Solved

AD Group Policies not being applied to computers

Posted on 2004-03-25
15
1,900 Views
Last Modified: 2010-04-19
I have just completed the migration of my NT4 domain to Windows 2003/Active Directory.
I have created new logical OUs that make sense to our company and moved all computers, users and groups to appropriate OU structures.

My Group Policies are not working on any new OU that I create.

If I right click on mydomain.com, and go to the policies tab, I can edit the policies and those get pushed down fine. It only works at this level.

Here is what I have tried...
Made a new OU on the root of mydomain.com called TESTOU
I moved the computer that I want to push policies to into this OU.
I then created a group in this OU called MYPOLICYGROUP
Then I created a new policy and applied that policy to the group "MYPOLICYGROUP"
Edited the policy and took away the Start/Run.
Replicated Active Directory. (no errors)
Ran gpupdate /force from the client.
Rebooted the client.
I "DO NOT" get the new policy....ugh!

I then ran GPRESULT, it never shows the policy being applied or denied for any reason.

I can get this to work only if I put the user and computer into the same OU.
For many reasons this is not a viable solution.

Does anyone have any ideas why this may be doing this?

Thanks
DK
Question by:dkitts
15 Comments
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10678743
Ok..  the interesting thing about applying GPO's to clients is that with some policies it takes 2-3 reboots for them to take effect..  So, first thing to try is rebooting the systems again..

Also, make sure that the GPO's security permissions are set correctly..  The READ and Apply must be set...

FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10678785
Also, since you are using W2K3, you might consider downloading GPMC and use it for seeing the RSOP for your network clients..  a very cool interface, about time MS put something like this together..

Enterprise Management with the Group Policy Management Console

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

0
 

Author Comment

by:dkitts
ID: 10679736
The computers have been rebooted a few times.
GPO's are set to READ AND APPLY for every group.
I've used the GPMC and did not see any problems with the RSOP.  The RSOP shows what should happen.  But it's not happening :(
0

 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10679792
Darn..  Was hoping this would be easy..  lol, eh..?   Got to go to a short meeting, but will be back soon to try something else..

FE
0
 
LVL 7

Accepted Solution

by:
spareticus earned 500 total points
ID: 10679833
If you want this policy to apply to users, then the user needs to be in the OU, not the computer, not the group.
If you want user policies to apply to a user when they log on to a particular computer (based on the computer's OU), then you have to do additional configuration: loopback processing.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;231287
0
 
LVL 51

Expert Comment

by:Netman66
ID: 10679882
You cannot apply Group Policy to groups - only to User and Computer objects.

If you are applying Computer settings, the Computer account must be in the OU.
If you are applying User settings, the User account must be in the OU.
If you are applying both....you get the idea.

0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10679983
hmm.. I completely missed that in the question..  Absolutely..  no groups and your users must either be in the OU, or the OU that you created that you placed them into must be assigned that GPO...  
0
 
LVL 7

Expert Comment

by:spareticus
ID: 10680045
Or you can use loopback group policy processing to apply to the user the policies linked at the computer's OU...see above link and post
0
 

Author Comment

by:dkitts
ID: 10680202
I am trying to apply a Policy to an OU.  
Shouldn't I be able to have an OU that contains users then an OU that contains the workstations and then a 3rd OU that contains terminal servers.  Then manage different policies on the OU's??  Say a user from my user OU signs in to a terminal server that is in a terminal server OU... I would like a policy that tightens down users on this termserv OU but..... if that same user from the "users" OU signs in to his workstation that is in a different OU he/she would get a totally different policy?
To me it is impossible then to have different OU's????
Every server or workstation needs to belong in the same OU as the users ????
0
 
LVL 7

Expert Comment

by:spareticus
ID: 10680255
you can do what you want to do.  When you have a policy that you want to apply to users when they log on to a specific machine, use loopback processing.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;231287
0
 
LVL 51

Expert Comment

by:Netman66
ID: 10680600
Terminal Server OU should have loopback enabled.

Computer settings affect the computer in the OU.  User settings are applied from the OU where the User account exists.

You can either filter, loopback or block policies you don't want to apply in different scenarios.

Nobody said this was easy!  This is why it's supposed to take several months to design AD - to avoid any bad design choices.

0
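Added example, not part of any post in this thread: a small Python model of the scoping rule the answers above describe, showing why a lockdown GPO linked to a terminal-server OU never reaches a user from another OU unless loopback processing is enabled. The OU names, GPO names and function names are constructed for illustration; the model ignores local and site-linked GPOs, security and WMI filtering, Block Inheritance and Enforced links.

```python
# Constructed directory layout: OU path (domain first) -> GPOs linked at that level.
GPO_LINKS = {
    ("mydomain.com",): ["Default Domain Policy"],
    ("mydomain.com", "Staff"): ["Staff Desktop"],
    ("mydomain.com", "Workstations"): ["Workstation Baseline"],
    ("mydomain.com", "TermServers"): ["TS Lockdown"],
}


def gpos_in_scope(ou_path):
    """GPOs linked from the domain down to the object's own OU.

    The list is in processing order: later entries win on conflicting settings.
    """
    scoped = []
    for depth in range(1, len(ou_path) + 1):
        scoped.extend(GPO_LINKS.get(tuple(ou_path[:depth]), []))
    return scoped


def user_settings_sources(user_ou, computer_ou, loopback=None):
    """GPOs whose *User Configuration* half is processed at logon.

    loopback=None      -> only GPOs scoped to the user's OU (the default).
    loopback="replace" -> only GPOs scoped to the computer's OU.
    loopback="merge"   -> user's list, then the computer's list appended,
                          so the computer-scoped GPOs take precedence.
    Loopback itself is a computer setting, so it is passed in here as the
    mode the logon computer has received (hypothetical parameter).
    """
    user_list = gpos_in_scope(user_ou)
    computer_list = gpos_in_scope(computer_ou)
    if loopback is None:
        return user_list
    if loopback == "replace":
        return computer_list
    if loopback == "merge":
        return user_list + computer_list
    raise ValueError(f"unknown loopback mode: {loopback!r}")


if __name__ == "__main__":
    staff = ("mydomain.com", "Staff")
    ts = ("mydomain.com", "TermServers")
    for mode in (None, "replace", "merge"):
        print(mode, "->", user_settings_sources(staff, ts, mode))
```

With no loopback the user-side restrictions in "TS Lockdown" are absent from the result, which matches the symptom in the question; checking the real outcome on a client is still a job for GPRESULT or the RSOP view in GPMC.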
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10680702
yea..  I've been studying this stuff for a couple of years and getting a grip on it is just not that easy...    
0
 

Author Comment

by:dkitts
ID: 10689176
Thank you everyone for your help.
The link that spareticus first sent was the fix. He gets the points :)
0
 

Author Comment

by:dkitts
ID: 10689200
FYI,

I have another problem that I am working on too... Anyone want to give this a shot...
http://www.experts-exchange.com/Networking/Microsoft_Network/Q_20924830.html
0
 
LVL 7

Expert Comment

by:spareticus
ID: 10689902
glad that helped
0


Question has a verified solution.
