I have one server - 2008 R2 Enterprise, running WSUS and our KMS server - which is failing to apply any group policies from the domain. I'm out of ideas of how to get this to process. Any ideas?
My steps so far have included the following.
- verified that the secure channel is good via
netdom verify myhost
- tried
gpupdate /force
- Reviewed the gpresult /v output - which shows no computer policies what so ever
- Poked through the registry.
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPOLink-List
only shows an entry for the local policy. - Rename the folder C:\ProgramData\Microsoft\Group Policy
- Remove the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History
- Apply the steps outlined at KB310741
- triple check the event log (application, system, group policy operational) all of which don't show problems.
- triple check the location in AD computer and group membership settings - there should be about 30 policies applying.
Anything more obvious I've missed?
EDIT:
I did notice one additional item of some interest - the Distinguished-Name value on the State\Machine key described above is coming back blank. Not sure how or why. I tried pasting the correct value in but it didn't work.
After all the headaches and problems that this has caused for the last several weeks it looks like the problem was how our windows server was activated. Looks like someone inadvertently put in a KMS key via the GUI.
This resulted in the OS not activating correctly and not being fully (?) joined to the domain. This filtered down to not being able to interact with the domain controllers properly - the join domain box was greyed out - and the DN entry required for group policy to work not being populated. In the end the greyed out join domain box was the clue I needed, indicating a problem with the windows license.
When I punched in a MAK key and put in our KMS information via cscript
cscript slmgr.vbs /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
as it should have been everything started working exactly the way you would expect.Hopefully this'll help another poor soul out of a month worth of extra work.
You don't mention whether you've run RSoP, but that would be my first step. Also, does the server show any sign of "applying computer policy" during start-up?
Once you've got your RSoP results, you can at least see whether the server believes it should be applying policies (if nothing else, the default domain/user policies).
--Begin Edit-- Just re-read, and noticed you've run GPRESULT. I'd therefore continue with process monitor (below). --End Edit--
My next step would be to use Microsoft SysInternals Process Monitor in boot logging mode to see what's happening.
Also, another thing I've tried in the past is to use PsExec to launch a command prompt, running as the local SYSTEM account. You can then perform a simple directory listing of the policies area in SYSVOL. Bearing in mind that policy application/filtering is controlled by good-old NTFS ACLs. If you're able to see the policies* (and these will be the computer policies), you have another issue.
*Policies are listed in SYSVOL using their GUIDs, but these can be resolved by querying AD (or browsing around using ADSIEDIT, or similar). If you need the LDAP path, shout.