RE: group policy updating

2009-09-10 Thread Joseph Heaton
It did fix it.  All servers are getting the banner through Group Policy now.  
Thanks to everyone for the help.

 Free, Bob r...@pge.com 9/9/2009 3:53 PM 
Joe-

Did you bounce the offending FRS service? Depending on the size of the
replica set, all could be well in a few minutes but AFAIK you must
restart FRS. 

Since you have it in your Local Policy which I assume makes any
regulatory-types happy, I'd just leave it till you have time to
troubleshoot it further if that is necessary. Fixing FRS should resolve
the problem if everything else is right.



-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, September 09, 2009 3:22 PM
To: NT System Admin Issues
Subject: RE: group policy updating

Bob,

Thanks for the explanation, it makes it more logical for me.  I looked
in the FRS logs, and there's one error repeated over and over, from
around July sometime.  It's an Event ID: 13559, Source: NtFrs.  It says
that the FRS has detected that the replica root path has changed from
c:\windows\sysvol\domain to c:\windows\sysvol\domain.  Seems like
the same exact path to me, but oh well.  It also says that a file with
the name NTFRS_CMD_FILE_MOVE_ROOT needs to be created under the new root
path.

I looked in that path, and that file was there...almost.  There was no
underline between FILE and MOVE.  I've fixed that, and we'll see in the
morning if FRS is working again.

In the meantime, I've gone back into the client machines that weren't
taking the GPO update and manually added the login banner to their Local
Security Policy.  Should I go back and delete that again, in hopes that
the GPO does it tonight, or should I leave it until tomorrow, and see if
it works then?

 Free, Bob r...@pge.com 9/9/2009 2:46 PM 
Joe-

First thing you need to do is figure out what is causing the version
mismatch and correct it, then tackle the client side issues. Any of your
clients could be encountering the problem and not processing policy
correctly.

I'm assuming that gpotool told you something like "Error: Version mismatch
on DCx, DS=12345, sysvol=45678" and only one of these sysvol versions is
mismatched? 

Further assumption is that you have a problem with FRS since a) you said
your DS replication was OK, and b) that's almost always what it is IME.

Look at the FRS logs on that DC and see what they say and we can take it
from there. Depending on what is going on with FRS, sometimes it is as
simple as making an insignificant change to the GPO, saving it, undoing
said change and saving it again and waiting for the new version number
to replicate out.


/aside

I've seen %logonserver% mentioned a couple of times, you can't put a lot
of store in that evar because your GPOs are based on a DFS referral for
the SYSVOL[1]. The DC a client is currently communicating with (aka
SecureChannel) is not necessarily the same as the server that
authenticated you interactively. What is actually used can change from
that server for a variety of reasons. The %logonserver% evar also isn't
maintained, it is set once at logon and stays that way until you log off
and log on again. So all you can really count on it for is to tell you
who authenticated your interactive logon. On the box I am typing this
on, all three (%logonserver%, SecureChannel & sysvol) are different DCs.


If you want to know where you are getting your sysvol share from do:

dfsutil /pktinfo and look for the entry something like
[dc1.full.domain.name\sysvol] State:0x131 ( ACTIVE )


[1] The system volume is a domain-based DFS root, and each domain
controller in the domain hosts a link replica of the share. To locate
the system volume, a client computer queries the logon server for a list
of DFS link replicas. The logon server returns a list of all servers in
DFS that host the system volume. This list is in random order. Servers
that are located in the same site that the client computer is located in
are put at the top of the list. A user can be authenticated by one
domain controller, and can download policies from another domain
controller in the site.

./aside



-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, September 09, 2009 1:31 PM
To: NT System Admin Issues
Subject: RE: group policy updating

So, after I run the gpotool /checkacl, I ended up piping it to a text
file, and the errors it finds are version mismatches on the server I
knew about.

Here's where I stand:

3 DCs
MoDC01 - 2K3 Virtual
MoDC04 - 2K8 Virtual
WSDC02 - 2K3 Physical

GPMC is installed on MoDC04, and that's where I made the GP change.

The change is to a policy we call Member Server Policy, and I added a
login banner to it.

Prior to this change, the login banner that existed was input manually,
most into the Local Security Policy, and a few to the registry at:
Machine\Software\Microsoft\Windows NT\Winlogin\.

Immediately after applying the GPO change on MoDC04, I went back through
the servers that were set manually before
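The check Bob describes above, gpotool's per-DC comparison of a GPO's version in the directory against the version in that DC's SYSVOL copy, as an added PowerShell example. It is not part of this thread and not gpotool's own code; it assumes a domain-joined machine and an account that can read the Policies container and each DC's SYSVOL share, discovers DC and domain names at run time, and the Split-GpoVersion helper is my own naming.

```powershell
# Added example (not from the thread, not gpotool's code): reproduce the comparison that
# gpotool reports as "Version mismatch on DCx, DS=..., sysvol=..." by reading each GPO's
# version from Active Directory on every DC and from that DC's own GPT.ini in SYSVOL.
# Assumptions: run on a domain-joined machine as an account that can read the Policies
# container and each DC's SYSVOL share; DC and domain names are discovered at run time.

$rootDse   = [ADSI]"LDAP://RootDSE"
$domainDn  = $rootDse.defaultNamingContext.Value                 # e.g. DC=corp,DC=example,DC=com
$dnsDomain = ($domainDn -replace 'DC=', '') -replace ',', '.'    # corp.example.com

# Domain controllers are the computer objects with SERVER_TRUST_ACCOUNT (8192) set in
# userAccountControl; the 1.2.840.113556.1.4.803 matching rule is LDAP's bitwise AND.
$dcSearch = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
$dcSearch.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
[void]$dcSearch.PropertiesToLoad.Add('dNSHostName')
$dcs = @($dcSearch.FindAll() | ForEach-Object { $_.Properties['dnshostname'][0] })

# Each GPO is a groupPolicyContainer under CN=Policies,CN=System; its 'name' is the GPO GUID
# and the matching SYSVOL folder carries the same GUID.
$gpoSearch = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Policies,CN=System,$domainDn")
$gpoSearch.Filter = '(objectClass=groupPolicyContainer)'
foreach ($p in 'name', 'displayName', 'distinguishedName') { [void]$gpoSearch.PropertiesToLoad.Add($p) }

function Split-GpoVersion([int64]$v) {
    # Both AD's versionNumber and GPT.ini's Version= hold one 32-bit value:
    # low 16 bits = computer-side version, high 16 bits = user-side version.
    $v = $v -band 0xFFFFFFFF
    New-Object PSObject -Property @{ Computer = ($v -band 0xFFFF); User = [int][math]::Floor($v / 65536) }
}

$report = foreach ($gpo in $gpoSearch.FindAll()) {
    $guid = $gpo.Properties['name'][0]
    $name = $gpo.Properties['displayname'][0]
    $dn   = $gpo.Properties['distinguishedname'][0]
    foreach ($dc in $dcs) {
        # DS side: bind to this specific DC rather than whichever DC the client is already using.
        $dsVersion = [int64]([ADSI]"LDAP://$dc/$dn").versionNumber.Value

        # SYSVOL side: read this DC's own copy of GPT.ini through its SYSVOL share.
        $gptIni = "\\$dc\SYSVOL\$dnsDomain\Policies\$guid\GPT.ini"
        $sysvolVersion = $null
        if (Test-Path $gptIni) {
            $line = Get-Content $gptIni | Where-Object { $_ -match '^Version=(\d+)' } | Select-Object -First 1
            if ($line -match '^Version=(\d+)') { $sysvolVersion = [int64]$Matches[1] }
        }

        $status = if ($null -eq $sysvolVersion)          { 'GPT.ini missing on this DC' }
                  elseif ($dsVersion -eq $sysvolVersion) { 'OK' }
                  elseif ($dsVersion -gt $sysvolVersion) { 'DS ahead: SYSVOL (FRS/DFSR) has not caught up' }
                  else                                   { 'SYSVOL ahead: AD replication has not caught up' }

        $parts = Split-GpoVersion $dsVersion
        New-Object PSObject -Property @{
            GPO = $name; DC = $dc; DS = $dsVersion; SYSVOL = $sysvolVersion
            DsComputer = $parts.Computer; DsUser = $parts.User; Status = $status
        }
    }
}

# Show only the problems; drop the Where-Object to list every GPO on every DC.
$report | Where-Object { $_.Status -ne 'OK' } |
    Format-Table GPO, DC, DS, SYSVOL, DsComputer, DsUser, Status -AutoSize
```

A DS value ahead of SYSVOL on a single DC is the pattern in this thread: the directory object replicated but the GPT.ini and the files beneath it did not, which points at FRS rather than at AD replication. The reverse, SYSVOL ahead of DS, is AD replication lag. Because clients read SYSVOL from whichever DC the DFS referral hands them (Bob's dfsutil /pktinfo), one stale DC produces exactly the partial rollout Joe describes, with the affected set changing from machine to machine.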

RE: group policy updating

2009-09-09 Thread Joseph Heaton
Application event log shows Event Code 1704:  Security policy in the Group 
policy objects has been applied successfully.  However, running rsop.msc 
following this does not show the new settings.  It does show other settings 
from that GPO, but those were already in effect prior to me adding the banner.

But the banner isn't coming up.  I'm guessing I'm going to have to bounce the 
servers that aren't taking it, at this point, as there has been plenty of time 
for policy updates, both manual by me, and automatically through the system.

 Ken Schaefer k...@adopenstatic.com 9/8/2009 9:13 PM 
Check event logs for any GPO processing errors
Check your DC replication status to work out whether the GPO has actually 
replicated to the DCs that these clients are talking to
etc

Cheers
Ken

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, 9 September 2009 5:47 AM
To: NT System Admin Issues
Subject: Re: group policy updating

Hmm, thanks Devin.  I tried that on one of the machines, and the two settings 
in question are not showing as being defined at all, much less by a group 
policy.  I don't think this is one of those changes that requires a reboot, at 
least the gpupdate didn't indicate it.  I'll give it some time, and check it 
again in the morning...

Thanks,



Joe L. Heaton

 Devin Meade devin.me...@gmail.com 9/8/2009 2:33 PM 
Try RSOP.MSC on the machine in question.

hth, Devin


On Tue, Sep 8, 2009 at 4:08 PM, Joseph Heaton jhea...@dfg.ca.gov wrote:
 I'm updating a group policy, to add a login banner.  Some of the machines in 
 question had one, but they were added manually either to the Local Security 
 Policy, or directly to the registry.  I've gone in, deleted any entries in 
 these two locations, I've run gpupdate /force, and logged out and back in.  
 When I do this, some machines show the correct banner, and show it in Local 
 Security Policy, grayed out, which tells me it's getting it from GP.  Other 
 machines don't seem to be updating, even after sitting for a while. The 
 successes and failures vary from 2k3 to 2k8, physical, and virtual boxes.

 Anyone have any idea what I can look at to troubleshoot this?

 I've gone into GPMC, and run the Group Policy Results tool, using my account 
 on the boxes in question, and the results come back saying that the desired 
 group policy is supposed to be affecting it.

 Thanks,


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~




RE: group policy updating

2009-09-09 Thread Ken Schaefer
If RSOP is not showing the setting, then check the DC that your client is 
connecting to, to see what *it* thinks the policy should be (e.g. load GPMC and 
target that DC). Verify that the relevant GPO objects in sysvol are present on 
that particular DC.

Cheers
Ken

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Thursday, 10 September 2009 12:10 AM
To: NT System Admin Issues
Subject: RE: group policy updating

Application event log shows Event Code 1704:  Security policy in the Group 
policy objects has been applied successfully.  However, running rsop.msc 
following this does not show the new settings.  It does show other settings 
from that GPO, but those were already in effect prior to me adding the banner.

But the banner isn't coming up.  I'm guessing I'm going to have to bounce the 
servers that aren't taking it, at this point, as there has been plenty of time 
for policy updates, both manual by me, and automatically through the system.

 Ken Schaefer k...@adopenstatic.com 9/8/2009 9:13 PM 
Check event logs for any GPO processing errors
Check your DC replication status to work out whether the GPO has actually 
replicated to the DCs that these clients are talking to
etc

Cheers
Ken

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
Sent: Wednesday, 9 September 2009 5:47 AM
To: NT System Admin Issues
Subject: Re: group policy updating

Hmm, thanks Devin.  I tried that on one of the machines, and the two settings 
in question are not showing as being defined at all, much less by a group 
policy.  I don't think this is one of those changes that requires a reboot, at 
least the gpupdate didn't indicate it.  I'll give it some time, and check it 
again in the morning...

Thanks,



Joe L. Heaton

 Devin Meade devin.me...@gmail.com 9/8/2009 2:33 PM 
Try RSOP.MSC on the machine in question.

hth, Devin


On Tue, Sep 8, 2009 at 4:08 PM, Joseph Heaton jhea...@dfg.ca.gov wrote:
 I'm updating a group policy, to add a login banner.  Some of the machines in 
 question had one, but they were added manually either to the Local Security 
 Policy, or directly to the registry.  I've gone in, deleted any entries in 
 these two locations, I've run gpupdate /force, and logged out and back in.  
 When I do this, some machines show the correct banner, and show it in Local 
 Security Policy, grayed out, which tells me it's getting it from GP.  Other 
 machines don't seem to be updating, even after sitting for a while. The 
 successes and failures vary from 2k3 to 2k8, physical, and virtual boxes.

 Anyone have any idea what I can look at to troubleshoot this?

 I've gone into GPMC, and run the Group Policy Results tool, using my account 
 on the boxes in question, and the results come back saying that the desired 
 group policy is supposed to be affecting it.

 Thanks,



RE: group policy updating

2009-09-09 Thread Joseph Heaton
That's the issue, thanks Ken.  The other DC is not showing these settings 
within the policy in sysvol.  Is there a way to check this replication, to 
verify that it is even setup?

 Ken Schaefer k...@adopenstatic.com 9/9/2009 9:17 AM 
If RSOP is not showing the setting, then check the DC that your client is 
connecting to, to see what *it* thinks the policy should be (e.g. load GPMC and 
target that DC). Verify that the relevant GPO objects in sysvol are present on 
that particular DC.

Cheers
Ken

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Thursday, 10 September 2009 12:10 AM
To: NT System Admin Issues
Subject: RE: group policy updating

Application event log shows Event Code 1704:  Security policy in the Group 
policy objects has been applied successfully.  However, running rsop.msc 
following this does not show the new settings.  It does show other settings 
from that GPO, but those were already in effect prior to me adding the banner.

But the banner isn't coming up.  I'm guessing I'm going to have to bounce the 
servers that aren't taking it, at this point, as there has been plenty of time 
for policy updates, both manual by me, and automatically through the system.

 Ken Schaefer k...@adopenstatic.com 9/8/2009 9:13 PM 
Check event logs for any GPO processing errors
Check your DC replication status to work out whether the GPO has actually 
replicated to the DCs that these clients are talking to
etc

Cheers
Ken

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, 9 September 2009 5:47 AM
To: NT System Admin Issues
Subject: Re: group policy updating

Hmm, thanks Devin.  I tried that on one of the machines, and the two settings 
in question are not showing as being defined at all, much less by a group 
policy.  I don't think this is one of those changes that requires a reboot, at 
least the gpupdate didn't indicate it.  I'll give it some time, and check it 
again in the morning...

Thanks,



Joe L. Heaton

 Devin Meade devin.me...@gmail.com 9/8/2009 2:33 PM 
Try RSOP.MSC on the machine in question.

hth, Devin


On Tue, Sep 8, 2009 at 4:08 PM, Joseph Heaton jhea...@dfg.ca.gov wrote:
 I'm updating a group policy, to add a login banner.  Some of the machines in 
 question had one, but they were added manually either to the Local Security 
 Policy, or directly to the registry.  I've gone in, deleted any entries in 
 these two locations, I've run gpupdate /force, and logged out and back in.  
 When I do this, some machines show the correct banner, and show it in Local 
 Security Policy, grayed out, which tells me it's getting it from GP.  Other 
 machines don't seem to be updating, even after sitting for a while. The 
 successes and failures vary from 2k3 to 2k8, physical, and virtual boxes.

 Anyone have any idea what I can look at to troubleshoot this?

 I've gone into GPMC, and run the Group Policy Results tool, using my account 
 on the boxes in question, and the results come back saying that the desired 
 group policy is supposed to be affecting it.

 Thanks,



RE: group policy updating

2009-09-09 Thread Richard Stovall
Do you have the support tools installed anywhere?  You can use replmon
(GUI) or repadmin (CLI) to check/force replication.

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, September 09, 2009 12:30 PM
To: NT System Admin Issues
Subject: RE: group policy updating

That's the issue, thanks Ken.  The other DC is not showing these
settings within the policy in sysvol.  Is there a way to check this
replication, to verify that it is even setup?

 Ken Schaefer k...@adopenstatic.com 9/9/2009 9:17 AM 
If RSOP is not showing the setting, then check the DC that your client
is connecting to, to see what *it* thinks the policy should be (e.g.
load GPMC and target that DC). Verify that the relevant GPO objects in
sysvol are present on that particular DC.

Cheers
Ken

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Thursday, 10 September 2009 12:10 AM
To: NT System Admin Issues
Subject: RE: group policy updating

Application event log shows Event Code 1704:  Security policy in the
Group policy objects has been applied successfully.  However, running
rsop.msc following this does not show the new settings.  It does show
other settings from that GPO, but those were already in effect prior to
me adding the banner.

But the banner isn't coming up.  I'm guessing I'm going to have to
bounce the servers that aren't taking it, at this point, as there has
been plenty of time for policy updates, both manual by me, and
automatically through the system.

 Ken Schaefer k...@adopenstatic.com 9/8/2009 9:13 PM 
Check event logs for any GPO processing errors
Check your DC replication status to work out whether the GPO has actually
replicated to the DCs that these clients are talking to
etc

Cheers
Ken

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, 9 September 2009 5:47 AM
To: NT System Admin Issues
Subject: Re: group policy updating

Hmm, thanks Devin.  I tried that on one of the machines, and the two
settings in question are not showing as being defined at all, much less
by a group policy.  I don't think this is one of those changes that
requires a reboot, at least the gpupdate didn't indicate it.  I'll give
it some time, and check it again in the morning...

Thanks,



Joe L. Heaton

 Devin Meade devin.me...@gmail.com 9/8/2009 2:33 PM 
Try RSOP.MSC on the machine in question.

hth, Devin


On Tue, Sep 8, 2009 at 4:08 PM, Joseph Heaton jhea...@dfg.ca.gov wrote:
 I'm updating a group policy, to add a login banner.  Some of the
machines in question had one, but they were added manually either to the
Local Security Policy, or directly to the registry.  I've gone in,
deleted any entries in these two locations, I've run gpupdate /force,
and logged out and back in.  When I do this, some machines show the
correct banner, and show it in Local Security Policy, grayed out, which
tells me it's getting it from GP.  Other machines don't seem to be
updating, even after sitting for a while. The successes and failures vary
from 2k3 to 2k8, physical, and virtual boxes.

 Anyone have any idea what I can look at to troubleshoot this?

 I've gone into GPMC, and run the Group Policy Results tool, using my
account on the boxes in question, and the results come back saying that
the desired group policy is supposed to be affecting it.

 Thanks,



RE: group policy updating

2009-09-09 Thread Joseph Heaton
That's what I'm looking at now.  Should that be run on the source, or target 
machine, or does it matter?  Also, is replmon available for 2k8?  The server 
I've been making the changes on is 2K8, and the replication is happening to one 
of my 2K3 DCs, but not the other.

 Richard Stovall richard.stov...@researchdata.com 9/9/2009 9:34 AM 
Do you have the support tools installed anywhere?  You can use replmon
(GUI) or repadmin (CLI) to check/force replication.

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, September 09, 2009 12:30 PM
To: NT System Admin Issues
Subject: RE: group policy updating

That's the issue, thanks Ken.  The other DC is not showing these
settings within the policy in sysvol.  Is there a way to check this
replication, to verify that it is even setup?

 Ken Schaefer k...@adopenstatic.com 9/9/2009 9:17 AM 
If RSOP is not showing the setting, then check the DC that your client
is connecting to, to see what *it* thinks the policy should be (e.g.
load GPMC and target that DC). Verify that the relevant GPO objects in
sysvol are present on that particular DC.

Cheers
Ken

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Thursday, 10 September 2009 12:10 AM
To: NT System Admin Issues
Subject: RE: group policy updating

Application event log shows Event Code 1704:  Security policy in the
Group policy objects has been applied successfully.  However, running
rsop.msc following this does not show the new settings.  It does show
other settings from that GPO, but those were already in effect prior to
me adding the banner.

But the banner isn't coming up.  I'm guessing I'm going to have to
bounce the servers that aren't taking it, at this point, as there has
been plenty of time for policy updates, both manual by me, and
automatically through the system.

 Ken Schaefer k...@adopenstatic.com 9/8/2009 9:13 PM 
Check event logs for any GPO processing errors
Check your DC replication status to work out whether the GPO has actually
replicated to the DCs that these clients are talking to
etc

Cheers
Ken

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, 9 September 2009 5:47 AM
To: NT System Admin Issues
Subject: Re: group policy updating

Hmm, thanks Devin.  I tried that on one of the machines, and the two
settings in question are not showing as being defined at all, much less
by a group policy.  I don't think this is one of those changes that
requires a reboot, at least the gpupdate didn't indicate it.  I'll give
it some time, and check it again in the morning...

Thanks,



Joe L. Heaton

 Devin Meade devin.me...@gmail.com 9/8/2009 2:33 PM 
Try RSOP.MSC on the machine in question.

hth, Devin


On Tue, Sep 8, 2009 at 4:08 PM, Joseph Heaton jhea...@dfg.ca.gov wrote:
 I'm updating a group policy, to add a login banner.  Some of the
machines in question had one, but they were added manually either to the
Local Security Policy, or directly to the registry.  I've gone in,
deleted any entries in these two locations, I've run gpupdate /force,
and logged out and back in.  When I do this, some machines show the
correct banner, and show it in Local Security Policy, grayed out, which
tells me it's getting it from GP.  Other machines don't seem to be
updating, even after sitting for a while. The successes and failures vary
from 2k3 to 2k8, physical, and virtual boxes.

 Anyone have any idea what I can look at to troubleshoot this?

 I've gone into GPMC, and run the Group Policy Results tool, using my
account on the boxes in question, and the results come back saying that
the desired group policy is supposed to be affecting it.

 Thanks,



RE: group policy updating

2009-09-09 Thread Richard Stovall
This site
(http://www.infotechguyz.com/server2008/server2008supporttools.html)
makes it seem like the Support Tools are included with 2008 but have to
be added as a feature.  Our DCs are 2003 SP2 so that's the version of
the Support Tools I use.  I've got the 2003 SP2 support tools on my XP
SP3 workstation and can run both replmon and repadmin locally.

This site from MS
(http://blogs.technet.com/askds/archive/2009/07/01/getting-over-replmon.aspx)
describes "Getting over replmon" and how to use repadmin
effectively for many situations.

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, September 09, 2009 12:45 PM
To: NT System Admin Issues
Subject: RE: group policy updating

That's what I'm looking at now.  Should that be run on the source, or
target machine, or does it matter?  Also, is replmon available for 2k8?
The server I've been making the changes on is 2K8, and the replication
is happening to one of my 2K3 DCs, but not the other.

 Richard Stovall richard.stov...@researchdata.com 9/9/2009 9:34 AM 
Do you have the support tools installed anywhere?  You can use replmon
(GUI) or repadmin (CLI) to check/force replication.

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, September 09, 2009 12:30 PM
To: NT System Admin Issues
Subject: RE: group policy updating

That's the issue, thanks Ken.  The other DC is not showing these
settings within the policy in sysvol.  Is there a way to check this
replication, to verify that it is even setup?

 Ken Schaefer k...@adopenstatic.com 9/9/2009 9:17 AM 
If RSOP is not showing the setting, then check the DC that your client
is connecting to, to see what *it* thinks the policy should be (e.g.
load GPMC and target that DC). Verify that the relevant GPO objects in
sysvol are present on that particular DC.

Cheers
Ken

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Thursday, 10 September 2009 12:10 AM
To: NT System Admin Issues
Subject: RE: group policy updating

Application event log shows Event Code 1704:  Security policy in the
Group policy objects has been applied successfully.  However, running
rsop.msc following this does not show the new settings.  It does show
other settings from that GPO, but those were already in effect prior to
me adding the banner.

But the banner isn't coming up.  I'm guessing I'm going to have to
bounce the servers that aren't taking it, at this point, as there has
been plenty of time for policy updates, both manual by me, and
automatically through the system.

 Ken Schaefer k...@adopenstatic.com 9/8/2009 9:13 PM 
Check event logs for any GPO processing errors
Check your DC replication status to work out whether the GPO has actually
replicated to the DCs that these clients are talking to
etc

Cheers
Ken

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, 9 September 2009 5:47 AM
To: NT System Admin Issues
Subject: Re: group policy updating

Hmm, thanks Devin.  I tried that on one of the machines, and the two
settings in question are not showing as being defined at all, much less
by a group policy.  I don't think this is one of those changes that
requires a reboot, at least the gpupdate didn't indicate it.  I'll give
it some time, and check it again in the morning...

Thanks,



Joe L. Heaton

 Devin Meade devin.me...@gmail.com 9/8/2009 2:33 PM 
Try RSOP.MSC on the machine in question.

hth, Devin


On Tue, Sep 8, 2009 at 4:08 PM, Joseph Heaton jhea...@dfg.ca.gov wrote:
 I'm updating a group policy, to add a login banner.  Some of the
machines in question had one, but they were added manually either to the
Local Security Policy, or directly to the registry.  I've gone in,
deleted any entries in these two locations, I've run gpupdate /force,
and logged out and back in.  When I do this, some machines show the
correct banner, and show it in Local Security Policy, grayed out, which
tells me it's getting it from GP.  Other machines don't seem to be
updating, even after sitting for a while. The successes and failures vary
from 2k3 to 2k8, physical, and virtual boxes.

 Anyone have any idea what I can look at to troubleshoot this?

 I've gone into GPMC, and run the Group Policy Results tool, using my
account on the boxes in question, and the results come back saying that
the desired group policy is supposed to be affecting it.

 Thanks,



RE: group policy updating

2009-09-09 Thread Joseph Heaton
So, I've now looked at this with replmon.  It is showing all replications 
successful.  It shows:

DC=domain
CN=Configuration,DC=domain
CN=Schema,CN=Configuration,DC=domain
DC=DomainDNSZones,DC=domain
DC=ForestDNSZones,DC=domain

All of these are showing successful, within the last 15 minutes.

 Ken Schaefer k...@adopenstatic.com 9/9/2009 9:17 AM 
If RSOP is not showing the setting, then check the DC that your client is 
connecting to, to see what *it* thinks the policy should be (e.g. load GPMC and 
target that DC). Verify that the relevant GPO objects in sysvol are present on 
that particular DC.

Cheers
Ken

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Thursday, 10 September 2009 12:10 AM
To: NT System Admin Issues
Subject: RE: group policy updating

Application event log shows Event Code 1704:  Security policy in the Group 
policy objects has been applied successfully.  However, running rsop.msc 
following this does not show the new settings.  It does show other settings 
from that GPO, but those were already in effect prior to me adding the banner.

But the banner isn't coming up.  I'm guessing I'm going to have to bounce the 
servers that aren't taking it, at this point, as there has been plenty of time 
for policy updates, both manual by me, and automatically through the system.

 Ken Schaefer k...@adopenstatic.com 9/8/2009 9:13 PM 
Check event logs for any GPO processing errors
Check your DC replication status to work out whether the GPO has actually 
replicated to the DCs that these clients are talking to
etc

Cheers
Ken

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, 9 September 2009 5:47 AM
To: NT System Admin Issues
Subject: Re: group policy updating

Hmm, thanks Devin.  I tried that on one of the machines, and the two settings 
in question are not showing as being defined at all, much less by a group 
policy.  I don't think this is one of those changes that requires a reboot, at 
least the gpupdate didn't indicate it.  I'll give it some time, and check it 
again in the morning...

Thanks,



Joe L. Heaton

 Devin Meade devin.me...@gmail.com 9/8/2009 2:33 PM 
Try RSOP.MSC on the machine in question.

hth, Devin


On Tue, Sep 8, 2009 at 4:08 PM, Joseph Heaton jhea...@dfg.ca.gov wrote:
 I'm updating a group policy, to add a login banner.  Some of the machines in 
 question had one, but they were added manually either to the Local Security 
 Policy, or directly to the registry.  I've gone in, deleted any entries in 
 these two locations, I've run gpupdate /force, and logged out and back in.  
 When I do this, some machines show the correct banner, and show it in Local 
 Security Policy, grayed out, which tells me it's getting it from GP.  Other 
 machines don't seem to be updating, even after sitting for a while. The 
 successes and failures vary from 2k3 to 2k8, physical, and virtual boxes.

 Anyone have any idea what I can look at to troubleshoot this?

 I've gone into GPMC, and run the Group Policy Results tool, using my account 
 on the boxes in question, and the results come back saying that the desired 
 group policy is supposed to be affecting it.

 Thanks,




RE: group policy updating

2009-09-09 Thread Joseph Heaton
For the most part, this has been the answer.  For some reason, one DC is not 
accepting the changes that were made to the policy.

However, I now have an exception.  I have a 2K8 virtual box that is connecting 
to the DC that I made the changes to in GPMC, the server that is definitely 
showing the new additions to the policy.  This server is not showing the 
updates under RSoP.  The gpupdate /force says it worked successfully, and there 
were no errors in the Application log.  Normally, I would just wait for the 
change, but it has been almost a full day now, without the change coming 
through.

Any other ideas?

 Ken Schaefer k...@adopenstatic.com 9/9/2009 9:17 AM 
If RSOP is not showing the setting, then check the DC that your client is 
connecting to, to see what *it* thinks the policy should be (e.g. load GPMC and 
target that DC). Verify that the relevant GPO objects in sysvol are present on 
that particular DC.

Cheers
Ken

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Thursday, 10 September 2009 12:10 AM
To: NT System Admin Issues
Subject: RE: group policy updating

Application event log shows Event Code 1704:  Security policy in the Group 
policy objects has been applied successfully.  However, running rsop.msc 
following this does not show the new settings.  It does show other settings 
from that GPO, but those were already in effect prior to me adding the banner.

But the banner isn't coming up.  I'm guessing I'm going to have to bounce the 
servers that aren't taking it, at this point, as there has been plenty of time 
for policy updates, both manual by me, and automatically through the system.

 Ken Schaefer k...@adopenstatic.com 9/8/2009 9:13 PM 
Check event logs for any GPO processing errors.  Check your DC replication status 
to work out whether the GPO has actually replicated to the DCs that these 
clients are talking to, etc.

Cheers
Ken



RE: group policy updating

2009-09-09 Thread Richard Stovall
Have you enabled verbose logging on the affected client(s)?

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, September 09, 2009 1:48 PM
To: NT System Admin Issues
Subject: RE: group policy updating

For the most part, this has been the answer.  For some reason, one DC is
not accepting the changes that were made to the policy.

However, I now have an exception.  I have a 2K8 virtual box that is
connecting to the DC that I made the changes to in GPMC, the server
that is definitely showing the new additions to the policy.  This server
is not showing the updates under RSoP.  The gpupdate /force says it
worked successfully, and there were no errors in the Application log.
Normally, I would just wait for the change, but it has been almost a
full day now, without the change coming through.

Any other ideas?




RE: group policy updating

2009-09-09 Thread Joseph Heaton
I have now enabled verbose logging on one of the clients not working.  Under 
Debug\User Mode, there is a gpsvc file, showing group policy stuff.  In this 
file, it doesn't show that the client ever found the Member Server Policy, 
which contains the login banner.

However, when I run gpresult /S computername /V |more, it shows the Member 
Server Policy listed under Computer Settings - Applied Group Policy Objects.  
But, again, if I scroll down through the report, it shows the settings that 
were already part of the Member Server Policy, but not the new changes I made 
yesterday.

This client I'm looking at now is connecting to a DC that does have the new 
settings in the policy under Sysvol. 

 Richard Stovall richard.stov...@researchdata.com 9/9/2009 10:55 AM 
Have you enabled verbose logging on the affected client(s)?


RE: group policy updating

2009-09-09 Thread Richard Stovall
And you have no replication errors at all anywhere?  Are all your DCs in
the same site?  Is there anything complex or unusual about your AD
structure?

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, September 09, 2009 2:47 PM
To: NT System Admin Issues
Subject: RE: group policy updating

I have now enabled verbose logging on one of the clients not working.
Under Debug\User Mode, there is a gpsvc file, showing group policy
stuff.  In this file, it doesn't show that the client ever found the
Member Server Policy, which contains the login banner.

However, when I run gpresult /S computername /V |more, it shows the
Member Server Policy listed under Computer Settings - Applied Group
Policy Objects.  But, again, if I scroll down through the report, it
shows the settings that were already part of the Member Server Policy,
but not the new changes I made yesterday.

This client I'm looking at now is connecting to a DC that does have the
new settings in the policy under Sysvol. 


RE: group policy updating

2009-09-09 Thread Joseph Heaton
One of the DCs is in a Warm site, the other two are virtualized in the same 
server room.  All three of the DCs are listed in the same site in AD Sites & 
Services.  Replmon is showing successful replication for everything it lists.

 Richard Stovall richard.stov...@researchdata.com 9/9/2009 12:03 PM 
And you have no replication errors at all anywhere?  Are all your DCs in
the same site?  Is there anything complex or unusual about your AD
structure?


RE: group policy updating

2009-09-09 Thread Richard Stovall
If you right-click on each of the DCs in replmon and choose Show
Group Policy Object Status, do you see the same information for all
three Domain Controllers?

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, September 09, 2009 3:17 PM
To: NT System Admin Issues
Subject: RE: group policy updating

One of the DCs is in a Warm site, the other two are virtualized in the
same server room.  All three of the DCs are listed in the same site in
AD Sites & Services.  Replmon is showing successful replication for
everything it lists.


RE: group policy updating

2009-09-09 Thread Joseph Heaton
The DC without the updates has an X in the Sync status column, and is showing 
different version numbers between the version number and the SysVol version.  
The other two are the same as each other.

 Richard Stovall richard.stov...@researchdata.com 9/9/2009 12:31 PM 
If you right-click on each of the DCs in replmon and choose Show
Group Policy Object Status, do you see the same information for all
three Domain Controllers?

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, September 09, 2009 3:17 PM
To: NT System Admin Issues
Subject: RE: group policy updating

One of the DCs is in a Warm site, the other two are virtualized in the
same server room.  All three of the DCs are listed in the same site in
AD Sites  Services.  Replmon is showing successful replication for
everything it lists.

 Richard Stovall richard.stov...@researchdata.com 9/9/2009 12:03
PM 
And you have no replication errors at all anywhere?  Are all your DCs in
the same site?  Is there anything complex or unusual about your AD
structure?

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, September 09, 2009 2:47 PM
To: NT System Admin Issues
Subject: RE: group policy updating

I have now enabled verbose logging on one of the clients not working.
Under Debug\User Mode, there is a gpsvc file, showing group policy
stuff.  In this file, it doesn't show that the client ever found the
Member Server Policy, which contains the login banner.

However, when I run gpresult /S computername /V |more, it shows the
Member Server Policy listed under Computer Settings - Applied Group
Policy Objects.  But, again, if I scroll down through the report, it
shows the settings that were already part of the Member Server Policy,
but not the new changes I made yesterday.

This client I'm looking at now, is connecting to a DC that does have the
new settings in the policy under Sysvol. 

 Richard Stovall richard.stov...@researchdata.com 9/9/2009 10:55
AM 
Have you enabled verbose logging on the affected client(s)?

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, September 09, 2009 1:48 PM
To: NT System Admin Issues
Subject: RE: group policy updating

For the most part, this has been the answer.  For some reason, one DC is
not accepting the changes that were made to the policy.

However, I now have an exception.  I have a 2K8 virtual box, that is
connecting to the DC that I made the changes to in GPMC.  The server
that is definitely showing the new additions to the policy.  This server
is not showing the updates under RSoP.  The gpupdate /force says it
worked successfully, and there were no errors in the Application log.
Normally, I would just wait for the change, but it has been almost a
full day now, without the change coming through.

Any other ideas?

 Ken Schaefer k...@adopenstatic.com 9/9/2009 9:17 AM 
If RSOP is not showing the setting, then check the DC that your client
is connecting to, to see what *it* thinks the policy should be (e.g.
load GPMC and target that DC). Verify that the relevant GPO objects in
sysvol are present on that particular DC.

Cheers
Ken

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Thursday, 10 September 2009 12:10 AM
To: NT System Admin Issues
Subject: RE: group policy updating

Application event log shows Event Code 1704:  Security policy in the
Group policy objects has been applied successfully.  However, running
rsop.msc following this does not show the new settings.  It does show
other settings from that GPO, but those were already in effect prior to
me adding the banner.

But the banner isn't coming up.  I'm guessing I'm going to have to
bounce the servers that aren't taking it, at this point, as there has
been plenty of time for policy updates, both manual by me, and
automatically through the system.

 Ken Schaefer k...@adopenstatic.com 9/8/2009 9:13 PM 
Check event logs for any GPO processing errors
Check your DC replication status to work out whether the GPO has actually
replicated to the DCs that these clients are talking to
etc

Cheers
Ken

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, 9 September 2009 5:47 AM
To: NT System Admin Issues
Subject: Re: group policy updating

Hmm, thanks Devin.  I tried that on one of the machines, and the two
settings in question are not showing as being defined at all, much less
by a group policy.  I don't think this is one of those changes that
requires a reboot, at least the gpupdate didn't indicate it.  I'll give
it some time, and check it again in the morning...

Thanks,



Joe L. Heaton

 Devin Meade devin.me...@gmail.com 9/8/2009 2:33 PM 
Try RSOP.MSC on the machine in question.

hth, Devin


On Tue, Sep 8, 2009 at 4:08 PM, Joseph Heatonjhea...@dfg.ca.gov wrote:
 I'm updating a group policy, to add a login banner.  Some of the
machines in question had one, but they were added

RE: group policy updating

2009-09-09 Thread Free, Bob
It's far easier and more thorough to check GPOs with GPOtool.exe
(ResKit). AD can be replicating fine but if FRS is having issues so can
your GPO.

It will evaluate both the GPT (sysvol portion replicated by FRS) and the
GPC (AD portion replicated by DS replication) for any inconsistencies.
It can optionally check the sysvol ACL which can also be a problem
occasionally. 

I would run gpotool /checkacl from a system in the domain that is
encountering issues. That way you can rule out any inconsistencies with
the GPO plumbing on all the DCs before you start mucking around with
clients.



-Original Message-
From: Richard Stovall [mailto:richard.stov...@researchdata.com] 
Sent: Wednesday, September 09, 2009 12:32 PM
To: NT System Admin Issues
Subject: RE: group policy updating

If you right-click on the each of the DCs in replmon and choose Show
Group Policy Object Status, do you see the same information for all
three Domain Controllers?

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, September 09, 2009 3:17 PM
To: NT System Admin Issues
Subject: RE: group policy updating

One of the DCs is in a Warm site, the other two are virtualized in the
same server room.  All three of the DCs are listed in the same site in
AD Sites & Services.  Replmon is showing successful replication for
everything it lists.

 Richard Stovall richard.stov...@researchdata.com 9/9/2009 12:03 PM 
And you have no replication errors at all anywhere?  Are all your DCs in
the same site?  Is there anything complex or unusual about your AD
structure?


RE: group policy updating

2009-09-09 Thread Joseph Heaton
So, after I run the gpotool /checkacl, I ended up piping it to a text file, and 
the errors it finds, are version mismatches on the server I knew about.

Here's where I stand:

3 DCs
MoDC01 - 2K3 Virtual
MoDC04 - 2K8 Virtual
WSDC02 - 2K3 Physical

GPMC is installed on MoDC04, and that's where I made the GP change.

The change is to a policy we call Member Server Policy, and I added a login 
banner to it.

Prior to this change, the login banner that existed was input manually, most 
into the Local Security Policy, and a few to the registry at: 
Machine\Software\Microsoft\Windows NT\Winlogin\.

Immediately after applying the GPO change on MoDC04, I went back through the 
servers that were set manually before, and deleted the entries in Local 
Security Policy, and the registry (data, not the keys themselves)

Yesterday afternoon, I noticed some client servers weren't updating the GPO.  I 
tried gpupdate /force with no luck.  This morning, after troubleshooting, I 
found that the bad clients are connected to various DCs for logonserver.  
Also found out that MoDC01 does not have the changes made to the GPO.  MoDC04 
and WSDC02 are both the same, with the latest changes.  

I've looked at replmon, which shows all successes.
I've turned on verbose logging on a client server that is having issues, and it 
doesn't list the Member Server Policy at all.
I've used gpotool, and the errors it shows are the version mismatches on 
MoDC01.  There's nothing in that report showing lack of rights/credentials to 
process the GPOs.

Bottom line:

I have client servers that are not updating this new GPO, some trying to get it 
from MoDC01, some trying to get it from WSDC02, and one or two trying to get it 
from MoDC04.






~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~



RE: group policy updating

2009-09-09 Thread Free, Bob
Joe-

First thing you need to do is figure out what is causing the version
mismatch and correct it, then tackle the client side issues. Any of your
clients could be encountering the problem and not processing policy
correctly.

I'm assuming that gpotool told you something like Error: Version mismatch
on DCx, DS=12345, sysvol=45678 and only one of these sysvol versions is
mismatched? 

Further assumption is that you have a problem with FRS since a) you said
your DS replication was OK, and b) that's almost always what it is IME.

Look at the FRS logs on that DC and see what they say and we can take it
from there. Depending on what is going on with FRS, sometimes it is as
simple as making an insignificant change to the GPO, saving it, undoing
said change and saving it again and waiting for the new version number
to replicate out.


/aside

I've seen %logonserver% mentioned a couple of times, you can't put a lot
of store in that evar because your GPOs are based on a DFS referral for
the SYSVOL[1]. The DC a client is currently communicating with (aka
SecureChannel) is not necessarily the same as the server that
authenticated you interactively. What is actually used can change from
that server for a variety of reasons. The %logonserver% evar also isn't
maintained, it is set once at logon and stays that way until you log off
and log on again. So all you can really count on it for is to tell you
who authenticated your interactive logon. On the box I am typing this
on, all three (%logonserver%, SecureChannel & sysvol) are different DC's.


If you want to know where you are getting your sysvol share from do:

dfsutil /pktinfo and look for the entry something like
[dc1.full.domain.name\sysvol] State:0x131 ( ACTIVE )


[1] The system volume is a domain-based DFS root, and each domain
controller in the domain hosts a link replica of the share. To locate
the system volume, a client computer queries the logon server for a list
of DFS link replicas. The logon server returns a list of all servers in
DFS that host the system volume. This list is in random order. Servers
that are located in the same site that the client computer is located in
are put at the top of the list. A user can be authenticated by one
domain controller, and can download policies from another domain
controller in the site.

./aside




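Bob's two points above (gpotool comparing the GPT in sysvol against the GPC in AD, and the resulting "Version mismatch on DCx, DS=..., sysvol=..." on a single DC) can be reproduced by hand. The PowerShell below is an added example, not code from the thread or from gpotool; it assumes it is run on a domain member whose account can read every DC's SYSVOL share, takes the policy name from the thread as its default, and discovers the DC names rather than hard-coding them.

```powershell
# Added example (not from the thread, not gpotool's own code): the GPC-vs-GPT
# version check gpotool performs, done per DC so a stale SYSVOL replica stands out.
# Assumes: run on a domain member whose account can read every DC's SYSVOL share.
param([string]$PolicyName = "Member Server Policy")   # policy name from the thread

$rootDse   = [ADSI]"LDAP://RootDSE"
$domainDn  = [string]$rootDse.defaultNamingContext    # e.g. DC=corp,DC=example
$domainDns = ($domainDn -replace '^DC=', '') -replace ',DC=', '.'

# Every DC in the domain, from the Domain Controllers OU (no hard-coded names).
$dcSearcher = New-Object System.DirectoryServices.DirectorySearcher
$dcSearcher.SearchRoot = [ADSI]"LDAP://OU=Domain Controllers,$domainDn"
$dcSearcher.Filter = "(objectClass=computer)"
[void]$dcSearcher.PropertiesToLoad.Add("dNSHostName")
$dcs = @($dcSearcher.FindAll() | ForEach-Object { [string]$_.Properties["dnshostname"][0] })

# Resolve the GPO's GUID from its display name via the GPC container in AD.
$gpoSearcher = New-Object System.DirectoryServices.DirectorySearcher
$gpoSearcher.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"
$gpoSearcher.Filter = "(&(objectClass=groupPolicyContainer)(displayName=$PolicyName))"
[void]$gpoSearcher.PropertiesToLoad.Add("cn")
$gpo = $gpoSearcher.FindOne()
if (-not $gpo) { throw "No GPO named '$PolicyName' found in $domainDns" }
$gpoGuid = [string]$gpo.Properties["cn"][0]           # the {GUID} that names the policy folder

function Split-GpoVersion {
    # A GPO version is one 32-bit number: high 16 bits = user half, low 16 bits = computer half.
    param([int64]$Version)
    if ($Version -lt 0) { $Version += 4294967296 }    # AD stores versionNumber as a signed int
    New-Object PSObject -Property @{
        User     = [int][math]::Floor($Version / 65536)
        Computer = [int]($Version -band 0xFFFF)
    }
}

$results = foreach ($dc in $dcs) {
    $row = New-Object PSObject -Property @{ DC = $dc; DsVersion = $null; SysvolVersion = $null; Status = "" }
    try {
        # GPC half: bind to the policy object on *this* DC, not whichever DC the locator picks.
        $gpc = [ADSI]"LDAP://$dc/CN=$gpoGuid,CN=Policies,CN=System,$domainDn"
        $row.DsVersion = [int64]$gpc.Properties["versionNumber"].Value

        # GPT half: the Version= line of GPT.INI on this DC's own SYSVOL replica (what FRS replicates).
        $gptIni  = "\\$dc\SYSVOL\$domainDns\Policies\$gpoGuid\GPT.INI"
        $verLine = @(Get-Content -Path $gptIni | Where-Object { $_ -like 'Version=*' })[0]
        if (-not $verLine) { throw "no Version= line in $gptIni" }
        $row.SysvolVersion = [int64](($verLine -split '=', 2)[1].Trim())
    } catch {
        $row.Status = "ERROR: $($_.Exception.Message)"
    }
    if ($row.Status -eq "") {
        if ($row.DsVersion -eq $row.SysvolVersion) {
            $row.Status = "OK"
        } else {
            # This is the condition gpotool reports as "Version mismatch on <DC>, DS=..., sysvol=...".
            $ds = Split-GpoVersion $row.DsVersion
            $sv = Split-GpoVersion $row.SysvolVersion
            $row.Status = "MISMATCH user/computer DS=$($ds.User)/$($ds.Computer) sysvol=$($sv.User)/$($sv.Computer)"
        }
    }
    $row
}

$results | Format-Table DC, DsVersion, SysvolVersion, Status -AutoSize

# Cross-DC view: a DC whose SYSVOL copy is behind the newest version seen is the
# replica FRS has not caught up (the MoDC01 situation in the thread).
$newest = ($results | Where-Object { $_.SysvolVersion -ne $null } |
           Measure-Object -Property SysvolVersion -Maximum).Maximum
foreach ($r in $results) {
    if ($r.SysvolVersion -ne $null -and $r.SysvolVersion -lt $newest) {
        Write-Warning "$($r.DC): SYSVOL version $($r.SysvolVersion) lags newest $newest; check FRS on that DC"
    }
}
```

A DC that reports OK for both halves but lags the others in the warning list is exactly the case Bob describes: DS replication is fine and only the FRS-replicated sysvol copy is stale.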
RE: group policy updating

2009-09-09 Thread Joseph Heaton
Bob,

Thanks for the explanation, it makes it more logical for me.  I looked in the 
FRS logs, and there's one error repeated over and over, from around July 
sometime.  It's an Event ID: 13559, Source: NtFrs.  It says that the FRS has 
detected that the replica root path has changed from c:\windows\sysvol\domain 
to c:\windows\sysvol\domain.  Seems like the same exact path to me, but oh 
well.  It also says that a file with the name NTFRS_CMD_FILE_MOVE_ROOT needs to 
be created under the new root path.

I looked in that path, and that file was there...almost.  There was no 
underline between FILE and MOVE.  I've fixed that, and we'll see in the morning 
if FRS is working again.

In the meantime, I've gone back into the client machines that weren't taking 
the GPO update and manually added the login banner to their Local Security 
Policy.  Should I go back and delete that again, in hopes that the GPO does it 
tonight, or should I leave it until tomorrow, and see if it works then?


RE: group policy updating

2009-09-09 Thread Free, Bob
Joe-

Did you bounce the offending FRS service? Depending on the size of the
replica set, all could be well in a few minutes but AFAIK you must
restart FRS. 

Since you have it in your Local Policy which I assume makes any
regulatory-types happy, I'd just leave it till you have time to
troubleshoot it further if that is necessary. Fixing FRS should resolve
the problem if everything else is right.




Re: group policy updating

2009-09-08 Thread Devin Meade
Try RSOP.MSC on the machine in question.

hth, Devin



-- 
Devin




group policy updating

2009-09-08 Thread Joseph Heaton
I'm updating a group policy, to add a login banner.  Some of the machines in 
question had one, but they were added manually either to the Local Security 
Policy, or directly to the registry.  I've gone in, deleted any entries in 
these two locations, I've run gpupdate /force, and logged out and back in.  
When I do this, some machines show the correct banner, and show it in Local 
Security Policy, grayed out, which tells me it's getting it from GP.  Other 
machines don't seem to be updating, even after sitting for a while. The 
successes and failures vary from 2k3 to 2k8, physical, and virtual boxes.

Anyone have any idea what I can look at to troubleshoot this?

I've gone into GPMC, and run the Group Policy Results tool, using my account on 
the boxes in question, and the results come back saying that the desired group 
policy is supposed to be affecting it.

Thanks,



Joseph L. Heaton
Windows Server Support Group
Information Technology Branch
Department of Fish and Game
1807 13th Street, Suite 201
Sacramento, CA  95811
Desk: (916) 323-1284
 
 






Re: group policy updating

2009-09-08 Thread Joseph Heaton
Hmm, thanks Devin.  I tried that on one of the machines, and the two settings 
in question are not showing as being defined at all, much less by a group 
policy.  I don't think this is one of those changes that requires a reboot, at 
least the gpupdate didn't indicate it.  I'll give it some time, and check it 
again in the morning...

Thanks,



Joe L. Heaton




RE: group policy updating

2009-09-08 Thread Ken Schaefer
Check event logs for any GPO processing errors
Check your DC replication status to work out whether the GPO has actually 
replicated to the DCs that these clients are talking to
etc

Cheers
Ken
