Group Policy Isn’t Working!!!

I’ve just finished fixing a ridiculously large group policy problem where the policies would constantly not be working on just about every workstation. There are a slew of links and solutions out there – here’s the run down on mine.

Problem: The Application Event Log on Windows XP SP2 Workstations was logging events 1030 and 1058 from source Userenv. The description initially leads you to believe that it is a rights or security problem – which it is – but there were steps to get to that problem first. Here’s the description from the 1058 event:

Windows cannot access the file gpt.ini for GPO cn={7D39249B-EEFB-48D4-A3BE-A6A3FEA4217A},cn=policies,cn=system,DC=domain,DC=com. The file must be present at the location <\\%systemroot%\SysVol\\Policies\{7D39249B-EEFB-48D4-A3BE-A6A3FEA4217A}\gpt.ini>. (The system cannot find the path specified. ). Group Policy processing aborted.

First – MICROSOFT HEAR THIS! We enter a description for the GPO – why can’t you use that instead of the damned GUID??!!

Okay…My Solution:

  1. Go into the GPO Editor and check the objects until you find which one the GUID refers to.
  2. Browse to the specified location – confirm the gpt.ini file exists.
  3. Confirm that replication is occurring between your DCs.
    1. How, you ask? Make a simple change to one of your logon script files in the netlogon share, or add a blank text file to the share.
    2. On another DC, check whether the change showed up in the file or whether the new file appeared in that DC's netlogon share.
  4. Make sure your server(s) haven’t entered and not recovered from a journal wrap state – check the event logs.
  5. Just as a precaution if they aren’t (but I’m guessing they are), make this registry change:
    1. HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters
      1. Add the Dword value: Enable Journal Wrap Automatic Restore
        1. Value of 1 = Enabled
        2. Value of 0 = Disabled
      2. Enter the value of 1.
  6. If replication is not working – you’ve got to start there first.
    1. 9 out of 10 server/domain errors, in my opinion, usually involve something awry in the DNS configuration.
    2. Make sure DNS is configured right.
    3. Jump to a command prompt and try some nslookup queries.
    4. Check this article out, it’s an oldie but a goodie: 10 DNS Errors That Will Kill Your Network.
    5. Open Active Directory Sites & Services on the DC.
    6. Remove and re-add the replication connectors for any DCs that are NOT replicating – DO NOT remove them from the PDC!
    7. Right click on one of the added connectors and choose to replicate now. It should be successful.
  7. Check again to make sure replication is now working.
  8. Okay go back to the SYSVOL location you were at earlier – see if your GUID folder is still there – if it’s not, that’s okay, and actually good.
    1. If it is, make a change to the permissions on it – trust me.
  9. Go back into the GPO editor.
  10. If the GPO in question is selected, select another one and then select yours again. It should give you an error relating to one of these:
    1. Your permissions are different than the GPO defaults or blah blah blah…OR:
    2. The file does not exist – GOOD.
  11. Delete and recreate your GPO.
  12. Force the server to update the GPO – command prompt – type: gpupdate/force
  13. Force a workstation to update the GPO – command prompt – type: gpupdate /force
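The steps above are manual; the following PowerShell script is an added example (not code from the original post) that does the checking parts the same way: it resolves the GUID from the 1058 event to the GPO’s display name (step 1), tests whether gpt.ini exists under each DC’s SYSVOL share (step 2), runs the drop-a-file-in-NETLOGON replication test (step 3), looks for the NtFrs journal-wrap event (step 4), and can set the registry value from step 5. The domain name, the DC names, and all function names are my own placeholders; the GUID is the one quoted in the event text above, and event ID 13568 is the NtFrs journal-wrap error documented by Microsoft, not something the post mentions.

```powershell
# Added example, not from the original post. Placeholders: $Domain and the DC names.
# Run as a domain admin from a box with PowerShell 2.0+ that can reach the DCs'
# SYSVOL/NETLOGON shares and their Remote Registry service.

$Domain  = 'contoso.example'                           # placeholder domain
$Dcs     = @('DC1', 'DC2')                             # placeholder DC names
$GpoGuid = '{7D39249B-EEFB-48D4-A3BE-A6A3FEA4217A}'    # GUID from the 1058 event in the post

# Step 1: map the GUID to the GPO display name via ADSI. This works against
# 2003-era DCs without the newer GroupPolicy module.
function Get-GpoNameFromGuid {
    param([string]$Guid, [string]$DomainName)
    $dn  = 'DC=' + (($DomainName -split '\.') -join ',DC=')
    $gpo = [ADSI]"LDAP://CN=$Guid,CN=Policies,CN=System,$dn"
    if ($gpo.displayName) { [string]$gpo.displayName } else { $null }
}

# Step 2: is gpt.ini present for this GPO in every DC's SYSVOL share?
function Test-GptIni {
    param([string]$Guid, [string]$DomainName, [string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        $path = "\\$dc\SYSVOL\$DomainName\Policies\$Guid\gpt.ini"
        New-Object PSObject -Property @{ DC = $dc; Path = $path; Exists = (Test-Path -LiteralPath $path) }
    }
}

# Step 3: drop a uniquely named canary file into NETLOGON on one DC and poll the
# others until it appears or the timeout expires; the canary is removed afterwards.
function Test-NetlogonReplication {
    param([string]$SourceDc, [string[]]$OtherDcs, [int]$TimeoutSeconds = 300)
    $name = 'repltest-' + [guid]::NewGuid().ToString('N') + '.txt'
    $src  = "\\$SourceDc\NETLOGON\$name"
    Set-Content -LiteralPath $src -Value (Get-Date).ToString('o')
    $seen = @{}
    foreach ($dc in $OtherDcs) { $seen[$dc] = $false }
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline -and ($seen.Values -contains $false)) {
        foreach ($dc in $OtherDcs) {
            if (-not $seen[$dc] -and (Test-Path -LiteralPath "\\$dc\NETLOGON\$name")) { $seen[$dc] = $true }
        }
        if ($seen.Values -contains $false) { Start-Sleep -Seconds 10 }
    }
    Remove-Item -LiteralPath $src -ErrorAction SilentlyContinue
    foreach ($dc in $OtherDcs) { New-Object PSObject -Property @{ DC = $dc; Replicated = $seen[$dc] } }
}

# Step 4: NtFrs reports a journal wrap as event 13568 in the File Replication Service log.
function Get-JournalWrapEvents {
    param([string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        Get-EventLog -ComputerName $dc -LogName 'File Replication Service' -Source NtFrs -ErrorAction SilentlyContinue |
            Where-Object { $_.EventID -eq 13568 } |
            Select-Object MachineName, TimeGenerated, EventID, Message
    }
}

# Step 5: set Enable Journal Wrap Automatic Restore = 1 on a DC through the remote registry.
function Enable-JournalWrapAutoRestore {
    param([string]$Dc)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Dc)
    $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NtFrs\Parameters', $true)
    $key.SetValue('Enable Journal Wrap Automatic Restore', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $hklm.Close()
}

# Usage: run the checks first, then decide whether to set the registry value (step 5).
"GPO $GpoGuid is '$(Get-GpoNameFromGuid $GpoGuid $Domain)'"
Test-GptIni $GpoGuid $Domain $Dcs | Format-Table -AutoSize
Test-NetlogonReplication -SourceDc $Dcs[0] -OtherDcs $Dcs[1..($Dcs.Count - 1)] | Format-Table -AutoSize
Get-JournalWrapEvents $Dcs | Format-Table -AutoSize
# Enable-JournalWrapAutoRestore -Dc 'DC1'    # step 5, once per DC, if you decide to apply it
```

If step 2 shows gpt.ini missing on only some DCs while step 3 reports replication failing to those same DCs, the SYSVOL side is the problem and DNS/replication (step 6) comes before touching the GPO itself; if gpt.ini is present everywhere and replication works, the post’s permissions path (steps 8 to 11) is the one to follow.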

That’s what did it for me, generally speaking. In my experience with problems on 2000/2003 servers, I end up coming back to DNS and permissions when problems come up. Try not to have overlapping GPOs – you get tangled up in what is what – I have several and am specific in them. Make sure you are applying them to computers or to users/groups.

That’s my story – it’s how I did it…

Good Day!
