Windows 2000 Group Policy

[darwindows]

I have a home lab that I set up to play around with Windows 2000 policies. One Windows 2000 server is set up as the domain controller, I have another windows 2000 server that is simply a member server and is not a domain controller. I created an OU in Active directory called test. I added created two user accounts in it. I then created a group policy for the test OU.

I can log onto the domain controller as one of the users and the policy is implemented. However if I go over to my member server and log on as the individual, the policy is not applied.

A couple commments:

1.The member server that does not implement policy is in the stadard computers container that Active directory generates by default.

2. In the Test OU there are only the two accounts that I created and they have the standard security setup and do not belong to any groups that might cause a conflict.

3. The member server is definitely communicating with the domain as I can share resources and do other administrative tasks on it via the mmc from the domain controller.

4. I have refreshed both machine and user policy multiple times and have rebooted both servers at various times.

5. And as I said earlier, the policy is implemented on the domain controller when I login as one of the users on it.

6. Lastly there appear to be no policy conflicts. The only policy that is above the test OU policy is the default domain controllers.

Any help would be greatly appreciated.

Thank you,

Sean

 

[SelbyGlenn]

Which GPO setting have you changed? Some are machine specific whilst others are user specific. If the member server is sitting in the Computers OU then it will only get the GPO settings applied at domain level.

Type GPRESULT at command prompt on the member server to see which GPO's are being applied. I can't remember if GPRESULT comes as standard or part of the resource kit.

You could also trying moving the GPO to domain level as it's only a test rig. Mess around with it as much as possible. See if you can set the security permissions on the GPO at domain level so it only takes effect on the single member server.

Enjoy!
Glenn
BEng A+ MCSE CCA

 

[jrogersnd]

I would like to add to Glenn's advice - If you would like to enable machine specific group policy settings that apply to the user only such as login scripts you can:

[ol][li]Add the group policy to the OU that contains the computer such as the member server. (Note: you must move the member server to an OU to accomplish this since it's in the default Computers folder and not in an actual Organizational Unit)[/li][li]Edit Administrative Template in the computer configuration category > go to System > go to Group Policy > Set the "User Group Policy loopback processing mode" to Enabled. This will enforce any User Configuration Policies that are specified such as Logon/Logoff scripts and will only be effective for the machines in the OU that the policy is assigned to![/li][/ol]HTH!

--James

 

[darwindows]

You have both been a big help. I realized after writing this that I had a problem with DNS which I think affected my ability to either manage other PCs or apply group policies. Thank you both again for all of your help.

Thanks,

Sean