Hello Everyone, I have a problem with Group Policy in Server 2008 R2 after reformatting the Primary Domain Controller.

    Question

  • Hi there,

    I am hoping to have some suggestions from experts. Here is the story of my problem.

    I had 3 domain controllers. I had to format my primary DC to add a hard disk because the MBR partition style does not support more than 2 TB, so I had to change it to GPT. I gracefully transferred all FSMO roles to dc2 and reformatted dc1 (the primary DC), restored all data and joined it to the domain as a secondary DC with the same computer name. Again I transferred all FSMO roles from dc2 to dc1 gracefully. All was going well, but now I realize that I am having a problem with Group Policy: when I remove any policy from dc1, it works, but adding a new group policy is not replicated to the clients that were joined to the domain before I formatted the primary DC. I have deployed many software packages via group policy. Whenever I remove a policy it takes effect on all client computers, but adding a new one only works on new client machines (fresh to the domain).

    Need help.

    Thank you
    Satish.


    Tuesday, February 24, 2015 11:22 AM

All replies

  • Have you manually forced gpupdate on the client PCs?
    Tuesday, February 24, 2015 11:41 AM
  • Yes, many times. Whenever I run rsop.msc on client machines, it shows only the old group policies, which are actually deleted from the primary DC.
    Tuesday, February 24, 2015 11:44 AM
  • Coming out of the domain and rejoining the domain should resolve the issue.

    Have you tried to delete old GPOs on clients?

    Tuesday, February 24, 2015 12:09 PM
  • Yes, I had tried rejoining the domain many times but it did not resolve the problem. I had tried to remove currently applied policies from the registry but it did not work. Is there any other way to remove old group policy from the client?
    Tuesday, February 24, 2015 5:05 PM
  • Yes, I had tried rejoining the domain many times but it did not resolve the problem. I had tried to remove currently applied policies from the registry but it did not work. Is there any other way to remove old group policy from the client?

    Could you try this one?

    This solution is dependent upon the machine in question being disjoined from the domain. If it is NOT disjoined from the domain via the OS, then this will NOT work. After the machine is disjoined from the DC (Domain Controller),

    log in using the local (machine) administrator account.

    Go to Start > Run, type 'cmd' (without the quotes) and press Enter.

    Type 'gpupdate /force /boot' and press Enter.

    Once it's complete, reboot. The old group policy is gone.

    Tuesday, February 24, 2015 7:02 PM
  • I had removed the client computer from the domain to a workgroup, logged in with the local administrator account, ran gpupdate /force /boot, restarted, logged in with the administrator account and then joined the domain again with the domain user's account, but still no new policies have been applied. I looked at the applied policies (rsop.msc): again the same old policies. I again ran gpupdate /force on the client from the domain user account: no changes. Do I need to delete the old profile of the domain user from the client computer? If I need to delete the profile and rejoin the domain, it will take a huge amount of time for me to do this on all client machines.
    Wednesday, February 25, 2015 4:29 AM
  • Hi Satish,

    Did you run the gpupdate /force command on the server and then monitor the result? Just a confirmation, thanks for your understanding.

    -->Do I need to delete old profile of domain user from the client computer?

    You can only create a new test domain user account, then use this new user account to log on to a client computer and monitor the result.

    In addition, please collect the Gpsvc.log file and check whether you find more clues.

    How to enable GPO logging on Windows 7 / 2008 R2?

    If any update, please feel free to let us know.

    Best regards,

    Justin Gu


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by Satish Dangol Monday, March 2, 2015 7:30 AM
    Thursday, February 26, 2015 10:40 AM
    Moderator
  • Hi Justin,

    I created a new user and logged in with that account as you suggested. All the policies were applied for the new account. Then I logged back in to the old account and, surprisingly, all the policies were applied. This gave me some relief, thank you for that.

    But when I tried to log the group policy as suggested in the link, I could not put the value 0x30002 on the server or on the client. It did not allow me to put x in the box, and the value changes automatically when I close the box, so I was unable to log GPO.

    Your suggestion is very close to a resolution of my problem. But I am still wondering about the actual cause of this problem and preventive steps for the future.

    Thank you
    Satish

    Friday, February 27, 2015 5:47 AM
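
The Gpsvc.log collection discussed in the thread, as an added example that is not part of any poster's reply: a PowerShell script that sets the 0x30002 debug level as a DWORD, refreshes policy, saves the end of the log and then turns logging off again. The registry path, the `GPSvcDebugLevel` value name and the log location are the standard ones for Group Policy service debug logging and are not stated in the thread; the output file name is an assumption.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt
# on the machine being diagnosed. Written to work on PowerShell 2.0 (Windows 7 / 2008 R2).
$key     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$logDir  = Join-Path $env:windir 'debug\usermode'
$logFile = Join-Path $logDir 'gpsvc.log'

function Enable-GpsvcLogging {
    # Neither the Diagnostics key nor the usermode folder exists by default.
    if (-not (Test-Path $key))    { New-Item -Path $key -Force | Out-Null }
    if (-not (Test-Path $logDir)) { New-Item -Path $logDir -ItemType Directory | Out-Null }
    # 0x30002 is written as a DWORD. In regedit's DWORD dialog the same value
    # is entered as 30002 with Base set to Hexadecimal (the "0x" prefix is not typed).
    New-ItemProperty -Path $key -Name 'GPSvcDebugLevel' -PropertyType DWord `
        -Value 0x30002 -Force | Out-Null
}

function Disable-GpsvcLogging {
    # Verbose logging is for diagnosis only; remove the value when finished.
    Remove-ItemProperty -Path $key -Name 'GPSvcDebugLevel' -ErrorAction SilentlyContinue
}

function Get-GpsvcLogTail {
    param([int]$Lines = 200)
    if (-not (Test-Path $logFile)) {
        throw "No log at $logFile; was logging enabled before the policy refresh?"
    }
    # Assumption: gpsvc.log is UTF-16; drop -Encoding if the output is unreadable.
    Get-Content -Path $logFile -Encoding Unicode | Select-Object -Last $Lines
}

Enable-GpsvcLogging
try {
    # Answer "N" to any logoff/restart prompt so the refresh does not block.
    'N' | gpupdate /force | Out-Null
    $out = Join-Path $env:TEMP 'gpsvc-tail.txt'   # hypothetical output name
    Get-GpsvcLogTail -Lines 200 | Set-Content -Path $out -Encoding UTF8
    Write-Output "Saved log tail to $out"
}
finally {
    Disable-GpsvcLogging
}
```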