Windows 2000 Server/XP Pro Group Policy Woes

Tim Goddard
Hi Everyone

I've dug a bit of a hole involving Group Policy Objects in Windows 2000 Server.

Everything appeared to be going well.  I created a couple of Organisation Units, put some users, computers and groups in them and configured GPOs to control access.  I was configuring the client machines on the same network segment as the server and access was restricted as required.  Excellent (or so I thought) and the boss was pleased with how restricted everything was.

Now at a later date I've needed to remove a couple of restrictions (to allow a user to add a new printer for example).  I've altered the GPO setting on the server but no matter what I do the restriction isn't lifted on the client machine.  Now the user can't add a printer and the boss isn't so pleased with the restrictions :-)

Where have I gone wrong?  The only difference now is that the client PCs (running XP Pro) are on remote network segments linked via VPN and don't obtain IP addresses from the server.  I've tried GPUPDATE with no luck and it's really annoying me (and the boss).

I've even tried creating new OUs and GPOs from scratch but the old restrictions still persist.  Ouch.

Any help greatly appreciated

Tim.
Top Expert 2005

Commented:
When you say "removing them", are you setting them to Not Configured?  If so, you have to set them to the opposite of what you had initially set - for example, if you enabled a policy then disable it.  Not Configured doesn't undo any changes; it only stops enforcing the setting, but it remains in the state you last set it.

One more thing to check is that the client PCs are not receiving settings from parent OUs and really do contact the DC when logging in.  It's possible they log in using cached credentials and never receive the GPO updates.

Try turning this off on one of the suspect PCs:

http://support.microsoft.com/default.aspx?scid=kb;en-us;305293

Advise.

Author

Commented:
Hi Netman

My apologies for taking so so long to get back on this one, I'd been dragged away from this 'annoyance' by another task and have only just got back to it.  Thanks for the info, I did what you suggested but it doesn't seem to have affected things.

I ran gpupdate and gpresult and received the following results (sorry for the long post)...

C:\WINDOWS>gpupdate
Refreshing Policy...

User Policy Refresh has completed.
Computer Policy Refresh has completed.

C:\WINDOWS>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 17/09/2003 at 14:41:34


RSOP results for FFN_DOMAIN\FFN4 on FFN4-OFFICE : Logging Mode
---------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 FFN_DOMAIN
Domain Type:                 Windows 2000
Site Name:                   FFN
Roaming Profile:
Local Profile:               C:\Documents and Settings\ffn4
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=FFN4-OFFICE,OU=NurseryComputers,DC=ffn,DC=local
    Last time Group Policy was applied: 03/09/2003 at 14:40:03
    Group Policy was applied from:      FFN_SERVER.ffn.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        FFN4-OFFICE$
        Domain Computers
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------
    CN=FFN4,OU=NurseryUsers,DC=ffn,DC=local
    Last time Group Policy was applied: 17/09/2003 at 14:40:03
    Group Policy was applied from:      FFN_SERVER.ffn.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        FFN_NurseryUsers GPO
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Power Users
        BUILTIN\Users
        LOCAL
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        ERROR: Access Denied.

C:\WINDOWS>

Don't know if this gives any clues, I'm a bit concerned by the last line "ERROR: Access Denied" on the user security groups.

Thanks again

Tim.

Top Expert 2005
Commented:
The computer policy was last applied 14 days before the User policy was refreshed... seems strange.

Seems like the FFN_NurseryUsers GPO is not applying to the PC.  Are the User and Computer accounts in that OU?  Make sure that slow link detection is not active.

Did you disable the processing of the computer portion of that GPO by accident?

Try creating a site and a subnet for the remote office in AD.  Link the policy to the Site instead of the OU.

Advise.
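
The two things read off the gpresult output in the reply above (how far the computer refresh lags the user refresh, and which GPOs appear only in the user scope) can be checked mechanically. This is an added example, not part of the thread; the function names are illustrative and the day-first date format is assumed from the posted output.

```python
from datetime import datetime

# Trimmed excerpt of the gpresult output posted above (underlines and group lists omitted).
SAMPLE = """\
COMPUTER SETTINGS
    Last time Group Policy was applied: 03/09/2003 at 14:40:03

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
        Local Group Policy

USER SETTINGS
    Last time Group Policy was applied: 17/09/2003 at 14:40:03

    Applied Group Policy Objects
    -----------------------------
        FFN_NurseryUsers GPO
        Default Domain Policy
"""
STAMP = "Last time Group Policy was applied:"
FMT = "%d/%m/%Y at %H:%M:%S"  # assumption: day-first, as in the post (locale-dependent)

def parse_gpresult(text):
    """Return {scope: {"applied_at": datetime, "gpos": [names]}} per scope."""
    scopes, cur, in_gpos = {}, None, False
    for line in text.splitlines():
        s = line.strip()
        if s in ("COMPUTER SETTINGS", "USER SETTINGS"):
            cur = scopes[s.split()[0]] = {"applied_at": None, "gpos": []}
            in_gpos = False
        elif cur and s.startswith(STAMP):
            cur["applied_at"] = datetime.strptime(s[len(STAMP):].strip(), FMT)
        elif s == "Applied Group Policy Objects":
            in_gpos = cur is not None      # ignore anything before the first section
        elif not s:
            in_gpos = False                # a blank line ends the applied-GPO list
        elif in_gpos and s.strip("-"):     # skip the dashed underline
            cur["gpos"].append(s)
    return scopes

def review(text):
    """Days the computer refresh lags the user refresh, and user-only GPOs."""
    r = parse_gpresult(text)
    lag = (r["USER"]["applied_at"] - r["COMPUTER"]["applied_at"]).days
    user_only = [g for g in r["USER"]["gpos"] if g not in r["COMPUTER"]["gpos"]]
    return lag, user_only
```

A GPO listed only under the user scope is not a fault in itself; it is the cue to check which OU the computer account sits in and whether the computer portion of that GPO is being processed.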
