Group Policy issues: Computer Config doesn't apply 1

xylax

MIS
Oct 14, 2005
31
US
I might be trying something that cannot be done. I am trying to apply 2 different computer configurations to 2 different security groups. Specifically, I'm trying to get one account to have an "account lockout policy" set to 0. Another account, logging onto the same machine, needs to have the "account lockout policy" set to 5.

My AD Structure is this:

Domain
- My Franchise
| - District Managers
| - Stores
| | · store1
| | · store2
| | · clerk
| | - Computers
| | | · All computer objects here

I have two GPOs applied to the STORE OU. They are STORE and CLERK. STORE applies to all the store accounts and the CLERK, which is one account used at all stores, is applied to the clerk account. The Computers OU inherits the two GPOs.

On the CLERK GPO, I have the security setting allowing only the CLERK to read and apply the GPO. On the STORE GPO, I have the security setting allowing only the STORE to read and apply the GPO.

My problem is that I cannot get any of the GPO computer settings to apply to any of the accounts. However, the GPO user settings are applied to the respective accounts according to its GPO.

The GPO computer settings, however, do apply to the machine if "Authenticated Users" group is in the Security Filter. If I do this, it applies both GPO computer configurations to the machine, which I do not want.

If only I could get the Security Filter to work to only allow a specific group or user to apply the computer configuration, everything would work perfectly. I'm willing to restructure my AD if another structure works better. Any help would be appreciated.

Shon
Network Administrator
 
You should do this instead.

1. Put back the default security settings for each GPO. (look at any other GPO security to duplicate)

2. Setup the GPOs as follows:

In the Store GPO > Add the Clerks group and give Read and Deny Apply

In the Clerks GPO > Add the store group and give Read and Deny Apply

-----------------------------------------------------------

Another option is to only have one group, play with the precedence order and set it up as:

ORDER
1. Store GPO
2. Clerk GPO

Set the Store GPO with the following permissions: Add the Clerks group and give Read and Deny Apply

So what will happen is that the Clerks GPO will be configured for everyone and only the Store group members will get any of the settings from the Store GPO (which will overwrite everything duplicated between the Store and Clerks GPO).

Hope this helps,


Gladys Rodriguez
GlobalStrata Solutions
Computer Repair, Website Design and Computer Consultant
Small Business Resources
 
Account lockout settings can only be applied at the Domain level. If you configure these settings any where else they will be ignored by the Domain Controllers.

Thus, to apply different lockout settings to different groups of users you would normally have to create a separate domain and set the default domain policy settings to meet your requirements in the new domain.

 

Hmm. Basst, can you provide information about the information you provided? I have not been able to find information saying that these settings can only be applied at the domain level. I found this article that even says:

"Define account lockout and password policies once in every domain. Ensure that these policies are defined only in the default domain policy. This helps to avoid conflicting and unexpected policy settings." - URL

I have read that if the password settings are defined at the domain level or at the Domain Controllers OU level, then it is ignored since the Domain Controllers are the ones that ultimately process this information. But maybe I misunderstood this information.

Thanks for sharing,


Gladys Rodriguez
GlobalStrata Solutions
Computer Repair, Website Design and Computer Consultant
Small Business Resources
 
This is the closest reference I could find.


globalstrata, your statement is correct but you have it the wrong way around. If the policy is not defined at the domain or Domain Controllers OU level then it is ignored by domain accounts. It will apply to local accounts though.

I'm currently studying for my MCSE and will be taking the Active Directory exam next week. My reference material also states this fact.

At work I have password complexity set in the default domain policy and it is working just fine.
 
Thanks for the information, Basst. Although I have been certified in the Microsoft NT Operating Systems since 1995, I know there is still a lot that I do not and probably will never know due to the extensive amount of information and changes that are performed all the time for all the Windows OS and applications. In addition, if you don't use it, you lose it [bigears]

Although what you are saying makes sense, and is probably correct, since as I mentioned above the Domain Controllers are the systems that ultimately process this domain information, you should always bear in mind that not all documentation out there is correct. While you gain more and more experience with the Microsoft certifications you will see a lot of times that what you are supposed to know for the test is not always the same as the real world.

Anyway, thanks for the information and good luck with your tests. ;-)


Gladys Rodriguez
GlobalStrata Solutions
Computer Repair, Website Design and Computer Consultant
Small Business Resources
 
xylax,

The solution that I provided should take care of the issue that you said you were having:

"My problem is that I cannot get any of the GPO computer settings to apply to any of the accounts. However, the GPO user settings are applied to the respective accounts according to its GPO."

If you are having problems with the Lockout, you have to consider what Basst mentioned above.

Let us know if you need any further help, ;-)


Gladys Rodriguez
GlobalStrata Solutions
Computer Repair, Website Design and Computer Consultant
Small Business Resources
 
We tested your theory and it seems you were right. This is going to put a huge kink in how I'm going to design this rollout. In testing your theory, I did find that if the domain policy is undefined when it comes to the account lockout policy, lockouts will be set to 5 times. Nowhere does it state 5 times in any of the GPOs. This confused us until we actually defined a Lockout number.

Thanks for your help and with a speedy response! I'll have to resort to using a local account and group policy on this rollout until we get our own domain for these computers.

Shon
Network Administrator
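The point Basst raised and xylax confirmed (the lockout threshold domain accounts actually get comes from the domain-linked policy; a lockout setting in a GPO linked to an OU such as STORE only reaches the local accounts of the computers in that OU) can be audited from an admin workstation. The script below is an added example, not from any poster in this thread; it assumes the RSAT GroupPolicy and ActiveDirectory PowerShell modules and a domain-joined host with rights to read GPOs, and the GPO names and OUs it reports are whatever your domain contains.

```powershell
# Added example (not from the thread): report the lockout threshold the DCs enforce and
# flag GPOs that define LockoutBadCount somewhere other than the domain link.
# Assumes RSAT GroupPolicy + ActiveDirectory modules; nothing here is specific to one domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1. What domain accounts actually get: the domain-level account policy.
$effective = Get-ADDefaultDomainPasswordPolicy
[PSCustomObject]@{
    LockoutThreshold       = $effective.LockoutThreshold          # 0 = never lock out
    LockoutDurationMinutes = $effective.LockoutDuration.TotalMinutes
    ObservationWindowMins  = $effective.LockoutObservationWindow.TotalMinutes
} | Format-List

# 2. Every GPO that defines LockoutBadCount, and where each one is linked.
$domainRoot = (Get-ADDomain).DNSRoot
foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    # Security Settings > Account Policies entries; local-name() sidesteps the report's namespaces.
    $lockout = $report.SelectNodes(
        "//*[local-name()='Account'][*[local-name()='Name']='LockoutBadCount']")
    if ($lockout.Count -eq 0) { continue }
    $value = ($lockout[0].ChildNodes | Where-Object { $_.LocalName -eq 'SettingNumber' }).InnerText
    $links = $report.SelectNodes("//*[local-name()='LinksTo']")
    if ($links.Count -eq 0) {
        [PSCustomObject]@{ GPO = $gpo.DisplayName; LockoutBadCount = $value
                           LinkedTo = '(unlinked)'; Scope = 'no effect' }
        continue
    }
    foreach ($link in $links) {
        # SOMPath is the domain DNS name for a domain link, "domain/OU/SubOU" for an OU link.
        $som = ($link.ChildNodes | Where-Object { $_.LocalName -eq 'SOMPath' }).InnerText
        $scope = if ($som -eq $domainRoot) { 'domain link: applies to domain accounts' }
                 else { 'OU link: local accounts of those computers only' }
        [PSCustomObject]@{ GPO = $gpo.DisplayName; LockoutBadCount = $value
                           LinkedTo = $som; Scope = $scope }
    }
}
```

Run it before and after changing a lockout setting; if the first section does not change, the GPO you edited is not the one the domain controllers are reading.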
 