Machine Policy not being applied

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hey all,

Well I am finally going insane. I have built a custom ADM file for testing
and it appears to work well for the USER settings but I could not get it to
work with the Machine settings.

I created a new policy off the Domain and applied it to my user account.
GPResults shows it being blocked - security

I created a new OU and moved my user account into the OU. Created a GPO and
applied it to Authenticated users. Same results as above.

I added the template to the Default Domain Policy - IT WORKED FINE. Anyone
have any ideas of what to do now?

Thanks in Advance.

John Price
JWP@Beco.com
 

Hi John

I'm not totally clear on what you're doing but for the machine settings to
apply, the computer account must be in the OU to which the policy is
applying, the computer configuration settings must not be disabled and the
computer account must have read and apply group policy permissions
(authenticated users takes care of this).

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

 

Mark,
Thanks for the help. Here is (hopefully) a better explanation.

I open the properties at the root of the domain - right under Active
Directory Users and Computers. In our case Firm.BEC.com. Under Group Policy
I added a new policy object. In the new policy I install my addin which
makes changes to both [USER] and [MACHINE] registry settings - these changes
are preferences. I then apply the GPO security to only the group that uses
the software that we are trying to configure registry settings for. Under
this scenario the [USER] settings are applied but the [MACHINE] settings are
blocked by security. If I edit the Default Domain Policy and add the new ADM
template here both [USER] and [MACHINE] settings work fine.

We can do this but would prefer to have the settings only apply to users
of the software not all users in the domain.

Thanks again.

John

 

The bottom line is that the computer account does not have permissions to
read/apply the policy like they do with the Default Domain Policy. If there
are a group of machines that use this software you could create a group and
add the machine accounts to that group with read and apply permissions to
the policy as well as the users that use the policy (or add the machines to
the same group with the users). Or you can put those machines in an OU and
apply the machine portion of the policy to that OU.

Beyond those 2 ways there isn't a great answer.

--
Gary Mudgett, MCSE, MCSA
Windows 2000/2003 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


 

Gary,
Well at least I know why it does not work. It is not the end of the world
to apply the settings to everyone. It just violates my sense of aesthetics.

Thanks

John Price

 

Hi John

Is this software installed everywhere or just on a few machines? As Gary
said, you could restrict the application of the policy to those machines
which are used for this purpose by putting them in a common OU or applying
security specific to the computer accounts.

If it's a case where users move from machine to machine and the software is
applied everywhere, perhaps you could create two GPOs, one for the user
settings (and have that apply only to the users) and one for the computer
settings that applies everywhere.

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

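The behaviour discussed in this thread, as an added example that is not part of any poster's message: a small Python model of GPO security filtering in which the user half and the machine half of a GPO are each checked against their own account's group memberships. All account, group and domain names are hypothetical, and the model deliberately ignores inheritance blocking, enforcement and WMI filters.

```python
from dataclasses import dataclass, field

READ, APPLY = "Read", "Apply Group Policy"

@dataclass
class Gpo:
    name: str
    link: str                      # DN of the domain/OU the GPO is linked to
    acl: list                      # (trustee, right, "allow" | "deny") entries
    computer_enabled: bool = True  # False = computer configuration disabled

@dataclass
class Principal:
    dn: str                        # distinguished name of the account
    groups: set = field(default_factory=set)

    def token(self):
        # Every authenticated account, computer accounts included,
        # is a member of Authenticated Users.
        return self.groups | {self.dn, "Authenticated Users"}

def granted(gpo, principal, right):
    """Deny entries win; otherwise any matching allow grants the right."""
    hits = [mode for trustee, r, mode in gpo.acl
            if r == right and trustee in principal.token()]
    return "deny" not in hits and "allow" in hits

def in_scope(gpo, principal):
    # The account must sit at or below the container the GPO is linked to.
    dn, link = principal.dn.lower(), gpo.link.lower()
    return dn == link or dn.endswith("," + link)

def applies(gpo, user, computer):
    """Return (user_half, machine_half); each half uses its own account."""
    user_ok = in_scope(gpo, user) and all(
        granted(gpo, user, r) for r in (READ, APPLY))
    machine_ok = (gpo.computer_enabled and in_scope(gpo, computer) and all(
        granted(gpo, computer, r) for r in (READ, APPLY)))
    return user_ok, machine_ok

def filtered_to(*trustees):
    """ACL granting Read and Apply Group Policy to the given trustees only."""
    return [(t, r, "allow") for t in trustees for r in (READ, APPLY)]

# Constructed sample data; every name below is hypothetical.
DOMAIN = "DC=example,DC=test"
user = Principal("CN=jdoe,CN=Users," + DOMAIN, {"AppUsers"})
pc = Principal("CN=PC01,CN=Computers," + DOMAIN)
pc_in_group = Principal(pc.dn, {"AppComputers"})

default_like = Gpo("default-style", DOMAIN, filtered_to("Authenticated Users"))
users_only = Gpo("users-only", DOMAIN, filtered_to("AppUsers"))
with_machines = Gpo("users+machines", DOMAIN,
                    filtered_to("AppUsers", "AppComputers"))
```

`applies(users_only, user, pc)` gives the split result described in the thread, while `with_machines` with `pc_in_group` corresponds to adding the machine accounts to a group that has read and apply permissions.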