JB Blanco

asked on

Can't get my Screen Saver Timeout Group Policy to work right

I have the following environment:

2 DC servers

1 Win 2008 R2 x64 (this server holds all the FSMO roles)
1 Win 2003 x64

15 workstation PCs, all running Win 7 Professional except for one on Win XP Professional.


I have an active directory environment with all my users in the CSI Employees OU and my computer accounts in the CSI Computers OU.

I have created this policy in the default domain policy and it is applied/inherited everywhere.  

I set the policy as follows

in GPMC

User Settings/policy/administrative templates/control panel/personalization

Enable Screen Saver = Enabled

Prevent Changing the Screen Saver = Enabled

Password Protect Screen Saver = Enabled

Screen Saver Timeout = Enabled set for 600 seconds

Force Specific Screen Saver = Enabled set to "scrnsave.scr"

Everything else is Not Configured


For some reason, on some of my workstations the screen saver timeout is happening almost immediately, like 1 or 2 minutes, instead of the specified 600 seconds in the policy.

I have troubleshot these workstations and they are applying both computer and user settings when I run a gpupdate /force.

I've also tried rebooting them with no success.

I have had to remove these policy settings until I can figure out what's going on.

Please help.
Esteban Blanco

Try the following:

Point one computer's DNS to the 2008 DC.
Take that ONE computer out of domain.
Delete computer account from AD on 2008 DC.
Join computer back to domain.
Test.

If that gives you the same problem, then point to the DC that has 2003 Server and do the same.

See if the problem lies in the 2003 Server or 2008 server.
JB Blanco (ASKER)

Oh, I forgot to mention that I have everyone pointed to my 2008 DC already.

I will try what you mentioned, but do you really think that my 2003 is causing the issue?

What is your reasoning for this? Just curious.

I have been planning to take the 2003 DC down for an upgrade to 2008 but have not gotten to it yet.
As far as I can see, my 2003 DC has all the Group Policy updates that I set on my 2008 DC.

Everything is the same.
I have seen this in the past where the domain was running originally on 2003 and a 2008 server was introduced as a DC (with FSMO roles in it) and caused all kinds of problems. This is how I fixed it after conferencing with Microsoft. It also forced us to get the domain upgraded to 2008 faster. Makes sense?
Yes, thank you for explaining that. That is probably my problem.

Do you think I should just wait until I upgrade my 2003 DC to 2008 R2 before I even bother with this?
Question.

If I remove a workstation from the domain and re-add it, won't that cause a problem with domain user accounts?

For example, the users already have a cached domain user profile on these workstations. If I remove and then re-add the workstations to the domain, when they log in again won't it create another user profile and cause issues?
It shouldn't because the files are staying on the C: drive under the folder Users.  So when you join back to the domain and log in using the same user in AD, you should be fine.

Tip:  Backup users folders if it makes it more secure.  I have disjoined and rejoined servers and workstations to domains since Server 2000 and XP and unless the profile is messed up, I have not seen a problem.  Backup backup backup.  That's your friend.
But should I just wait and upgrade my 2003 DC?
You could do that and wait.  The whole point is to prevent this from happening while you are still on the 2003 domain level.

Thinking more about this, you could create a GPO that is specific to this and not put it in the DDP (Default Domain Policy).  You can create an OU just for this and put one machine in it and apply the GPO and see if you get the desired results.

I can't stress this enough.  When you are going to raise the domain functional level, be careful.  Do good backups of your AD my friend.  I'm putting a Technet article here so you have it in case you have not researched it.  http://technet.microsoft.com/en-us/library/cc772570.aspx

Let me know if this helps.
Thanks,

I actually already raised my domain functional level and forest prepped and domain prepped everything.

Had to do it when I first introduced the Win 2008 R2 DC into our environment.

I also did a Group Policy prep, or GPPrep.

You think this is why I am having this problem?

Oh, and the reason why I am using the Default Domain Policy is because I first had tried creating a new policy just for the screen saver and applying it to the necessary OUs, and this had no effect whatsoever. When I made the changes to the Default Domain Policy, I started to get some results but am having the issue described in this thread.
That's odd.  Putting a screensaver GP and enforcing it should have done the trick. Hmm.  Like I said, we saw this problem (not screensaver specifically but GPO issues) when we raised all server but still had older servers in the forest.
Damn, I didn't enforce it. Maybe that would have done it.

I did not think I had to, since the Default Domain Policy had everything set to Not Configured and I thought GPOs at the OU level would supersede the default GPO.
I assumed it was enforced.  This is why sometimes it's good to create specific GPOs for company specific things.

For example:
You want to enforce all 15 machines to have a sleep pattern on power settings.  You create it on the default policy.  Then your CEO comes and tells you that he hates it and he doesn't want his computer or any other C level executive to have it.  Now you have to put those computers in a different OU with a different GPO.

Default is great for password enforcement, password history and the big broad things, including a time to put the screensaver.  You also don't want to go so granular with a bunch of GPOs that maintenance becomes a nightmare.  Keeping it simple is good, but so is creating GPOs for different things, for example a GPO called "Desktop settings" where you put the background color, screensaver, power saving options, what they can and cannot do on IE, installation of software, etc.

Cheers!

Esteban
Okay, I did the following:

Pointed my workstations to my Win 2008 DNS.

I created a test OU and moved all my user groups to that OU and linked a Screen Saver GPO and enforced it.

Let's see what happens.
Damn, still not working.


Okay, the new OU seemed to work.

I moved one user account to it and tested it and it worked. When I ran gpresult on that workstation I could see the screen saver policy being applied to the user settings.

However, we still have a problem because when I re-made that same user account a member of the user group CSI Employees and then moved that user group to the Test OU, the GPO is not getting applied.

It seems to only be working for a single user account and not affecting a user group.

I did everything you said, what else do you think may be causing the problem?
And yes, I rebooted and ran a gpupdate /force after every change I made.
It has to be a setting on the GPO.  Let me do some thinking tomorrow my friend and see if I can come up with a solution.

Can you send me all the settings please?  Screenshots as well please?

Esteban Blanco
[three screenshots attached]
I may have said it wrong.

Create a new policy for the screen saver and enforce it to that OU only.  Don't link it to the Default one.  Create one that is for screen saver only to that OU and let's see what happens.  Enforce it.
What are you referring to?

I did create a stand-alone policy called Screen Saver and linked it to that Test OU.

Of course it is still inheriting the Default Domain GPO.

Should I uncheck Link Enabled?
Yes.  Do not let it inherit because the default policy will take precedence.
[two screenshots attached]
OK,

I unchecked "Link Enabled"

No luck.

There is nothing configured in the Default Domain GPO that would take precedence over the Screen Saver GPO.

And besides, the Screen Saver GPO gets applied no problem when I just have a single user account in that OU. It's just not applying to the user group for some reason.
I am about to pull my hair out and I am bald right now because of Movember.  Let me keep digging.  This is not normal.

Any other expert is welcome to chime in!  I'm running out of ideas.
I think I mentioned it earlier in the thread description but,

when I configure the screen saver settings in the Default Domain GPO it behaves the way described in the thread, where instead of 600 seconds for the screen saver to kick in, it happens in 2 minutes.

Mind you, this is after removing the workstation from the domain and re-adding it, making sure the DNS is pointing to my Win 2008 R2 DC. (I don't see how this would do anything as it's the user settings in the policy we are concerned about and not the computer settings.)

And yes, when I create a test OU and put just one single user account in that OU and apply the Screen Saver GPO to it, everything works fine. If I remember correctly, I did not even have to enforce it. When I run gpresult /r, I can see both the Default Domain Policy and the Screen Saver policy being applied.

So basically for now it seems that I will have to move every single user account into that OU!
lol
Before I introduced my Win 2008 R2 server into the mix, we were just running one Win 2003 DC and it held all the FSMO roles.

Then I installed a brand new 2008 R2 DC and moved all the roles (yes, including the Schema) over to this server.

After a month now I want to get this damn screen saver GPO working right and these are the problems I'm having.

Do you think that the domain functional level has anything to do with it? Right now it's stuck at Win 2003.
I do.  I think it has everything to do with it but I wanted to see if we could find a solution with what you have right now.  If that domain controller doesn't hold any roles that will impact production, we could try turning it off.

Something just came to mind.  Are the clients hard coded to go to that DC for authentication and DNS?

The problem I see is that the 2003 server is taking over the 2008 server.  Ideally, you want to run your forest and all FSMO roles in the same domain functional level as you know.  This 2003 server seems to be the issue but in order to ensure that the screen saver (and all GPO policies for that matter) work, we are taking a chance by decommissioning the 2003 box.  If all clients are DHCP and there is nothing hard coded on them to always favor the 2003 server AND you are sure you can run the enterprise from the 2008 DC, then I would say we turn it off and see if that makes it work.

We have looked at the policies and have applied the policies correctly as far as I can tell.

What do you think J?

QUESTION FOR MODERATORS:
Am I allowed to give this user my phone number to speak to him and assist him?  I don't want to break the rules hence why I am asking.

Esteban
ktaczala
I haven't seen anywhere here where you ran RSOP (Resultant Set of Policy).
On the client machines run mmc, Resultant Set of Policy, this machine, current user (assuming you're logged in as the user), and see which GPO is applying the Screen Saver policy or if it's being denied.
Also run it from the servers selecting another computer and user (select client PC and user). What are the results?
That's a good idea from ktaczala. I could have sworn this was done but it's worth the try. Would you agree with my statement above that 2003 server could be causing issues?  We have been working on this for over 48 hours.  I'm glad another expert is chiming in.
Very well could be. From what I remember, in Windows 2003 you got to the policy through Group Policy Object Editor, whereas in 2008 you use GPMC. I would verify that only the 2008 policies are being implemented.
Ok. I'm glad I am not going crazy here. That's what I have said from the get go that the 2003 server could be the cause because of the differences between them. That's why I suggested turning it off and forcing the clients to the 2008 server with the right policies applied with the caveat that the 2003 server is ready for decommissioning.
Yeah, I am planning to do that.

All my clients are hard coded with a static DNS of my Windows 2008 R2 server.

I will try RSOP as I have not tried that yet.

I will be taking this 2003 server down this weekend just to be safe, with no users complaining if something goes wrong.

Thanks for all the help!

I will get this working one way or another.
You are welcome bro.  I am glad another expert agreed with my assessment.  Let me know how it goes this weekend and don't forget to reward points.  :)

Cheers!

Esteban
Hey,

I have one quick question. I've never had to decommission a DC before.

Do I demote it first before I take it offline?
Mind you, this Windows 2003 DC holds absolutely no FSMO roles.
Yes, dcpromo to make it a domain member, then remove it from the domain.
Correct.

Here is an article with step-by-step instructions on how to do it.  Since you moved the FSMO roles already, you may be able to skip some parts.  This is how to do it cleanly.

http://technet.microsoft.com/en-us/library/cc755937(v=ws.10).aspx
OK,

did that,

I tested it again.

I applied the Screen Saver GPO to the Test OU and blocked policy inheritance, and I also enforced it.

I put the CSI Employees user group, which contains all my users, in the Test OU.

I went ahead and took a computer account and removed it from the domain and re-joined it, even though it probably doesn't matter.

I logged in with one of the user accounts from the group CSI Employees and opened up a command prompt and ran gpupdate /force,
then I ran gpresult /r.

Same crap.

Only the Default Domain Policy is being applied!!!

I am going to run RSOP next and see WTF is going on!
I think there is something seriously wrong with Group Policy!!!

I ran an RSOP using my domain admin account and under user settings, I don't see an Administrative Templates folder listed.

But all the settings in my Default Domain Policy have a red X on them as if they are not getting applied. I think this is normal because I blocked inheritance. But again, my Screen Saver GPO does not exist according to RSOP and gpresult.

PLEASE HELP!

What do you think is going on?

I decommissioned my Win 2003 DC and removed all traces of it from AD. Is there a command I can run to see if any traces of it are still left, maybe in the schema?
It's the weirdest thing!

Again, I tested a single user account in that OU and my Screen Saver GPO applies perfectly.

I even tried deleting the policy from Group Policy Objects in GPMC and re-creating it.

It only applies to single user accounts and not user groups!

I was going to try to delete the group from AD and recreate it adding all my user accounts to it again and test it that way.

Any ideas?
OK,

I've narrowed it down to my GPO just not applying to user groups whatsoever!!

I don't know WTF is going on!

I've tried deleting and re-creating the group.

I've tried moving the Domain Users group to the OU.

I've tried adding just one user to my user group.

The GPO just won't affect groups at all!

I have to put every stinkin' user group individually in that OU for it to apply my damn GPO!

But the Default Domain Policy always gets applied without fail!
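A diagnostic that separates the two things being conflated in the exchange above: where a GPO is in scope (it applies to user and computer objects that live under the OU it is linked to; placing a group object in that OU does not put the group's members in scope) versus who within that scope is allowed to apply it (security filtering, which is where a group belongs). This PowerShell is an added example, not from the thread or from Microsoft; the GPO, group, OU, user and computer names are placeholders, and it assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined admin workstation.

```powershell
# Added diagnostic (not part of the thread): check GPO scope, links, security
# filtering and the user object's container, then produce an RSoP report.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName    = 'Screen Saver'                 # placeholder: GPO name from the thread
$GroupName  = 'CSI Employees'                # placeholder: group moved into the test OU
$TestOu     = 'OU=Test,DC=example,DC=com'    # placeholder: DN of the test OU
$SampleUser = 'jdoe'                         # placeholder: sAMAccountName to test
$Computer   = 'WS01'                         # placeholder: workstation for the RSoP

# 1. Is the GPO itself healthy? GpoStatus 'UserSettingsDisabled' would explain
#    a user-side screen saver setting never arriving.
$gpo = Get-GPO -Name $GpoName
Write-Host "GPO '$($gpo.DisplayName)' status: $($gpo.GpoStatus)"

# 2. Links define scope. Is the GPO linked to the OU, enabled, and enforced,
#    and is inheritance blocked there?
$inh = Get-GPInheritance -Target $TestOu
$inh.GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order | Format-Table -AutoSize
Write-Host "Inheritance blocked on ${TestOu}: $($inh.GpoInheritanceBlocked)"

# 3. Security filtering decides who, within scope, may apply the GPO.
#    This is the only place where a group should be doing the work.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{Name='Trustee'; Expression={ $_.Trustee.Name }}, Permission |
    Format-Table -AutoSize

# 4. The user object's own location decides whether the OU link is in scope,
#    regardless of which groups the user belongs to.
$user     = Get-ADUser -Identity $SampleUser -Properties MemberOf
$groupDn  = (Get-ADGroup -Identity $GroupName).DistinguishedName
$inTestOu = $user.DistinguishedName -like "*,$TestOu"
$inGroup  = $user.MemberOf -contains $groupDn
Write-Host "User DN      : $($user.DistinguishedName)"
Write-Host "User in OU   : $inTestOu"
Write-Host "User in group: $inGroup"
if ($inGroup -and -not $inTestOu) {
    Write-Warning ("User is a member of '$GroupName' but lives outside $TestOu. " +
        "OU-linked GPOs apply to objects in the OU, not to members of a group object " +
        "stored there: move the user object, or link the GPO where the users live " +
        "and filter it to the group.")
}

# 5. Resultant Set of Policy for this user on this computer, as an HTML report
#    (the PowerShell equivalent of the RSOP snap-in / gpresult /r).
$report = Join-Path $env:TEMP "rsop-$SampleUser-$Computer.html"
Get-GPResultantSetOfPolicy -User "$env:USERDOMAIN\$SampleUser" -Computer $Computer `
    -ReportType Html -Path $report
Write-Host "RSoP report written to $report"
```

If step 4 warns, the symptom described in the thread (single accounts in the OU get the GPO, the group does not) is expected behaviour rather than a broken domain.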
Did you decommission the 2003 server?
If you read my posts you will see that I did.  Yes of course
My mistake. Using my phone. Didn't see the comment. The last thing I can think of is to disjoin one test client from the domain, delete it from AD, join it back to the domain and see what happens. I'm almost to the point where I may recommend calling Microsoft. My apologies in advance if you already did this. Just trying to help.
Yes, of course I already did this, and again, how would that do any good if the settings in the policy we are concerned with are the user settings and not the computer settings?

This Screen Saver GPO only affects the user settings. So disjoining a test client from the domain would do nothing. Am I right with this logic?
Interesting link.

Do I have to add my CSI Employees security group to the Screen Saver GPO security settings?
Just tried it.

No luck.

Same issue.
Something is really weird.  If I had a Gmail account I would use my username from this website as my email.  I wish I could help you over the phone and do a remote control session to see if it jumps at me but I cannot provide you my phone number or email here.

With a remote session, I may be able to at least take a look and see if we can figure this out but you know...

Esteban
Try putting a computer in the security group instead of a user, then remove Authenticated Users from the filter and add the OU that you made for the computer, to see if it's working.
OMG!!!!!!!
Look what I discovered when I ran gpresult /r on one of my client machines:
[screenshot attached]
AHA!  WINDOWS 2000!  There you have it!  I have been in that soapbox from the beginning that the clients are not talking to the new upgraded domain!  :)  You may know this already but you cannot jump from 2000 to 2008.  Go from 2000 to 2003 (we assumed the domain was already up to 2008).  I just attached a document on how to do this step by step.

Let me know if I can help more.  My profile here in EE has my website and there is a contact number there.

ADDS-Domain-Upgrade.doc

Cheers!

Esteban
Wow,

hold on!

As far as I am concerned, I forest prepped and domain prepped my Win 2003 DC before introducing my Win 2008 R2 DC into the mix!
Once that was done, I moved all the FSMO roles over to the Win 2008 R2 DC.

Left everything like that for 6 weeks before creating this Screen Saver GPO.

There were no instructions as to having to upgrade the clients as well!

WTF!???
If you already said this I'm sorry. Did you disjoin a client from the domain, delete it from AD and re-join it to the domain and see if it recognizes the upgraded domain?  It's late so I will look at your response tomorrow.
I don't think you understand what's going on here.

I don't have any other servers in my network.

I've only had 2 DCs in my network.

One Windows 2003 DC that was recently decommissioned and removed from AD. Also removed physically.

And one Win 2008 R2 DC.

That's it.

I'm guessing before I introduced my Win 2008 R2 DC into the mix, all my workstations were functioning at Win 2000 level.
So I went ahead and raised the domain functional level to Win 2003 and my forest functional level to Win 2003.

Then I forest prepped and domain prepped my Win 2003 DC so that I could introduce my Win 2008 R2 DC into the mix, and for some reason all my workstations are STUCK at Win 2000 functional level?

I am looking through that document you gave me but I am having a hard time trying to find out how to get my workstations raised to Win 2008 R2 functional level.

I already checked and made sure my current forest and domain functional levels are Win 2008 R2.

And yes, I have completely removed a test workstation from the domain and deleted it from AD and then re-joined it.

Still says Domain Type Win 2000!

FYI, I did not change the name of the workstation when I re-joined it to the domain.
Would this cause an issue?
No. It shouldn't. I understand the situation.  Let me sleep and look at this over again. Put all information gathered.

Those machines used to be in the domain function of Windows 2000.  My initial thought is that in the upgrade of the domain something didn't take and somehow it has cached the GPO settings locally. Again, it's late so I want to start fresh tomorrow.
I'm sorry for keeping you up!

Thanks for all your help!

I really appreciate it.

I was not expecting a response from you until tomorrow, that's why I posted so many explanations, so that you could read it tomorrow.

Again, sorry for keeping you up. Have a good night.
I also tried clearing the GPO cache on the client workstations after rejoining them to the domain and running a gpupdate /force.

No luck.

Still says domain type Win 2000!

There must be a command in ntdsutil that cleans this up.

I don't think it's the workstations' fault. I think it is my domain that's all F'ed up!
Yes.  This is the domain. I have read this over and looked through possible answers. One thing we haven't done that we should have done a while back (my fault). What do the logs say?
I will check that as soon as I get a chance.
Should I look at the log on the workstations or the server?
I'm looking at Event Viewer for both the DC and my workstations,

what should I be looking for in particular?
I just finished reading this article:
http://www.404techsupport.com/2012/05/why-does-gpresult-say-domain-type-windows-2000-on-a-server-2008-r2-domain/

So it seems that gpresult was never updated and that's why it still shows domain type: Windows 2000.

It does not matter whether you have a Win 2003, 2008 or 2008 R2 domain functional level.
Gpresult will always show this!

So I made sure my domain and forest functional level is Win 2008 R2 by clicking Properties on my domain in AD or GPMC.

Just an FYI.

So my domain may be alright after all.

Now it's down to an issue with my groups or user accounts or OUs.

I don't KNOW!
OK I'm back.  Long story and long day.

So everything per the domain controller and test client logs show that everybody is talking the right way and your domain is good.  Excellent.

I just found this article (http://support.microsoft.com/kb/977944).  I wonder if that is why it is not applying.

You have already done what I would have done.  I would have created an OU in Group Policy Management and applied the settings to it and then down to the computers.  

I'm running out of ideas here.  You are not using a third-party tool to create the screensaver or anything like that correct?
Correct.
The Screen Saver GPO has nothing to do with a desktop wallpaper.

But thanks anyway.

It's just not applying the way it should.

Like I said, it's only applying to individual user accounts that I move to that OU.

It won't apply at all to a user group.

I have tried putting a security filter for the user group in the policy to allow "Apply group policy".

Block policy inheritance does nothing. In GPMC it shows that that OU is not inheriting any domain level GPO, but when I run a gpresult /r on the workstations, it shows the Default Domain GPO being applied! I double checked and it's not being Enforced, so I don't know why it's being applied.
The part that I don't get is that it should apply to the local computer and not the user.  The GPO created is a computer policy as opposed to a user policy, which is why I don't get why it is not applying.

I would literally have to start from scratch by removing all screensaver settings and the specific screensaver GPO, create the OU in GPMC and that should work.

Maybe it's time to call Microsoft.  I know there are geniuses in this website that could probably fix what we have been working on for three days in five minutes.  I am just out of ideas without being able to do a remote session and seeing it myself as you apply settings to see if something jumps at me.  That's where I'm at.  I'm willing to do a remote session and per my company's standards, the name of your company would be confidential and this would be of course free of cost to you.  I am just puzzled and a little ticked that this is not working.

It's your call.  My website information is under my profile that you and anyone can view on EE and you can contact me directly or call Microsoft.

Esteban
Do you think it's because my Default Domain Policy has password policy settings enabled?

I read somewhere that this applies to the domain rather than the user settings, and this might be why I still see the Default Domain Policy being applied to that OU even though I specifically have it set to Block Policy Inheritance.

Anyway, I still am trying to figure out why my Screen Saver GPO only applies to individual user accounts and not user groups.
At this point I would be guessing.  In my opinion of doing consulting work around the world for 12 years, policies that are specific to screen savers, software installation regulations, etc. are normally done outside the default domain policy.  I have used (and Microsoft taught me this but it could have changed) that the DDP should be used for password history, complexity, etc.  Granted your environment is not thousands of computers in 5 different countries.  That is when this can become a nightmare.  Been there done that.  My point is that this is not a complicated thing.  You create an OU where you put all of your machines.  You apply to that OU the DDP and also apply any other policies that you create on the side, enforcing it to the OU and allowing the DDP and any other policies to play nice.

I have this link I saved years ago that is an architecture guide on how to create policies (best practices).  Glance at it and see if it makes sense.

http://www.grouppolicy.biz/2010/07/best-practice-group-policy-design-guidelines-part-2/
Thanks for the link!

Do you have any idea why the Screen Saver GPO will only apply to individual users and not user groups?

I mean, I went ahead and just put every user account one by one in that OU and the GPO seems to be applying OK when one of those users logs in to the domain on a workstation.

I guess I am gonna keep it like that, but it seems like a band-aid rather than a fix to the problem,
and I will always be wondering if my Group Policy and domain are functioning properly.
You're right, this is a very simple network and yes, I have only password policy settings configured in my DDP right now.
This is why I wanted to send you the link.  I have a client that has offices in three countries.  The way the GPO's are setup are by OU's everywhere.  We have an OU called "Executives Buenos Aires" and apply a specific GPO of what they can and can't do.  "Accounting Buenos Aires" and another GPO.

You don't have that problem.  You have your DDP and then you create a screensaver GPO that is NOT under the built-in Computers OU but a hand made OU, and you should be able to apply it to computers or users.  It just depends on how you set it up.

I agree when you say it's a band aid but I suggest you look deeper because if the company grows, you are going to have a nightmare ahead of you maintaining the environment.
I know! That's why I am here on experts-exchange.com LOL!
I think it might have something to do with the fact that I GPPrepped my Win 2003 DC before I introduced my Win 2008 R2 DC. You think?

It was an optional thing when installing a Win 2008 R2 DC into a Win 2003 environment.

Do you think this is what messed it up?

Are there any command line tools that will clean up my GPOs and let me start a brand new database of GPOs for this new Win 2008 R2 environment?
I'm still broke here.
I posted this on the 17th. Unless another expert comes in to save the day...

Posted on 11/17:
Maybe it's time to call Microsoft.  I know there are geniuses in this website that could probably fix what we have been working on for three days in five minutes.  I am just out of ideas without being able to do a remote session and seeing it myself as you apply settings to see if something jumps at me.  That's where I'm at.  I'm willing to do a remote session and per my company's standards, the name of your company would be confidential and this would be of course free of cost to you.  I am just puzzled and a little ticked that this is not working.
You are welcome to do a remote session.

You ever heard of TeamViewer?

!!!!
Just say the word and I'll install TeamViewer and you can remote in.
My contact email is Techboss.it@gmail.com

Please email me so we can communicate more securely.
Okay, I am opening up another thread called

Can't completely remove Windows 2003 domain controller after demoting it using dcpromo

if you want, meet me there.

Thanks.
Check your email.
ASKER CERTIFIED SOLUTION
Esteban Blanco
The fix was to take the extra screen saver policy and apply it to the Default Domain Policy instead. The environment is 10 computers. No need to have a specific GPO for it when you can do it at the top level.