Andreas-9700 asked

GPO not working

Hi,

We have 2 machines, they have the same applications, and are on the same network segment.
On one of these machines we noticed that we don't get the GPO assigned. Also, I guess it is related, but there are some other error messages from LSA when I reboot the machine.
I am able to log in to the machine, but no GPO is applied, for example disk mapping.

  • Have tried to rejoin the domain, change ip, change hostname

  • Have tried to reset the SPN

  • No firewall

  • Tried several other users, with local admin

  • There is no problem with DNS, and also repadmin shows ok.

  • The machine object is replicated between our DCs

Here are some of the error messages. I guess they are related, but I am not sure what is causing the problem.
The first image refers to Credential Manager, but there are no stored passwords if I go and look.

200269-1.png
200228-2.png
200279-3.png


Thanks for any reply.

/R
Andy


yannara answered

Gpupdate /force will probably show you some errors. You should disjoin and rejoin the computer to the domain. Make sure you know the local admin password of the machine or create a new one. It would be best to delete the AD computer account and let the rejoin process create a new one. Remember then to transfer the new account to the production OU.


Andreas-9700 answered

Hi @yannara

Thanks for the reply.

gpupdate /force screenshot below. It complains about a specific GPO, but if I remove that GPO, it just complains about the next one, and so on...
I have already tried to rejoin, and also to delete the AD object, but same problem :(

Any other suggestions?

200488-4.png

/R
Andy


yannara answered

Are you exactly sure that this is only a one-computer problem? I had the same behavior with all computers and it was a DC replication issue around SYSVOL.


Andreas-9700 answered

Hi,

Yes, no problem located with other machines. Do you want me to provide some dcdiag, repadmin information?

/R
Andy


LimitlessTechnology-2700 answered

Hi Andreas-9700,

Usually, you will find that this issue is caused by one of the items in the list below:

  1. SYSVOL replication is broken and the GPO's contents in SYSVOL are not replicated to every DC. If this issue is only affecting one PC, then it's unlikely to be this.

  2. The GPO is truly corrupt in SYSVOL and missing one or more key files. I would imagine as above.

  3. The client can't resolve the DFS path to SYSVOL. I've seen this caused by disabling the "TCP/IP NetBIOS Helper" service, so I would check that. This is quite likely in my experience.

  4. If it's per-computer policy that is generating this message, it could be a network stack timing issue as the machine starts up. You can tweak the client's policy at Computer Configuration\Admin Templates\System\Group Policy\Specify startup policy processing wait time.

Also, just note, the Default Domain Policy can be "restored". Microsoft provides the DCGPOFix.exe tool (http://technet.microsoft.com/en-us/library/hh875588.aspx) that lets you reset the DDP and DDCP GPOs to their default settings, if these GPOs are truly corrupt. In the case of these tools, you would have to recreate any settings that you had in these GPOs.



--If the reply is helpful, please Upvote and Accept as answer--
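
The first three items in the list above can be checked from the affected client with a short script. This is an added example, not part of the original answer; it assumes a domain-joined machine that can reach its DCs over LDAP and SMB, and it relies on `lmhosts` being the service name of "TCP/IP NetBIOS Helper".

```powershell
# Added example, not from the original thread. Run on the affected client.
# Assumes the machine is domain-joined and can reach its DCs over LDAP and SMB.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$name   = $domain.Name
$dcs    = @($domain.DomainControllers | ForEach-Object { $_.Name })

# Item 3: "TCP/IP NetBIOS Helper" (service name lmhosts) should not be disabled.
Get-Service -Name lmhosts | Format-List Name, Status, StartType

# Item 3: does the domain-based DFS path to SYSVOL resolve from this client?
$dfsPath = "\\$name\SYSVOL\$name\Policies"
"{0} reachable: {1}" -f $dfsPath, (Test-Path -LiteralPath $dfsPath)

# Items 1 and 2: read gpt.ini for every GPO folder on every DC.
$report = foreach ($dc in $dcs) {
    $policies = "\\$dc\SYSVOL\$name\Policies"
    if (-not (Test-Path -LiteralPath $policies)) {
        [pscustomobject]@{ DC = $dc; Gpo = '(SYSVOL unreachable)'; Version = 'n/a' }
        continue
    }
    foreach ($gpo in Get-ChildItem -LiteralPath $policies -Directory -Filter '{*}') {
        $ini     = Join-Path $gpo.FullName 'gpt.ini'
        $version = 'gpt.ini missing'
        if (Test-Path -LiteralPath $ini) {
            # Quoting the subexpression turns an empty file into '' instead of $null.
            $text    = "$(Get-Content -LiteralPath $ini -Raw)"
            $m       = [regex]::Match($text, '(?im)^\s*Version\s*=\s*(\d+)')
            $version = if ($m.Success) { $m.Groups[1].Value } else { 'no Version line' }
        }
        [pscustomobject]@{ DC = $dc; Gpo = $gpo.Name; Version = $version }
    }
}

# Show only GPOs that are absent on some DC, have no readable version,
# or whose version number differs between DCs.
$report | Group-Object Gpo | Where-Object {
    $_.Count -lt $dcs.Count -or
    (@($_.Group.Version) -notmatch '^\d+$') -or
    @($_.Group.Version | Sort-Object -Unique).Count -gt 1
} | ForEach-Object { $_.Group } | Sort-Object Gpo, DC | Format-Table DC, Gpo, Version
```

An empty table with a reachable DFS path and a running `lmhosts` service points away from items 1 to 3 and toward the startup timing issue in item 4.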
