Re: GPO Not Applying
I had the same error on a single GPO recently, I managed to get rid of it by backing up the existing one, creating a new one, and importing the settings back into it from the original. After that, the output was fine. On 1 April 2011 03:01, Sean Martin seanmarti...@gmail.com wrote: They're all wired. I think the policy might be a red herring. I finally got a list of servers they're having problems collecting logs from and they're not all in the previously mentioned OU and gpresult from the others shows no oddities. I advised them to engage the deployment engineer from symantec since the product hasn't even been fully implemented yet. I appreciate all of the assistance. - Sean On Mar 31, 2011, at 5:35 PM, Jonathan ncm...@gmail.com wrote: Just for kicksare the affected clients wired or wireless. Also, are other machine policies being applied properly? Jonathan A+, MCSA, MCSE Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings. On Mar 31, 2011 2:24 PM, Sean Martin seanmarti...@gmail.com seanmarti...@gmail.com wrote: Thanks for the advice. Gpotool indicates the policy is ok. Gpresult /v results seem ok, but the policy in question displays oddly in the results. The policy settings are under Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options: Eventlog: Security descriptor for Application event log With additional settings for each log were collecting. The results from gpresult show the following: GPO: policy name Policy: N/A ValueName: machine\system\currentcontrolset\services\eventlog\directory service\customsd Computer Setting: the settings What is odd is that the policy is only referenced once, even though it should configuring up to 6 settings. Also, the policyname shows N/A. I tried comparing gpresults to a server where the policy apppears to apply correctly, but the only one I'm aware of is a domain controller and the format of the results are completely different. Please bear with me if I'm not providing enough information. We're blocking GMail at %work% until we get patch 2524375 deployed, so I'm doing this from my iPhone. On Mar 31, 2011, at 9:32 AM, Free, Bob r...@pge.comr...@pge.com wrote: First I would check the overall health of the GPO components with gpotool including checking the ACL- gpotool /gpo:GUID od suspect GPO /checkacl Then I would check it locally on an affected server with grpesult /v to see what is going on in more detail and also see if you get something better than (unknown reason) I usually do something like gpresult /v gp.txt notepad gp.txt -Original Message- From: Sean Martin [mailto: seanmarti...@gmail.com seanmarti...@gmail.com] Sent: Thursday, March 31, 2011 10:10 AM To: NT System Admin Issues Subject: GPO Not Applying Windows 2003 AD Windows 2003/2008 member servers I've got a GPO that configures security descriptors on event logs for Symantec SSIM to do log collection. I have a security group containing the computer accounts used for security filtering on the GPO. The GPO is linked to 2 OUs where these computer accounts reside. There's a top level OU with multiple sub OUs. One of the sub OUs blocks inheritance for other reasons so the policy is linked directly to that OU. We're having problems collecting logs from computers that reside in the sub OU. Group Policy is being singled out because RSOP lists the following: Policy Name Filtering: Not Applied (Unknown Reason) However, the policy also appears under Applied Group Policy Objects. I haven't been able to identify anything that would prevent the GPO from applying. Other GPOs linked directly to the sub OU apply without issue. The only difference is the problem GPO uses more granular security filtering, where the others default to authenticated users. I'm going to create a separate GPO that can be applied to only the sub OU and not modify security filtering. I'm not entirely convinced this is specifically a GPO problem because there are other environmental differences that make members of this OU unique. Anyone have any ideas on the GPO scenario? Does it sound like there's an issue? ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/
RE: GPO Not Applying
First I would check the overall health of the GPO components with gpotool including checking the ACL- gpotool /gpo:GUID od suspect GPO /checkacl Then I would check it locally on an affected server with grpesult /v to see what is going on in more detail and also see if you get something better than (unknown reason) I usually do something like gpresult /v gp.txt notepad gp.txt -Original Message- From: Sean Martin [mailto:seanmarti...@gmail.com] Sent: Thursday, March 31, 2011 10:10 AM To: NT System Admin Issues Subject: GPO Not Applying Windows 2003 AD Windows 2003/2008 member servers I've got a GPO that configures security descriptors on event logs for Symantec SSIM to do log collection. I have a security group containing the computer accounts used for security filtering on the GPO. The GPO is linked to 2 OUs where these computer accounts reside. There's a top level OU with multiple sub OUs. One of the sub OUs blocks inheritance for other reasons so the policy is linked directly to that OU. We're having problems collecting logs from computers that reside in the sub OU. Group Policy is being singled out because RSOP lists the following: Policy Name Filtering: Not Applied (Unknown Reason) However, the policy also appears under Applied Group Policy Objects. I haven't been able to identify anything that would prevent the GPO from applying. Other GPOs linked directly to the sub OU apply without issue. The only difference is the problem GPO uses more granular security filtering, where the others default to authenticated users. I'm going to create a separate GPO that can be applied to only the sub OU and not modify security filtering. I'm not entirely convinced this is specifically a GPO problem because there are other environmental differences that make members of this OU unique. Anyone have any ideas on the GPO scenario? Does it sound like there's an issue? ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
Re: GPO Not Applying
Thanks for the advice. Gpotool indicates the policy is ok. Gpresult /v results seem ok, but the policy in question displays oddly in the results. The policy settings are under Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options: Eventlog: Security descriptor for Application event log With additional settings for each log were collecting. The results from gpresult show the following: GPO: policy name Policy: N/A ValueName: machine\system\currentcontrolset\services\eventlog\directory service\customsd Computer Setting: the settings What is odd is that the policy is only referenced once, even though it should configuring up to 6 settings. Also, the policyname shows N/A. I tried comparing gpresults to a server where the policy apppears to apply correctly, but the only one I'm aware of is a domain controller and the format of the results are completely different. Please bear with me if I'm not providing enough information. We're blocking GMail at %work% until we get patch 2524375 deployed, so I'm doing this from my iPhone. On Mar 31, 2011, at 9:32 AM, Free, Bob r...@pge.com wrote: First I would check the overall health of the GPO components with gpotool including checking the ACL- gpotool /gpo:GUID od suspect GPO /checkacl Then I would check it locally on an affected server with grpesult /v to see what is going on in more detail and also see if you get something better than (unknown reason) I usually do something like gpresult /v gp.txt notepad gp.txt -Original Message- From: Sean Martin [mailto:seanmarti...@gmail.com] Sent: Thursday, March 31, 2011 10:10 AM To: NT System Admin Issues Subject: GPO Not Applying Windows 2003 AD Windows 2003/2008 member servers I've got a GPO that configures security descriptors on event logs for Symantec SSIM to do log collection. I have a security group containing the computer accounts used for security filtering on the GPO. The GPO is linked to 2 OUs where these computer accounts reside. There's a top level OU with multiple sub OUs. One of the sub OUs blocks inheritance for other reasons so the policy is linked directly to that OU. We're having problems collecting logs from computers that reside in the sub OU. Group Policy is being singled out because RSOP lists the following: Policy Name Filtering: Not Applied (Unknown Reason) However, the policy also appears under Applied Group Policy Objects. I haven't been able to identify anything that would prevent the GPO from applying. Other GPOs linked directly to the sub OU apply without issue. The only difference is the problem GPO uses more granular security filtering, where the others default to authenticated users. I'm going to create a separate GPO that can be applied to only the sub OU and not modify security filtering. I'm not entirely convinced this is specifically a GPO problem because there are other environmental differences that make members of this OU unique. Anyone have any ideas on the GPO scenario? Does it sound like there's an issue? ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
Re: GPO Not Applying
Just for kicksare the affected clients wired or wireless. Also, are other machine policies being applied properly? Jonathan A+, MCSA, MCSE Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings. On Mar 31, 2011 2:24 PM, Sean Martin seanmarti...@gmail.com wrote: Thanks for the advice. Gpotool indicates the policy is ok. Gpresult /v results seem ok, but the policy in question displays oddly in the results. The policy settings are under Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options: Eventlog: Security descriptor for Application event log With additional settings for each log were collecting. The results from gpresult show the following: GPO: policy name Policy: N/A ValueName: machine\system\currentcontrolset\services\eventlog\directory service\customsd Computer Setting: the settings What is odd is that the policy is only referenced once, even though it should configuring up to 6 settings. Also, the policyname shows N/A. I tried comparing gpresults to a server where the policy apppears to apply correctly, but the only one I'm aware of is a domain controller and the format of the results are completely different. Please bear with me if I'm not providing enough information. We're blocking GMail at %work% until we get patch 2524375 deployed, so I'm doing this from my iPhone. On Mar 31, 2011, at 9:32 AM, Free, Bob r...@pge.com wrote: First I would check the overall health of the GPO components with gpotool including checking the ACL- gpotool /gpo:GUID od suspect GPO /checkacl Then I would check it locally on an affected server with grpesult /v to see what is going on in more detail and also see if you get something better than (unknown reason) I usually do something like gpresult /v gp.txt notepad gp.txt -Original Message- From: Sean Martin [mailto:seanmarti...@gmail.com] Sent: Thursday, March 31, 2011 10:10 AM To: NT System Admin Issues Subject: GPO Not Applying Windows 2003 AD Windows 2003/2008 member servers I've got a GPO that configures security descriptors on event logs for Symantec SSIM to do log collection. I have a security group containing the computer accounts used for security filtering on the GPO. The GPO is linked to 2 OUs where these computer accounts reside. There's a top level OU with multiple sub OUs. One of the sub OUs blocks inheritance for other reasons so the policy is linked directly to that OU. We're having problems collecting logs from computers that reside in the sub OU. Group Policy is being singled out because RSOP lists the following: Policy Name Filtering: Not Applied (Unknown Reason) However, the policy also appears under Applied Group Policy Objects. I haven't been able to identify anything that would prevent the GPO from applying. Other GPOs linked directly to the sub OU apply without issue. The only difference is the problem GPO uses more granular security filtering, where the others default to authenticated users. I'm going to create a separate GPO that can be applied to only the sub OU and not modify security filtering. I'm not entirely convinced this is specifically a GPO problem because there are other environmental differences that make members of this OU unique. Anyone have any ideas on the GPO scenario? Does it sound like there's an issue? ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
Re: GPO Not Applying
They're all wired. I think the policy might be a red herring. I finally got a list of servers they're having problems collecting logs from and they're not all in the previously mentioned OU and gpresult from the others shows no oddities. I advised them to engage the deployment engineer from symantec since the product hasn't even been fully implemented yet. I appreciate all of the assistance. - Sean On Mar 31, 2011, at 5:35 PM, Jonathan ncm...@gmail.com wrote: Just for kicksare the affected clients wired or wireless. Also, are other machine policies being applied properly? Jonathan A+, MCSA, MCSE Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings. On Mar 31, 2011 2:24 PM, Sean Martin seanmarti...@gmail.com wrote: Thanks for the advice. Gpotool indicates the policy is ok. Gpresult /v results seem ok, but the policy in question displays oddly in the results. The policy settings are under Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options: Eventlog: Security descriptor for Application event log With additional settings for each log were collecting. The results from gpresult show the following: GPO: policy name Policy: N/A ValueName: machine\system\currentcontrolset\services\eventlog\directory service\customsd Computer Setting: the settings What is odd is that the policy is only referenced once, even though it should configuring up to 6 settings. Also, the policyname shows N/A. I tried comparing gpresults to a server where the policy apppears to apply correctly, but the only one I'm aware of is a domain controller and the format of the results are completely different. Please bear with me if I'm not providing enough information. We're blocking GMail at %work% until we get patch 2524375 deployed, so I'm doing this from my iPhone. On Mar 31, 2011, at 9:32 AM, Free, Bob r...@pge.com wrote: First I would check the overall health of the GPO components with gpotool including checking the ACL- gpotool /gpo:GUID od suspect GPO /checkacl Then I would check it locally on an affected server with grpesult /v to see what is going on in more detail and also see if you get something better than (unknown reason) I usually do something like gpresult /v gp.txt notepad gp.txt -Original Message- From: Sean Martin [mailto:seanmarti...@gmail.com] Sent: Thursday, March 31, 2011 10:10 AM To: NT System Admin Issues Subject: GPO Not Applying Windows 2003 AD Windows 2003/2008 member servers I've got a GPO that configures security descriptors on event logs for Symantec SSIM to do log collection. I have a security group containing the computer accounts used for security filtering on the GPO. The GPO is linked to 2 OUs where these computer accounts reside. There's a top level OU with multiple sub OUs. One of the sub OUs blocks inheritance for other reasons so the policy is linked directly to that OU. We're having problems collecting logs from computers that reside in the sub OU. Group Policy is being singled out because RSOP lists the following: Policy Name Filtering: Not Applied (Unknown Reason) However, the policy also appears under Applied Group Policy Objects. I haven't been able to identify anything that would prevent the GPO from applying. Other GPOs linked directly to the sub OU apply without issue. The only difference is the problem GPO uses more granular security filtering, where the others default to authenticated users. I'm going to create a separate GPO that can be applied to only the sub OU and not modify security filtering. I'm not entirely convinced this is specifically a GPO problem because there are other environmental differences that make members of this OU unique. Anyone have any ideas on the GPO scenario? Does it sound like there's an issue? ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/