GPO no longer being applied to user

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Greetings AD Gurus

Suddenly, my GPO (single site, single domain) is no longer being applied to
my 200 users.
So, I can't change password expiration, lockout threshold, etc.

I've checked DNS, etc. but still no luck.

Any ideas?

Thank you, Jack
  1.

    Have you checked for errors on the event viewer? Most probably problems with
    the SYSVOL share.

    You can turn on Debugging on a PC and see what is going on:

    1. If you encounter problems after making changes to the Default Domain
       and/or Default Domain Controller group policies, you can enable GPO debug
       logging on your server. To enable the logging:
       1. Use Regedt32 to navigate to:
          HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SecEdit
       2. On the Edit menu, Add Value name PolicyDebugLevel, as a REG_DWORD
          data type. Set the data value to 2.
       3. The log file will be generated as:
          %SystemRoot%\security\logs\Scepol.log
    2. Enable Verbose logging by editing the registry. You are telling the
       system to create a USERENV.LOG in the winnt\debug directory. You can then
       examine the file for errors.
       1. Run Regedit.
       2. Navigate to Hkey_Local_Machine - Software - Microsoft - Windows NT -
          CurrentVersion - Winlogon.
       3. Add a REG_DWORD value called UserEnvDebugLevel and type in a Hex
          value of 30002.
       4. Close Regedit.
       5. Log off and log back on.
    3. All the following changes should be done at:
       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
       1. RunDiagnosticLoggingGroupPolicy. Adding this value and setting it as
          a REG_DWORD with value 1 will affect the logging of GPO processing by
          turning it on in verbose mode. After you make that change and restart
          the system, you will see a lot more information reported, especially
          during errors. In many cases, this will be enough to get the
          information you need.
       2. RunDiagnosticLoggingApplicationDeployment. Adding this value as a
          REG_DWORD with value 1 will turn on verbose logging specifically for
          GPO application deployments. In the case of an administrator who is
          trying to deploy antivirus files via GPO, this key would definitely be
          helpful in improving logging.
       3. RunDiagnosticLoggingGlobal, which, when added as REG_DWORD with
          value 1, will turn on verbose logging for all GPO processing events,
          including those listed above. It's basically a catch-all value, but
          the downside is that it may confuse you when you examine the logs
          because it will log lots of events that may not have anything to do
          with your specific problem. Think carefully before turning this one
          on - it could increase your workload.

    Hope it helps,
    P.


    "Jack Black" <JackBlack@hat.com> wrote in message
    news:uW4QM8f3EHA.1152@TK2MSFTNGP14.phx.gbl...
    > Greetings AD Gurus
    >
    > Suddenly, my GPO (single site, single domain) is no longer being applied to
    > my 200 users.
    > So, I can't change password expiration, lockout threshold, etc.
    >
    > I've checked DNS, etc. but still no luck.
    >
    > Any ideas?
    >
    > Thank you, Jack
    >
    >
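
The registry changes from the first answer, scripted so they can be switched on for a troubleshooting session and removed again afterwards. This is an added example, not part of the original thread; it assumes a machine with Windows PowerShell 2.0 or later installed (PowerShell did not ship with Windows 2000), and the function names are hypothetical.

```powershell
# Added example: toggle the GPO debug-logging values named in the first answer.
# Run from an elevated session on the machine that is not applying policy.
# Function names are hypothetical; keys, value names and data are from the post.

$NtCv = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

$Settings = @(
    @{ Key = "$NtCv\SecEdit";     Name = 'PolicyDebugLevel';                Data = 2 }
    @{ Key = "$NtCv\Winlogon";    Name = 'UserEnvDebugLevel';               Data = 0x30002 }  # "Hex value of 30002"
    @{ Key = "$NtCv\Diagnostics"; Name = 'RunDiagnosticLoggingGroupPolicy'; Data = 1 }
    # The other two Diagnostics values from the post can be appended here
    # if application-deployment or global logging is wanted.
)

function Get-GpoDebugLogging {
    # Report what is currently set, so the prior state is known before changing it.
    foreach ($s in $Settings) {
        $item = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        $cur  = if ($item) { $item.($s.Name) } else { $null }
        New-Object PSObject -Property @{ Name = $s.Name; Wanted = $s.Data; Current = $cur }
    }
}

function Enable-GpoDebugLogging {
    foreach ($s in $Settings) {
        # A key such as Diagnostics may not exist yet; create it only if missing
        # so existing values under the key are left alone.
        if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType DWord `
            -Value $s.Data -Force | Out-Null
    }
}

function Disable-GpoDebugLogging {
    # Remove only the values this script manages; the keys themselves stay.
    foreach ($s in $Settings) {
        if (Test-Path $s.Key) {
            Remove-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        }
    }
}
```

Dot-source the file, call `Enable-GpoDebugLogging`, then log off and back on (or restart, for the Diagnostics value) as the post describes before reading the logs. Call `Disable-GpoDebugLogging` once the logs have been collected.
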
  2.

    Thanks. I'll try that.

    Jack B.

    "Pablo E. Colazurdo" <rael@singularidad.com.ar> wrote in message
    news:OBpCbEg3EHA.2012@TK2MSFTNGP15.phx.gbl...
    > Have you checked for errors on the event viewer? Most probably problems
    > with the SYSVOL share.
    >
    > You can turn on Debugging on a PC and see what is going on:
    >
    > 1. If you encounter problems after making changes to the Default Domain
    >    and/or Default Domain Controller group policies, you can enable GPO
    >    debug logging on your server. To enable the logging:
    >    1. Use Regedt32 to navigate to:
    >       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SecEdit
    >    2. On the Edit menu, Add Value name PolicyDebugLevel, as a REG_DWORD
    >       data type. Set the data value to 2.
    >    3. The log file will be generated as:
    >       %SystemRoot%\security\logs\Scepol.log
    > 2. Enable Verbose logging by editing the registry. You are telling the
    >    system to create a USERENV.LOG in the winnt\debug directory. You can
    >    then examine the file for errors.
    >    1. Run Regedit.
    >    2. Navigate to Hkey_Local_Machine - Software - Microsoft - Windows NT -
    >       CurrentVersion - Winlogon.
    >    3. Add a REG_DWORD value called UserEnvDebugLevel and type in a Hex
    >       value of 30002.
    >    4. Close Regedit.
    >    5. Log off and log back on.
    > 3. All the following changes should be done at:
    >    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
    >    1. RunDiagnosticLoggingGroupPolicy. Adding this value and setting it as
    >       a REG_DWORD with value 1 will affect the logging of GPO processing by
    >       turning it on in verbose mode. After you make that change and restart
    >       the system, you will see a lot more information reported, especially
    >       during errors. In many cases, this will be enough to get the
    >       information you need.
    >    2. RunDiagnosticLoggingApplicationDeployment. Adding this value as a
    >       REG_DWORD with value 1 will turn on verbose logging specifically for
    >       GPO application deployments. In the case of an administrator who is
    >       trying to deploy antivirus files via GPO, this key would definitely
    >       be helpful in improving logging.
    >    3. RunDiagnosticLoggingGlobal, which, when added as REG_DWORD with
    >       value 1, will turn on verbose logging for all GPO processing events,
    >       including those listed above. It's basically a catch-all value, but
    >       the downside is that it may confuse you when you examine the logs
    >       because it will log lots of events that may not have anything to do
    >       with your specific problem. Think carefully before turning this one
    >       on - it could increase your workload.
    >
    > Hope it helps,
    > P.
    >
    >
    > "Jack Black" <JackBlack@hat.com> wrote in message
    > news:uW4QM8f3EHA.1152@TK2MSFTNGP14.phx.gbl...
    >> Greetings AD Gurus
    >>
    >> Suddenly, my GPO (single site, single domain) is no longer being applied
    >> to my 200 users.
    >> So, I can't change password expiration, lockout threshold, etc.
    >>
    >> I've checked DNS, etc. but still no luck.
    >>
    >> Any ideas?
    >>
    >> Thank you, Jack
    >>
    >>
    >
    >
  3.

    There are a couple of tests that you can perform - one is to actually enable
    userenv debug logging on the client machine that is not processing group
    policy. More information on how to enable this logging can be found here:

    http://support.microsoft.com/kb/221833

    I would be happy to take a look at the log file and help you decrypt its
    information and try to help identify the problem.

    Please provide more detailed information on how you determined why policies
    are not being applied to this client.

    Thanks,


    John Powell


    "Jack Black" wrote:

    > Greetings AD Gurus
    >
    > Suddenly, my GPO (single site, single domain) is no longer being applied to
    > my 200 users.
    > So, I can't change password expiration, lockout threshold, etc.
    >
    > I've checked DNS, etc. but still no luck.
    >
    > Any ideas?
    >
    > Thank you, Jack
    >
    >
    >
  4.

    A quick and good test is to install the support tools (located on the
    cd-rom of 2000 server cd) and once that is installed go to a command
    prompt and run "gpresult /v".

    See what happens - this should show what GP<s> is being applied. Maybe
    only part of your GP<s> is being applied and not all for some reason.
    After this follow the tips given above by other posters, however in my
    experience if affecting your entire network then it's more likely than
    not a replication problem. Check the event logs thoroughly on your DCs
    for events that might be stopping your DCs acting as DCs.

    Also please supply more details of your GP - is it the default domain
    policy alone that should be applied to your workstations/users for
    example?

    I just fixed a similar problem with one Terminal server just by
    rebooting it. For some reason it had stopped processing the GPs applied
    to it and therefore everyone lost their proxy settings. However a
    reboot fixed it. I believe the term used for that sort of problem is
    "Microsoft".