Group Policies don't appear to work

[jdaniels]

Hi,

I have set up a domain on a W2K server with some XP clients, and have set up a domain user, and have assigned a group policy to him (to the OU of which he is part, actually). However when I log in from the XP workstation as that user, none of the policies get applied. I figure the following is the problem:

He has a local policy that overrides anything else. The problem is, with an XP client, how do I find this local policy setting? I have already checked site and domain policies.

Is this right? How can I get any GPs to apply? The only success I have had is when setting default domain level GPs to a user, and logging onto the DC as admin...

Thanks,

Jonathan Daniels

 

[GiaBetiu]

OOps.
is not like this.
By default GPO's are applied in this order:
1. site GPOs
2. local security setings
3. domain GPOs
4. OUs GPO

So, settings from local policy will not be able to overwrite OUs ones.
Just a GPO (so not local policies) can have set "no override".
Advices:
- check security settings for your GPO. Authenticated users should be there. And your user used for log on on that workstation should be a user account from your AD.
- check the Options for that GPO
- use "gpresult" from Windows 2k Resource Kit to see which policies are applied to your user


Gia Betiu
gia@almondeyes.net
Computer Eng. CNE 4, CNE 5, MCSE Win2K
new:

http://www.almondeyes.net

(just started)

 

[GrnEyedLdy]

Jonathan,

GPO's are applies in the following order, Local, Site, Domain, OU (LSDO). Each one overriding the one before if the settings conflict. So, as you can see, if there was a Local policy it would be overridden by any policies applied at the domain level.

"The problem is, with an XP client, how do I find this local policy setting? " It's in the Administrative tools|Local Security Policy.

Your user is logging into the Domain and not the Local machine right?

Your user is listed in the OU that the GPO is applied to, correct?

Check the permissions on the GPO and make sure the user had Read and Apply permissions.

Just a few thoughts, post a little more info and maybe we can help you figure this out.

Patty

 

[jdaniels]

Hi guys,

GiaBetiu: I ran gpresult /u DOMAIN\testuser and it returned the following:
============================
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Friday, May 23, 2003 at 12:38:54 PM


Operating System Information:

Operating System Type: Domain Controller
Operating System Version: 5.0.2195.Service Pack 3
Terminal Server Mode: None

###############################################################

User Group Policy results for:

CN=Administrator,CN=Users,DC=MYDCNAME,DC=local

Domain Name: MYDOMAINNAME
Domain Type: Windows 2000
Site Name: Default-First-Site-Name

Roaming profile: (None)
Local profile: C:\Documents and Settings\Administrator

The user is a member of the following security groups:

MYDOMAIN\Domain Users
\Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
MYDOMAIN\Enterprise Admins
MYDOMAIN\Group Policy Creator Owners
MYDOMAIN\Domain Admins
MYDOMAIN\Schema Admins


###############################################################

Last time Group Policy was applied: Friday, May 23, 2003 at 12:20:19 PM
Group Policy was applied from: MYDOMAINCONTROLLER.MYDOMAIN.local


===============================================================


The user received "Registry" settings from these GPOs:

Default Domain Policy


===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:

Default Domain Policy



============================

It returned nothing about 'testuser', yet that user is a domain user and can log in to the domain with no trouble.

___________________________________

Patty:

Yup the user logs into the domain, not their workstation. The user is also listed in the OU, inasmuch as when I view AD Users and Computers, they appear in the OU container, not the 'Users' container. They are of type 'user'. I have set the permissions of the user inside the GPO security settings to 'read' and 'apply'.

Incidentally, what I am initially trying to do is simply set the title on the browser to some relevant text. I am trying to do this from the DC by applying it to user settings in the GPO this user has been listed under.

Thanks guys.

Jonathan

 

[GiaBetiu]

you are logged on as administartor. so the result is the GPO's aplied for administrator account.
logon with that user, and then launch gpresult.

Gia Betiu
gia@almondeyes.net
Computer Eng. CNE 4, CNE 5, MCSE Win2K
new:

http://www.almondeyes.net

(just started)

 

[GrnEyedLdy]

Jonathan,

User settings are applied at logon, so I assume that you have logged off and back on as the user in question after configuring the GPO.

Have you run Secedit?

Is this GPO working for other users?


Patty

 

[jdaniels]

Folks,

I got it running. Turns out my DNS entry was wrong!!

Thanks for your time.

Jonathan