Group Policy Replication

CoXeY · 30 May 2006 at 16:51

Right time to consult the AD bods around here...

I have added the URL for our intranet site to the GP on one of our domain controllers but for some reason the setting does not seem to be replicating to the other DC's?

I have added the URL to "User Configuration \ Windows Settings \ Internet Explorer Maintenance \ Secuirty \ Security Zones and Content Ratings" and have applied this specifically to the OU that contains the relevant users. I made the change last week and as yet the setting has still not replicated - any ideas?

Dan.

mr.bond · 30 May 2006 at 19:48

CoXeY said:
Right time to consult the AD bods around here...

I have added the URL for our intranet site to the GP on one of our domain controllers but for some reason the setting does not seem to be replicating to the other DC's?

I have added the URL to "User Configuration \ Windows Settings \ Internet Explorer Maintenance \ Secuirty \ Security Zones and Content Ratings" and have applied this specifically to the OU that contains the relevant users. I made the change last week and as yet the setting has still not replicated - any ideas?

Dan.

Have you checked the other DC's in your org to see if the policy is present via ADU&C?

Just out of interest (and you've probably tried this) can you check to ensure that the OU does not have ticked 'block policy inheritance'

google gpresult or gpotool and run it on one of the clients not receiving the policy (/u switch IIRC), ensure the output shows the policy you applied.

failing that check your event logs, post back errors here.

Win2k or 2k3 AD btw?

L33 · 31 May 2006 at 11:58

EDIT: must read the full post.............

Spider · 31 May 2006 at 12:22

RSOP (resultant set of polidy) is a handly little tool. Will run on a client and show you all GPO's being applied, what policy settings are in effect and more importantly which settings are applied from which group policy objects.

Could be helpful in tracing what is defining the browser settings........

CoXeY · 1 Jun 2006 at 13:42

Thanks for the replies guys!

As yet i still have not got to the bottom of this one. The configuration is set on DC1 but does not appear in ADU&C on DC2, i have also made sure that 'block policy inheritance' is not ticked.

Running RSOP shows me that the intranet site settings are not being propagated to any client machines.

I'm thinking that perhaps i have gone about this in the wrong way?! Basically what i am trying to do is add http://intranet.domain.com to each users Local Intranet Zone within IE - i could apply it manually to each machine but that kinda defeats the object of GP in the first place :rolleyes:

tonyyeb · 1 Jun 2006 at 16:14

CoXeY said:
Thanks for the replies guys!

As yet i still have not got to the bottom of this one. The configuration is set on DC1 but does not appear in ADU&C on DC2, i have also made sure that 'block policy inheritance' is not ticked.

Running RSOP shows me that the intranet site settings are not being propagated to any client machines.

I'm thinking that perhaps i have gone about this in the wrong way?! Basically what i am trying to do is add http://intranet.domain.com to each users Local Intranet Zone within IE - i could apply it manually to each machine but that kinda defeats the object of GP in the first place

You will notice that you have added this setting in 'User Configuartion' and as it is a user setting it cannot be added to the local machine as such. Have you checked that replication is working using dcdiag?

Have you tried forcing replication in ADS&S?

Have you tried running GPresult as a user who is in that OU?

Are permissions set on the GPO? Are the users denied 'apply settings'? Is there another GP that changes the Intranet Zone settings?

Have you tried creating a dummy user, a blank ou at the top of the tree and a new GP that does just that and seeing if it works?

Hopefully this helps you on your way

^^Gord^^ · 1 Jun 2006 at 17:15

CoXeY said:
As yet i still have not got to the bottom of this one. The configuration is set on DC1 but does not appear in ADU&C on DC2, i have also made sure that 'block policy inheritance' is not ticked.

You mean that the GPO does not appear on DC2 but does on DC1? If the GPO is not appearing on DC2 then you have a replication problem within AD.

Check the event logs on both DCs and also take a look at using a MS utility called Ultrasound to check the health of AD.

tonyyeb · 1 Jun 2006 at 17:30

Check out this link for a great doc about Group Policy:

http://technet2.microsoft.com/Windo...699b-4c49-abcc-e3526dbecc0e1033.mspx?mfr=true

Particulary the bit about group policy processing order.