Group Policies

[rgrise]

I have one Windows 2000 Server with SP3. It has been configured as the PDC of our organization. The problem is that I want to set up a group policy for the clients that are using windows 2000 Professional. I can create the policy and tell it which users I want it to affect then I goto the command line and type

secedit /refreshpolicy machine_policy /Enforce

I type that but when I goto a Windows 2000 Pro computer and log in with once of the names that is "supposed" to be under the Group Policy, the rights that I have taken away are still there. What do I do?

 

[btnet]

The reskit has a tool called GPResult which will show you what has been applied and such. Might be worth seeing what is happening on the client side...

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp

Are these COMPUTER or USER settings(sounds like user)?

 

[rgrise]

I have attempted to do both user and computer configurations on the GPO

 

[mcconmw]

Where are you creating the GPO if it is in the computer container you must set Loopback processing for the user settings to take place. I have found that if you make too many changes to a GPO at one time it presents this behaviour. I haven't researched it enough to tell you what too many is, but I typically make a few changes, exit the GPO, and then reopen it. This has prevented further occurrences of the problem. Thanks.

Mike

 

[rgrise]

I created a new organization unit and with that new OU, I put the users in it, and even put the group that these users belong to in the OU. Then I created a GPO for that particular OU, then type the secedit command.

Then btnet told me about the GPresult.exe. I downloaded that, and ran it on a computer, and it told me that this user didn't belong to a security group, etc. So now, I don't know what to do.

 

[btnet]

Via gpresult you are looking for "Applied Group Policy Objects" which would appear under COMPUTER SETTINGS and USER SETTINGS. You should see the name of the policy(s) if any are indeed being applied. Are you saying there is nothing listed under Applied Group Policy Settings or the security groups section?

 

[rgrise]

I printed out what it tells me in command line, and here's what it says.

User Group Policy results for:

Domain name
Domain Type: Windows 2000
Site Name: Default-First-Site-Name

Roaming profile
local profile

The user is a member of the following security groups:

Lastime time Group Policy was applied: Tuesday, 17, 2003 at 1:51:40

Computer Group Policy results for:

Domain Name:
Domain Type: Windows 2000
Site Name: Default-First-Site-Name

The computer is a member of the following security groups:

BULTIN\Adminstrators
\Everyone
NT AUTHORITY\Authenticated Users

The computer received "Registry" settings from these GPOs:

Local Group Policy

The computer received "EFS recovery" settings from these GPos:
Local Group Policy.

What do you suggest.

 

[mcconmw]

I just ran across some information from a colleague. Both the machine account and the user account must be a member of the group assigned apply rights. This is true by default of the group Authenticated Users but is not as evident in the documentation for refining the policies further. Thanks.

Mike

 

[rgrise]

I finally figured it out. The professional computers were looking to the wrong server. I corrected that problem and the GPO is now enforced. Thanks for all of your help

 

[btnet]

Just curious for future reference, but what do you mean by looking to the wrong server?

 

[rgrise]

We have two servers here. A linux box and the box with windows 2000 server. For some reason, the professional boxes were looking to the linux server.