Not pulling GPO

Lee H Member Posts: 1,135
Hi

I post many questions here and don't get many replies; either the people who visit this particular forum can't answer or it's in the wrong forum. Anyway, I post here because we use Server 2003 in my workplace. If anyone knows of a better forum for this question, please tell me.

Q. One of our 2000 clients in my school will not pull the GPO (mandatory start menu etc.), nor will it get a DNS entry; one may be causing the other? It has been dropped off the network and put back on several times with different names but will not pull the GPO; it gets a full start menu when logging in as a test user.

Any ideas would be great. To solve this we are going to re-image the client, but I am curious why it's happening.

Lee H

Comments

  • jescab Inactive Imported Users Posts: 1,321
    did you try gpupdate...........
    GO STEELERS GO - STEELERS RULE
  • eurotrash Member Posts: 817
    First of all I guess you should solve the DNS problem.

    The problem as I understand it is that the computer doesn't register itself in DNS (and therefore can't get the policy applied).
    Is it in a domain? Getting its IP from the DHCP server (with presumably the DNS settings configured)? Are any other computers on its subnet having the same problems?
    Did you try an ipconfig /registerdns and then a gpupdate (or whatever the cmd is in win2k)?
    Can you ping the DNS server? The DC? Any problem with the computer account in AD? Tried rejoining it?
    ...
    witty comment
  • eastp Member Posts: 179
    _omni_ wrote:
    Did you try an ipconfig /registerdns and then a gpupdate (or whatever the cmd is in win2k)?
    ...

    To update machine policy, enter: secedit /refreshpolicy machine_policy
    To update user policy, enter: secedit /refreshpolicy user_policy

    Note: By default secedit will only load changes to the GPO.
    To refresh the entire GPO regardless of changes made,
    add the /enforce switch to the end of the command.

    Kind regards.
    Eastp.
    Multitasking:
    Screwing up several things at once.
  • Silver Bullet Member Posts: 676
    eastp wrote:
    _omni_ wrote:
    Did you try an ipconfig /registerdns and then a gpupdate (or whatever the cmd is in win2k)?
    ...

    To update machine policy, enter: secedit /refreshpolicy machine_policy
    To update user policy, enter: secedit /refreshpolicy user_policy

    Note: By default secedit will only load changes to the GPO.
    To refresh the entire GPO regardless of changes made,
    add the /enforce switch to the end of the command.

    Kind regards.
    Eastp.

    That is correct for Windows 2000 and 2000 Server but not XP and Server 2003. gpupdate replaces secedit.

    Since it is a Domain we are dealing with (aren't we?) then I would think we need to use gpupdate /appropriate switch on the Windows Server 2003 Domain Controller. If it is a workgroup then you will need to use secedit /appropriate switch on the windows 2000 client.

    Need more info as _omni_ is probing for in order to help on this.
  • sprkymrk Member Posts: 4,884
    He is having problems with a W2K client, so the command would be secedit... However, if renaming and rebooting don't help there is another problem and secedit/gpupdate won't make much difference.

    What do your event logs on the client tell you? That will help a lot. Most likely you will find a clue to the problem there.

    What happens when you ping the domain? If your domain name is "mydomain" try "ping mydomain" and see if a DC replies.
    All things are possible, only believe.
  • sprkymrk Member Posts: 4,884
    Lee H wrote:
    Hi

    I post many questions here and don't get many replies; either the people who visit this particular forum can't answer or it's in the wrong forum. Anyway, I post here because we use Server 2003 in my workplace. If anyone knows of a better forum for this question, please tell me.

    Hi Lee,
    I think it could be a lot of reasons. Sometimes if it seems someone has not tried to find the answer themselves (which can usually be discerned from the question) people may not respond to it. It's like expecting everyone else to do your work for you. Not saying this is the case, just one possibility. Second, are you including enough info with your questions? I personally don't like to have to beg a guy for details when he was too lazy to post the obvious details the first time. Third, maybe we don't know the answer. You didn't, so why expect someone else to know without having been involved like you were. And last, this thread is actually about certification and the 70-290 exam specifically, not troubleshooting someone else's production environment. Anyway, hopefully the answers here will give you a place to start solving the problem. Everyone is glad to help out a fellow tech.
    Hope that helps. :)
    All things are possible, only believe.
  • Silver Bullet Member Posts: 676
    sprkymrk wrote:
    He is having problems with a W2K client, so the command would be secedit...

    I agree if it is a Workgroup....otherwise if it is a domain then those commands will need to be run at the domain level since the GP is applied at the Domain Level in a Domain environment. In which if it is a domain then the command will be gpupdate since he said he is running Server 2003.

    Also it depends on where your GP is being applied and if the object you are applying it to is in the correct OU if that is how you are applying your GP.

    Again......there are too many unknowns to pinpoint the exact cause of your problem.

    Details Please!!!

    I scrolled through the 70-290 forum and found the post you have posted and found that you are getting replies, you are just not giving enough info or doing enough of the legwork yourself as sprkymrk has already said.
  • sprkymrk Member Posts: 4,884
    sprkymrk wrote:
    He is having problems with a W2K client, so the command would be secedit...

    I agree if it is a Workgroup....otherwise if it is a domain then those commands will need to be run at the domain level since the GP is applied at the Domain Level in a Domain environment. In which if it is a domain then the command will be gpupdate since he said he is running Server 2003.

    The command for a W2K client is secedit, regardless of the DC OS. If you try to run gpupdate on a W2K box it will error out with the message of unrecognized command. I know, I've done it... I have a mixed environment of W2K and WXP on a AD 2003 domain.
    All things are possible, only believe.
  • Silver Bullet Member Posts: 676
    sprkymrk wrote:
    sprkymrk wrote:
    He is having problems with a W2K client, so the command would be secedit...

    I agree if it is a Workgroup....otherwise if it is a domain then those commands will need to be run at the domain level since the GP is applied at the Domain Level in a Domain environment. In which if it is a domain then the command will be gpupdate since he said he is running Server 2003.

    The command for a W2K client is secedit, regardless of the DC OS. If you try to run gpupdate on a W2K box it will error out with the message of unrecognized command. I know, I've done it... I have a mixed environment of W2K and WXP on a AD 2003 domain.

    I'm not arguing the fact that secedit is the command to use on a Windows 2k client. I AM saying that in a domain environment you run the command at the domain level, not the client level. If you had to run around to every client to enforce a group policy update in a domain environment then that would make for 1 heck of a job. Having said that.....since he already said that he is using Windows Server 2003, and at this point one can only assume that he is operating in a domain, then the command will be gpupdate and it will need to be run on the Server, not the client's computer.
  • sprkymrk Member Posts: 4,884
    If he is only having trouble with a single client, that's where you start troubleshooting (assuming everyone else is okay). It doesn't appear that the whole domain is experiencing problems, just this one lonely little W2K workstation. I see where you were going now though. I may be slow, but at least I do poor work.
    All things are possible, only believe.
  • Silver Bullet Member Posts: 676
    Well I still think that if this is the only user that isn't getting the group policy then the problem is with his setup in AD. Either the object isn't in the correct container or whatever. If it is just a user then it could just be that the user is not in the OU that the GP is being applied.

    Nothing was ever said that if he tried to log on with another user account that is known to be getting the GP applied. He did mention some vague DNS problem but who knows.

    For all we know at this point.....the user is logging on with a local account using the restaurant's open wireless connection across the street.
  • sprkymrk Member Posts: 4,884
    For all we know at this point.....the user is logging on with a local account using the restaurant's open wireless connection across the street.

    That would explain where he is then, since he hasn't posted back anything since his original question at 2:30PM today*. Right now it's you and me trying to solve a problem we actually know very little about. Let's just say we fixed it and move on to the next one SilverB, deal?


    * Of course, to be fair, the time difference (5-6 hours) might have something to do with it too.
    All things are possible, only believe.
  • Silver Bullet Member Posts: 676
    sprkymrk wrote:
    Let's just say we fixed it and move on to the next one SilverB, deal?

    Next
  • Lee H Member Posts: 1,135
    I believe some clarification is in order.

    Client will log onto domain, but not pull the GPO
    Client pulls default local profile instead of mandatory profile from server
    This is the only one that it's happening to
    Other colleague has noticed it does not get a DNS entry
    Other colleague has run gpupdate but to no avail
    Client has been renamed and rejoined to network but still no GPO
    Why is the server authenticating a user but not pulling the mandatory GPO

    64 million dollar question is: why is the server authenticating a user but not pulling the mandatory GPO, but instead the client gives the default local profile?

    Apologies for the vague information; it was not me who was trying to fix this problem, it was a colleague, and that was all he told me. Thanks for everyone's input, I appreciate everyone's comments, helpful or not.

    Lee H
  • Silver Bullet Member Posts: 676
    At what level are you applying the GP? Is it being applied to an OU? If so, have you made sure that this user is in the correct OU? Have you logged on to the same computer with another User Account that is getting the GP applied? Can the user log on to a different machine and get the GP?
  • Lee H Member Posts: 1,135
    At what level are you applying the GP? Is it being applied to an OU? If so, have you made sure that this user is in the correct OU? Have you logged on to the same computer with another User Account that is getting the GP applied? Can the user log on to a different machine and get the GP?

    GPO is applied to the Pupils folder in which our test account resides
    Test account works on every other machine

    This issue has now been resolved with a re-image, but we have an ongoing problem in our school and I have spent hours trawling websites for an answer. It has happened quite a lot, mainly over our wireless internet, that when a user logs on to the laptop using their domain login it doesn't pull the GPO. The fact that they're actually logging in suggests that they are being authenticated, but then the GPO fails to apply, so they get the default local profile. Then they have full access to the local laptop, which we don't want.

    Lee H
  • keatron Member Posts: 1,213
    Lee H wrote:
    At what level are you applying the GP? Is it being applied to an OU? If so, have you made sure that this user is in the correct OU? Have you logged on to the same computer with another User Account that is getting the GP applied? Can the user log on to a different machine and get the GP?

    GPO is applied to the Pupils folder in which our test account resides
    Test account works on every other machine

    This issue has now been resolved with a re-image, but we have an ongoing problem in our school and I have spent hours trawling websites for an answer. It has happened quite a lot, mainly over our wireless internet, that when a user logs on to the laptop using their domain login it doesn't pull the GPO. The fact that they're actually logging in suggests that they are being authenticated, but then the GPO fails to apply, so they get the default local profile. Then they have full access to the local laptop, which we don't want.

    Lee H

    This might be due to whatever wireless cards the client is using. Keep in mind that the wireless client utility (whichever you might be using) might not start up until after Windows has completely booted and AFTER group policy would be applied (during the logon process). If no network connection is detected, they will log on with cached domain credentials or local default settings. Due to the fact that you say this is only happening to the wireless clients, it's probably where you're having the problem. You need to change when group policy is applied by modifying Computer Configuration\Administrative Templates\System\netlogon. In here you will need to configure the "expected dial-up delay on logon" option. This should do it for you.
  • Lee H Member Posts: 1,135
    sprkymrk wrote:
    Lee H wrote:
    Hi

    I post many questions here and don't get many replies; either the people who visit this particular forum can't answer or it's in the wrong forum. Anyway, I post here because we use Server 2003 in my workplace. If anyone knows of a better forum for this question, please tell me.

    Hi Lee,
    I think it could be a lot of reasons. Sometimes if it seems someone has not tried to find the answer themselves (which can usually be discerned from the question) people may not respond to it. It's like expecting everyone else to do your work for you. Not saying this is the case, just one possibility. Second, are you including enough info with your questions? I personally don't like to have to beg a guy for details when he was too lazy to post the obvious details the first time. Third, maybe we don't know the answer. You didn't, so why expect someone else to know without having been involved like you were. And last, this thread is actually about certification and the 70-290 exam specifically, not troubleshooting someone else's production environment. Anyway, hopefully the answers here will give you a place to start solving the problem. Everyone is glad to help out a fellow tech.
    Hope that helps. :)

    Firstly, I search many sites finding solutions to my problems; about 1 in 10 I ask on Techexams through no result of this.

    Secondly, I am guilty of not providing enough information, but at the time that was all I knew.

    Thirdly, I don't assume that people on this forum will know the answer, same reason why when I read questions that other people have posted, if I don't know the answer I don't reply.

    And lastly, this site IS about certification AND also about sharing knowledge with other people alike around the world who may have your solution. After posting that comment, don't contradict yourself by finding a solution to one of YOUR problems by posting on this site.

    If this site was full of people with your attitude then it would not exist.
  • keatron Member Posts: 1,213
    And Leeh, as always post back results, as it might help someone in the future who might be in your same situation.

    Keatron.
  • sprkymrk Member Posts: 4,884
    Lee H wrote:
    sprkymrk wrote:
    Lee H wrote:
    Hi

    I post many questions here and don't get many replies; either the people who visit this particular forum can't answer or it's in the wrong forum. Anyway, I post here because we use Server 2003 in my workplace. If anyone knows of a better forum for this question, please tell me.

    Hi Lee,
    I think it could be a lot of reasons. Sometimes if it seems someone has not tried to find the answer themselves (which can usually be discerned from the question) people may not respond to it. It's like expecting everyone else to do your work for you. Not saying this is the case, just one possibility. Second, are you including enough info with your questions? I personally don't like to have to beg a guy for details when he was too lazy to post the obvious details the first time. Third, maybe we don't know the answer. You didn't, so why expect someone else to know without having been involved like you were. And last, this thread is actually about certification and the 70-290 exam specifically, not troubleshooting someone else's production environment. Anyway, hopefully the answers here will give you a place to start solving the problem. Everyone is glad to help out a fellow tech.
    Hope that helps. :)

    Firstly, I search many sites finding solutions to my problems; about 1 in 10 I ask on Techexams through no result of this.

    Secondly, I am guilty of not providing enough information, but at the time that was all I knew.

    Thirdly, I don't assume that people on this forum will know the answer, same reason why when I read questions that other people have posted, if I don't know the answer I don't reply.

    And lastly, this site IS about certification AND also about sharing knowledge with other people alike around the world who may have your solution. After posting that comment, don't contradict yourself by finding a solution to one of YOUR problems by posting on this site.

    If this site was full of people with your attitude then it would not exist.

    Not sure what part of my answer offended you Lee. Was it the part where I said this is just a possibility and necessarily true in your case? Or was it my suggestion to provide enough information for everyone else to go on? Maybe the part about being glad to help fellow techs? The smiley face emoticons are actually used to convey information that cannot be easily conveyed using only the written word. Thus the little yellow face with a smile at the end of my answer was supposed to mean "no hard feelings" or "no offence intended". I'm not a good word smith, so if my answer was too hard or offensive, it was not intended that way.

    I find that most people read the part that applies to themselves and ignore the rest. Regarding my attitude, just check some of my other posts. I doubt you'll find too many contradictions.

    Yes, this SITE is about helping others, but this specific thread is about the 70-290 exam, which I only mentioned since you indicated that you weren't sure if this was the right forum for your specific question.

    Anyway, I agree the wireless part is probably where the problem lies. Let us know if keatron's suggestion works. Thanks and take care.
    All things are possible, only believe.
  • keatron Member Posts: 1,213
    Lee another thing to consider is make sure that the user and/or computer have the read & apply group policy permission on the GPO.
  • Lee H Member Posts: 1,135
    keatron wrote:
    Lee another thing to consider is make sure that the user and/or computer have the read & apply group policy permission on the GPO.

    Not sure what that last post meant; your first explanation sounds like the answer. Will alter the GPO to include a login delay for those laptops. I won't know if it has solved the problem because it will take time to see that it hasn't happened again; it didn't happen every week but enough to need a fix for it. Thanks for your help

    Lee H
  • Lee H Member Posts: 1,135
    Hi

    3 more suggestions regarding this issue. I thought I knew most of the objects in AD as I have a printout of all of them in list form and have scanned them a few times to familiarise myself with them, but I missed these 2

    1. Computer Configuration\Admin Templates\System\User Profiles - Do not detect slow network connections.

    If we assume our issue is directly related to slow wireless, then after being authenticated over a slow connection the profile would take too long, so by default the local one is pulled.


    2. Computer Configuration\Admin Templates\System\Logon - Always wait for the network at computer startup and logon.

    By default, Windows XP does not wait for the network to be fully initialized at startup and logon.

    3rd option, just to be sure it will never happen, is to copy our profile to the laptop and make that the default laptop, as it will have all restrictions, thus protecting the laptop from unsavoury pupils.

    Thanks for everyone's input, I appreciate it. Will implement all these and let you know if it works

    Lee H
  • Trailerisf Member Posts: 455
    I always find arguing with the people trying to help you gets you faster answers in the future.

    I posted a question I needed help with in off-topic over a month ago... Not one reply. Guess no one knew the answer. Life goes on.

    The issue seems to lie within AD. The "other" client login that you are using... Has it logged into that machine when everything was working? If so, profile is saved.... Try nuking all the local profiles (assuming there is a server copy still so you don't lose data)

    Confirm that the permission for the profiles folders are set correctly. If you can't access the profile, you can't pull it.

    Have you checked the event logs on the DC?
    Have you checked the event logs on the local machine?
    Checked DNS for errors?
    On the road to Cisco. Will I hunt it, or will it hunt me?
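
Several replies point to the client and DC event logs, and the failure described in the thread (domain logon succeeds, policy does not apply, the user lands in an unrestricted local profile) leaves distinct events behind. The following is an added example, not part of the thread: a Python triage over a constructed CSV export of client event logs, where the column layout, host names and function names are assumptions and the signatures are the XP/Server 2003-era events NETLOGON 5719 and Userenv 1054, 1030 and 1058.

```python
import csv
import io
from collections import defaultdict

# (event source, event ID) -> failure category. XP/Server 2003-era events
# written when a domain logon proceeds without Group Policy being applied.
SIGNATURES = {
    ("netlogon", 5719): "no_dc",    # no domain controller available at startup
    ("userenv", 1054): "no_dc",     # cannot obtain DC name, GP processing aborted
    ("userenv", 1030): "gpo_read",  # cannot query the list of GPOs
    ("userenv", 1058): "gpo_read",  # cannot read gpt.ini for a GPO
}

ADVICE = {
    "no_dc": "network not up at logon: check link, DNS, wait-for-network "
             "and logon delay policies",
    "gpo_read": "DC reachable but GPO unreadable: check DNS, SYSVOL access "
                "and Read/Apply Group Policy permissions",
}

# Constructed sample export (not real logs); the column layout is an assumption.
SAMPLE_EXPORT = """\
time,host,log,source,event_id
2006-01-09T08:31:02,LAPTOP-07,System,NETLOGON,5719
2006-01-09T08:31:05,LAPTOP-07,Application,Userenv,1054
2006-01-09T08:40:11,PC-LAB-12,Application,Userenv,1030
2006-01-09T08:40:11,PC-LAB-12,Application,Userenv,1058
2006-01-09T08:41:00,PC-LAB-03,System,Service Control Manager,7036
2006-01-10T08:29:47,LAPTOP-07,Application,Userenv,1054
2006-01-10T08:30:00,LAPTOP-09,Application,Userenv,n/a
"""


def triage(export_text):
    """Return {host: {category: count}} for hosts that logged policy failures."""
    findings = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            event_id = int(row["event_id"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed rows rather than abort the whole run
        source = (row.get("source") or "").strip().lower()
        category = SIGNATURES.get((source, event_id))
        if category:
            findings[row["host"]][category] += 1
    return {host: dict(counts) for host, counts in findings.items()}


def report(findings):
    """Render one line per host and category, with the first thing to check."""
    lines = []
    for host in sorted(findings):
        for category, count in sorted(findings[host].items()):
            lines.append(f"{host}: {count}x {category} -> {ADVICE[category]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_EXPORT))))
```

A host that repeatedly shows `no_dc` fits the explanation that the network was not up at logon; `gpo_read` points instead at DNS, SYSVOL or GPO permissions.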