+ Reply to Thread
Page 1 of 2 1 2 Last
Results 1 to 25 of 26

Thread: Not pulling GPO

  1. Hugh Jarse Lee H's Avatar
    Join Date
    May 2005
    Location
    Liverpool, England
    Posts
    1,134

    Certifications
    C&G Networking Level 2, C&G Networking Level3, MS 70-270
    #1

    Default Not pulling GPO

    Hi

    I post many questions here and dont get many replies, either the people who visit this particular forum cant answer or its in the wrong forum, anyway i post here because we use server 2003 in my workplace if anyone knows of a better forum for this question please tell me

    Q. One of our 2000 clients in my school will not pull the gpo (mandatory start menu etc....) nor will it get a DNS entry, one maybe causing the other????. It has been dropped off the network and put back on several times with different names but will not pull the gpo, it gets a full start menu when logging in as a test user.

    Any ideas would be great, to solve this we are going to re-image the client but i am curious why its happening.

    Lee H
    Reply With Quote Quote  

  2. SS -->
  3. Senior Member
    Join Date
    May 2005
    Location
    PA
    Posts
    1,343

    Certifications
    A+ / Net+ / MCP (270 / 290) - up next 70-291 enroute to MCSA 2003
    #2
    did you try gpupdate...........
    Reply With Quote Quote  

  4. Senior Member
    Join Date
    Nov 2005
    Location
    UK
    Posts
    863

    Certifications
    MCSE 2003, MCSA:M, MCDST
    #3
    First of all I guess you should solve the DNS problem.

    The problem as I understand it is that the computer doesn't register itself in DNS (and therefore can't get the policy applied).
    Is it in a domain? Getting its IP from the DHCP server (with presumably the DNS settings configured)? Are any other computers on its subnet having the same problems?
    Did you try an ipconfig /registerdns and then a gpupdate (or whatever the cmd is in win2k)?
    Can you ping the DNS server? The DC? Any problem with the computer account in AD? Tried rejoining it?
    ...
    Reply With Quote Quote  

  5. Senior Member
    Join Date
    Feb 2004
    Posts
    179

    Certifications
    MCSA2008R2, MCTS: SCCM 2007, MCTS:SCVMM, MCSA 2k/2k3-Messaging, MCSE 2k/2k3,MCTS:Vista Configuration,
    #4
    Quote Originally Posted by _omni_
    Did you try an ipconfig /registerdns and then a gpupdate (or whatever the cmd is in win2k)?
    ...
    To update machine policy, enter: secedit /refreshpolicy machine_policy
    To update user policy, enter: secedit /refreshpolicy user_policy

    Note: By default secedit will only load changes to the GPO.
    To refresh the entire GPO regardless of changes made,
    add the /enforce switch to the end of the command.

    Kind regards.
    Eastp.
    Reply With Quote Quote  

  6. Infrequent Poster Silver Bullet's Avatar
    Join Date
    Aug 2004
    Posts
    677

    Certifications
    A+, Network+, Server+, APS, MCP, MCSA:M 2003 MCSE 2003 MCTS(70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE
    #5
    Quote Originally Posted by eastp
    Quote Originally Posted by _omni_
    Did you try an ipconfig /registerdns and then a gpupdate (or whatever the cmd is in win2k)?
    ...
    To update machine policy, enter: secedit /refreshpolicy machine_policy
    To update user policy, enter: secedit /refreshpolicy user_policy

    Note: By default secedit will only load changes to the GPO.
    To refresh the entire GPO regardless of changes made,
    add the /enforce switch to the end of the command.

    Kind regards.
    Eastp.
    That is correct for Windows 2000 and 2000 Server but not XP and Server 2003. gpupdate replaces secedit.

    Since it is a Domain we are dealing with (aren't we?) then I would think we need to use gpupdate /appropriate switch on the Windows Server 2003 Domain Controller. If it is a workgroup then you will need to use secedit /appropriate switch on the windows 2000 client.

    Need more info as _omni_ is probing for in order to help on this.
    Reply With Quote Quote  

  7. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #6
    He is having problems with a W2K client, so the command would be secedit... However, if renaming and rebooting don't help there is another problem and secrdit/gpupdate won't make much difference.

    What do your event logs on the client tell you? That will help a lot. Most likely you will find a clue to the problem there.

    What happens when you ping the domain? If your domain name is "mydomain" try "ping mydomain" and see if a DC replies.
    Reply With Quote Quote  

  8. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #7

    Default Re: Not pulling GPO

    Quote Originally Posted by Lee H
    Hi

    I post many questions here and dont get many replies, either the people who visit this particular forum cant answer or its in the wrong forum, anyway i post here because we use server 2003 in my workplace if anyone knows of a better forum for this question please tell me
    Hi Lee,
    I think it could be a lot of reasons. Sometimes if it seems someone has not tried to find the answer themselves (which can usually be discerned from the question) people may not respond to it. It's like expecting everyone else to do your work for you. Not saying this is the case, just one possibility. Second, are you including enough info with your questions? I personally don't like to have to beg a guy for details when he was too lazy to post the obvious details the first time. Third, maybe we don't know the answer. You didn't, so why expect someone else to know without having been involved like you were. And last, this thread is actually about certification and the 70-290 exam specifically, not trouble shooting someone else's production environment. Anyway, hopefully the answers here will give you a place to start solving the problem. Everyone is glad to help out a fellow tech.
    Hope that helps.
    Reply With Quote Quote  

  9. Infrequent Poster Silver Bullet's Avatar
    Join Date
    Aug 2004
    Posts
    677

    Certifications
    A+, Network+, Server+, APS, MCP, MCSA:M 2003 MCSE 2003 MCTS(70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE
    #8
    Quote Originally Posted by sprkymrk
    He is having problems with a W2K client, so the command would be secedit...
    I agree if it is a Workgroup....otherwise if it is a domain then then those commands will need to be ran at the domain level since the GP is applied at the Domain Level in a Domain environment. In which if it is a domain then the command will be gpupdate since he said he is running Server 2003.

    Also it depends on where your GP is being applied and if the object you are applying it to is in the correct OU if that is how you are applying your GP.

    Again......there are too many unknowns to pinpoint the exact cause of your problem.

    Details Please!!!

    I scrolled through the 70-290 forum and found the post you have posted and found that you are getting replies, you are just not giving enough info or doing enough of the legwork yourself as sprkymrk has already said.
    Reply With Quote Quote  

  10. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #9
    Quote Originally Posted by Silver Bullet
    Quote Originally Posted by sprkymrk
    He is having problems with a W2K client, so the command would be secedit...
    I agree if it is a Workgroup....otherwise if it is a domain then then those commands will need to be ran at the domain level since the GP is applied at the Domain Level in a Domain environment. In which if it is a domain then the command will be gpupdate since he said he is running Server 2003.
    The command for a W2K client is secedit, regardless of the DC OS. If you try to run gpupdate on a W2K box it will error out with the message of unrecognized command. I know, I've done it... I have a mixed environment of W2K and WXP on a AD 2003 domain.
    Reply With Quote Quote  

  11. Infrequent Poster Silver Bullet's Avatar
    Join Date
    Aug 2004
    Posts
    677

    Certifications
    A+, Network+, Server+, APS, MCP, MCSA:M 2003 MCSE 2003 MCTS(70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE
    #10
    Quote Originally Posted by sprkymrk
    Quote Originally Posted by Silver Bullet
    Quote Originally Posted by sprkymrk
    He is having problems with a W2K client, so the command would be secedit...
    I agree if it is a Workgroup....otherwise if it is a domain then then those commands will need to be ran at the domain level since the GP is applied at the Domain Level in a Domain environment. In which if it is a domain then the command will be gpupdate since he said he is running Server 2003.
    The command for a W2K client is secedit, regardless of the DC OS. If you try to run gpupdate on a W2K box it will error out with the message of unrecognized command. I know, I've done it... I have a mixed environment of W2K and WXP on a AD 2003 domain.
    I'm not arguing the fact that secedit is the command to use on a Windows 2k client. I AM saying that in a domain environment you run the command at the domain level, not the client level. If you had to run around to every client to enforce a group policy update in a domain environment then that would make for 1 heck of a job. Having said that.....since he already said that he is using Windows Server 2003, and at this point one can only assume that he is operating in a domain, then the command will be gpupdate and it will need to be ran on the Server, not the clients computer.
    Reply With Quote Quote  

  12. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #11
    If he is only having trouble with a single client, that's where you start trouble shooting (assuming everyone else is okay). It doesn't appear that the whole domain is experiencing problems, just this one lonely little W2K workstation. I see where you were going now though. I may be slow, but at least I do poor work.
    Reply With Quote Quote  

  13. Infrequent Poster Silver Bullet's Avatar
    Join Date
    Aug 2004
    Posts
    677

    Certifications
    A+, Network+, Server+, APS, MCP, MCSA:M 2003 MCSE 2003 MCTS(70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE
    #12
    Well I still think that if this is the only user that isn't getting the group policy then the problem is with his setup in AD. Either the object isn't in the correct container or whatever. If it is just a user then it could just be that the user is not in the OU that the GP is being applied.

    Nothing was ever said that if he tried to log on with another user account that is known to be getting the GP applied. He did mention some vague DNS problem but who knows.

    For all we know at this point.....the user is logging on with a local account using the restaurant's open wireless connection across the street.
    Reply With Quote Quote  

  14. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #13
    Quote Originally Posted by Silver Bullet
    For all we know at this point.....the user is logging on with a local account using the restaurant's open wireless connection across the street.
    That would explain where he is then, since he hasn't posted back anything since his original question at 2:30PM today*. Right now it's you and me trying to solve a problem we actually know very little about. Let's just say we fixed it and move on to the next one SilverB, deal?


    * Of course, to be fair, the time difference (5-6 hours) might have something to do with it too.
    Reply With Quote Quote  

  15. Infrequent Poster Silver Bullet's Avatar
    Join Date
    Aug 2004
    Posts
    677

    Certifications
    A+, Network+, Server+, APS, MCP, MCSA:M 2003 MCSE 2003 MCTS(70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE
    #14
    Quote Originally Posted by sprkymrk
    Let's just say we fixed it and move on to the next one SilverB, deal?
    Next
    Reply With Quote Quote  

  16. Infrequent Poster Silver Bullet's Avatar
    Join Date
    Aug 2004
    Posts
    677

    Certifications
    A+, Network+, Server+, APS, MCP, MCSA:M 2003 MCSE 2003 MCTS(70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE
    #15
    Here is one that we can move on to:
    http://techexams.net/forums/viewtopic.php?t=14531
    Reply With Quote Quote  

  17. Hugh Jarse Lee H's Avatar
    Join Date
    May 2005
    Location
    Liverpool, England
    Posts
    1,134

    Certifications
    C&G Networking Level 2, C&G Networking Level3, MS 70-270
    #16
    I belive some clarification is in order.

    Client will log onto domain, but not pull the GPO
    Client pulls default local profile instead of mandatory profile from server
    This is the only one that its happening to
    Other colleague has noticed it does not get a DNS entry
    Other colleague has ran GPupdate but to no avail
    Client has been renamed and re joined to network but still no GPO
    Why is the server authenticating a user but not pulling the mandatory GPO

    64 million dollar question is Why is the server authenticating a user but not pulling the mandatory GPO but instead the client gives the default local profile????????

    Appologies for vague information it was not me who was trying to fix this problem it was a colleague and that was all he told me, thanks for everyone's input i appreciate everyone comments helpfull or not.

    Lee H
    Reply With Quote Quote  

  18. Infrequent Poster Silver Bullet's Avatar
    Join Date
    Aug 2004
    Posts
    677

    Certifications
    A+, Network+, Server+, APS, MCP, MCSA:M 2003 MCSE 2003 MCTS(70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE
    #17
    At what level are you applying the GP? Is it being applied to an OU? If so, have you made sure that this user is in the correct OU? Have you logged on to the same computer with another User Account that is getting the GP applied? Can the user log on to a different machine and get the GP?
    Reply With Quote Quote  

  19. Hugh Jarse Lee H's Avatar
    Join Date
    May 2005
    Location
    Liverpool, England
    Posts
    1,134

    Certifications
    C&G Networking Level 2, C&G Networking Level3, MS 70-270
    #18
    Quote Originally Posted by Silver Bullet
    At what level are you applying the GP? Is it being applied to an OU? If so, have you made sure that this user is in the correct OU? Have you logged on to the same computer with another User Account that is getting the GP applied? Can the user log on to a different machine and get the GP?
    GPO is applied to the Pupils folder which our test account resides
    Test account works on every other machine

    This issue has now been resolved with a re-image but we have an ongoing problem in our school and i have spent hours trawling wesites for an answer. It has happened quite a lot mainly over our wireless internet that when a user logs on to the laptop using their domain log in it doesnt pull the GPO but the fact that their actually logging in suggest that they are being authenticated but then the GPO fails to apply so they get the default local profile. Then they have full access to the local laptop which we dont want.

    Lee H
    Reply With Quote Quote  

  20. Security Tinkerer
    Join Date
    Sep 2004
    Location
    I'm conviced, we all live in the Matrix.
    Posts
    1,228

    Certifications
    CISSP,,CCSP,CNSS-4013+4011,MCT MCSA2K3,CWNA MCSE2K3:Sec LPT ECSA CEH CHFI,CCNA CS-CFW, CCIE-Sec/Written, etc..
    #19
    Quote Originally Posted by Lee H
    Quote Originally Posted by Silver Bullet
    At what level are you applying the GP? Is it being applied to an OU? If so, have you made sure that this user is in the correct OU? Have you logged on to the same computer with another User Account that is getting the GP applied? Can the user log on to a different machine and get the GP?
    GPO is applied to the Pupils folder which our test account resides
    Test account works on every other machine

    This issue has now been resolved with a re-image but we have an ongoing problem in our school and i have spent hours trawling wesites for an answer. It has happened quite a lot mainly over our wireless internet that when a user logs on to the laptop using their domain log in it doesnt pull the GPO but the fact that their actually logging in suggest that they are being authenticated but then the GPO fails to apply so they get the default local profile. Then they have full access to the local laptop which we dont want.

    Lee H
    This might be due to whatever wireless cards the client is using. Keep in mind that the wireless client utility (which ever you might be using) might not startup until after Windows has completely booted and AFTER group policy would be applied (during the logon process). If no network connection is detected, they will log on with cached domain credentials or local default settings. Due to the fact that you say this is only happening to the wireless clients, It's probably where you're having the problem. You need to change when group policy is applied by modifying Computer Configuration\Administrative Templates\System\netlogon. In here you will need to configure the "expected dial-up delay on logon" option. This should do it for you.
    Reply With Quote Quote  

  21. Hugh Jarse Lee H's Avatar
    Join Date
    May 2005
    Location
    Liverpool, England
    Posts
    1,134

    Certifications
    C&G Networking Level 2, C&G Networking Level3, MS 70-270
    #20

    Default Re: Not pulling GPO

    Quote Originally Posted by sprkymrk
    Quote Originally Posted by Lee H
    Hi

    I post many questions here and dont get many replies, either the people who visit this particular forum cant answer or its in the wrong forum, anyway i post here because we use server 2003 in my workplace if anyone knows of a better forum for this question please tell me
    Hi Lee,
    I think it could be a lot of reasons. Sometimes if it seems someone has not tried to find the answer themselves (which can usually be discerned from the question) people may not respond to it. It's like expecting everyone else to do your work for you. Not saying this is the case, just one possibility. Second, are you including enough info with your questions? I personally don't like to have to beg a guy for details when he was too lazy to post the obvious details the first time. Third, maybe we don't know the answer. You didn't, so why expect someone else to know without having been involved like you were. And last, this thread is actually about certification and the 70-290 exam specifically, not trouble shooting someone else's production environment. Anyway, hopefully the answers here will give you a place to start solving the problem. Everyone is glad to help out a fellow tech.
    Hope that helps.
    Firstly i search many sites finding solutions to my problems, about 1 in 10 i ask on Techexams through no result of this.

    Secondly i am guilty of not providing enough information but at the time that was all i knew

    Thirdly i dont assume that people on this forum will know the answer, same reason why when i read questions that other people have posted if i dont know the answer i dont reply.

    and lastly this site IS about certification AND also about sharing knowledge with other people alike around the world who may have your solution, after posting that comment dont contradict yourself by finding a solution to one of YOUR problems by posting on this site.

    If this site was full of people with your attitude then it would not exist.
    Reply With Quote Quote  

  22. Security Tinkerer
    Join Date
    Sep 2004
    Location
    I'm conviced, we all live in the Matrix.
    Posts
    1,228

    Certifications
    CISSP,,CCSP,CNSS-4013+4011,MCT MCSA2K3,CWNA MCSE2K3:Sec LPT ECSA CEH CHFI,CCNA CS-CFW, CCIE-Sec/Written, etc..
    #21
    And Leeh, as always post back results, as it might help someone in the future who might me in your same situation.

    Keatron.
    Reply With Quote Quote  

  23. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #22

    Default Re: Not pulling GPO

    Quote Originally Posted by Lee H
    Quote Originally Posted by sprkymrk
    Quote Originally Posted by Lee H
    Hi

    I post many questions here and dont get many replies, either the people who visit this particular forum cant answer or its in the wrong forum, anyway i post here because we use server 2003 in my workplace if anyone knows of a better forum for this question please tell me
    Hi Lee,
    I think it could be a lot of reasons. Sometimes if it seems someone has not tried to find the answer themselves (which can usually be discerned from the question) people may not respond to it. It's like expecting everyone else to do your work for you. Not saying this is the case, just one possibility. Second, are you including enough info with your questions? I personally don't like to have to beg a guy for details when he was too lazy to post the obvious details the first time. Third, maybe we don't know the answer. You didn't, so why expect someone else to know without having been involved like you were. And last, this thread is actually about certification and the 70-290 exam specifically, not trouble shooting someone else's production environment. Anyway, hopefully the answers here will give you a place to start solving the problem. Everyone is glad to help out a fellow tech.
    Hope that helps.
    Firstly i search many sites finding solutions to my problems, about 1 in 10 i ask on Techexams through no result of this.

    Secondly i am guilty of not providing enough information but at the time that was all i knew

    Thirdly i dont assume that people on this forum will know the answer, same reason why when i read questions that other people have posted if i dont know the answer i dont reply.

    and lastly this site IS about certification AND also about sharing knowledge with other people alike around the world who may have your solution, after posting that comment dont contradict yourself by finding a solution to one of YOUR problems by posting on this site.

    If this site was full of people with your attitude then it would not exist.
    Not sure what part of my answer offended you Lee. Was it the part where I said this is just a possibility and necessarily true in your case? Or was it my suggestion to provide enough information for everyone else to go on? Maybe the part about being glad to help fellow techs? The smiley face emoticons are actually used to convey information that cannot be easily conveyed using only the written word. Thus the little yellow face with a smile at the end of my answer was supposed to mean "no hard feelings" or "no offence intended". I'm not a good word smith, so if my answer was too hard or offensive, it was not intended that way.

    I find that most people read the part that applies to themselves and ignore the rest. Regarding my attitude, just check some of my other posts. I doubt you'll find too many contradictions.

    Yes, this SITE is about helping others, but this specific thread is about the 70-290 exam, which I only mentioned since you indicated that you weren't sure if this was the right forum for your specific question.

    Anyway, I agree the wireless part is probably where the problem lies. Let us know if keatron's suggestion works. Thanks and take care.
    Reply With Quote Quote  

  24. Security Tinkerer
    Join Date
    Sep 2004
    Location
    I'm conviced, we all live in the Matrix.
    Posts
    1,228

    Certifications
    CISSP,,CCSP,CNSS-4013+4011,MCT MCSA2K3,CWNA MCSE2K3:Sec LPT ECSA CEH CHFI,CCNA CS-CFW, CCIE-Sec/Written, etc..
    #23
    Lee another thing to consider is make sure that the user and/or computer have the read & apply group policy permission on the GPO.
    Reply With Quote Quote  

  25. Hugh Jarse Lee H's Avatar
    Join Date
    May 2005
    Location
    Liverpool, England
    Posts
    1,134

    Certifications
    C&G Networking Level 2, C&G Networking Level3, MS 70-270
    #24
    Quote Originally Posted by keatron
    Lee another thing to consider is make sure that the user and/or computer have the read & apply group policy permission on the GPO.
    Not sure what that last post meant, your first explanation sounds like the answer, will alter the gpo to include a login delay for those laptops, i wont know if it has solved the problem cos it will take time to see that it hasnt happened again, it didnt happen every week but enough to need a fix for it. Thanks for you help

    Lee H
    Reply With Quote Quote  

  26. Hugh Jarse Lee H's Avatar
    Join Date
    May 2005
    Location
    Liverpool, England
    Posts
    1,134

    Certifications
    C&G Networking Level 2, C&G Networking Level3, MS 70-270
    #25
    Hi

    3 more suggestions regarding this issue, i thought i knew most of the objects in AD as i have a printout of all of them in list form and have scanned them a few times to familiarise myself with them but i missed these 2

    1. Computer Configuration\Admin Templates\System\User Profiles - Do not detect slow network connections.

    If we asume our issue is directly related to slow wireless then after being authenticated over a slow connection the profile would take too long so by default the local one is pulled.


    2. Computer Configuration\Admin Templates\System\Logon - Always wait for the network at computer startup and logon.

    By default, Windows XP does not wait for the network to be fully initialized at startup and logon.

    3rd option just to be sure it will never happen is to copy our profile to the laptop and make that the default laptop as it will have all restrictions thus protecting the laptop from unsavoury pupils.

    Thanks for everyones input i appreciate it, will impliment all these and let you know if it works

    Lee H
    Reply With Quote Quote  

+ Reply to Thread
Page 1 of 2 1 2 Last

Social Networking & Bookmarks