Computers not applying Group Policy

    Question

  • I have an issue that is pretty strange. I have created a new GPO that runs a startup script and has been in place for a couple days now. All computers show that the policy was applied when using the gpresult /v /scope computer command. However the script does not actually run at startup. I have other computers in the same domain that run the script just fine. But these computers reside in a different site though. Not sure why but when running Group Policy Results on the DC in the site where the script does not run I get an alert that says..

    "AD / SYSVOL Version Mismatch,Inaccessible, Empty or Disabled,Enforced"

    When I run the same Group Policy Results on the DC in the site where the scripts do run I get the alert message...
    "AD / SYSVOL Version Mismatch,Enforced"

    Any ideas on what is going on?

    Thanks!


    Chad Guiney

    Monday, January 30, 2017 2:32 PM

All replies

  • Hi,

    Are you sure the GPO isn't working? There is a known issue where this error is showing even if sysvol isn't mismatching:

    Get more info and the hotfix here: hotfix 2866345

    If it doesn't work, then do you use a WMI query to filter on which computer the GPO has to run?

    Monday, January 30, 2017 2:44 PM
  • If you are using WMI filtering, it might be an authorisation error. Check that the group "authenticated user" still has read permission on policies and "apply group policy" permissions.

    If permissions are well configured and you still have the issue, check this

    You should also check the below locations to make sure there is no deleted or conflict references for the fSMORoleOwner Attribute. You would get the same errors if you have a bad entry for this attribute reference.
    
    Places to be checked:
    
    1. Open ADSIEdit and connect to DC=DomainDNSZones,DC=Domain,DC=com.
    
    Right click the object CN=InfraStructure
    
    Look for the attribute fSMORoleOwner and verify it is pointing to the right FSMO holder.
    
    2. Connect to DC=DomainDNSZones,DC=Domain,DC=com.
    
    Right click the object CN=InfraStructure
    
    Look for the attribute fSMORoleOwner and verify it is pointing to the right FSMO holder.
    
    3. Connect to DC=Domain,DC=com.
    
    Right click the object CN=InfraStructure
    
    Look for the attribute fSMORoleOwner and verify it is pointing to the right FSMO holder.

    Monday, January 30, 2017 2:52 PM
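
The fSMORoleOwner check described in the reply above can also be scripted. This is an added example, not part of the original post: it assumes the ActiveDirectory RSAT module is installed, derives the domain DN from `Get-ADDomain`, and covers the domain and DomainDnsZones naming contexts named in the post. The `0ADEL:` and `0ACNF:` markers are what a reference to a deleted or conflict object looks like in a distinguished name.

```powershell
# Added example: read fSMORoleOwner on CN=Infrastructure in each naming context
# and flag values that point at a deleted (0ADEL) or conflict (0ACNF) object.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName

# Naming contexts taken from the post; the DN suffix comes from the current domain.
$targets = @(
    "CN=Infrastructure,$domainDn",
    "CN=Infrastructure,DC=DomainDnsZones,$domainDn"
)

Write-Output "Infrastructure master reported by Get-ADDomain: $($domain.InfrastructureMaster)"

$report = foreach ($dn in $targets) {
    $owner  = $null
    $status = 'UNREADABLE'
    try {
        $obj   = Get-ADObject -Identity $dn -Properties fSMORoleOwner -ErrorAction Stop
        $owner = [string]$obj.fSMORoleOwner
        if (-not $owner) {
            $status = 'EMPTY'
        } elseif ($owner -match '0A(DEL|CNF):') {
            # Mangled DN: the referenced NTDS Settings object was deleted or is a conflict copy
            $status = "STALE ($($Matches[1]))"
        } else {
            $status = 'OK'
        }
    } catch {
        Write-Warning "Could not read ${dn}: $_"
    }
    [pscustomobject]@{
        Object        = $dn
        fSMORoleOwner = $owner
        Status        = $status
    }
}

$report | Format-List
```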
  • Thanks for the quick reply Pierre. Looking at this setting in ADSIEDIT the server name listed in the fSMORoleOwner attribute is not the same as the server listed when I right click on "ADUC"/Domain name/Operations Masters/Infrastructure tab. Should the server be the same?

    Thanks.


    Chad Guiney

    Monday, January 30, 2017 5:01 PM
  • Hi Chad,
    What about permissions on the share where the script resides?
    Here is an article about troubleshooting a startup script that is not running; you could take a look and use it for reference:
    https://technet.microsoft.com/en-us/library/cc978369.aspx
    In addition, regarding error “AD / SYSVOL Version Mismatch”, please track down which GPO is causing this error and under the sysvol folder on your DCs, navigate to its folder (\\DC\sysvol\policies\{GUID}) and check the GPT.INI file on both the DCs. It will have a version number in it, and the version number will be different on the different DCs - this is the version mismatch it's complaining about. Correcting it depends on what exactly caused the mismatch - you may be able to correct it by editing the version number in GPT.ini, or it may be a result of some bigger problem, like faulty FRS replica sets, ACL settings on that particular GPO, etc. Not enough information to determine what exactly the root cause is.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, February 02, 2017 8:18 AM
    Moderator
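
The GPT.INI comparison described in the reply above, as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module, read access to each DC's SYSVOL share, and a placeholder GPO GUID that must be replaced; it compares the `versionNumber` attribute of the GPO's AD object with the `Version=` line in GPT.INI on every domain controller and lists each DC's site, since the problem here differs by site.

```powershell
# Added example: compare a GPO's AD version with GPT.INI on each DC's SYSVOL.
Import-Module ActiveDirectory

$GpoGuid = '{00000000-0000-0000-0000-000000000000}'   # placeholder: GUID of the GPO to check

$domain = Get-ADDomain
$gpcDn  = "CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"

function Split-GpoVersion($Version) {
    # Upper 16 bits = user settings version, lower 16 bits = computer settings version
    if ($null -eq $Version) { return 'n/a' }
    $user     = [int][math]::Floor($Version / 65536)
    $computer = [int]($Version % 65536)
    "user=$user computer=$computer"
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $adVersion = $null
    $sysvolVersion = $null

    try {   # Version as stored in this DC's copy of the directory
        $gpc = Get-ADObject -Identity $gpcDn -Server $dc.HostName -Properties versionNumber -ErrorAction Stop
        $adVersion = [int64]$gpc.versionNumber
    } catch { Write-Warning "$($dc.HostName): AD object not readable: $_" }

    try {   # Version as stored in this DC's copy of SYSVOL
        $gptIni = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid\GPT.INI"
        $hit = Select-String -Path $gptIni -Pattern '^\s*Version\s*=\s*(\d+)' -ErrorAction Stop |
               Select-Object -First 1
        if ($hit) { $sysvolVersion = [int64]$hit.Matches[0].Groups[1].Value }
    } catch { Write-Warning "$($dc.HostName): GPT.INI not readable: $_" }

    [pscustomobject]@{
        DC       = $dc.HostName
        Site     = $dc.Site
        AD       = Split-GpoVersion $adVersion
        SYSVOL   = Split-GpoVersion $sysvolVersion
        InSync   = ($null -ne $adVersion) -and ($adVersion -eq $sysvolVersion)
    }
}

$results | Sort-Object Site, DC | Format-Table -AutoSize
```

A DC whose `InSync` column is False, or whose values differ from the other DCs, is the one whose AD or SYSVOL replication needs a closer look.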
  • Thanks for the response Wendy. I looked at the article but the script is a startup script that runs under the computer instead of user. Reading the results of gpresult it says the script has not run yet. The script is stored in the GPO itself which the users should have access to. Another interesting thing is that this only seems to be affecting Windows 7 Pro computers.

    Chad Guiney

    Thursday, February 02, 2017 1:26 PM
  • Hi,
    Please check the following hotfix and see if it helps:
    Group Policy logon scripts do not run in Windows 7 or in Windows Server 2008 R2
    https://support.microsoft.com/en-us/help/2550944/group-policy-logon-scripts-do-not-run-in-windows-7-or-in-windows-server-2008-r2
    Best regards,
    Wendy


    Monday, February 06, 2017 2:16 AM
    Moderator
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If not, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Wendy


    Friday, February 10, 2017 8:42 AM
    Moderator