Active Directy gurus - I have a GPO issue that is making me crazy

[john]

I get this on our terminal server:

Name Link Location Reason Denied
{0EAF8FCF-B2C6-4300-8A5A-FFEE8C12035F} wgrusers.com Blocked SOM
{31B2F340-016D-11D2-945F-00C04FB984F9} wgrusers.com Blocked SOM
{E1FB0D1C-CE9F-4AEB-AF00-BDEC1113E596} wgrusers.com/Terminal Servers Inaccessible

But on other servers I get all applied GPO's  These ID's are for the standard  Default domain user policy, a terminal server printer policy, and a terminal server user policy.  I created the printer policy 6 months ago, and the other two are built in policies I believe.

I am really at a loss.  If anybody here has any ideas I sure would like to know.  Everything was working fine until about 2 weeks ago.

[adidasguy]

You've got Lance's email. Send him a note. he should know. (He's on vacation but does check email regularly.)

[john]

You've got Lance's email. Send him a note. he should know. (He's on vacation but does check email regularly.)

I will NOT call somebody out on their vacation.  That's just wrong.  We are dealing with the missing printers by having most people VPN into their local machine instead of using our terminal server if they need to print on our main printer.

Now when Lance gets back from vacation, I may still need help.  On a lark I am going to reboot all of our DC's tonight just in case one of them is causing the trouble.  I am no expert on GPO's and really don't know what the final authority is, or is all the DC's share handling the objects (which I suspect).  I have made so many tweaks, so many gpupdate /force commands, and no luck.

My brain hurts.

[Kiwingenuity]

Hi John,

My brother who works with these such things sent me the following:

Generally a read permission isn't applied to the system volume
\\DomainNameHere\SYSVOL\Policies

You'll need each server to have the ability to read (literally, make sure the server or account on the server have effective read rights to that location).
http://msdn.microsoft.com/en-us/library/aa374180%28VS.85%29.aspx

Other than that, could also be a blocked inheritance within AD, which will also generate the error message. Someone might have blocked an inheritance higher up, and made a new include lower down, missing some servers.

I'd look at change control and see if anyone made any changes (and now would be time to own up) that sound along these lines.

Another good reference - http://serverfault.com/questions/224357/diagnosing-why-a-group-policy-object-is-inaccessible 

[pliskin]

I did a little searching and others have reported the same or similar errors.
I found this on loopback processing of GPO's. http://support.microsoft.com/kb/231287.

Also this:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/c8d89dfa-1138-4ebc-84af-bad1041dd984/default-domian-policy-is-not-getting-applied-getting-error-blocked-som

***Begin rant***
I hate Microsoft, active directory, and GPO's. I don't know how they ever got the market share of networking. I'm from the Novell school. Microsoft took what Novell did and screwed it up royally. Novell Netware with it's Directory Services (Microsoft calls it active directory) was, and is, still far superior to AD IMO. It never breaks down and it's easy. I work with a lot of network admins in a very large environment that was mostly Netware until about 5 or 10 years ago. Then some young, brainwashed, fresh out school MS junkie from India started messing with everything. Against what all the veteran network admins advised the new CIO decided to scrap Novell and integrate 10's of thousands of users into one giant AD domain with Google. And  what a mess it has turned into. We went from having some type of downtime once a month to having downtime once a day. Our CIO left and went back to India after convincing our leaders to spend MILLIONS on a project he never intended to see through to completion.
*****End Rant*****

[Janx101]

Our CIO left and went back to India after convincing our leaders to spend MILLIONS on a project he never intended to see through to completion.
*****End Rant*****

And thus the 'silent revolution' of India's future domination/takeover plans began! ... I dont trust them from top echelon to bottom feeding telemarketers!! ... Nor those Sneaky chinese Pricks!!!   

[john]

It was blocked inheritance.  Somebody put our terminal server into a new OU.  I kept not noticing it until I started looking at everything that has to do with the TS.  Not sure why inheritance was blocked, as I see no restrictions or differences with it blocked or not.  In fact I have no clue why it was done.

For now I allowed inheritance again and things seem to be working again.  I think.  I'll see when people start logging into the box tomorrow.  My test account shows our office printer again.

I love working on my day off.

I really need to get a better grasp on GPO's.  It just seems like such a mess.  Or should I say when people mess with stuff it BECOMES a mess real fast.

[Janx101]

while i have no friggin idea on what the hell this stuff is........

... sounds like a win!! .. win for Kiwi info and win for john doing the searchdown 

might need a sign on the machines John? . .. "dear 'clever-ass' ... you dont need to change this!! .. no really!!!!! .. it's mine so leave it alone!! - John" 

[yamahonkawazuki]

while i have no friggin idea on what the hell this stuff is........

... sounds like a win!! .. win for Kiwi info and win for john doing the searchdown 

might need a sign on the machines John? . .. "dear 'clever-ass' ... you dont need to change this!! .. no really!!!!! .. it's mine so leave it alone!! - John" 

And the blocked inheritance, sounds like a nigerian scam