Solved

Group Policies Not Applying

Posted on 2004-03-30
Last Modified: 2010-03-18
All Clients are W2k professional. All fresh installs, no upgrades.
All DCs are W2k Server in native mode. Many of these servers were upgraded a while back from Windows NT.
I just want to get a GPO to apply to a set of users to remove buttons from the toolbar in Internet Explorer.
USER CONFIG/ADMIN TEMP/WINDOWS COMP/I EXPLORER/TOOLBARS
I have an OU that includes the users I need the policy applied to and I have created the GPO called toolbar in that OU.
I have checked the security tab on the group policy; both authenticated users and the specific domain users that need this policy applied have read and apply group policy checked.
We really don't have a lot of GPOs on our network, so I don't think this is being overwritten.
I've run GPresult on a machine where I am logged in as that user. The only other GPO that is included in that OU shows up as being applied.
Question by:Brian_Blair
 
LVL 3

Expert Comment

by:following
Do you have any errors in the Application Log in Event Viewer that indicate that this policy is failing when it attempts to apply it?  So you don't even see this new GPO listed when you run GPresult, but you do see another GPO that is linked to the same OU?

-jdm
 

Author Comment

by:Brian_Blair
I will check event log 3/31.

That is correct, the policy is not even listed in the output of gpresult. However, the default domain policy, another gpo called "roaming" that is linked to the OU, and the local policy are showing up as affecting the user.
 
LVL 3

Expert Comment

by:following
This could possibly be a result of a replication problem between DCs.  If you configured the GPO on one DC and it is not replicating to another DC, then perhaps the client machine is getting its list of policies to apply from the second DC.

To check on this, look in the event viewer on your DCs under the File Replication Service logs and Directory Service logs (especially for NTDS KCC entries).  Also try the replmon and netdiag tools in the Windows 2000 Support Tools (if not already installed, these are on the W2K Server CD).

-jdm

Author Comment

by:Brian_Blair
Checked that yesterday. Policies are replicating successfully.
Also checked event viewer. No errors in event viewer indicating policy failure.

We are a 1 domain shop with 11 DCs, all W2K server.  When I create a gpo I do it through Active Directory Users and Computers. I'm a little confused when I see it suggested that the GPO may have been configured on one DC. I configure them right on my pc and link it to an OU. They seem to apply OK except this one.

Thanks for your help to this point though.
 
LVL 3

Expert Comment

by:following
If I understand it correctly, when you use Active Directory Users and Computers, it connects to the "closest" DC.  Whatever changes you make while connected to this DC are then replicated to the rest of the DCs at the next replication cycle.  So if you have replication problems on any particular DC and a client connects to that DC while logging on, it may not get the policy.  Does that make sense?

Are you using the Group Policy Management Console?  This is the new way of managing group policy that is downloadable from MS.  I have found it to be very valuable for troubleshooting the organization of GPOs in our network.  It is a little more visual than the old way of doing it -- might help to pinpoint where it's failing.

http://www.microsoft.com/downloads/details.aspx?FamilyId=C355B04F-50CE-42C7-A401-30BE1EF647EA&displaylang=en

I see that all your clients are w2k.  The GPMC may only be installed on XP Pro or W2K3 Server; however, it will manage W2K servers as well as W2K3 servers.  Perhaps you won't be able to use this tool if you have no XP clients.

-jdm
 

Author Comment

by:Brian_Blair
No, I haven't tried that yet. If I load XP on a machine and then download it, will I be able to look and see how policies are being applied on specific PCs in my network?
 
LVL 3

Accepted Solution

by:
following earned 250 total points
You will be able to run very informative reports that are similar to GPResult, except you can run them against a remote machine for any user that has previously logged onto that machine.  You can also see exactly which GPOs are linked to which objects and whether any GPOs at a specific OU level are set to "Block Inheritance" or "Enforce" -- right click on the OU.  You can quickly see if the User or Computer portion of a GPO has been disabled (usually for performance reasons) -- right click on the GPO and click GPO Status.  You can see if the link to a GPO has been enabled for the OU -- right click on the GPO under the OU and see if "Link Enabled" is checked.  You can see at a glance a summary of all settings that are configured in a particular GPO.

In short, it is a wonderful tool to manage, troubleshoot, and organize most all aspects of Group Policy.

-jdm
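The checks discussed in this thread (GPO status, link state, Block Inheritance/Enforce, security filtering, replication between DCs, and a remote GPResult-style report) can also be scripted; the following is an added example, not part of the original posts. It assumes a newer admin workstation with the RSAT GroupPolicy and ActiveDirectory PowerShell modules (not available on the Windows 2000 tools used above); the OU distinguished name, computer name and user name are hypothetical placeholders.

```powershell
# Added example. Requires the RSAT GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy, ActiveDirectory

$GpoName  = 'toolbar'                            # GPO name from the question
$TargetOu = 'OU=ExampleUsers,DC=example,DC=com'  # hypothetical OU DN, replace with yours

# 1. GPO status: the IE toolbar settings live under User Configuration,
#    so a disabled user half means the GPO has nothing to apply.
$gpo    = Get-GPO -Name $GpoName
$status = [string]$gpo.GpoStatus
if ($status -in 'UserSettingsDisabled', 'AllSettingsDisabled') {
    Write-Warning "User settings are disabled on '$GpoName' (GpoStatus: $status)"
}

# 2. Link state on the OU, plus Block Inheritance and Enforced flags.
$inh  = Get-GPInheritance -Target $TargetOu
$link = $inh.GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $link)             { Write-Warning "'$GpoName' is not linked to $TargetOu" }
elseif (-not $link.Enabled) { Write-Warning "The link to '$GpoName' is disabled" }
"Block Inheritance set on OU: $($inh.GpoInheritanceBlocked)"
$inh.GpoLinks | Format-Table Order, DisplayName, Enabled, Enforced

# 3. Security filtering: the user (or a group containing the user) needs GpoApply.
Get-GPPermission -Name $GpoName -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 4. Replication: compare the user-side version stored in AD with the one in
#    SYSVOL on every DC. A mismatch or a missing GPO points at a DC that has
#    not received the change yet.
Get-ADDomainController -Filter * | ForEach-Object {
    $g = Get-GPO -Name $GpoName -Server $_.HostName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC                = $_.HostName
        Found             = [bool]$g
        UserDSVersion     = $g.User.DSVersion
        UserSysvolVersion = $g.User.SysvolVersion
        InSync            = $g -and ($g.User.DSVersion -eq $g.User.SysvolVersion)
    }
} | Format-Table

# 5. GPResult-style report against a remote machine (hypothetical names).
#    The user must have logged on to that computer at least once.
Get-GPResultantSetOfPolicy -Computer 'PC01' -User 'EXAMPLE\jdoe' `
    -ReportType Html -Path "$env:TEMP\rsop-toolbar.html"
```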