Policies being applied to only some machines

Greg Merideth

Set up a new 2003 server, had 44 machines join into the new domain
creating new accounts from each workstation. Networking is just fine,
all machines see servers, servers see machines, everyone's happy
but...there are 11 machines which refuse (or reject, who knows) to
take any of the GPO settings.

We've perma-set the homepage and online support options in IE along
with about 72 other user/machine object settings and still, only 33 of
the machines take the settings. The other 11 even though it says
"Applying Objects..." never actually apply anything.

All of the machines were (ugh..) Windows 2000->Windows XP upgraded
(not fully installed) and I'm thinking there might be a conflict
somehow with their older GPO settings -vs- their new ones.

Anyone encounter this before that might know what we need to do?

Also, after the 2003 was installed we started getting "Cannot find
GPT.INI" error messages in the event log but that vanished running
'dcgpofix.exe' with the /both option. Possibly the server's GPO
settings got screwed up and not the workstations?

Thanks for any help.
 
Oli Restorick [MVP]

Have you tried using gpresult.exe to help? This command is built in to XP.

Regards

Oli
 
Stew

Best ways to check applied policy on workstation...

Start => Help and Support ... Under "Pick a task" section... Select "Using
Tools to view your computers..."... From the "Tools" navigator on the left
select "Advanced System Information"... On the right select "View Group
Policy Settings Applied"... this will give you an advanced HTML view of the
policies applied to a specific computer...

For troubleshooting policy look in
"C:\Windows\Security\Logs\winlogon.log"... this will tell you what went
right or what went wrong... often something fails early and then after that
everything else is messed up...

HTH,

Stew.
 
Greg Merideth

We grabbed the log files and added the additional "debug" logging
entry into the registry on the stubborn computers and sure enough,
those machines are all complaining that they cannot find or they do
not have read access to the GPT.INI file, yet they do. I can
physically browse to the /sysvol folder and find the GPT.INI file in
the exact spot that the .log file claims the file is not accessible
from all machines.

Another monkey to the wrench (as it were) is that the /sysvol folder
is now showing some 11 different GUIDs all with their own GPT.INI and
resulting /machine and /user subfolders.

The 2003's registry shows a combination of 4 different GUIDs being
used as the default GPO so I'm considering a backup and a wipe of the
server with a nice fresh install.

At one point the MMC browse of the GPO locked up and refused to be
killed (even with the systools pkill), however, it was only being
locked by 1 of the 8 processors (4 physical with 4 HT's). That
required a reset of win2k3 (yay) after which the ghosted 10 GUIDs
appeared in the /sysvol folder.

At least we can backup the GPO before the wipe.

Thanks for the logging information advice.
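
An added example, not part of the original thread: a read-only audit of a SYSVOL Policies directory that checks each {GUID} folder for a readable GPT.INI, decodes its Version value, confirms the Machine and User subfolders exist, and flags folders that are not in a list of GPOs you know to exist. The function names, the `known_guids` input (which you would export from your own Group Policy tooling) and the sample GUIDs are assumptions made for illustration.

```python
import configparser, os, re, tempfile
from pathlib import Path
GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def audit_policies(policies_dir, known_guids):
    """Check every {GUID} folder under a SYSVOL Policies directory."""
    known = {g.upper() for g in known_guids}
    report = {}
    for name in sorted(os.listdir(policies_dir)):
        path = os.path.join(policies_dir, name)
        if not (GUID_DIR.match(name) and os.path.isdir(path)):
            continue
        entry = {"user_rev": None, "computer_rev": None, "problems": []}
        if name.upper() not in known:
            entry["problems"].append("folder not in known GPO list")
        ini = [f for f in os.listdir(path) if f.upper() == "GPT.INI"]  # case-insensitive
        if not ini:
            entry["problems"].append("GPT.INI missing")
        else:
            try:
                cp = configparser.ConfigParser()
                with open(os.path.join(path, ini[0]), encoding="utf-8-sig") as fh:
                    cp.read_file(fh)
                version = cp.getint("General", "Version")
                # High 16 bits: user revision; low 16 bits: computer revision.
                entry["user_rev"], entry["computer_rev"] = version >> 16, version & 0xFFFF
            except OSError as exc:
                entry["problems"].append(f"GPT.INI unreadable: {exc.strerror}")
            except (configparser.Error, ValueError):
                entry["problems"].append("GPT.INI malformed")
        for sub in ("Machine", "User"):
            if not any(d.upper() == sub.upper() for d in os.listdir(path)):
                entry["problems"].append(f"{sub} folder missing")
        report[name] = entry
    return report

def build_sample(root):
    # Constructed sample tree: one healthy GPO, one unlisted, one without GPT.INI.
    good, ghost, broken = ("{%s}" % "-".join(c * n for n in (8, 4, 4, 4, 12)) for c in "ABC")
    for guid, ini in ((good, "[General]\nVersion=196613\n"), (ghost, "[General]\nVersion=0\n"), (broken, None)):
        for sub in ("Machine", "User"):
            os.makedirs(os.path.join(root, guid, sub))
        if ini is not None:
            Path(root, guid, "GPT.INI").write_text(ini)
    return good, ghost, broken

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        good, ghost, broken = build_sample(tmp)
        print(audit_policies(tmp, [good, broken]))
```

Run it under the account that is failing to apply policy, so that an access problem shows up as "GPT.INI unreadable" rather than being masked by an administrator's permissions.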
 
