Group Policies Applying Issues
IT Explorer
Member Posts: 59
I'm facing some issues applying computer configuration policies:
Password lockout policies (some attempts to lock the account),
Software installations,
and other user configuration policies.
I made one GPO for computers and another GPO for users.
When applying these policies, executing "gpupdate /force" on clients and server
and rebooting clients, I see that nothing is happening, especially with the computer configuration policies; user configuration policies are working very well.
I tried to use the "Group Policy Results Wizard" for a specific user and a specific computer. It shows that the computer GPO is not applied ("Denied") because of an error.
I'm also struggling because I cannot run the "Group Policy Results Wizard" against other computers due to the message "RPC is not available". It instructs me to run the WMI service on the target client, but it is already running on all machines.
Could anyone here help me solve these issues?
Comments
-
Jander1023 Member Posts: 160
Well, the first error says denied and gives an error. Did you try using Google with the error message and error number? Honestly, I find Google to be very useful for solving GP issues.
Same with the 2nd error. The RPC not available error should include an error number. Google it and I bet you will find an answer.
I could probably take a guess but that wouldn't help you become a better admin. It's important to learn to be resourceful on your own. I know that isn't the "easy button" answers you were looking for. However, I almost always find an answer to GP errors online with a Google search. -
IT Explorer Member Posts: 59
The computer group policy error is stating something about time between client and server, but I ensured that everything is fine with time and both are synchronized with time.microsoft.com.
I'm really doing Google searches too, but I'll appreciate any suggestion from members here.
I also appreciate your advice, Mr. Jander1023. -
crrussell3 Member Posts: 561
First off, let's start with the basics:
1. Where are the gpo's linked? Are user gpo settings linked to an OU that contains users? Are the computer gpo settings linked to an OU that contains computers?
2. Did you disable User/Computer configuration settings on the wrong gpo (i.e. disable user settings on a gpo that contains user settings)?
3. Did you apply any Security Filtering, or specifically set a Deny to any user/security group?
4. Your Account lockout settings, are they configured in the Default Domain Policy (this is required/best practice)? You can set them up in another gpo, assign said gpo to the domain level, and give it precedence over the DDP, but I highly advise against it.
5. Your RPC errors, are you blocking port 135 on any firewalls? I would start there. Also check your local firewall logs on computers having issues.
6. Have you enabled debug logging for gpo? Google how to do it and parse the logs it generates.
7. Are your clients syncing with your DC, and your DC syncing with a time server? You should not have clients syncing with an external source, best to use DC for this. Have you modified the time variance in gpo to something other than the default 5 minutes? If it is less it could be causing issues.
8. Have you tried creating a brand new gpo, and changing some setting you would notice changing on the target user/computer, and have it along with the DDP the ONLY gpo's assigned? This will help to eliminate issues with another gpo. I had an issue once where a bad proxy exception in gpo caused all other gpo settings not to apply and took FOREVER to debug.
Also, you did create backups of your gpo's before making changes, correct? If not, do it ASAP in case you need to roll back changes.
MCTS: Windows Vista, Configuration
MCTS: Windows WS08 Active Directory, Configuration -
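Items 5 and 7 of the checklist above can be checked from a prompt. The following PowerShell is an added example, not part of the original thread: it tests TCP 135 on a target client and measures the clock offset against the DC with `w32tm`. The function name and `CLIENT01` are hypothetical, and the 300-second limit is the default 5 minutes mentioned in item 7.

```powershell
# Added example, not from the thread. Function and computer names are hypothetical.
function Test-GpoPrerequisites {
    param(
        [Parameter(Mandatory = $true)][string]$TargetComputer,
        # Defaults to the DC that logged this session on.
        [string]$DomainController = ($env:LOGONSERVER -replace '^\\\\', ''),
        [int]$MaxSkewSeconds = 300   # the default 5 minutes from item 7
    )

    # Item 5: is the RPC endpoint mapper (TCP 135) on the target reachable?
    $rpcOpen = $false
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($TargetComputer, 135, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne(3000)) {
            $client.EndConnect($pending)   # throws if the connection was refused
            $rpcOpen = $true
        }
    } catch {
        $rpcOpen = $false
    } finally {
        $client.Close()
    }

    # Item 7: offset between THIS machine and the DC, read from w32tm's data
    # line, which ends in a signed value such as "+00.0123456s".
    $offset = $null
    $pattern = '([+-]\d+\.\d+)s\s*$'
    $line = w32tm /stripchart /computer:$DomainController /samples:1 /dataonly |
        Where-Object { $_ -match $pattern } | Select-Object -Last 1
    if ($line -match $pattern) {
        $offset = [double]::Parse($Matches[1],
            [System.Globalization.CultureInfo]::InvariantCulture)
    }

    New-Object PSObject -Property @{
        TargetComputer   = $TargetComputer
        Rpc135Reachable  = $rpcOpen
        DomainController = $DomainController
        OffsetSeconds    = $offset
        # A $null offset means w32tm returned no sample; treated as a failure.
        TimeWithinLimit  = ($offset -ne $null -and [math]::Abs($offset) -le $MaxSkewSeconds)
    }
}

Test-GpoPrerequisites -TargetComputer 'CLIENT01' | Format-List   # hypothetical name
```

Run it on the affected client to measure that client's own skew. A reachable port 135 only shows the endpoint mapper is open; the firewall rules for the services behind it still have to be enabled.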
IT Explorer Member Posts: 59
I googled about RPC and now it is solved; it was a firewall issue. When enabling the rules below on the target client, the RPC issue disappeared:
Remote Service Management (NP-In)
Windows Management Instrumentation (WMI-In)
Now the other problem, that I cannot apply the computer configuration GPO, is still there.
crrussell3,
1. I had 2 GPOs: one for user configuration, which is applied to the myusers OU, and another GPO for the computer configuration, which is applied to the mycomputers OU.
2. The MYUsers GPO is working fine; the problem is that the mycomputers GPO is not functioning.
3. After executing the GPRW on the XP computer that is one of the targeted computers, the MyComputers policy didn't apply and failed with the following event IDs: 1054, 1030, 1097.
The same for the Windows 7 computer: the MyComputers policy didn't apply and failed with the following event IDs: 101, 103, 108.
That is all till now. I hope to get help on this issue, because it is freezing me now. -
crrussell3 Member Posts: 561
IT Explorer wrote: »
I googled about RPC and now it is solved; it was a firewall issue. When enabling the rules below on the target client, the RPC issue disappeared:
Remote Service Management (NP-In)
Windows Management Instrumentation (WMI-In)
Now the other problem, that I cannot apply the computer configuration GPO, is still there.
crrussell3,
1. I had 2 GPOs: one for user configuration, which is applied to the myusers OU, and another GPO for the computer configuration, which is applied to the mycomputers OU.
2. The MYUsers GPO is working fine; the problem is that the mycomputers GPO is not functioning.
3. After executing the GPRW on the XP computer that is one of the targeted computers, the MyComputers policy didn't apply and failed with the following event IDs: 1054, 1030, 1097.
The same for the Windows 7 computer: the MyComputers policy didn't apply and failed with the following event IDs: 101, 103, 108.
That is all till now. I hope to get help on this issue, because it is freezing me now.
Off the top of my head, event id errors 101, 103 and 108 typically point to ntfs issues with the gpsi. Do the COMPUTER accounts have share/ntfs access to the unc path of the installer you are calling in gpsi?
I believe your other three event id 1054, 1030 and 1097 point to DNS issues, if their source is gp.
Troubleshooting Microsoft Windows Event Logs is a great resource to figure out what a lot of them mean.
MCTS: Windows Vista, Configuration
MCTS: Windows WS08 Active Directory, Configuration -
IT Explorer Member Posts: 59
crrussell3 wrote: »
Off the top of my head, event id errors 101, 103 and 108 typically point to ntfs issues with the gpsi. Do the COMPUTER accounts have share/ntfs access to the unc path of the installer you are calling in gpsi?
I believe your other three event id 1054, 1030 and 1097 point to DNS issues, if their source is gp.
Troubleshooting Microsoft Windows Event Logs is a great resource to figure out what a lot of them mean.
I shared the folder that contains the software package, gave "read permission" to everyone, and pointed to it from the GPO using a UNC path.
I can ping the server from the client PCs with the name of that server, so DNS is working fine, isn't it?
I can also open the share from Windows XP and 7.
Is there any further investigation I can do? -
Jander1023 Member Posts: 160
Quick question - is the "MyComputer" OU an OU that you created? Or did somebody else create the OU? Or, is it the default Computer OU that was renamed to MyComputer?
-
Jander1023 Member Posts: 160
IT Explorer wrote: »
I shared the folder that contains the software package, gave "read permission" to everyone, and pointed to it from the GPO using a UNC path.
I can ping the server from the client PCs with the name of that server, so DNS is working fine, isn't it?
I can also open the share from Windows XP and 7.
Is there any further investigation I can do?
Did you check to see if the COMPUTER accounts have the appropriate NTFS permissions? Although the share permissions allow read for everyone, the NTFS could be more restrictive. Specifically, you should verify if the "domain computers" have NTFS permissions on the folder. -
crrussell3 Member Posts: 561
IT Explorer wrote: »
I shared the folder that contains the software package, gave "read permission" to everyone, and pointed to it from the GPO using a UNC path.
I can ping the server from the client PCs with the name of that server, so DNS is working fine, isn't it?
I can also open the share from Windows XP and 7.
Is there any further investigation I can do?
Have you verified that the installer itself isn't corrupt? I have had what looked like permission issues before that were actually due to a corrupt installer package.
Again, I would enable gpsi logging and see what you can come up with.
Fixing Group Policy problems by using log files: Group Policy
MCTS: Windows Vista, Configuration
MCTS: Windows WS08 Active Directory, Configuration -
IT Explorer Member Posts: 59
I disabled the gpsi package and tried to apply the other password lockout policies, and there was no progress in the Group Policy Results Wizard,
so it wasn't a permissions issue; the computer policy is still denied.
But when applying a security filter to the computer GPO for the domain computers (I know that this is not typical), the computer GPO is now applied in the GPRW. Also, when I use the gpresult command on the client machine, it reports that the computer GPO is applied (the error events are still there with the mentioned event IDs in the policy events tab of GPRW), but the settings of the GPO don't really take effect.
I also enabled this policy:
CompConf\AdmTempl\System\Logon\ - "Always wait for the network at computer startup and logon"
but nothing happens; computer policies are still not applied. -
crrussell3 Member Posts: 561
The only other advice I can give at this time is what I have given twice: You will need to enable advanced group policy logging and then parse the log files after performing a reboot and logging on to see what they tell you. That will give you greater insight as to what your issue is.
MCTS: Windows Vista, Configuration
MCTS: Windows WS08 Active Directory, Configuration