It's far easier and more thorough to check GPOs with GPOtool.exe
(ResKit). AD can be replicating fine but if FRS is having issues so can
your GPO.

It will evaluate both the GPT (sysvol portion replicated by FRS) and the
GPC (AD portion replicated by DS replication) for any inconsistencies.
It can optionally check the sysvol ACL which can also be a problem
occasionally. 

I would run gpotool /checkacl from a system in the domain that is
encountering issues. That way you can rule out any inconsistencies with
the GPO plumbing on all the DCs before you start mucking around with
clients.
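
The same GPC-versus-GPT comparison can be scripted per DC. This is an added example, not part of the original message and not gpotool's own logic; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it can read each DC's SYSVOL share.

```powershell
# Added example: for every DC, compare each GPO's GPC version (AD object)
# with its GPT version (GPT.INI in that DC's own SYSVOL copy).
# Assumptions: ActiveDirectory module available; read access to \\<dc>\SYSVOL.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$policies = "CN=Policies,CN=System,$($domain.DistinguishedName)"

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Query this specific DC so AD replication lag shows up instead of being hidden.
    $gpcs = Get-ADObject -Server $dc.HostName -SearchBase $policies `
        -LDAPFilter '(objectClass=groupPolicyContainer)' `
        -Properties displayName, versionNumber

    foreach ($gpc in $gpcs) {
        # $gpc.Name is the GPO GUID in braces, which is also the SYSVOL folder name.
        $ini = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$($gpc.Name)\GPT.INI"
        $gptVersion = $null
        if (Test-Path -LiteralPath $ini) {
            $line = Get-Content -LiteralPath $ini |
                Where-Object { $_ -match '^\s*Version\s*=' } |
                Select-Object -First 1
            if ($line -match '=\s*(\d+)') { $gptVersion = [long]$Matches[1] }
        }

        [pscustomobject]@{
            DC          = $dc.HostName
            GPO         = $gpc.displayName
            Guid        = $gpc.Name
            GpcVersion  = [long]$gpc.versionNumber
            GptVersion  = $gptVersion          # $null means GPT.INI is missing on this DC
            # Low 16 bits of the version number are the computer-settings revision.
            GptComputer = if ($null -ne $gptVersion) { $gptVersion -band 0xFFFF }
            InSync      = ($null -ne $gptVersion) -and ($gptVersion -eq [long]$gpc.versionNumber)
        }
    }
}

# DCs where the AD half and the SYSVOL half of a GPO disagree (or the GPT is missing).
$report | Where-Object { -not $_.InSync } | Format-Table DC, GPO, GpcVersion, GptVersion

# GPOs whose SYSVOL copy differs between DCs, i.e. FRS has not converged.
$report | Group-Object Guid | Where-Object {
    @($_.Group | Select-Object -ExpandProperty GptVersion -Unique).Count -gt 1
} | ForEach-Object { $_.Group | Format-Table DC, GPO, GptVersion, GptComputer }
```

A GPO that is in sync on the DC where it was edited but shows an older `GptVersion` on another DC matches the symptom in this thread: AD replication reports success while the SYSVOL copy on one DC is stale.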



-----Original Message-----
From: Richard Stovall [mailto:richard.stov...@researchdata.com] 
Sent: Wednesday, September 09, 2009 12:32 PM
To: NT System Admin Issues
Subject: RE: group policy updating

If you right-click on each of the DCs in replmon and choose "Show
Group Policy Object Status", do you see the same information for all
three Domain Controllers?

-----Original Message-----
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, September 09, 2009 3:17 PM
To: NT System Admin Issues
Subject: RE: group policy updating

One of the DCs is in a Warm site, the other two are virtualized in the
same server room.  All three of the DCs are listed in the same site in
AD Sites & Services.  Replmon is showing successful replication for
everything it lists.

>>> "Richard Stovall" <richard.stov...@researchdata.com> 9/9/2009 12:03 PM >>>
And you have no replication errors at all anywhere?  Are all your DCs in
the same site?  Is there anything complex or unusual about your AD
structure?

-----Original Message-----
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, September 09, 2009 2:47 PM
To: NT System Admin Issues
Subject: RE: group policy updating

I have now enabled verbose logging on one of the clients not working.
Under Debug\User Mode, there is a gpsvc file, showing group policy
stuff.  In this file, it doesn't show that the client ever found the
Member Server Policy, which contains the login banner.

However, when I run gpresult /S computername /V |more, it shows the
Member Server Policy listed under Computer Settings - Applied Group
Policy Objects.  But, again, if I scroll down through the report, it
shows the settings that were already part of the Member Server Policy,
but not the new changes I made yesterday.

This client I'm looking at now, is connecting to a DC that does have the
new settings in the policy under Sysvol. 

>>> "Richard Stovall" <richard.stov...@researchdata.com> 9/9/2009 10:55 AM >>>
Have you enabled verbose logging on the affected client(s)?

-----Original Message-----
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, September 09, 2009 1:48 PM
To: NT System Admin Issues
Subject: RE: group policy updating

For the most part, this has been the answer.  For some reason, one DC is
not accepting the changes that were made to the policy.

However, I now have an exception.  I have a 2K8 virtual box, that is
connecting to the DC that I made the changes to in GPMC.  The server
that is definitely showing the new additions to the policy.  This server
is not showing the updates under RSoP.  The gpupdate /force says it
worked successfully, and there were no errors in the Application log.
Normally, I would just wait for the change, but it has been almost a
full day now, without the change coming through.

Any other ideas?

>>> Ken Schaefer <k...@adopenstatic.com> 9/9/2009 9:17 AM >>>
If RSOP is not showing the setting, then check the DC that your client
is connecting to, to see what *it* thinks the policy should be (e.g.
load GPMC and target that DC). Verify that the relevant GPO objects in
sysvol are present on that particular DC.

Cheers
Ken

-----Original Message-----
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Thursday, 10 September 2009 12:10 AM
To: NT System Admin Issues
Subject: RE: group policy updating

Application event log shows Event Code 1704:  Security policy in the
Group policy objects has been applied successfully.  However, running
rsop.msc following this does not show the new settings.  It does show
other settings from that GPO, but those were already in effect prior to
me adding the banner.

But the banner isn't coming up.  I'm guessing I'm going to have to
bounce the servers that aren't taking it, at this point, as there has
been plenty of time for policy updates, both manual by me, and
automatically through the system.

>>> Ken Schaefer <k...@adopenstatic.com> 9/8/2009 9:13 PM >>>
Check event logs for any GPO processing errors. Check your DC replication
status to work out whether the GPO has actually replicated to the DCs
that these clients are talking to, etc.

Cheers
Ken

-----Original Message-----
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, 9 September 2009 5:47 AM
To: NT System Admin Issues
Subject: Re: group policy updating

Hmm, thanks Devin.  I tried that on one of the machines, and the two
settings in question are not showing as being defined at all, much less
by a group policy.  I don't think this is one of those changes that
requires a reboot, at least the gpupdate didn't indicate it.  I'll give
it some time, and check it again in the morning...

Thanks,



Joe L. Heaton

>>> Devin Meade <devin.me...@gmail.com> 9/8/2009 2:33 PM >>>
Try RSOP.MSC on the machine in question.

hth, Devin


On Tue, Sep 8, 2009 at 4:08 PM, Joseph Heaton<jhea...@dfg.ca.gov> wrote:
> I'm updating a group policy, to add a login banner.  Some of the
> machines in question had one, but they were added manually either to the
> Local Security Policy, or directly to the registry.  I've gone in,
> deleted any entries in these two locations, I've run gpupdate /force,
> and logged out and back in.  When I do this, some machines show the
> correct banner, and show it in Local Security Policy, grayed out, which
> tells me it's getting it from GP.  Other machines don't seem to be
> updating, even after sitting for a while. The successes and failures vary
> from 2k3 to 2k8, physical, and virtual boxes.
>
> Anyone have any idea what I can look at to troubleshoot this?
>
> I've gone into GPMC, and run the Group Policy Results tool, using my
> account on the boxes in question, and the results come back saying that
> the desired group policy is supposed to be affecting it.
>
> Thanks,


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~


