applying group policies

Status
Not open for further replies.

Xplosion84

IS-IT--Management
Sep 23, 2003
4
US
These are the steps I took to apply the newly created group policy... Not sure if I did it correctly but it doesn't work....

Went to the Active Directory Users and Computers, went to the properties of my domain in the list, clicked on Group Policy Tab, edited the Default Domain Policy, then exited out of all windows.

Next I went over to the other computer to test it out, logged off and logged back on to the user that is on the domain. Doesn't seem that the policy was added correctly. Did I do it correctly? If not, how do I apply policies to users?

-Thx, Rich
 
Is the user a member of a group which does not have the apply group policy permission?

It might be worth creating a new test user (standard user) & then try logging in with that user.

It could also be that the user is being authenticated by a different domain controller, one which has not had the updated GPO replicated to it.

What parts of the GPO did you modify?

James Goodman MCP
 
On the server there is only one domain and the account isn't in a group either.

Ok... If I set the Administrator on the server (which has the domain controller) to apply and restart the server the policy works... I then created a test account called "Test". Then linked the group policy to the one and only domain I have and then went into the Group Policy security and added the "Test" account and set the option Apply Group Policy to allow and also the option Read is clicked to allow. Next I went to a remote computer and logged in with the "Test" account and the policy didn't work.. I ran out of ideas on how to get the policy to work. I never set a profile for this account either; it just uses a local profile. Will that cause the policy to not work? Thanks for the help so far...

-Rich
 
Hmmm, the GPO should be applied automatically at login assuming you have a single domain controller in your domain.

It might be worth trying SECEDIT /RefreshPolicy Machine_Policy on the domain controller, after modifying the GPO, & before logging in. Then try logging in with the test user, & seeing if the policy is applied.

James Goodman MCP
 
I did exactly what you said, I logged on using the "Test" account and the policies still aren't working.... I really don't understand why when I physically log onto the domain controller PC with that computer's administrator the policies are set.. Why is it working locally but not remotely?

-Rich
 
Hmm. Several things need to be looked at so I will just list them out... may be some redundancy with above threads, but take a look anyway. Got these from a book a while back and wrote them down for my use as a general guide.

- Check for disabled policy: both Computer and User policies need to be looked at

- Check inheritance: site, domain, OU's; note: look out for double-disabled policies (GPO->Properties 2 check boxes at bottom, then when you go in to view the GPO you will see a red X over the icon but you can still 'check' the disabled column - that policy would be double disabled then - weird, but true); also remember Local GP is applied first for a computer; double check your inheritance and No Override usage

- Check your user permissions: user has to have Read and Apply GP rights to the GPO or a member of a security group that does; check any deny attributes you may have

- Check GPC & GPT replication: see if the GPC & GPT version nums match, may hinder workstations applying them

- Check to make sure there was not a recent move of a computer account or user account to diff OU

- Check environment: Go to the cmd line and look at your environment: do a 'set' at the cmd line and look at the LOGONSERVER env variable - THAT is where he picks up his GP settings; if moved run secedit on the machine & logoff/reboot

- Check Asynch processing for Computer policies: default is synchronous, if asynch can mess up natural order of local, site, domain, OU

- Check loopback policy: this forces everyone on the computer to use the same policies

- Check DNS config of the client: make sure client is pointed to a DC or other authoritative source for domain

- Check to make certain computer is in OU that policy is targeted; simple I know, but check anyway

- Check Event Viewer: this will log successful application of GP's and also failures

- Enable diagnostic event log in Registry: this will swell your log significantly; in HKEY>local_machine>software>microsoft>windowsnt>currentversion create a Diagnostics key, leave Class empty creating a REG_DWORD key: RunDiagnosticsLoggingGroupPolicy, set data value to 1; entries will appear in Application log and will log all GP events; there are others but this is the one you need here; DELETE the key once done to prevent your logs from filling up too fast

- Enable verbose logging on GP: creates a file called userenv.log in \winnt\debug\usermode dir; to enable edit Registry, HKEY>local_machine>software>microsoft>windowsnt>currentversion>winlogon; add REG_DWORD value called UserEnvDebugLevel, set data value to (Hex) 30002; logoff and logon as someone that has GP's applied then log back on as admin (only admins can see the file) and view the file; from that point look for verbiage such as 'no client side extensions for this object' (means it was skipped) or other obvious errors as further clues to see what is wrong; you have to apply what you know to this file about the client PC for it to make sense (e.g. what OU it is in, etc).

- There is a GPResult tool in the Resource Kit; have not used but supposed to tell which GPO's are applied and what settings are

- There is another tool called FAZAM and is a good tool for getting a GP centric view of the topology; free reduced version at you can do searches, backup and move policies

- There is another tool from BindView called bv-Control for Win2K and AD;

- Also can look at the GP.CHM (compiled Resource Kit Help module); good for searching for a GP that you want but cannot remember what it is called, etc, etc

Other than this, I'd try another client PC.

Hope this helps.

Earle
es@crowncentral.com
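
The GPC/GPT version check from the list above, as an added example that is not part of the original posts: a GPO's `versionNumber` attribute in Active Directory (the GPC) and the `Version=` line of its `GPT.INI` in SYSVOL (the GPT) each pack a user counter in the high 16 bits and a computer counter in the low 16 bits, so decoding both shows which half has not replicated. The version values and the DC names `DC1`/`DC2` are constructed for illustration; in practice the two numbers are read from each domain controller's own directory replica and SYSVOL share.

```python
import configparser

def split_version(version):
    """High 16 bits count user-side edits, low 16 bits computer-side edits."""
    return {"user": (version >> 16) & 0xFFFF, "computer": version & 0xFFFF}

def gpt_version(gpt_ini_text):
    """Return Version= from the [General] section of GPT.INI text."""
    parser = configparser.ConfigParser()
    parser.read_string(gpt_ini_text.lstrip("\ufeff"))  # tolerate a leading BOM
    for section in parser.sections():
        if section.lower() == "general":
            return int(parser[section]["version"])
    raise ValueError("GPT.INI has no [General] section")

def compare(gpc_version, gpt_ini_text):
    """Compare the AD copy (GPC) with the SYSVOL copy (GPT) of one GPO."""
    gpc = split_version(gpc_version)
    gpt = split_version(gpt_version(gpt_ini_text))
    stale = [half for half in ("user", "computer") if gpc[half] != gpt[half]]
    return {"gpc": gpc, "gpt": gpt, "in_sync": not stale, "mismatched": stale}

def out_of_sync(readings):
    """readings: {dc_name: (gpc_version, gpt_ini_text)} -> DCs whose copies disagree."""
    return sorted(dc for dc, (gpc, ini) in readings.items()
                  if not compare(gpc, ini)["in_sync"])

# Constructed sample readings (hypothetical DC names, made-up version numbers).
SAMPLE = {
    "DC1": (196611, "[General]\nVersion=196611\n"),  # user 3 / computer 3 on both sides
    "DC2": (196611, "[General]\nVersion=131075\n"),  # SYSVOL copy still at user 2
}

if __name__ == "__main__":
    for dc, (gpc, ini) in SAMPLE.items():
        print(dc, compare(gpc, ini))
    print("Out of sync:", out_of_sync(SAMPLE))
```

A mismatch in only the user half, as on `DC2` here, means user settings edited in the GPO have not yet reached that controller's SYSVOL copy.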
 
Well it still isn't working and I know I did something wrong along the way.

I created a new OU, right clicked on the new OU and added a new user called "test", checked out some info of the new user and in the Member Of tab it says
Domain Users sonicsolutionsinc.ath.cx/Users, went over to the new OU called policies set and went to properties, Group Policy tab, created a new group policy called security, went to the security tab of the new group policy and linked the "test" account to it. Also the policy is linked to the following:

Authenticated Users
Creator owner
Domain Admins (SONICSOLUTIONS\Domain Admins)
Enterprise Admins (SONICSOLUTIONS\Enterprise Admins)
JOESDESK$ (SONICSOLUTIONS\JOESDESK$)
System
test test (test@sonicsolutionsinc.ath.cx)


The test account is the only user who has Apply Group Policy and Read set to Apply. JOESDESK$ is the computer that will be logging onto the test account. Should I set Apply Group Policy and Read for the computer JOESDESK$ to apply?

Right now only the OU has a group policy set and the domain sonicsolutionsinc.ath.cx doesn't, does this make a difference?

-Rich
 