_Group Policy only 1 of 6 is working

G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi all
I have created 6 group polices on a DC but only 1 is being updated and
enforced on any of the workstations (XP and 2k).

GPResult says that all 6 were applied to all the XP machine I've
checked. I have verified that all 6 are setup identically
(security/permissions etc.) other than the GP properties of course.

One of the policies not being updated is the password restrictions
(enforce history 6 passwords, max password age 42 days, min password
age 1 day, min password length 8 chars). However, users can change
their blank password to blank as many times a day as they wish. I need
to fix this!!

Any help will be appreciated.

Thanks
David
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

What is the config of the OUs and GPOs (links, settings, etc). Also, where
do the user and computer accounts live that are in question?

--
Derek Melber
BrainCore.Net
derekm@braincore.net
"David Stal" <None@guesswhere.sk> wrote in message
news:b5ho70psstjkbtcnhauc86vq04pg4u7k6d@4ax.com...
> Hi all
> I have created 6 group polices on a DC but only 1 is being updated and
> enforced on any of the workstations (XP and 2k).
>
> GPResult says that all 6 were applied to all the XP machine I've
> checked. I have verified that all 6 are setup identically
> (security/permissions etc.) other than the GP properties of course.
>
> One of the policies not being updated is the password restrictions
> (enforce history 6 passwords, max password age 42 days, min password
> age 1 day, min password length 8 chars). However, users can change
> their blank password to blank as many times a day as they wish. I need
> to fix this!!
>
> Any help will be appreciated.
>
> Thanks
> David
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

All GPOs reside at the domain level (AD Users and Computers / Domain.
All users are in various OUs beneath this.

There are no links
Default security (authenticated users have Read and Apply Group
Policy). I am a domain admin and these policies are not working for me
either.

Policies setup
Password Policies: (not currently working)
Computer Configuration / Windows Settings / Security Settings /
Account Policies / Password Policy
set to: 6 remembered, min age 1 day, max age 42 days, min length 8
characters
Interactive logon:prompt user to change password before expiration
set to: 5 days

LogOff Script: (Working)
User Configuration / Windows Settings / Scripts
Logoff.bat

Now I come to look at it, all the GPOs that are not working are all
Computer Configuration.

Any clues what might be going on?

Thanks
David


On Tue, 13 Apr 2004 15:00:03 -0700, "Derek Melber [MVP]"
<derekm@braincore.net> wrote:

>What is the config of the OUs and GPOs (links, settings, etc). Also, where
>do the user and computer accounts live that are in question?
>
>--
>Derek Melber
>BrainCore.Net
>derekm@braincore.net
>"David Stal" <None@guesswhere.sk> wrote in message
>news:b5ho70psstjkbtcnhauc86vq04pg4u7k6d@4ax.com...
>> Hi all
>> I have created 6 group polices on a DC but only 1 is being updated and
>> enforced on any of the workstations (XP and 2k).
>>
>> GPResult says that all 6 were applied to all the XP machine I've
>> checked. I have verified that all 6 are setup identically
>> (security/permissions etc.) other than the GP properties of course.
>>
>> One of the policies not being updated is the password restrictions
>> (enforce history 6 passwords, max password age 42 days, min password
>> age 1 day, min password length 8 chars). However, users can change
>> their blank password to blank as many times a day as they wish. I need
>> to fix this!!
>>
>> Any help will be appreciated.
>>
>> Thanks
>> David
>>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Additional: This AM GPUpdate is now showing the 5 GPOs as "filtering:
Not Applied (empty) on the XP machines

And the event log is listing several Userenv errors when updating the
policies (Events 1030, 1058, 1091, 1085)

I'm really beginning to dislike group policies. :)o|

BTW, a while ago all SYSVOL contents got deleted due to a linked copy
being created via a test tape restore. I fixed it with LINKD and
recreated all polices from scratch.



On Wed, 14 Apr 2004 08:39:37 -0500, David Stal <None@guesswhere.sk>
wrote:

>All GPOs reside at the domain level (AD Users and Computers / Domain.
>All users are in various OUs beneath this.
>
>There are no links
>Default security (authenticated users have Read and Apply Group
>Policy). I am a domain admin and these policies are not working for me
>either.
>
>Policies setup
>Password Policies: (not currently working)
>Computer Configuration / Windows Settings / Security Settings /
>Account Policies / Password Policy
>set to: 6 remembered, min age 1 day, max age 42 days, min length 8
>characters
>Interactive logon:prompt user to change password before expiration
>set to: 5 days
>
>LogOff Script: (Working)
>User Configuration / Windows Settings / Scripts
>Logoff.bat
>
>Now I come to look at it, all the GPOs that are not working are all
>Computer Configuration.
>
>Any clues what might be going on?
>
>Thanks
>David
>
>
>On Tue, 13 Apr 2004 15:00:03 -0700, "Derek Melber [MVP]"
><derekm@braincore.net> wrote:
>
>>What is the config of the OUs and GPOs (links, settings, etc). Also, where
>>do the user and computer accounts live that are in question?
>>
>>--
>>Derek Melber
>>BrainCore.Net
>>derekm@braincore.net
>>"David Stal" <None@guesswhere.sk> wrote in message
>>news:b5ho70psstjkbtcnhauc86vq04pg4u7k6d@4ax.com...
>>> Hi all
>>> I have created 6 group polices on a DC but only 1 is being updated and
>>> enforced on any of the workstations (XP and 2k).
>>>
>>> GPResult says that all 6 were applied to all the XP machine I've
>>> checked. I have verified that all 6 are setup identically
>>> (security/permissions etc.) other than the GP properties of course.
>>>
>>> One of the policies not being updated is the password restrictions
>>> (enforce history 6 passwords, max password age 42 days, min password
>>> age 1 day, min password length 8 chars). However, users can change
>>> their blank password to blank as many times a day as they wish. I need
>>> to fix this!!
>>>
>>> Any help will be appreciated.
>>>
>>> Thanks
>>> David
>>>
>>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

you say there are NO LINKS? Do you really mean that? I assume not.

Do you have ANY block policy inheritance on the OUs?

I am also wondering if the SYSVOL issue is something here? Are you getting
ANY FRS problems or events on the DCs? I think we need to 100% verify FRS is
working first, then see about the GPOs. If the GPUPDATE is saying that all
GPOs are empty... that is troubling. How many DCs?

--
Derek Melber
BrainCore.Net
derekm@braincore.net
"David Stal" <None@guesswhere.sk> wrote in message
news:gtjq709svgph5kvha61mhnts071m9dv4ld@4ax.com...
> Additional: This AM GPUpdate is now showing the 5 GPOs as "filtering:
> Not Applied (empty) on the XP machines
>
> And the event log is listing several Userenv errors when updating the
> policies (Events 1030, 1058, 1091, 1085)
>
> I'm really beginning to dislike group policies. :)o|
>
> BTW, a while ago all SYSVOL contents got deleted due to a linked copy
> being created via a test tape restore. I fixed it with LINKD and
> recreated all polices from scratch.
>
>
>
> On Wed, 14 Apr 2004 08:39:37 -0500, David Stal <None@guesswhere.sk>
> wrote:
>
> >All GPOs reside at the domain level (AD Users and Computers / Domain.
> >All users are in various OUs beneath this.
> >
> >There are no links
> >Default security (authenticated users have Read and Apply Group
> >Policy). I am a domain admin and these policies are not working for me
> >either.
> >
> >Policies setup
> >Password Policies: (not currently working)
> >Computer Configuration / Windows Settings / Security Settings /
> >Account Policies / Password Policy
> >set to: 6 remembered, min age 1 day, max age 42 days, min length 8
> >characters
> >Interactive logon:prompt user to change password before expiration
> >set to: 5 days
> >
> >LogOff Script: (Working)
> >User Configuration / Windows Settings / Scripts
> >Logoff.bat
> >
> >Now I come to look at it, all the GPOs that are not working are all
> >Computer Configuration.
> >
> >Any clues what might be going on?
> >
> >Thanks
> >David
> >
> >
> >On Tue, 13 Apr 2004 15:00:03 -0700, "Derek Melber [MVP]"
> ><derekm@braincore.net> wrote:
> >
> >>What is the config of the OUs and GPOs (links, settings, etc). Also,
where
> >>do the user and computer accounts live that are in question?
> >>
> >>--
> >>Derek Melber
> >>BrainCore.Net
> >>derekm@braincore.net
> >>"David Stal" <None@guesswhere.sk> wrote in message
> >>news:b5ho70psstjkbtcnhauc86vq04pg4u7k6d@4ax.com...
> >>> Hi all
> >>> I have created 6 group polices on a DC but only 1 is being updated and
> >>> enforced on any of the workstations (XP and 2k).
> >>>
> >>> GPResult says that all 6 were applied to all the XP machine I've
> >>> checked. I have verified that all 6 are setup identically
> >>> (security/permissions etc.) other than the GP properties of course.
> >>>
> >>> One of the policies not being updated is the password restrictions
> >>> (enforce history 6 passwords, max password age 42 days, min password
> >>> age 1 day, min password length 8 chars). However, users can change
> >>> their blank password to blank as many times a day as they wish. I need
> >>> to fix this!!
> >>>
> >>> Any help will be appreciated.
> >>>
> >>> Thanks
> >>> David
> >>>
> >>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Sorry, links has
Domain
Domain/CompanyOU <- this where I applied the GPO <Blush>I
didn't hit the Find now button </BLUSH>

No Blocks at all

FRS is working (netlogon is replicating between DCs) and nothing in
the event logs.

2 DCs

Correction: 5 of 6 are coming back "empty" in GPUPDATE. 1 is updating
OK


On Wed, 14 Apr 2004 11:44:44 -0700, "Derek Melber [MVP]"
<derekm@braincore.net> wrote:

>you say there are NO LINKS? Do you really mean that? I assume not.
>
>Do you have ANY block policy inheritance on the OUs?
>
>I am also wondering if the SYSVOL issue is something here? Are you getting
>ANY FRS problems or events on the DCs? I think we need to 100% verify FRS is
>working first, then see about the GPOs. If the GPUPDATE is saying that all
>GPOs are empty... that is troubling. How many DCs?
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

David,

Let me make sure I understand what you have:

Domain level:
Default Domain GPO with default settings

CompanyOU:
GPO1
GPO2
GPO3
GPO4
GPO5
GPO6

User and computer accounts are scattered in the OUs, but some are in the
CompanyOU.
Only one of the GPOs from the CompanyOU level are applying to the computer
accounts that reside in the CompanyOU.
The other 5 indicate that the GPO is <empty>.

This indicates to me that you have not configured ANY GPO settings in these
other GPOs. I know that sounds strange... but this is what it is telling me.
The other possibility is that you have filtered out all user and computer
accoutns from applying these 5 GPOs? Have you checked the filters (ACL) on
the GPOs?

--
Derek Melber
BrainCore.Net
derekm@braincore.net
"David Stal" <None@guesswhere.sk> wrote in message
news:5c2r701lbpss2oco1g1ohrh13i48jmb5pq@4ax.com...
> Sorry, links has
> Domain
> Domain/CompanyOU <- this where I applied the GPO <Blush>I
> didn't hit the Find now button </BLUSH>
>
> No Blocks at all
>
> FRS is working (netlogon is replicating between DCs) and nothing in
> the event logs.
>
> 2 DCs
>
> Correction: 5 of 6 are coming back "empty" in GPUPDATE. 1 is updating
> OK
>
>
> On Wed, 14 Apr 2004 11:44:44 -0700, "Derek Melber [MVP]"
> <derekm@braincore.net> wrote:
>
> >you say there are NO LINKS? Do you really mean that? I assume not.
> >
> >Do you have ANY block policy inheritance on the OUs?
> >
> >I am also wondering if the SYSVOL issue is something here? Are you
getting
> >ANY FRS problems or events on the DCs? I think we need to 100% verify FRS
is
> >working first, then see about the GPOs. If the GPUPDATE is saying that
all
> >GPOs are empty... that is troubling. How many DCs?
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

You understand it correctly, except all users are in Department OUs
under CopmanyOU

ACLs on the GPOs: Athenticated users have read and Apply Group Policy.
unless filtering is handled else where?

All of the GPOs do have settings, specifically the password policy I
detailed earlier. Unless you mean something else by that. :eek:)




On Wed, 14 Apr 2004 13:07:02 -0700, "Derek Melber [MVP]"
<derekm@braincore.net> wrote:

>David,
>
>Let me make sure I understand what you have:
>
>Domain level:
>Default Domain GPO with default settings
>
>CompanyOU:
>GPO1
>GPO2
>GPO3
>GPO4
>GPO5
>GPO6
>
>User and computer accounts are scattered in the OUs, but some are in the
>CompanyOU.
>Only one of the GPOs from the CompanyOU level are applying to the computer
>accounts that reside in the CompanyOU.
>The other 5 indicate that the GPO is <empty>.
>
>This indicates to me that you have not configured ANY GPO settings in these
>other GPOs. I know that sounds strange... but this is what it is telling me.
>The other possibility is that you have filtered out all user and computer
>accoutns from applying these 5 GPOs? Have you checked the filters (ACL) on
>the GPOs?
>
>--
>Derek Melber
>BrainCore.Net
>derekm@braincore.net
>"David Stal" <None@guesswhere.sk> wrote in message
>news:5c2r701lbpss2oco1g1ohrh13i48jmb5pq@4ax.com...
>> Sorry, links has
>> Domain
>> Domain/CompanyOU <- this where I applied the GPO <Blush>I
>> didn't hit the Find now button </BLUSH>
>>
>> No Blocks at all
>>
>> FRS is working (netlogon is replicating between DCs) and nothing in
>> the event logs.
>>
>> 2 DCs
>>
>> Correction: 5 of 6 are coming back "empty" in GPUPDATE. 1 is updating
>> OK
>>
>>
>> On Wed, 14 Apr 2004 11:44:44 -0700, "Derek Melber [MVP]"
>> <derekm@braincore.net> wrote:
>>
>> >you say there are NO LINKS? Do you really mean that? I assume not.
>> >
>> >Do you have ANY block policy inheritance on the OUs?
>> >
>> >I am also wondering if the SYSVOL issue is something here? Are you
>getting
>> >ANY FRS problems or events on the DCs? I think we need to 100% verify FRS
>is
>> >working first, then see about the GPOs. If the GPUPDATE is saying that
>all
>> >GPOs are empty... that is troubling. How many DCs?
>>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Ok, thanks for that info!

If you have 6 GPOs applied to one OU, all with Password policies, then you
will only get one Password policy result. The one at the top of the list
(the highest priority).

--
Derek Melber
BrainCore.Net
derekm@braincore.net
"David Stal" <None@guesswhere.sk> wrote in message
news:ul7r701d0ch8j918t5ps2m2kme4h6ae9sc@4ax.com...
> You understand it correctly, except all users are in Department OUs
> under CopmanyOU
>
> ACLs on the GPOs: Athenticated users have read and Apply Group Policy.
> unless filtering is handled else where?
>
> All of the GPOs do have settings, specifically the password policy I
> detailed earlier. Unless you mean something else by that. :eek:)
>
>
>
>
> On Wed, 14 Apr 2004 13:07:02 -0700, "Derek Melber [MVP]"
> <derekm@braincore.net> wrote:
>
> >David,
> >
> >Let me make sure I understand what you have:
> >
> >Domain level:
> >Default Domain GPO with default settings
> >
> >CompanyOU:
> >GPO1
> >GPO2
> >GPO3
> >GPO4
> >GPO5
> >GPO6
> >
> >User and computer accounts are scattered in the OUs, but some are in the
> >CompanyOU.
> >Only one of the GPOs from the CompanyOU level are applying to the
computer
> >accounts that reside in the CompanyOU.
> >The other 5 indicate that the GPO is <empty>.
> >
> >This indicates to me that you have not configured ANY GPO settings in
these
> >other GPOs. I know that sounds strange... but this is what it is telling
me.
> >The other possibility is that you have filtered out all user and computer
> >accoutns from applying these 5 GPOs? Have you checked the filters (ACL)
on
> >the GPOs?
> >
> >--
> >Derek Melber
> >BrainCore.Net
> >derekm@braincore.net
> >"David Stal" <None@guesswhere.sk> wrote in message
> >news:5c2r701lbpss2oco1g1ohrh13i48jmb5pq@4ax.com...
> >> Sorry, links has
> >> Domain
> >> Domain/CompanyOU <- this where I applied the GPO <Blush>I
> >> didn't hit the Find now button </BLUSH>
> >>
> >> No Blocks at all
> >>
> >> FRS is working (netlogon is replicating between DCs) and nothing in
> >> the event logs.
> >>
> >> 2 DCs
> >>
> >> Correction: 5 of 6 are coming back "empty" in GPUPDATE. 1 is updating
> >> OK
> >>
> >>
> >> On Wed, 14 Apr 2004 11:44:44 -0700, "Derek Melber [MVP]"
> >> <derekm@braincore.net> wrote:
> >>
> >> >you say there are NO LINKS? Do you really mean that? I assume not.
> >> >
> >> >Do you have ANY block policy inheritance on the OUs?
> >> >
> >> >I am also wondering if the SYSVOL issue is something here? Are you
> >getting
> >> >ANY FRS problems or events on the DCs? I think we need to 100% verify
FRS
> >is
> >> >working first, then see about the GPOs. If the GPUPDATE is saying that
> >all
> >> >GPOs are empty... that is troubling. How many DCs?
> >>
> >
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

All 6 policies are different. One does password restrictions, another
one does auditing, another one clears the last logged on user ID, etc.


On Wed, 14 Apr 2004 14:11:34 -0700, "Derek Melber [MVP]"
<derekm@braincore.net> wrote:

>Ok, thanks for that info!
>
>If you have 6 GPOs applied to one OU, all with Password policies, then you
>will only get one Password policy result. The one at the top of the list
>(the highest priority).
>
>--
>Derek Melber
>BrainCore.Net
>derekm@braincore.net
>"David Stal" <None@guesswhere.sk> wrote in message
>news:ul7r701d0ch8j918t5ps2m2kme4h6ae9sc@4ax.com...
>> You understand it correctly, except all users are in Department OUs
>> under CopmanyOU
>>
>> ACLs on the GPOs: Athenticated users have read and Apply Group Policy.
>> unless filtering is handled else where?
>>
>> All of the GPOs do have settings, specifically the password policy I
>> detailed earlier. Unless you mean something else by that. :eek:)
>>
>>
>>
>>
>> On Wed, 14 Apr 2004 13:07:02 -0700, "Derek Melber [MVP]"
>> <derekm@braincore.net> wrote:
>>
>> >David,
>> >
>> >Let me make sure I understand what you have:
>> >
>> >Domain level:
>> >Default Domain GPO with default settings
>> >
>> >CompanyOU:
>> >GPO1
>> >GPO2
>> >GPO3
>> >GPO4
>> >GPO5
>> >GPO6
>> >
>> >User and computer accounts are scattered in the OUs, but some are in the
>> >CompanyOU.
>> >Only one of the GPOs from the CompanyOU level are applying to the
>computer
>> >accounts that reside in the CompanyOU.
>> >The other 5 indicate that the GPO is <empty>.
>> >
>> >This indicates to me that you have not configured ANY GPO settings in
>these
>> >other GPOs. I know that sounds strange... but this is what it is telling
>me.
>> >The other possibility is that you have filtered out all user and computer
>> >accoutns from applying these 5 GPOs? Have you checked the filters (ACL)
>on
>> >the GPOs?
>> >
>> >--
>> >Derek Melber
>> >BrainCore.Net
>> >derekm@braincore.net
>> >"David Stal" <None@guesswhere.sk> wrote in message
>> >news:5c2r701lbpss2oco1g1ohrh13i48jmb5pq@4ax.com...
>> >> Sorry, links has
>> >> Domain
>> >> Domain/CompanyOU <- this where I applied the GPO <Blush>I
>> >> didn't hit the Find now button </BLUSH>
>> >>
>> >> No Blocks at all
>> >>
>> >> FRS is working (netlogon is replicating between DCs) and nothing in
>> >> the event logs.
>> >>
>> >> 2 DCs
>> >>
>> >> Correction: 5 of 6 are coming back "empty" in GPUPDATE. 1 is updating
>> >> OK
>> >>
>> >>
>> >> On Wed, 14 Apr 2004 11:44:44 -0700, "Derek Melber [MVP]"
>> >> <derekm@braincore.net> wrote:
>> >>
>> >> >you say there are NO LINKS? Do you really mean that? I assume not.
>> >> >
>> >> >Do you have ANY block policy inheritance on the OUs?
>> >> >
>> >> >I am also wondering if the SYSVOL issue is something here? Are you
>> >getting
>> >> >ANY FRS problems or events on the DCs? I think we need to 100% verify
>FRS
>> >is
>> >> >working first, then see about the GPOs. If the GPUPDATE is saying that
>> >all
>> >> >GPOs are empty... that is troubling. How many DCs?
>> >>
>> >
>>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

David,

The only things that I can think of that could be causing this to fail are:

1) filtering of the GPO ACL
2) no override

I can't see why anything else would be causing this behavior.

--
Derek Melber
BrainCore.Net
derekm@braincore.net
"David Stal" <None@guesswhere.sk> wrote in message
news:2jbt70d9er2teec8ndtb49g43mnl00faid@4ax.com...
> All 6 policies are different. One does password restrictions, another
> one does auditing, another one clears the last logged on user ID, etc.
>
>
> On Wed, 14 Apr 2004 14:11:34 -0700, "Derek Melber [MVP]"
> <derekm@braincore.net> wrote:
>
> >Ok, thanks for that info!
> >
> >If you have 6 GPOs applied to one OU, all with Password policies, then
you
> >will only get one Password policy result. The one at the top of the list
> >(the highest priority).
> >
> >--
> >Derek Melber
> >BrainCore.Net
> >derekm@braincore.net
> >"David Stal" <None@guesswhere.sk> wrote in message
> >news:ul7r701d0ch8j918t5ps2m2kme4h6ae9sc@4ax.com...
> >> You understand it correctly, except all users are in Department OUs
> >> under CopmanyOU
> >>
> >> ACLs on the GPOs: Athenticated users have read and Apply Group Policy.
> >> unless filtering is handled else where?
> >>
> >> All of the GPOs do have settings, specifically the password policy I
> >> detailed earlier. Unless you mean something else by that. :eek:)
> >>
> >>
> >>
> >>
> >> On Wed, 14 Apr 2004 13:07:02 -0700, "Derek Melber [MVP]"
> >> <derekm@braincore.net> wrote:
> >>
> >> >David,
> >> >
> >> >Let me make sure I understand what you have:
> >> >
> >> >Domain level:
> >> >Default Domain GPO with default settings
> >> >
> >> >CompanyOU:
> >> >GPO1
> >> >GPO2
> >> >GPO3
> >> >GPO4
> >> >GPO5
> >> >GPO6
> >> >
> >> >User and computer accounts are scattered in the OUs, but some are in
the
> >> >CompanyOU.
> >> >Only one of the GPOs from the CompanyOU level are applying to the
> >computer
> >> >accounts that reside in the CompanyOU.
> >> >The other 5 indicate that the GPO is <empty>.
> >> >
> >> >This indicates to me that you have not configured ANY GPO settings in
> >these
> >> >other GPOs. I know that sounds strange... but this is what it is
telling
> >me.
> >> >The other possibility is that you have filtered out all user and
computer
> >> >accoutns from applying these 5 GPOs? Have you checked the filters
(ACL)
> >on
> >> >the GPOs?
> >> >
> >> >--
> >> >Derek Melber
> >> >BrainCore.Net
> >> >derekm@braincore.net
> >> >"David Stal" <None@guesswhere.sk> wrote in message
> >> >news:5c2r701lbpss2oco1g1ohrh13i48jmb5pq@4ax.com...
> >> >> Sorry, links has
> >> >> Domain
> >> >> Domain/CompanyOU <- this where I applied the GPO <Blush>I
> >> >> didn't hit the Find now button </BLUSH>
> >> >>
> >> >> No Blocks at all
> >> >>
> >> >> FRS is working (netlogon is replicating between DCs) and nothing in
> >> >> the event logs.
> >> >>
> >> >> 2 DCs
> >> >>
> >> >> Correction: 5 of 6 are coming back "empty" in GPUPDATE. 1 is
updating
> >> >> OK
> >> >>
> >> >>
> >> >> On Wed, 14 Apr 2004 11:44:44 -0700, "Derek Melber [MVP]"
> >> >> <derekm@braincore.net> wrote:
> >> >>
> >> >> >you say there are NO LINKS? Do you really mean that? I assume not.
> >> >> >
> >> >> >Do you have ANY block policy inheritance on the OUs?
> >> >> >
> >> >> >I am also wondering if the SYSVOL issue is something here? Are you
> >> >getting
> >> >> >ANY FRS problems or events on the DCs? I think we need to 100%
verify
> >FRS
> >> >is
> >> >> >working first, then see about the GPOs. If the GPUPDATE is saying
that
> >> >all
> >> >> >GPOs are empty... that is troubling. How many DCs?
> >> >>
> >> >
> >>
> >
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Thanks anyway . :eek:)

I guess I'll just have to break down and call micro$oft.



On Thu, 15 Apr 2004 14:22:05 -0700, "Derek Melber [MVP]"
<derekm@braincore.net> wrote:

>David,
>
>The only things that I can think of that could be causing this to fail are:
>
>1) filtering of the GPO ACL
>2) no override
>
>I can't see why anything else would be causing this behavior.
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Called MS and after 2 1/2 hours and 3 levels of support later it
turned out that when the contents of SYSVOL was deleted it cleaned out
all my default domain policies. They told me password policies can
only be applied against this policy, hense it stopped working.

Anyhoo, they emailed me a fix recreateDefPol.exe and that fixed the
problem.

However it also broke my exchange server, I had to run Domain Prep to
get it back up.

Well everything is working now and I'm happy, if not $250US poorer.
:eek:)



On Fri, 16 Apr 2004 08:06:28 -0500, David Stal <None@guesswhere.sk>
wrote:

>Thanks anyway . :eek:)
>
>I guess I'll just have to break down and call micro$oft.
>
>
>
>On Thu, 15 Apr 2004 14:22:05 -0700, "Derek Melber [MVP]"
><derekm@braincore.net> wrote:
>
>>David,
>>
>>The only things that I can think of that could be causing this to fail are:
>>
>>1) filtering of the GPO ACL
>>2) no override
>>
>>I can't see why anything else would be causing this behavior.
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

David,

Thanks for the update, sorry it came to this. However, I don't recall
discussing that the contents of Sysvol got deleted?

Also, can you send me a copy of that EXE? I would love to have that on hand.
Thx

--
Derek Melber
BrainCore.Net
derekm@braincore.net
"David Stal" <None@guesswhere.sk> wrote in message
news:ndtc80h1ob8j9g3f7kdo5mhf7ulpnpuim0@4ax.com...
> Called MS and after 2 1/2 hours and 3 levels of support later it
> turned out that when the contents of SYSVOL was deleted it cleaned out
> all my default domain policies. They told me password policies can
> only be applied against this policy, hense it stopped working.
>
> Anyhoo, they emailed me a fix recreateDefPol.exe and that fixed the
> problem.
>
> However it also broke my exchange server, I had to run Domain Prep to
> get it back up.
>
> Well everything is working now and I'm happy, if not $250US poorer.
> :eek:)
>
>
>
> On Fri, 16 Apr 2004 08:06:28 -0500, David Stal <None@guesswhere.sk>
> wrote:
>
> >Thanks anyway . :eek:)
> >
> >I guess I'll just have to break down and call micro$oft.
> >
> >
> >
> >On Thu, 15 Apr 2004 14:22:05 -0700, "Derek Melber [MVP]"
> ><derekm@braincore.net> wrote:
> >
> >>David,
> >>
> >>The only things that I can think of that could be causing this to fail
are:
> >>
> >>1) filtering of the GPO ACL
> >>2) no override
> >>
> >>I can't see why anything else would be causing this behavior.
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

David,

Sorry, to much water under the bridge.. I now see our discussion of the
Sysvol!

--
Derek Melber
BrainCore.Net
derekm@braincore.net
"David Stal" <None@guesswhere.sk> wrote in message
news:ndtc80h1ob8j9g3f7kdo5mhf7ulpnpuim0@4ax.com...
> Called MS and after 2 1/2 hours and 3 levels of support later it
> turned out that when the contents of SYSVOL was deleted it cleaned out
> all my default domain policies. They told me password policies can
> only be applied against this policy, hense it stopped working.
>
> Anyhoo, they emailed me a fix recreateDefPol.exe and that fixed the
> problem.
>
> However it also broke my exchange server, I had to run Domain Prep to
> get it back up.
>
> Well everything is working now and I'm happy, if not $250US poorer.
> :eek:)
>
>
>
> On Fri, 16 Apr 2004 08:06:28 -0500, David Stal <None@guesswhere.sk>
> wrote:
>
> >Thanks anyway . :eek:)
> >
> >I guess I'll just have to break down and call micro$oft.
> >
> >
> >
> >On Thu, 15 Apr 2004 14:22:05 -0700, "Derek Melber [MVP]"
> ><derekm@braincore.net> wrote:
> >
> >>David,
> >>
> >>The only things that I can think of that could be causing this to fail
are:
> >>
> >>1) filtering of the GPO ACL
> >>2) no override
> >>
> >>I can't see why anything else would be causing this behavior.
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Derek
I've Attached the file.

Thanks again



On Thu, 22 Apr 2004 08:18:28 -0700, "Derek Melber [MVP]"
<derekm@braincore.net> wrote:

>David,
>
>Thanks for the update, sorry it came to this. However, I don't recall
>discussing that the contents of Sysvol got deleted?
>
>Also, can you send me a copy of that EXE? I would love to have that on hand.
>Thx
>
>--
>Derek Melber
>BrainCore.Net
>derekm@braincore.net
>"David Stal" <None@guesswhere.sk> wrote in message
>news:ndtc80h1ob8j9g3f7kdo5mhf7ulpnpuim0@4ax.com...
>> Called MS and after 2 1/2 hours and 3 levels of support later it
>> turned out that when the contents of SYSVOL was deleted it cleaned out
>> all my default domain policies. They told me password policies can
>> only be applied against this policy, hense it stopped working.
>>
>> Anyhoo, they emailed me a fix recreateDefPol.exe and that fixed the
>> problem.
>>
>> However it also broke my exchange server, I had to run Domain Prep to
>> get it back up.
>>
>> Well everything is working now and I'm happy, if not $250US poorer.
>> :eek:)
>>
>>
>>
>> On Fri, 16 Apr 2004 08:06:28 -0500, David Stal <None@guesswhere.sk>
>> wrote:
>>
>> >Thanks anyway . :eek:)
>> >
>> >I guess I'll just have to break down and call micro$oft.
>> >
>> >
>> >
>> >On Thu, 15 Apr 2004 14:22:05 -0700, "Derek Melber [MVP]"
>> ><derekm@braincore.net> wrote:
>> >
>> >>David,
>> >>
>> >>The only things that I can think of that could be causing this to fail
>are:
>> >>
>> >>1) filtering of the GPO ACL
>> >>2) no override
>> >>
>> >>I can't see why anything else would be causing this behavior.
>>
>