Group policy

I want to set up a group policy.
I have created an OU and a group policy in the OU, but when I move the users to the new OU the changes do not take effect, even if I make the users roaming.
Do I need to log on to the server with each and every user to create the profile?
What am I missing?
Please help.

Are the settings you modified in the policy "computer configuration" or "user configuration"?
Are the user/computer accounts in the OU?

Are the workstations Windows 2000? If so, restart the workstation to force the new policies to download to the machines (otherwise it will take up to 90 minutes).

In Windows XP, the quick boot option (enabled by default) will not download the policies at startup.

The way that policies are applied is the following:
When the computer starts, it checks in which domain, site and OU the computer is.
Then it applies, in order:
local security policy, site policy, domain policy, Parent OU... Child OU.
Each setting overrides the previous one (unless the "no override" has been set for a policy).
The computer will only apply the "computer configuration" part of the policies (affecting settings in HKEY_LOCAL_MACHINE).

When a user logs on, it will apply policies in the same order (except for local security policy, which does not apply to user accounts), but only for "user configuration" (affecting settings in HKEY_CURRENT_USER). The policies applied are the ones referring to where the user account is located in AD.
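
The processing order described in the answer above, modeled as an added example (not part of the original thread and not Microsoft's implementation). The `GPO` class, the `effective()` function, the setting names and the sample OUs are hypothetical and constructed for illustration; the model covers only the order, "no override", the "Apply Group Policy" permission and the computer/user split discussed on this page.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # "computer configuration" (HKEY_LOCAL_MACHINE)
    user: dict = field(default_factory=dict)      # "user configuration" (HKEY_CURRENT_USER)
    no_override: bool = False
    # Groups holding the "Apply Group Policy" permission on this GPO
    apply_to: frozenset = frozenset({"Authenticated Users"})

def effective(links, ou_path, section, groups):
    """Return {setting: (value, winning GPO)} for the account's own OU path (parent first)."""
    containers = ["site", "domain", *ou_path]
    if section == "computer":
        containers.insert(0, "local")  # per the thread, local policy is computer-only
    result, locked = {}, set()
    for container in containers:
        for gpo in links.get(container, []):
            if not gpo.apply_to & groups:
                continue  # no "Apply Group Policy" permission: GPO is skipped
            for key, value in getattr(gpo, section).items():
                if key in locked:
                    continue  # an earlier "no override" GPO already fixed this setting
                result[key] = (value, gpo.name)
                if gpo.no_override:
                    locked.add(key)
    return result

# Constructed sample directory: container names and settings are illustrative only.
LINKS = {
    "domain": [GPO("Default", user={"NoRun": 0}),
               GPO("Branding", user={"Wallpaper": "corp.bmp"}, no_override=True)],
    "Staff": [GPO("Restrict", user={"NoRun": 1, "Wallpaper": "none"})],
    "Admins": [GPO("AdminOnly", user={"NoRun": 1}, apply_to=frozenset({"Domain Admins"}))],
    "Workstations": [GPO("PCs", computer={"LogonBanner": 1}, user={"NoRun": 1})],
}
GROUPS = frozenset({"Authenticated Users"})

def demo():
    in_ou = effective(LINKS, ["Staff"], "user", GROUPS)       # account sits in the OU
    elsewhere = effective(LINKS, [], "user", GROUPS)          # account not moved into any OU
    filtered = effective(LINKS, ["Admins"], "user", GROUPS)   # in the OU, but no apply permission
    machine = effective(LINKS, ["Workstations"], "computer", GROUPS)
    return in_ou, elsewhere, filtered, machine
```

The `elsewhere` and `filtered` cases correspond to the two checks raised in this thread: the account itself must be in the OU, and it must hold the "Apply Group Policy" permission on the GPO.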

Justin C, AWS Solutions Architect, Commented:
Also ensure that the security properties of the GP object include the "Apply Policy" setting for users in the OU. You can also force the policy to update without rebooting the system by using the "secedit /refreshpolicy" command ("gpupdate" for XP).
Rickyhollis (Author) Commented:
Thanks for helping, guys. Here is the extra info:

It's for user configuration; they are all Windows 2000 workstations and a Windows 2000 server.
When you say log off the machine, is it the server or the user's machine?
Do I find the "apply policy" setting in the permissions menu?
And if that doesn't work, what am I doing wrong? Because it's looking very dim at the moment.

Thanks a lot

If the policy is for user configurations, it doesn't matter to which machine the user logs on.

From the group policies list for an OU, highlight the policy, click Properties, go to the Security tab and check that "authenticated users" have permission to "apply group policy".
Rickyhollis (Author) Commented:
Ok just a few more questions and the points will be given.

The users have to be roaming, hey?
Do I just add the users to the OU or should I add the users to a group in the OU?

The users have to be in the OU. Policies are applied to user and computer accounts only. If a group is in an OU with a specific policy, this policy will not be applied to users.

If users log on from different computers it will not make a difference.
When the user logs on, the policy present in the OU that contains the account is applied, regardless of the computer where the user is logging in.
Rickyhollis (Author) Commented:
OK, thanks a lot for your help, but this is what I have done as a test.

I created an OU with a group policy doing a few restrictive things.
I added the user to the OU, made sure that the authenticated user was given apply policy permission and then refreshed the system with secedit /refreshpolicy User_Policy, then logged on as the user and there was no change; it can't be loading the group policy.
I have set the group policy to no override so there is no reason why it shouldn't work.
Please help!
I'd rather restart the workstation where the user is logging in, then check the event viewer for any information about the policy.
(You should find an event SceCli saying "Security policy in the Group policy objects are applied successfully.")

What's the OS on the workstation? If it is Windows XP, from Start menu -> Run type "mmc.exe", then load a snap-in called Resultant Set of Policy (RSoP) and log the policy for the local computer and logged-in user.

That will tell you which policies are being applied.
Rickyhollis (Author) Commented:
It is a Win 2000 workstation.

I created yet another user and noticed that the profile is being created in the profile path but the changes are just not happening.
Restarting a W2K forces download of policy files (if not already in the machine).

Do you get the message in the event viewer?

Have you got many domain controllers?
Rickyhollis (Author) Commented:
OK, I tried moving an existing user to another OU that had different policies, restarted the machine and it didn't work.

It says that there was a problem with the computer or user name in the event viewer.
Tried with a new user and the same problem.
I must be missing one small problem.
Both users were added on the local machines.
This is driving me insane. I know it should be simple and you probably think I'm being very stupid, but it's just not working!
Rickyhollis (Author) Commented:
We only have one domain controller.
Would it be best to just go to each and every PC and create a local policy and scrap the domain policy? We need to have this up and running ASAP.

Local policies will not solve your problem because they only apply to computer settings, not to user settings.

Can you try to create a new OU, just from the top level? Place a user in it and define a new policy with just one obvious setting (say... do not display "Run" in the start menu).

Then restart your windows 2000 workstation and try and see if it is applied correctly.


Past problems I've had with policies:
+ You had to rebuild your server. There were some policies before, and when you re-added the workstations to the domain they are using the old policy (same name, but the version number was higher in the server before, therefore the workstation will not download them).

+ The workstation is applying a policy in a higher priority container.


If it still doesn't work, could you paste the error message from event viewer and tell us your OU Structure and the policy you were trying to modify?

Rickyhollis (Author) Commented:
I got it working.

Thanks for your help.
For interest's sake, what I did was I created a parent OU and added sub-OUs to that.
The parent OU had a Group policy and that seemed to work fine.

Thanks again ralonso!
Rickyhollis (Author) Commented:
Hi there

I'm still having problems!!!
I created the OU with the two sub-OUs and they worked on the test server that I put together; that's when I thought I got it right, but when I tried to implement it on our server it didn't make any difference; the users keep the existing group policy.

I've tried secedit /refreshpolicy USER_POLICY and secedit /refreshpolicy MACHINE_POLICY both on the server and the workstations, but that does nothing.
There should be only one GPO controlling both the user OU and the machine OU, which was set in the parent OU.
Could the users' local profiles be corrupt, and that's why they won't let any changes be made?
I made a big mistake when first implementing the GPO: I thought you had to have roaming profiles and I thought you had to log on to the server as each user to make the GPO take effect.
Could that have made the problems now?

Please help!!!!

Please help!
I'm going insane!!

Group policies, unlike in Windows NT and 95, are not supposed to permanently change the registry:
your [roaming] profile is loaded, and then the changes in the policy are applied "in memory", but not in the registry, etc.

If you suspect that the profile of the users may be the source of the problem, log on as admin to one workstation, delete the profile of one user [, disable roaming profile for this user] and log on as the user.

If the expected policy changes are not there, your problem is indeed in the policy.

I seem to remember that you can delete all policies in a machine so that they get generated again in case they get corrupted.

Just in case, from a command prompt try:
 gpresult.exe > gpresult.txt
 notepad gpresult.txt

In this file you will have the output of policies applied to your machine (not completely explicit, but at least it is something).