JSI Tip 8910. Your Windows XP clients don't get Group Policy setting that are applied to an OU on a Windows 2000 domain controller?

If you inspect the Application event log on the Windows XP client, you see:

Event ID: 1101
Source: Userenv
User: NT AuthoritySystem
Description: Windows cannot access the object OU=OU name, DC=domain name, DC=domain, DC=com in Active Directory. The access to the object may be denied. Group Policy processing aborted.

Event ID: 1030
Source: Userenv
User: NT AUTHORITYSYSTEM
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

To resolve this behavior:

On the domain controller:

01. Open Active Directory Users and Computers.

02. Check Advanced Features on the View menu.

03. Right-click the affected OU and press Properties.

04. Select the Security tab.

05. Select Authenticated Users and make sure that Read is allowed in the Permissions box.

06. Select the Group Policy tab.

07. Press Properties.

08. Select the Security tab.

09. Select Authenticated Users and make sure that Read and Apply Group Policy is allowed.

10. Press OK and OK.

11. Select Console and press Exit.

12. Open a CMD.EXE window.

13. Type secedit /refreshpolicy user_policy /enforce and press Enter.

14. Type secedit /refreshpolicy machine_policy /enforce and press Enter.

15. Type exit and press Enter.

On the Windows XP clients:

1. Open a CMD.EXE prompt.

2. Type gpupdate and press Enter.

3.Type exit and press Enter.

NOTE: You can use PsExec.exe to run gpupdate remotely.