Group policy

Posted on 2003-11-20
Medium Priority
Last Modified: 2010-04-13
I want to set up a group policy.
I have created an OU and a group policy in the OU, but when I move the users to the new OU the changes do not take effect. Even if I make the users roaming.
Do I need to log on to the server with each and every user to create the profile?
What am I missing?
Please help.
Question by: Rickyhollis

Expert Comment

ID: 9786693
Are the settings you modified in the policy "computer configuration" or "user configuration"?
Are the user/computer accounts in the OU?

Are the workstations Windows 2000? If so, restart the workstation to force the new policies to download to the machines (otherwise it will take up to 90 minutes).

In Windows XP, the quick boot option (enabled by default) will not download the policies at startup.

The way that policies are applied is the following:
When the computer starts, it checks which domain, site and OU the computer is in.
Then it applies, in order:
local security policy, site policy, domain policy, parent OU... child OU.
Each setting overrides the previous one (unless "no override" has been set for a policy).
The computer will only apply the "computer configuration" part of the policies (affecting settings in HKEY_LOCAL_MACHINE).

When a user logs on, it will apply policies in the same order (except for local security policy, which does not apply to user accounts), but only for "user configuration" (affecting settings in HKEY_CURRENT_USER). The policies applied are the ones referring to where the user account is located in AD.
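
The processing order described in the comment above, modelled as an added example (not part of the original thread and not Microsoft's implementation). The GPO names, settings and container layout are constructed; the model assumes that a "no override" GPO locks its settings against later GPOs and that a GPO is skipped when the account lacks the "Apply Group Policy" permission.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    user: dict = field(default_factory=dict)      # "user configuration" settings
    computer: dict = field(default_factory=dict)  # "computer configuration" settings
    no_override: bool = False                     # later GPOs cannot change its settings
    apply_to: frozenset = frozenset({"Authenticated Users"})  # "Apply Group Policy" ACL

# Constructed directory: container -> GPOs linked to it (all names are made up).
LINKS = {
    "LOCAL": [GPO("Local", computer={"ScreenSaverLock": 0})],
    "DOMAIN": [GPO("DomainBase", user={"NoRun": 0, "NoControlPanel": 0},
                   computer={"ScreenSaverLock": 1}),
               GPO("DomainBanner", user={"Wallpaper": "corp.bmp"}, no_override=True)],
    "OU:Staff": [GPO("StaffLockdown", user={"NoRun": 1, "Wallpaper": "none"})],
    "OU:Staff/Kiosk": [GPO("Kiosk", user={"NoControlPanel": 1},
                           apply_to=frozenset({"KioskUsers"}))],
}

def containers(kind, ou_path):
    """Processing order: local (computers only), site, domain, parent OU ... child OU."""
    chain = ["LOCAL"] if kind == "computer" else []
    chain += ["SITE", "DOMAIN"]
    parts = [p for p in ou_path.split("/") if p]
    return chain + ["OU:" + "/".join(parts[:i + 1]) for i in range(len(parts))]

def effective(kind, ou_path, principals):
    """Return {setting: (value, winning GPO)} for an account located at ou_path.

    Only the container holding the account object matters; group membership
    (principals) is used solely to evaluate the Apply Group Policy permission.
    """
    result, locked = {}, set()
    for container in containers(kind, ou_path):
        for gpo in LINKS.get(container, []):
            if not gpo.apply_to & set(principals):
                continue                      # security filtering: GPO is skipped
            for key, value in getattr(gpo, kind).items():
                if key in locked:
                    continue                  # an earlier No Override GPO wins
                result[key] = (value, gpo.name)
                if gpo.no_override:
                    locked.add(key)
    return result

if __name__ == "__main__":
    for who, path, groups in [("alice", "Staff", []), ("bob", "Staff/Kiosk", []),
                              ("carol", "Staff/Kiosk", ["KioskUsers"]),
                              ("dave", "", ["KioskUsers"])]:
        print(who, effective("user", path, ["Authenticated Users", *groups]))
```

The `dave` case shows an account that is a member of a group but is not itself located in the OU: none of the OU-linked GPOs reach it.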


Expert Comment

ID: 9787109
Also ensure that the security properties of the GP object include the "Apply Policy" setting for users in the OU. You can also force the policy to update without rebooting the system by using the "secedit /refreshpolicy" command ("gpupdate" for XP).

Author Comment

ID: 9787589
Thanks for helping, guys. Here is the extra info:

It's for user configuration; they are all Windows 2000 workstations and a Windows 200 server.
When you say log off the machine, is it the server or the user's machine?
Do I find the "apply policy" setting in the permissions menu?
And if that doesn't work, what am I doing wrong? Because it's looking very dim at the moment.

Thanks a lot



Expert Comment

ID: 9788326
If the policy is for user configurations, it doesn't matter which machine the user logs on to.

From the group policies list for an OU, highlight the policy, click Properties, go to the Security tab and check that "Authenticated Users" have permission to "Apply Group Policy".

Author Comment

ID: 9815994
OK, just a few more questions and the points will be given.

The users have to be roaming, hey?
Do I just add the users to the OU, or should I add the users to a group in the OU?

Expert Comment

ID: 9817020
The users have to be in the OU. Policies are applied to user and computer accounts only. If a group is in an OU with a specific policy, this policy will not be applied to users.

If users log on from different computers it will not make a difference.
When the user logs on, the policy present in the OU that contains the account is applied, regardless of the computer where the user is logging in.

Author Comment

ID: 9817202
OK, thanks a lot for your help, but this is what I have done as a test:

I created an OU with a group policy doing a few restrictive things.
I added the user to the OU, made sure that the authenticated user was given apply policy permission and then refreshed the system with secedit /refreshpolicy User_Policy, then logged on as the user and there was no change; it can't be loading the group policy.
I have set the group policy to no override, so there is no reason why it shouldn't work.
Please help!

Expert Comment

ID: 9817230
I'd rather restart the workstation where the user is logging in, then check the event viewer for any information about the policy.
(You should find an event SceCli saying "Security policy in the Group policy objects are applied successfully. ")

What's the OS on the workstation? If it is Windows XP, from Start menu -> Run type "mmc.exe", then load a snap-in called Resultant Set of Policy (RSoP) and log the policy for the local computer and logged-in user.

That will tell you which policies are being applied.

Author Comment

ID: 9817338
It is a win 2000 workstation.

I created yet another user and noticed that the profile is being created in the profile path but the changes are just not happening.

Expert Comment

ID: 9817436
Restarting a W2K machine forces download of policy files (if not already on the machine).

Do you get the message in the event viewer?

Have you got many domain controllers?

Author Comment

ID: 9817796
OK, I tried moving an existing user to another OU that had different policies, restarted the machine and it didn't work.

It says in the event viewer that there was a problem with the computer or user name.
Tried with a new user and the same problem.
I must be missing one small problem.
Both users were added on the local machines.
This is driving me insane. I know it should be simple and you probably think I'm being very stupid, but it's just not working!

Author Comment

ID: 9822849
We only have one domain controller.
Would it be best to just go to each and every PC and create a local policy and scrap the domain policy? We need to have this up and running ASAP.

Accepted Solution

ralonso earned 100 total points
ID: 9823551
Local policies will not solve your problem because they only apply to computer settings, not to user settings.

Can you try to create a new OU, just from the top level? Place a user in it and define a new policy with just one obvious setting (say... do not display "Run" in the Start menu).

Then restart your Windows 2000 workstation and try and see if it is applied correctly.


Past problems I've had with policies:
+ You had to rebuild your server. There were some policies before, and when you re-added the workstations to the domain they are using the old policy (same name, but the version number was higher on the server before, therefore the workstation will not download them).

+ The workstation is applying a policy in a higher priority container.


If it still doesn't work, could you paste the error message from event viewer and tell us your OU structure and the policy you were trying to modify?


Author Comment

ID: 9823808
I got it working.

Thanks for your help.
For interest's sake, what I did was create a parent OU and add sub-OUs to that.
The parent OU had a group policy and that seemed to work fine.

Thanks again ralonso!

Author Comment

ID: 9830945
Hi there

I'm still having problems!!!
I created the OU with the two sub-OUs and they worked on the test server that I put together; that's when I thought I got it right, but when I tried to implement it on our server it didn't make any difference; the users keep the existing group policy.

I've tried secedit /refreshpolicy USER_POLICY and secedit /refreshpolicy MACHINE_POLICY both on the server and the workstations, but that does nothing.
There should be only one GPO controlling both the user OU and the machine OU, which was set in the parent OU.
Could the users' local profiles be corrupt, and that's why they won't let any changes be made?
I made a big mistake when first implementing the GPO: I thought you had to have roaming profiles and I thought you had to log on to the server as each user to make the GPO take effect.
Could that have caused the problems now?

Please help!!!!

Please help!
I'm going insane!!


Expert Comment

ID: 9849253
Group policies, unlike in Windows NT and 95, are not supposed to permanently change the registry:
your [roaming] profile is loaded, and then the changes in the policy are applied "in memory", but not in the registry, etc.

If you suspect that the profile of the users may be the source of the problem, log on as admin to one workstation, delete the profile of one user [, disable roaming profile for this user] and log on as the user.

If the expected policy changes are not there, your problem is indeed in the policy.

I seem to remember that you can delete all policies in a machine so that they get generated again in case they get corrupted.

Just in case, from command prompt try:
 gpresult.exe > gpresult.txt
 notepad gpresult.txt

In this file you will have the output of policies applied to your machine (not completely explicit, but at least it is something).


Question has a verified solution.
