GPResult "Computer Settings"

    Question

  • Where are these derived from? I mean where RSOP thinks it's getting the GPO settings from, not the GPO settings themselves, i.e. (in bold):

    RSOP data for testadservs\xilan on PC1 : Logging Mode
    ---------------------------------------------------------------

    OS Configuration:            Member Server
    OS Version:                  6.1.7600
    Site Name:                   N/A
    Roaming Profile:             N/A
    Local Profile:               C:\Users\xilan

    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=PC1,CN=Computers,DC=testadservs,DC=net
        Last time Group Policy was applied: 1/5/2010 at 9:27:46 PM
        Group Policy was applied from:      OLDDC1.testadservs.net
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        PC1
        Domain Type:                        <Local Computer>


    OLDDC1 was from a legacy installation of 2008R2/AD. It has never existed in this implementation, and as such, I am curious where PC1 is getting that as a server which the "Group Policy was applied from: " if it doesn't exist. The current DC (only one in the environment) is DC1. I also am wondering why it does not show the domain that it is clearly a member of given I'm logged in with domain credentials as we speak. I cannot get the GPOs to actually apply and I suspect strongly that it is due to this information being either incorrect or not being legitimately obtained by the member server.

    I've asked this question on a couple different boards and no one seems to have the answer.

    In addition, user GPOs work as anticipated; only computer objects seem to be failing.

    Wednesday, January 06, 2010 2:32 AM

All replies

  • Hi,

    So OLDDC1 never existed in the Domain, or was it a part of the Domain earlier and was removed later?

    If a Machine is still taking the Policies from that Server then it means we have some records of this Machine in AD and DNS. Can you please refer to this Article (http://support.microsoft.com/kb/216498) and check if there are no Stale Records of this Machine existing in the Domain.

    Similarly, under DNS Console drill down and check if there are any records pertaining to this DC.

    Also provide us with the additional info --

    How many Domain Controllers are there at present in the Domain?
    Is this issue occurring on all the Machines or some specific ones?
    Are you getting any Group Policy Events in the Event Viewer ?

    Revert back with the info.

    Thanks,
    Nitin
    Wednesday, January 06, 2010 4:00 PM
  • Hello,

    Thank you for your post here.

    Sloth8 is right. If you are not sure whether there is a ghost DC in the domain, you may consider running Dcdiag and Netdiag to verify whether there are stale NTDS records and SRV records in the domain.

    If you have any questions or concerns, please do not hesitate to let us know.
    Thursday, January 07, 2010 5:23 AM
  • Hi guys,

    OLDDC1 was never part of the existing domain.  It was the PDC of the former domain, before reinstalling Windows.  I dcpromo'd/demoted/deleted the domain before the reinstall, however.

    There is only one domain controller.  The issue is on all machines.  The only group policy event is GP Core failed on the machines.

    I reinstalled Windows (unfortunately over an old instance, didn't have any option at the time) and this issue persists.  It is the reason I reinstalled Windows 2008 R2 to begin with.

    Netdiag is not included in this version so unfortunately, I can't run it.  DCDiag reports no errors whatsoever.  There is one error that I cannot get rid of in the DNS - eventid 4010, "The DNS server was unable to create a resource record for c9ba306f-70cc-468b-bde0-6c4433308fc0._msdcs.testadservs.net in zone testadservs.net."  I manually created the entry and it does resolve to the PDC.


    Thanks for your help.
    Thursday, January 07, 2010 9:06 PM
  • Additionally, metadata cleanup reveals no entry of OLDDC1.  When selecting operation targets, I only see DC1 (the current PDC).  No other sites/domains/etc. besides those that belong.  Basically, there's nothing residual found here.
    Thursday, January 07, 2010 9:08 PM
  • Hi,

    Can you post the Full Gpresult /v from a Client Machine here. I would like to take a look at it.

    Also try this on Client Machine --

    Rename 'Ntuser.pol' file present in the User Profile and reboot the Client Machine. See if it makes any difference. Sometimes the Old Group Policies get tattooed in this File.

    Please confirm this statement once again --  "You reinstalled Windows 2008 R2, promoted the Server as a DC in a New Forest and then added the Client Machines to the Domain".

    Revert back with the info.

    cheers,
    Nitin
    Friday, January 08, 2010 9:44 AM
  • Hi Nitin,

    Here's the GPResult -

    PS C:\Users\adm-xilan> gpresult /v

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 1/8/2010 at 5:36:40 PM


    RSOP data for testadservs\adm-xilan on PC5 : Logging Mode
    ---------------------------------------------------------------

    OS Configuration:            Member Server
    OS Version:                  6.0.6002
    Site Name:                   N/A
    Roaming Profile:             N/A
    Local Profile:               C:\Users\adm-xilan
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=PC5,CN=Computers,DC=testadservs,DC=net
        Last time Group Policy was applied: 1/8/2010 at 5:32:18 PM
        Group Policy was applied from:      N/A
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        26L2233A3-11
        Domain Type:                        WindowsNT 4

        Applied Group Policy Objects
        -----------------------------
            N/A

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            NT AUTHORITY\Authenticated Users
            System Mandatory Level

        Resultant Set Of Policies for Computer
        ---------------------------------------

            Software Installations
            ----------------------
                N/A

            Startup Scripts
            ---------------
                N/A

            Shutdown Scripts
            ----------------
                N/A

            Account Policies
            ----------------
                N/A

            Audit Policy
            ------------
                N/A

            User Rights
            -----------
                N/A

            Security Options
            ----------------
                N/A

                N/A

            Event Log Settings
            ------------------
                N/A

            Restricted Groups
            -----------------
                N/A

            System Services
            ---------------
                N/A

            Registry Settings
            -----------------
                N/A

            File System Settings
            --------------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                N/A


    USER SETTINGS
    --------------
        CN=Xilan Admin,OU=UserOrganization,DC=testadservs,DC=net
        Last time Group Policy was applied: 1/8/2010 at 5:32:18 PM
        Group Policy was applied from:      PDC1.testadservs.net
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        testadservs
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            N/A

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            testadservs Default Domain Policy
                Filtering:  Disabled (GPO)

            Local Group Policy
                Filtering:  Not Applied (Empty)

            RemoteAccess
                Filtering:  Disabled (GPO)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            PLUS ADMINS
            BUILTIN\Administrators
            BUILTIN\Users
            REMOTE INTERACTIVE LOGON
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Group Policy Creator Owners
            Domain Admins
            LentechWindowsAdmins
            Schema Admins
            Enterprise Admins
            DHCP Administrators
            Denied RODC Password Replication Group
            DnsAdmins
            High Mandatory Level

        The user has the following security privileges
        ----------------------------------------------


        Resultant Set Of Policies for User
        -----------------------------------

            Software Installations
            ----------------------
                N/A

            Logon Scripts
            -------------
                N/A

            Logoff Scripts
            --------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                N/A

            Folder Redirection
            ------------------
                N/A

            Internet Explorer Browser User Interface
            ----------------------------------------
                N/A

            Internet Explorer Connection
            ----------------------------
                N/A

            Internet Explorer URLs
            ----------------------
                N/A

            Internet Explorer Security
            --------------------------
                N/A

            Internet Explorer Programs
            --------------------------
                N/A

    It is not pulling user policy because there is not one currently present - if I change any values, it pulls them down.

    I reinstalled Windows 2008 R2 (over an old installation, unfortunately, renaming the old instance to Windows.old).  I installed AD DS and promoted PDC1 (which was OLDDC1 as well) in a brand new forest (though of the same name as the original) and then readded client machines to the new domain.  Everything else about the domain works - authentication, etc.

    There was no ntuser.pol file to change. Renamed ntuser.dat, trying that now. 

    Friday, January 08, 2010 10:45 PM
  • Renaming NTUSER.DAT had no effect. :(
    Friday, January 08, 2010 10:58 PM
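
An added example, not part of the thread: a small parser for saved `gpresult /v` output that flags the symptom shown in the posts above, where the computer scope reports no (or an unexpected) source DC and a "Domain Name" that does not match the computer's own distinguished name. The function names and the `known_dcs` allowlist are hypothetical, and the sample is constructed by trimming the output posted above.

```python
import re

# Constructed sample, trimmed from the gpresult /v output posted in the thread.
SAMPLE = """\
COMPUTER SETTINGS
    CN=PC5,CN=Computers,DC=testadservs,DC=net
    Group Policy was applied from:      N/A
    Domain Name:                        26L2233A3-11
    Domain Type:                        WindowsNT 4
USER SETTINGS
    CN=Xilan Admin,OU=UserOrganization,DC=testadservs,DC=net
    Group Policy was applied from:      PDC1.testadservs.net
    Domain Name:                        testadservs
    Domain Type:                        Windows 2000
"""

FIELDS = ("Group Policy was applied from", "Domain Name", "Domain Type")

def parse_scopes(text):
    """Return {"computer": {...}, "user": {...}} with the DN and header fields."""
    scopes, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s in ("COMPUTER SETTINGS", "USER SETTINGS"):
            current = scopes.setdefault(s.split()[0].lower(), {})
        elif current is not None:
            if "dn" not in current and s.startswith("CN="):
                current["dn"] = s  # first DN line after the scope header
            for f in FIELDS:
                if s.startswith(f + ":"):
                    current.setdefault(f, s[len(f) + 1:].strip())
    return scopes

def dn_domain(dn):
    """First DC= component of a distinguished name, lowercased."""
    m = re.search(r"DC=([^,]+)", dn or "")
    return m.group(1).lower() if m else None

def findings(scopes, known_dcs):
    """Flag scopes whose source DC or Domain Name is inconsistent (known_dcs: assumed allowlist)."""
    out = []
    for name, s in scopes.items():
        src = s.get("Group Policy was applied from", "N/A")
        if src == "N/A":
            out.append((name, "no source DC reported"))
        elif src.lower() not in known_dcs:
            out.append((name, "unexpected source DC: " + src))
        if s.get("Domain Name", "").lower() != dn_domain(s.get("dn")):
            out.append((name, "Domain Name does not match DN: " + s.get("Domain Name", "")))
    return out
```

Call `findings(parse_scopes(text), {"pdc1.testadservs.net"})` on each machine's saved output; an empty list means both scopes agree with the directory name and the expected DC.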