Problems with Group Policy in Active Directory

Hello. I'm a department assistant (student) for the computer science department at California Lutheran University. We are setting up a new Windows XP image to deploy in our labs. We are currently using a Windows 2000 server as our Domain Controller.

I have been trying to work on a group policy for the lab login accounts. These accounts (called D11 and D14 named for the lab room names) have roaming profiles. In the Active Directory Users and Computers section, I have an organizational unit called "Lab Accounts" directly under the domain controller server. This OU has a group policy that I have been working on. In this OU are the D11 and D14 users. These users are part of the "Domain Users" and "CS Labs" (primary) security groups. I have set allow Read and Apply Group Policy permissions for both of these groups on the Group Policy Object.

My problem is that the group policy is not being applied when I log in to the workstation I have been working on as D11. However, the D11 account is prevented from accessing the desktop properties dialog (I did not enable this behavior in my group policy). I have never worked with active directory in this way before, so I do not know if I'm doing something wrong, but as far as I can tell I'm doing everything by the book, and it should work. I did not set up the Domain Controller server myself, that was done by someone else who I have been unable to contact, so I am unsure if there is something on the server that is causing the problem. If anyone could help me out, I would be very grateful.

-Sam Fahmie
Who is Participating?
Netman66Connect With a Mentor Commented:
There are two parts to the GPO - the Computer Configuration and the User Configuration.  It depends on what policy elements you configured whether they are applied correctly to the right object.

Let me explain.

Your GPO is linked to an OU.  This OU contains user objects.  If you configured the User section of GPO and the user objects have the correct permissions to apply the GPO - they will apply.  If you configured the Computer section of the GPO and the computer objects do not exist in the OU, then the settings will not apply.  The computer acounts must also be in the affected OU if those are the settings you're working with.

The ONLY exception to GPO rule processing is related to Account Policies.  The Domain Policy (can be the Default Domain Policy, but doesn't have to be) dictates the account policies and cannot be overruled or blocked at any OU policy.

No comment has been added lately, so it's time to clean up this TA.            
I will leave a recommendation in the Cleanup topic area that this question is:            
Answered by: Netman66            

Please leave any comments here within the next seven days.            


EE Cleanup Volunteer
All Courses

From novice to tech pro — start learning today.