
Group Policy windows 2k


tester125

MIS
Sep 24, 2003
85
US
Hi All,

I am creating a group policy for the first time. I have 4 group policy objects created for various users. Unfortunately the lower group policy object is overriding the upper policy; my understanding is that the upper policy object should take precedence over the lower object. I even tried the No Override feature, but still the lower policy is overriding the upper policy.

Is this something I am doing wrong?

Any help is great.

Thanks in advance.
 
Did you verify the security settings on the higher policy? Make sure it is actually being applied to your users.

You can use GPRESULT to verify what policies are hitting the user.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Thanks for the post, Mark. Yes, I checked the setting. As a test I created a user that's in both the upper and lower group policy. In the security settings I have Read and Apply Group Policy checked off on both policies for that user. Unfortunately the lower policy is taking precedence.
I tried No Override and Block Policy Inheritance, still no luck.

Any other suggestions will be great.
 
Can you detail the AD layout? List your structure and what policies are at what location.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Hey Mark,

All the policies are being applied at the parent container level. In other words, I don't have any policy being applied to the child or container level. They're all being applied at the same level.

On the group policy, for example, I have several group policy objects. I have, for example:
DOMAIN ADMINS - user "test" is being applied to this policy - this is full access
DEFAULT DOMAIN POLICY - user "test" is being applied to this policy - no run command, etc.

Now when I log in, the Default Domain Policy is being applied.


Thanks again.

 
What about additional groups in the security settings? Is it possible your test user has more than one group membership that is giving the other policy?

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Hey Mark,

Nah, I double-checked that several times. The only users that "test" has membership to is the domain users.

Thanks.
 
OK, and you are specifically adding the Apply to the user object and not a group, right?

Have you done a policy refresh on the workstations?

For Win2K it is 2 commands:

secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce


For XP it is easier:

GPUPDATE /FORCE

After running those commands, log off and back on as the test user and run GPRESULT to see what policies the User ID knows are hitting it.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Hey Mark

Yes, for now I am applying it to the "test" user, but eventually I want to add it for group access.

Here's the result of the GPresult.


Last time Group Policy was applied: Tuesday, April 27, 2004 at 12:
Group Policy was applied from: work.olmhs.org


===============================================================


The user received "Registry" settings from these GPOs:

Default Domain Policy



###############################################################

Computer Group Policy results for:

CN=TESTERWORK,OU=VIR,OU=Workstations,DC=work,DC=org

Domain Name: OLMDOMAIN
Domain Type: Windows 2000
Site Name: Default-First-Site-Name


The computer is a member of the following security groups:

BUILTIN\Administrators
\Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
OLMDOMAIN\TESTERWORK$
OLMDOMAIN\Domain Computers

###############################################################

Last time Group Policy was applied: Tuesday, April 27, 2004 at 12:
Group Policy was applied from: olmpdc.olmhs.org


===============================================================


The computer received "Registry" settings from these GPOs:

Local Group Policy
SUS


===============================================================
The computer received "Security" settings from these GPOs:

Local Group Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

Local Group Policy


Thanks again
 
OK, so the GPRESULT verifies that your user isn't even seeing your Domain Admins policy.

How many DCs do you have? Have you verified that the policy exists on each one? Let's make sure we are not troubleshooting the wrong problem and ensure your replication is happening.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
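
The check Mark does by eye on the posted GPRESULT output can be scripted. The following is an added example, not part of the original thread: it parses the Windows 2000 GPRESULT section layout quoted above and reports which expected GPOs never reached the user. The sample text is constructed from that output, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the Windows 2000 GPRESULT output quoted in the thread.
SAMPLE = """\
The user received "Registry" settings from these GPOs:

    Default Domain Policy

###############################################################

Computer Group Policy results for:

The computer received "Registry" settings from these GPOs:

    Local Group Policy
    SUS

===============================================================
The computer received "Security" settings from these GPOs:

    Local Group Policy
"""

HEADER = re.compile(r'^The (user|computer) received "([^"]+)" settings from these GPOs:$')
RULE = re.compile(r'^[=#]{10,}$')  # the ==== and #### divider lines

def applied_gpos(text):
    """Map (scope, extension) -> GPO names listed under that header."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            current = result.setdefault(match.groups(), [])
        elif RULE.match(line):
            current = None  # a divider ends the current GPO list
        elif line and current is not None:
            current.append(line)
    return result

def missing_gpos(text, scope, expected):
    """Expected GPO names that appear under no extension for the given scope."""
    seen = {g.casefold() for (s, _ext), names in applied_gpos(text).items()
            if s == scope for g in names}
    return [g for g in expected if g.casefold() not in seen]

if __name__ == "__main__":
    print(missing_gpos(SAMPLE, "user", ["DOMAIN ADMINS", "Default Domain Policy"]))
```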
 
Hey Mark,

I checked the log and replication is okay. I know the "test" user is getting the policy from the DCs, 'cause whatever changes I make on the policy it reflects on the user logon.

Thanks again.
 
We must be missing something simple here.

Can you please post the entire security settings for both of your GPOs?

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Hey,

Group policy object links (the two policies in question), in order:
DOMAIN ADMINS
DEFAULT DOMAIN POLICY

Security settings for Domain Admins
boxes checked off
Authenticated users - Read
Creator Owner - no boxes checked off
Domain Admins - Read, Write, Create all child objects, Delete all child objects, Apply Group Policy
Enterprise Admins - same as Domain Admins
Test Users - Read, Apply Group Policy

Security settings for Default Group Policy
boxes checked off
Authenticated users - Read
Creator Owner - no boxes checked off
Domain Admins - Read, Write, Create all child objects, Delete all child objects
Enterprise Admins - Same as Domain Admins
Test Users - Read, Apply Group Policy

Thanks again Mark


 
Hi Tester125,

OK, looking at your settings here I have to question the way you are testing this.

In your production environment you would never want to restrict your Domain Admins from doing anything right? As such I'd suggest that you add the DENY to be set for Domain Admins and Enterprise Admins on your Default Policy where you are restricting the run command.



I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
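
To make the security-filtering question concrete, here is an added example (not part of the original thread) that evaluates the two posted ACLs under a simplified model: a GPO passes filtering only when the principal's groups are allowed both Read and Apply Group Policy and neither right is denied. It assumes the "Test Users" entry covers the test account and that the suggested DENY is placed on Apply Group Policy; `gpo_applies` and `with_admin_deny` are hypothetical names.

```python
ALLOW, DENY = "allow", "deny"
NEEDED = {"Read", "Apply Group Policy"}

# ACLs transcribed from the thread; only the two rights that drive filtering are kept.
DOMAIN_ADMINS_GPO = [
    ("Authenticated Users", ALLOW, {"Read"}),
    ("Domain Admins", ALLOW, {"Read", "Apply Group Policy"}),
    ("Enterprise Admins", ALLOW, {"Read", "Apply Group Policy"}),
    ("Test Users", ALLOW, {"Read", "Apply Group Policy"}),
]
DEFAULT_DOMAIN_POLICY = [
    ("Authenticated Users", ALLOW, {"Read"}),
    ("Domain Admins", ALLOW, {"Read"}),
    ("Enterprise Admins", ALLOW, {"Read"}),
    ("Test Users", ALLOW, {"Read", "Apply Group Policy"}),
]

def gpo_applies(acl, memberships):
    """Simplified security filtering: both rights allowed, none denied."""
    allowed, denied = set(), set()
    for trustee, kind, rights in acl:
        if trustee in memberships:
            (denied if kind == DENY else allowed).update(rights)
    return NEEDED <= allowed and not (NEEDED & denied)

def with_admin_deny(acl):
    """Hypothetical helper: add Deny on Apply Group Policy for the admin groups."""
    admins = ("Domain Admins", "Enterprise Admins")
    return acl + [(g, DENY, {"Apply Group Policy"}) for g in admins]

if __name__ == "__main__":
    # Assumed memberships for illustration only.
    test_user = {"Authenticated Users", "Test Users"}
    admin_in_test = {"Authenticated Users", "Domain Admins", "Test Users"}
    hardened = with_admin_deny(DEFAULT_DOMAIN_POLICY)
    for label, who in (("test user", test_user), ("admin in Test Users", admin_in_test)):
        print(label,
              "| Domain Admins GPO:", gpo_applies(DOMAIN_ADMINS_GPO, who),
              "| Default policy:", gpo_applies(DEFAULT_DOMAIN_POLICY, who),
              "| Default policy with Deny:", gpo_applies(hardened, who))
```

Under these assumptions both GPOs pass filtering for the test account, and the Deny entry only changes the outcome for an administrator who is also covered by an entry that grants Apply Group Policy.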
 
Hey Mark,

Yes, I am testing this in a production environment. But I am not applying the policy to the default user group; even though I don't have the apply policy box checked off, you think this might create a problem?
Also, does this have any bearing on the problem that I am having with the test user?
 