I've had a similar problem. In digging through the problem, I found some of the following, usually by tracing through the eventlog on the respective machine.
- Computer account had a problem in the domain - just needed to be removed and put back in
- GPO policy processing - changed respective templates to always apply even if no changes had occurred
- NIC/Switch Port config - Found that there were cases that the computer would come up for login before the network connection was fully initialized. Once discovered it was simple to test. Simply boot up, logon..wait for everything to settle down. Then unplug the NIC and plug it back in. The network connection should come back immediately. If it doesn't then its possible that the computer may also be starting up before there's an available connection to a DC. This would cause inconsistent processing of user policies and prevent application of computer policies, other than those that had already been applied
- Local Policies on the computer - Local policies seem inert and possibly unimportant once on the AD domain, but....not in our environment. It was a 'twisted' implementation of local policies...scripts...and other things to ensure that local polices applied, reapplied...and couldn't be unapplied. So when we migrated the machines to AD, we experienced an unbelievable series of unpredictable results. Needless to say, one of which, was the lack of consistent GPO application - One of the permanent fixes was to automate the application of "Setup Security.inf" to all the respective clients upon their migration of AD
The biggest problem by far was simply getting consistent failures to troubleshoot or getting the exact details of the respective occurrence from the desktop people in the field.
When all else fails...turn up GPO and Winlogon logging, turn on failure auditing...get a fine tooth comb and settle in for a nice long debug session...
Hope this helps.
Eric Jones, Senior SE
Intel Server Group
(W) 336.424.3084
(M) 336.457.2591
www.vfc.com
| <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED] 10/04/2004 11:52 AM
|
|
Hey Mark...
You can try /computer configuration/administrative templates/system/group
policy/scripts policy processing
You can set to always process over slow connections, and even if the GPO
hasn't changed.
HTH
John
Mark Orlando
<[EMAIL PROTECTED]
com> To
Sent by: Active Directory Mailing List
[EMAIL PROTECTED] <[EMAIL PROTECTED]>
ail.activedir.org cc
Subject
10/04/2004 10:46 [ActiveDir] GPO's not always
AM applied.
Please respond to
[EMAIL PROTECTED]
tivedir.org
I am having issues with GPO's not being fully applied at every login.
I need to change this. I know it might have something to do with the
volume of LAN traffic but I need to find away around this.
I also have some add printer login scripts that don't always work
either. I have the scripts running synchronously and slow link
detection set to 0. Does anyone have any ideas?
Mark Orlando
Systems Administrator
I.T. Department
Linden Public Schools
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
