Solved

Group policy

Posted on 2003-11-20
16
422 Views
Last Modified: 2010-04-13
I want to set up a group policy.
I have created an OU and a group policy in the OU, but when i move the users to the new OU the changes do not take effect. Even if i make the users Roaming.
Do i need to log on to the server with each and every user to create the profile?
What am i missing?
Please Help
0
Question by:Rickyhollis
16 Comments
 
LVL 5

Expert Comment

by:ralonso
ID: 9786693
Are the settings you modified in the policy under "Computer Configuration" or "User Configuration"?
Are the user/computer accounts in the OU?

Are the workstations Windows 2000? If so, restart the workstation to force the new policies to download to the machines (otherwise it will take up to 90 minutes).

In Windows XP, the quick boot option (enabled by default) will not download the policies at startup.

The way that policies are applied is the following:
When the computer starts, it checks which domain, site and OU the computer is in.
Then it applies, in order:
local security policy, site policy, domain policy, parent OU... child OU.
Each setting overrides the previous one (unless "No Override" has been set for a policy).
The computer will only apply the "Computer Configuration" part of the policies (affecting settings in HKEY_LOCAL_MACHINE).

When a user logs on, it will apply policies in the same order (except for local security policy, which does not apply to user accounts), but only the "User Configuration" part (affecting settings in HKEY_CURRENT_USER). The policies applied are the ones referring to where the user account is located in AD.



0
 
LVL 10

Expert Comment

by:BloodRed
ID: 9787109
Also ensure that the security properties of the GP object include the "Apply Group Policy" setting for users in the OU. You can also force the policy to update without rebooting the system by using the "secedit /refreshpolicy" command ("gpupdate" for XP).
0
 

Author Comment

by:Rickyhollis
ID: 9787589
Thanks for helping, guys. Here is the extra info:

It's for User Configuration; they are all Windows 2000 workstations and a Windows 2000 server.
When you say log off the machine, is it the server or the user's machine?
Do I find the "Apply Group Policy" setting in the permissions menu?
And if that doesn't work, what am I doing wrong? Because it's looking very dim at the moment.

Thanks a lot

:)
0
 
LVL 5

Expert Comment

by:ralonso
ID: 9788326
If the policy is for User Configuration, it doesn't matter which machine the user logs on to.

From the group policies list for an OU, highlight the policy, click Properties, go to the Security tab and check that "Authenticated Users" have permission to "Apply Group Policy".
0
 

Author Comment

by:Rickyhollis
ID: 9815994
Ok just a few more questions and the points will be given.

The users have to be roaming, hey?
Do I just add the users to the OU, or should I add the users to a group in the OU?
0
 
LVL 5

Expert Comment

by:ralonso
ID: 9817020
The users have to be in the OU. Policies are applied to user and computer accounts only. If a group is in an OU with a specific policy, this policy will not be applied to its users.

If users log on from different computers it will not make a difference.
When the user logs on, the policy present in the OU that contains the account is applied, regardless of the computer where the user is logging in.
0
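To make the processing order ralonso describes above concrete (local, site, domain, parent OU, child OU; "No Override"; the Computer/User Configuration split; the "Apply Group Policy" security check; and the point that policy follows the account's own OU, not a group placed in an OU), here is a small model of that resolution logic. It is an added example, not code from the thread, from Experts Exchange or from Microsoft; every GPO name, OU name and setting name in it is constructed for illustration, and the model follows the thread's description rather than every rule of the real Group Policy engine.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class GPO:
    name: str
    computer_settings: Dict[str, object] = field(default_factory=dict)
    user_settings: Dict[str, object] = field(default_factory=dict)
    # principals granted Read + "Apply Group Policy" on the GPO (security filtering)
    apply_to: FrozenSet[str] = frozenset({"Authenticated Users"})


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False  # "No Override" set on this link


@dataclass
class Account:
    name: str
    domain: str
    ou_path: Tuple[str, ...]  # parent OU first, child OU last; () = directly under the domain
    site: str = "Default-First-Site-Name"
    groups: FrozenSet[str] = frozenset({"Authenticated Users"})


Links = Dict[object, List[Link]]


def ordered_links(account: Account, side: str, local: Optional[Link],
                  site_links: Links, domain_links: Links, ou_links: Links) -> List[Link]:
    """Gather links in processing order: local, site, domain, parent OU ... child OU."""
    links: List[Link] = []
    if side == "computer" and local is not None:
        links.append(local)  # following the thread, local policy is only considered on the computer side
    links += site_links.get(account.site, [])
    links += domain_links.get(account.domain, [])
    for depth in range(1, len(account.ou_path) + 1):
        links += ou_links.get(account.ou_path[:depth], [])  # parent OU before child OU
    return links


def resolve(account: Account, side: str, local: Optional[Link] = None,
            site_links: Optional[Links] = None, domain_links: Optional[Links] = None,
            ou_links: Optional[Links] = None) -> Tuple[Dict[str, object], List[str]]:
    """Return (effective settings, names of GPOs that contributed) for 'computer' or 'user'."""
    if side not in ("computer", "user"):
        raise ValueError("side must be 'computer' or 'user'")
    effective: Dict[str, object] = {}
    locked = set()  # keys fixed by an earlier No Override link; later links cannot change them
    applied: List[str] = []
    for link in ordered_links(account, side, local, site_links or {}, domain_links or {}, ou_links or {}):
        gpo = link.gpo
        if not (account.groups & gpo.apply_to):
            continue  # security filtering: the account holds no Apply Group Policy right on this GPO
        settings = gpo.computer_settings if side == "computer" else gpo.user_settings
        if not settings:
            continue  # the GPO has nothing for this side
        applied.append(gpo.name)
        for key, value in settings.items():
            if key in locked:
                continue
            effective[key] = value
            if link.no_override:
                locked.add(key)
    return effective, applied


def demo(parent_no_override: bool = True):
    """Constructed scenario: a Sales OU with a Reps child OU; all names and settings are made up."""
    local = Link(GPO("Local Computer Policy", computer_settings={"AutoAdminLogon": 0}))
    domain_links = {"corp.example": [
        Link(GPO("Default Domain Policy", computer_settings={"MinPasswordLength": 8})),
        # user setting that only Domain Admins are allowed to apply
        Link(GPO("Admins-Only", user_settings={"HideRunMenu": False},
                 apply_to=frozenset({"Domain Admins"}))),
    ]}
    ou_links = {
        ("Sales",): [Link(GPO("Sales-Lockdown",
                              user_settings={"HideRunMenu": True, "Wallpaper": "corp.bmp"}),
                          no_override=parent_no_override)],
        ("Sales", "Reps"): [Link(GPO("Reps-Relax",
                                     user_settings={"HideRunMenu": False, "ScreenSaverTimeout": 600}))],
    }
    rep = Account("rep1", "corp.example", ("Sales", "Reps"),
                  groups=frozenset({"Authenticated Users", "Sales Staff"}))
    # same group membership, but the account object itself lives directly under the domain
    outsider = Account("rep2", "corp.example", (), groups=rep.groups)
    workstation = Account("WS01$", "corp.example", ("Workstations",))
    return {
        "user": resolve(rep, "user", local, {}, domain_links, ou_links),
        "outsider": resolve(outsider, "user", local, {}, domain_links, ou_links),
        "computer": resolve(workstation, "computer", local, {}, domain_links, ou_links),
    }


if __name__ == "__main__":
    for label, (settings, applied) in demo().items():
        print(f"{label}: {settings} via {applied}")
```

Running `demo()` shows the parent OU's "No Override" keeping the Run menu hidden even though the child OU link tries to show it; `demo(False)` lets the child OU win, as plain precedence would. The "outsider" account gets nothing from the Sales OU despite being in the same group, which is the situation ralonso describes when a group rather than the user account sits in the OU.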
 

Author Comment

by:Rickyhollis
ID: 9817202
OK, thanks a lot for your help, but this is what I have done as a test:

I created an OU with a group policy doing a few restrictive things.
I added the user to the OU, made sure that Authenticated Users was given Apply Group Policy permission and then refreshed the system with secedit /refreshpolicy User_Policy, then logged on as the user and there was no change; it can't be loading the group policy.
I have set the group policy to No Override, so there is no reason why it shouldn't work.
Please help!
0
 
LVL 5

Expert Comment

by:ralonso
ID: 9817230
I'd rather restart the workstation where the user is logging in, then check the Event Viewer for any information about the policy.
(You should find a SceCli event saying "Security policy in the Group policy objects are applied successfully.")

What's the OS on the workstation? If it is Windows XP, from Start menu -> Run type "mmc.exe", then load a snap-in called Resultant Set of Policy (RSoP) and log the policy for the local computer and logged-in user.

That will tell you which policies are being applied.
0
 

Author Comment

by:Rickyhollis
ID: 9817338
It is a Windows 2000 workstation.

I created yet another user and noticed that the profile is being created in the profile path, but the changes are just not happening.
0
 
LVL 5

Expert Comment

by:ralonso
ID: 9817436
Restarting a W2K workstation forces download of the policy files (if not already on the machine).

Do you get the message in the Event Viewer?

Have you got many domain controllers?
0
 

Author Comment

by:Rickyhollis
ID: 9817796
OK, I tried moving an existing user to another OU that had different policies, restarted the machine, and it didn't work.

The Event Viewer says that there was a problem with the computer or user name.
Tried with a new user and had the same problem.
I must be missing one small thing.
Both users were added on the local machines.
This is driving me insane; I know it should be simple and you probably think I'm being very stupid, but it's just not working!
0
 

Author Comment

by:Rickyhollis
ID: 9822849
We only have one domain controller.
Would it be best to just go to each and every PC and create a local policy and scrap the domain policy, because we need to have this up and running ASAP?
0
 
LVL 5

Accepted Solution

by:
ralonso earned 25 total points
ID: 9823551
Local policies will not solve your problem because they only apply to computer settings, not to user settings.

Can you try to create a new OU, just from the top level? Place a user in it and define a new policy with just one obvious setting (say... do not display "Run" in the Start menu).

Then restart your Windows 2000 workstation and see if it is applied correctly.

--------------

Past problems I've had with policies:
+ You had to rebuild your server. There were some policies before, and when you re-added the workstations to the domain they were using the old policy (same name, but the version number was higher on the server before, therefore the workstation will not download them).

+ The workstation is applying a policy from a higher-priority container.

---------------

If it still doesn't work, could you paste the error message from the Event Viewer and tell us your OU structure and the policy you were trying to modify?

0
 

Author Comment

by:Rickyhollis
ID: 9823808
I got it working.

Thanks for your help.
For interest's sake, what I did was create a parent OU and add sub-OUs to that.
The parent OU had a group policy and that seemed to work fine.

Thanks again ralonso!
0
 

Author Comment

by:Rickyhollis
ID: 9830945
Hi there

I'm still having problems!!!
I created the OU with the two sub-OUs and they worked on the test server that I put together; that's when I thought I'd got it right, but when I tried to implement it on our server it didn't make any difference: the users keep the existing group policy.

I've tried secedit /refreshpolicy USER_POLICY and secedit /refreshpolicy MACHINE_POLICY, both on the server and the workstations, but that does nothing.
There should be only one GPO controlling both the user OU and the machine OU, which was set in the parent OU.
Could the users' local profiles be corrupt, and that's why they won't let any changes be made?
I made a big mistake when first implementing the GPO: I thought you had to have roaming profiles and I thought you had to log on to the server as each user to make the GPO take effect.
Could that have caused the problems now?

Please help!!!!

Please help!
I'm going insane!!

0
 
LVL 5

Expert Comment

by:ralonso
ID: 9849253
Group policies, unlike in Windows NT and 95, are not supposed to permanently change the registry:
your [roaming] profile is loaded, and then the changes in the policy are applied "in memory", but not in the registry, etc.

If you suspect that the profile of the users may be the source of the problem, log on as admin to one workstation, delete the profile of one user [, disable the roaming profile for this user] and log on as the user.

If the expected policy changes are not there, your problem is indeed in the policy.

I seem to remember that you can delete all policies on a machine so that they get generated again in case they get corrupted.

Just in case, from a command prompt try:
 gpresult.exe > gpresult.txt
 notepad gpresult.txt

In this file you will have the output of the policies applied to your machine (not completely explicit, but at least it is something).
0