Local group policy implementation erratic-why?

bill

Distinguished
Mar 30, 2004
1,834
0
19,780
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Created domain Group Policy with Computer Config for workstations however it is not being applied across all workstations.

For some unknown reason it applies the policy to one Authenticated User but not another. The only difference being that on the workstation, the policy is successful:

On the workstation I have a;

- desktop workstation
- user has local admin rights

On the other units on which the policy is unsuccessful;

- laptop
- standard user rights

I've checked rights for Authenticated Users and it has Read and Apply Policy. No Deny rights imposed anywhere.
 
Guest

What gpo settings are you trying to change?

Phil

"Bill" <anonymous@discussions.microsoft.com> wrote in message
news:B93200A3-98AE-4D90-B00A-A6ED7C602A50@microsoft.com...
> Created domain Group Policy with Computer Config for workstations however
> it is not being applied across all workstations.
>
> For some unknown reason it applies the policy to one Authenticated User
> but not another. The only difference being that on the workstation, the
> policy is successful:
>
> On the workstation I have a;
>
> - desktop workstation
> - user has local admin rights
>
> On the other units on which the policy is unsuccessful;
>
> - laptop
> - standard user rights
>
> I've checked rights for Authenticated Users and it has Read and Apply
> Policy. No Deny rights imposed anywhere.
 
Guest

This could be a myriad of problems. Most of the time, it is a DNS issue.

--
Derek Melber
BrainCore.Net
derekm@braincore.net
"Bill" <anonymous@discussions.microsoft.com> wrote in message
news:B93200A3-98AE-4D90-B00A-A6ED7C602A50@microsoft.com...
> Created domain Group Policy with Computer Config for workstations however
> it is not being applied across all workstations.
>
> For some unknown reason it applies the policy to one Authenticated User
> but not another. The only difference being that on the workstation, the
> policy is successful:
>
> On the workstation I have a;
>
> - desktop workstation
> - user has local admin rights
>
> On the other units on which the policy is unsuccessful;
>
> - laptop
> - standard user rights
>
> I've checked rights for Authenticated Users and it has Read and Apply
> Policy. No Deny rights imposed anywhere.
 
Guest

I am a bit confused as your post states "Local Group Policy" which would be
configured on the local machine via gpedit.msc yet you discuss read and apply policy
which would indicate a domain membership policy??

Computer configuration applies to computers - not users so the read/apply for
authenticated users would only have bearing on the fact that computers are members of
the authenticated users group.

If you are using domain/OU policy then the computers themselves must be within the
scope of influence of the policy such as if this is an OU GPO, the computers must
reside in that OU structure.

Computers must be configured properly in regards to dns and having a machine account
in good standing in the domain if this is a domain issue. Most problems are due to a
domain computer not having only AD domain controllers as their preferred dns server
in tcp/ip properties. Laptops will initially need to connect to a domain controller
to have their Group Policy configured and if the user logs on later with cached
credentials the last policy configuration will remain. You can use netdiag and
gpresult to troubleshoot Group Policy problems. Run netdiag first to make sure there
are not any pertinent failed tests/fatal errors in regards to dns, domain membership,
or dclist. If netdiag looks good then try gpresult. If laptops have software firewall
enabled, be sure it is disabled when connected to the lan or configured to not block
traffic to the domain controllers. --- Steve


"Bill" <anonymous@discussions.microsoft.com> wrote in message
news:B93200A3-98AE-4D90-B00A-A6ED7C602A50@microsoft.com...
> Created domain Group Policy with Computer Config for workstations however it is not
> being applied across all workstations.
>
> For some unknown reason it applies the policy to one Authenticated User but not
> another. The only difference being that on the workstation, the policy is successful:
>
> On the workstation I have a;
>
> - desktop workstation
> - user has local admin rights
>
> On the other units on which the policy is unsuccessful;
>
> - laptop
> - standard user rights
>
> I've checked rights for Authenticated Users and it has Read and Apply Policy. No
> Deny rights imposed anywhere.
 

bill

I'm trying to (have changed) Security settings in Computer configuration. I can see the changes in the workstation local policy but they do not appear to be applied, i.e. message text on login does not appear.
 

bill

DNS appears to be fine. Ran netsh diag and ipconfig locally and the client laptop has a host record in DNS.
 

bill

I worded that badly - you are correct. I'm new to W2K and the manner in which MS implemented Group Policy. Both machines are in the Computers container. I have no special delegation permissions set for groups other than the defaults and Authenticated users.

My domain policy security config is being applied to the Local Security policy at the workstation (I can see it) but with different results, i.e., message text will appear on one workstation but not another and gpresult indicates GPO Denied - Local Policy (empty) on the latter while it appears as an Applied Group Policy Object on the former.

Other than the two machines being different there is fundamentally no difference that I can see in AD between them.

I'm stumped!
DNS is fine, ran netsh diag, ipconfig and reviewed DNS - the workstation is updated in DNS correctly.
 
Guest

How many domain controllers are in your environment?
Make sure replication is occurring between them as it should and DNS is
configured on the DCs correctly.

Aimme
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Bill" <anonymous@discussions.microsoft.com> wrote in message
news:6C873F03-CECC-4BE5-B864-780CA0817451@microsoft.com...
> I'm trying to (have changed) Security settings in Computer configuration. I
> can see the changes in the workstation local policy but they do not appear
> to be applied, i.e. message text on login does not appear.
 

bill

Two controllers replicating fine. DNS is fine.

What I don't understand is that the Group Policy Security config is being applied to the workstation on some items but not others. I can see the policy at the workstation and I can change a setting in the Local/Security Config through the Domain policy and it will be applied to the workstation. Yet it does not apply the Message text setting on any system but mine so far and running gpresult on any workstation but mine indicates that the GPO is denied - Local Policy(empty) where mine is applied.

We're all in the same domain and the computers are all in the same container. The domain policy covers the entire domain.

What could be different about my computer that allows the policy to be applied on it and not others and why only partially applied on others? Makes no sense whatsoever.
 
Guest

Can you post the gpresult from your workstation and from another?

--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Bill" <anonymous@discussions.microsoft.com> wrote in message
news:B95AC42F-6A87-4FE8-B4F0-1B3E4DA54E2F@microsoft.com...
> Two controllers replicating fine. DNS is fine.
>
> What I don't understand is that the Group Policy Security config is being
> applied to the workstation on some items but not others. I can see the
> policy at the workstation and I can change a setting in the Local/Security
> Config through the Domain policy and it will be applied to the workstation.
> Yet it does not apply the Message text setting on any system but mine so far
> and running gpresult on any workstation but mine indicates that the GPO is
> denied - Local Policy(empty) where mine is applied.
>
> We're all in the same domain and the computers are all in the same
> container. The domain policy covers the entire domain.
>
> What could be different about my computer that allows the policy to be
> applied on it and not others and why only partially applied on others? Makes
> no sense whatsoever.
 
Guest

Did you run netdiag and if so did it pass all tests? Also try pasting a copy of
your gpresult from that machine in a reply. -- Steve


"Bill" <anonymous@discussions.microsoft.com> wrote in message
news:72BE463B-BD8A-4BB4-A6E5-2A338FE692BC@microsoft.com...
> I worded that badly - you are correct. I'm new to W2K and the manner in which
> MS implemented Group Policy. Both machines are in the Computers container. I
> have no special delegation permissions set for groups other than the defaults
> and Authenticated users.
>
> My domain policy security config is being applied to the Local Security policy
> at the workstation (I can see it) but with different results, i.e., message text
> will appear on one workstation but not another and gpresult indicates GPO
> Denied - Local Policy (empty) on the latter while it appears as an Applied Group
> Policy Object on the former.
>
> Other than the two machines being different there is fundamentally no
> difference that I can see in AD between them.
>
> I'm stumped!
> DNS is fine, ran netsh diag, ipconfig and reviewed DNS - the workstation is
> updated in DNS correctly.
 

bill

The first (bbergman) gpresult output is obviously on the system where the policy is fully applied. The second (jyoung) does not appear to be receiving the policy.

Single domain. All computers in same container and all on the same net. DNS appears to be configured correctly.


RSOP results for HQ\bbergman on BBERGMAN-DT : Logging Mode
---------------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: HQ
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\bbergman.001
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=BBERGMAN-DT,CN=Computers,DC=hq,DC=mycompany,DC=com
Last time Group Policy was applied: 5/26/2004 at 8:19:12 AM
Group Policy was applied from: wulfgar.hq.mycompany.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy
Local Group Policy

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
BBERGMAN-DT$
Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------
CN=Bill Bergman,OU=Information Systems,DC=hq,DC=mycompany,DC=com
Last time Group Policy was applied: 5/26/2004 at 8:12:31 AM
Group Policy was applied from: wulfgar.hq.mycompany.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
IT
LOCAL
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users

--------------------------------------------------------------------------------------------------------------------

RSOP results for HQ\jyoung on JYOUNG-LT : Logging Mode
-------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: HQ
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\jyoung
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=JYOUNG-LT,CN=Computers,DC=hq,DC=bader-rutter,DC=com
Last time Group Policy was applied: 5/26/2004 at 9:18:26 AM
Group Policy was applied from: wulfgar.hq.bader-rutter.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
JYOUNG-LT$
Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------
CN=Jane Young,OU=Account Services,DC=hq,DC=bader-rutter,DC=com
Last time Group Policy was applied: 5/26/2004 at 9:22:41 AM
Group Policy was applied from: grendel.hq.bader-rutter.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
AcctSvcs
LOCAL
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
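
An added example, not part of any post in this thread: Python that parses saved gpresult reports laid out like the two above and lists the GPOs one machine applied that the other did not, together with the filter reason. The sample reports, host names, user names and function names are constructed for illustration.

```python
import re
# Constructed, trimmed reports in the gpresult layout (names are made up).
REPORT_A = """\
RSOP results for EXAMPLE\\alice on DESK-01 : Logging Mode
COMPUTER SETTINGS
------------------
Applied Group Policy Objects
-----------------------------
Default Domain Policy
Local Group Policy
The computer is a part of the following security groups:
Domain Computers
USER SETTINGS
Applied Group Policy Objects
-----------------------------
Default Domain Policy
"""
REPORT_B = """\
RSOP results for EXAMPLE\\bob on LAP-02 : Logging Mode
COMPUTER SETTINGS
------------------
Applied Group Policy Objects
-----------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
USER SETTINGS
Applied Group Policy Objects
-----------------------------
Default Domain Policy
"""

def parse_gpresult(text):
    """Return host, user and applied/filtered GPOs per scope from one report."""
    rep = {s: {"applied": [], "filtered": {}} for s in ("COMPUTER", "USER")}
    scope = section = last = None
    for line in (raw.strip() for raw in text.splitlines()):
        head = re.match(r"RSOP results for (\S+) on (\S+)", line)
        if head:
            rep["user"], rep["host"] = head.groups()
        elif not line or set(line) == {"-"}:
            continue  # blank lines and dashed rules carry no data
        elif line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope, section = line.split()[0], None
        elif line == "Applied Group Policy Objects":
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif "following security groups" in line:
            section = None  # group membership list, not GPOs
        elif scope and section == "applied":
            rep[scope]["applied"].append(line)
        elif scope and section == "filtered" and line.startswith("Filtering:"):
            rep[scope]["filtered"][last] = line.split(":", 1)[1].strip()
        elif scope and section == "filtered":
            last = line  # GPO name; its reason follows on the next line
            rep[scope]["filtered"][last] = ""
    return rep

def diff_reports(a, b):
    """GPOs applied in a but not in b, with the reason b gives for filtering."""
    return [(scope, gpo, b[scope]["filtered"].get(gpo, "not listed"))
            for scope in ("COMPUTER", "USER")
            for gpo in a[scope]["applied"] if gpo not in b[scope]["applied"]]

if __name__ == "__main__":
    print(diff_reports(parse_gpresult(REPORT_A), parse_gpresult(REPORT_B)))
```

"Not Applied (Empty)" is the reason gpresult reports when a GPO holds no settings for that scope.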
 

 

bill

Did have a DcList fail on the test system. Then I set the message title as you suggested and now it works on all systems!!!

What the hell is that about?
 
Guest

Failure of dclist may mean the machine password has expired due to not being
connected to the domain for more than thirty days or other problems communicating
with the domain controllers/computer account. As far as message title, I remember
reading somewhere that it is required in order to use text message. --- Steve


"Bill" <anonymous@discussions.microsoft.com> wrote in message
news:24AF8A58-92E4-4896-B507-4D6AA90693EE@microsoft.com...
> Did have a DcList fail on the test system. Then I set the message title as you
> suggested and now it works on all systems!!!
>
> What the hell is that about?
 

bill

The machine I was getting the dclist failure on has been up and connected nearly every day. Other than the DClist failure there is no hint that the laptop has any trouble.

As for the message test problem - it was popping up just fine on my system without the title bar. Another MS mystery?

I am still getting in the Computer Config gpresult the GPO Denied on the Local Policy (empty) on the laptop but it comes up applied on my workstation. Although it seems to be applied on both. I'm at a loss.
 
Guest

Are the users on these two systems on the same access (security) levels? I have seen policies fit coolly on systems with high rights and never applied on systems with users with only user rights.
 

bill

Shouldn't matter. It's the Computer Configuration\Security settings that don't appear to be applied at the workstation according to gpresult output. In fact they do apply, so why does gpresult tell me my Local Policy is applied on one and not the other?
 
Guest

I am not sure why you consistently get the dclist failure if your dns is
configured correctly and you have network communications to the domain
controller. As long as you do not get a fatal error in the trust
relationship test, you still should have a computer account in good standing
in the domain. I have never seen the GPO denied for Local Group Policy
before, particularly for computer configuration which is configured by
default. So at this point I am at a loss also but will keep thinking about
it. --- Steve


"Bill" <anonymous@discussions.microsoft.com> wrote in message
news:93E552D0-D83A-4EBB-8617-E6E6C10ADD94@microsoft.com...
> The machine I was getting the dclist failure on has been up and connected
> nearly every day. Other than the DClist failure there is no hint that the
> laptop has any trouble.
>
> As for the message test problem - it was popping up just fine on my system
> without the title bar. Another MS mystery?
>
> I am still getting in the Computer Config gpresult the GPO Denied on the
> Local Policy (empty) on the laptop but it comes up applied on my
> workstation. Although it seems to be applied on both. I'm at a loss.
 

bill

This particular issue is driving me batty, since it does seem to be applying the Computer Config security setting to the box's Local Policy. The DCList failures are corrected so that avenue is a dead-end. Since I'm new to this flavor of MS Server I've gotta think I'm missing something but don't know enough yet to ID it.

I have taken the machines out of the default Computers container and moved them to their respective OUs and I'm going to do some troubleshooting. Because I used the Default Domain policy rather than creating a new default I'm going to restore the original with Dcgpofix (just the domain not the domain controller policy) and create a new one from scratch and see if I can't at least get it to work and report properly at the OU level before I apply it to the domain.

Can't think of anything else to do at this point.

Thanks for your help. If you have an epiphany let me know.