GPO not applying settings 1

[xwire]

A while back I posted on applying XP Service Pack 2 settings via Group Policy. Someone suggested I use the new Group Policy Management, and to create a Policy just for XP SP2 and just apply it to the OU. Only problem I am having is that no machine is picking up the settings I created for the policy. Seems that it only wants to pick up from the User configuration of that policy. But the actual firewall settings are in the computer configuration, both are enabled. Any suggestions?

 

[xwire]

Also, under those computer settings, under administrative templates, Network, then Network Connections, Windows Firewall, should I be putting the settings under Domain Profile or Standard Profile.

 

[aquias]

I need to research this a bit, there is a specific function in GP that will allow you to "hold" logins until the latest policy update is applied.

One thing to try, to verify whether or not there is a problem with your policy or with your policy being applied, is to run (from a command prompt) a gpupdate /force.

This will immediately bring down the latest version of group policy. Then you can run a gpresult and verify that the setting was properly applied

 

[xwire]

Ok I did the gpupdate /force and the gpresult. It does show it as applying but none of the settings I changed in the XP Firewall Policy get loaded.

 

[Loki1973]

You'll need Domain Profile for the Firewall settings.

 

[xwire]

Ok quick question, a friend of mine and I are having the same problems on two different but similar networks. We have some policies applied to the original domain profile policy. We both made separate policies for the OU we want to apply it to. Problem is it never applies the computer policies to the computers. Either is says its empty or it seems that the default domain policy is taking precedence over anything we put below it.

 

[Loki1973]

Make sure the Computer Settings are enabled.
Run RSOP (Resultant Set Of Policy) to check the status of the applied or disabled policies.

Your domain policy might be enforced causing policies below it not to apply. Check that.

Enforcing a policy overrules Block Inheritance.

 

[xwire]

You are correct, I do recall that the domain policy was set to be enforced. So I suppose this is why the policies below are not being applied. I will try this tomorrow. Thanks again.

 

[Loki1973]

Please let me know the result.

 

[xwire]

Well I un-checked the Enforced setting. According to the Group Policy results on the computers its still not applying the settings for the OU, just the default domain policy. Even though there are settings enabled on the OU policy it shows up as being Empty, under Denied GPO's in the results.

 

[Loki1973]

Have you by any chance set a Deny permission on the Apply setting, or haven't you set the Apply permission? That would cause the GPO not be applied.

 

[xwire]

are you talking about the actual setting I want to apply? On the Default Domain Policy its all set to Not Configured. On the OU policy its set to enabled. I am not sure just exactly where your mentioning to check. But I will keep searching. One thing though, The OU policy will apply the user configurations, if I set one, but I really dont need any of those settings yet. Its the computer settings that arent working for me.

 

[Loki1973]

I read back through your post. You're planning to deploy SP2 through a computer-based software GPO.

First of, before doing anything else, are you using the GPMC (Group Policy Management Console)? Have you properly LINKED the policy to the correct OU (the OU that has the computer-accounts in it and not the one containing the users)?

About the permissions issue:

* Open the GPO as if you were about to edit it.
* Right-click on the GPO's title (should be the first line in the left pane) and select Properties.
* Next, click the Security tab. Make sure the Apply permission is set for Authenticated Users and

 

[xwire]

Ok went back and looked at my AD structure, the Computer accounts are not in the OU I made the policy for, I suppose this is why I am having the problems with the computer settings, am I correct on that? And will it hurt if I moved them to the OU I want the policy under?

I also did what you said and checked the permissions for authenticated users, and it does say Apply GPO and its checked.

 

[xwire]

well dang, I moved my computer account under the OU and it worked.

 

[Loki1973]

Ok, the OU issue is the reason that the GPO's haven't been applied.

You can move out the computer-accounts to a different OU, which I would always recommend, but you need to check if there are any computer-based policies currently active on the OU the Computer accounts currently reside in.

If there are, just create a new GPO and copy those setting into the new one.

To speed up the processing time, always disable the part of the GPO that you're not using, so disable computer settings on User GPO's and disable user settings in computer GPO's.

My advice is to always make seperate GPO's for both computer and user settings.

 

[xwire]

Ok will do, thanks for your help, seems to be working really good now.