GPO no longer being applied to user

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Greetings AD Gurus,

Suddenly, my GPO (single site, single domain) is no longer being applied to
my 200 users.
So, I can't change password expiration, lockout threshold, etc.

I've checked DNS, etc. but still no luck.

Any ideas?

Thank you, Jack
 
Guest

Have you checked for errors in the Event Viewer? Most probably problems with
the SYSVOL share.

You can turn on debugging on a PC and see what is going on:

1. If you encounter problems after making changes to the Default Domain
   and/or Default Domain Controller group policies, you can enable GPO debug
   logging on your server. To enable the logging:
   1. Use Regedt32 to navigate to:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SecEdit
   2. On the Edit menu, choose Add Value and add the value name
      PolicyDebugLevel as a REG_DWORD data type. Set the data value to 2.
   3. The log file will be generated as:
      %SystemRoot%\security\logs\Scepol.log
2. Enable verbose logging by editing the registry. You are telling the
   system to create a USERENV.LOG in the winnt\debug directory. You can then
   examine the file for errors.
   1. Run Regedit.
   2. Navigate to
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
   3. Add a REG_DWORD value called UserEnvDebugLevel and type in a hex
      value of 30002.
   4. Close Regedit.
   5. Log off and log back on.
3. All the following changes should be done at:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
   1. RunDiagnosticLoggingGroupPolicy. Adding this value and setting it as
      a REG_DWORD with value 1 will affect the logging of GPO processing by
      turning it on in verbose mode. After you make that change and restart
      the system, you will see a lot more information reported, especially
      during errors. In many cases, this will be enough to get the
      information you need.
   2. RunDiagnosticLoggingApplicationDeployment. Adding this value as a
      REG_DWORD with value 1 will turn on verbose logging specifically for
      GPO application deployments. In the case of an administrator who is
      trying to deploy antivirus files via GPO, this key would definitely be
      helpful in improving logging.
   3. RunDiagnosticLoggingGlobal, which, when added as a REG_DWORD with
      value 1, will turn on verbose logging for all GPO processing events,
      including those listed above. It's basically a catch-all value, but
      the downside is that it may confuse you when you examine the logs
      because it will log lots of events that may not have anything to do
      with your specific problem. Think carefully before turning this one
      on - it could increase your workload.

Hope it helps,
P.
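
The registry changes from the reply above, as an added example in PowerShell (not part of the original thread; it assumes a Windows system where PowerShell is available and an elevated prompt). `Set-GpoDebugLogging` and `Get-GpoDebugLogging` are hypothetical helper names; the `-Disable` path removes the values again once troubleshooting is finished.

```powershell
# Added example: keys, value names and data are the ones listed in the reply above.
# Set-GpoDebugLogging / Get-GpoDebugLogging are hypothetical helpers, not built-in cmdlets.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$settings = @(
    @{ Key = "$base\SecEdit";     Name = 'PolicyDebugLevel';                Value = 2 }
    @{ Key = "$base\Winlogon";    Name = 'UserEnvDebugLevel';               Value = 0x30002 }  # hex 30002
    @{ Key = "$base\Diagnostics"; Name = 'RunDiagnosticLoggingGroupPolicy'; Value = 1 }
)
# The ApplicationDeployment and Global values from the reply are left out on purpose;
# add them to $settings only if the narrower logging is not enough.

function Set-GpoDebugLogging {
    param([switch]$Disable)
    foreach ($s in $settings) {
        if ($Disable) {
            # Remove only the value, never the key: Winlogon holds unrelated settings.
            Remove-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
            continue
        }
        # Create the key only when it is missing (Diagnostics usually is);
        # -Force is avoided on New-Item so an existing key is never replaced.
        if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key | Out-Null }
        New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType DWord `
            -Value $s.Value -Force | Out-Null
    }
}

function Get-GpoDebugLogging {
    # Report what is currently set next to what the reply asks for.
    foreach ($s in $settings) {
        $cur = (Get-ItemProperty -Path $s.Key -Name $s.Name `
                    -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{ Name = $s.Name; Expected = $s.Value; Current = $cur }
    }
}

Set-GpoDebugLogging
Get-GpoDebugLogging | Format-Table -AutoSize
# Log off and on (or restart) as the reply describes, then read
# %SystemRoot%\security\logs\Scepol.log and USERENV.LOG in the debug directory.
# Afterwards: Set-GpoDebugLogging -Disable
```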

Guest

Thanks. I'll try that.

Jack B.

Guest

There are a couple of tests that you can perform - one is to actually enable
userenv debug logging on the client machine that is not processing group
policy. More information on how to enable this logging can be found here:

http://support.microsoft.com/kb/221833

I would be happy to take a look at the log file and help you decrypt its
information and try to help identify the problem.

Please provide more detailed information on how you determined why policies
are not being applied to this client.

Thanks,


John Powell

Guest

A quick and good test is to install the support tools (located on the
cd-rom of 2000 server cd) and once that is installed go to a command
prompt and run "gpresult /v".

See what happens - this should show what GP<s> is being applied. Maybe
only part of your GP<s> is being applied and not all for some reason.
After this follow the tips given above by other posters, however in my
experience if affecting your entire network then it's more likely than
not a replication problem. Check the event logs thoroughly on your DCs
for events that might be stopping your DCs acting as DCs.

Also please supply more details of your GP - is it the default domain
policy alone that should be applied to your workstations/users for
example?

I just fixed a similar problem with one Terminal server just by
rebooting it. For some reason it had stopped processing the GPs applied
to it and therefore everyone lost their proxy settings. However a
reboot fixed it. I believe the term used for that sort of problem is
"Microsoft".