Be Careful with Group Policies....

Puff... I was in a great problem recently....

We have Microsoft Dynamics CRM 2011 deployment over here, which stopped working unexpectedly and started to throw, when trying to access it using URL, error which said:

Business Management Error

"You are attempting to create a user with a domain logon that does not exist."

Secondly I noticed, that some of users were having problems of Trust relationship with the domain. We have only one Domain Controller.

The Third thing I found was the error while updating Group Policies.

Whenever I used gpupdate /force to update policies on workstation I would get:

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Another problem I came across was a user had his password expired and he was unable to change it.

All of this happened within one hour and I was on my knees to find the root of problem.

One thing I noticed was everything has something to do with the connectivity with Domain Controller.

So in order to find root cause of these, I temporarily disabled all links of Group Policies that would be applicable to the Domain Controller Server itself, somehow.

Then ran a gpupdate /force on DC itself. Bravo! It all started to work like charm. Then I checked those Group Policies I disabled, and found the problem.

The DC locked himself because the wrongly applied policy was in:

Computer Configuration=>Windows Settings=>Security Options=>User Rights Assignment

"Access this computer from network"

This policy will restrict access to that computer through network for only those users which are defined in it.

So be careful while configuring new Group Policies.