one of the machines
that this is happening on):
Windows IP Configuration
Host Name . . . . . . . . . . . . : willow
Primary Dns Suffix . . . . . . . : silvacocorp.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : silvacocorp.com
silvaco.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com 3C920B-EMB Integrated
Fast Ethernet Controller
Physical Address. . . . . . . . . : 00-E0-18-F0-B6-91
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.1.11.23
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.1.1.1
DNS Servers . . . . . . . . . . . : 10.1.15.200
10.1.15.201
I have also enabled verbose logging per Q221833.
I get the following errors in the log:
USERENV(df4.f6c) 09:52:08:937 ImpersonateUser: Failed to impersonate
user with 5.
USERENV(df4.f6c) 09:52:08:937 GetUserNameAndDomain Failed to
impersonate user
To all intents and purposes this looks to me like some sort of
permissions problem, but I can't figure out what.
To make things slightly more complicated, the Group Policies work on
all our Servers everywhere - just not our workstations.
The policy "Basic Group Policy for Silvaco" is a policy at the top
level of the domain and should apply to all users and computer in the
domain.
My AD is split geographically with a US container with seperate Users
and Computers containers below the US container (which is right off
the top level).
There is also a EU container with seperate Users and Computers
containers below the EU container (which is right off the top level).
eg
silvacocorp
us
users
computers
eu
users
computers
Strangely, computers in the EU get the policy with no problems.
I checked the Links Tab on the group policy, and it reckons that it's
looking at the domain as a whole.
Ideas anyone ?
regards
Chris
 
	