Solved

HELP: Group Policies

Posted on 2004-04-22
Last Modified: 2010-04-13
I have some Windows 2000 Professional added to a Windows 2000 Advanced Server domain.
In my "default domain policies" I have changed "Do not display last user name" from disabled to enabled. My server works fine now, that is, when I log off, and then press CTRL+ALT+DEL the last user name is not shown.
But on my client computers, that is not this way. I went to the "local group policies" of each of these computers, and changed that option to enabled, but it didn't work.
Note: there was a "selected setting" and an "effective setting" listed on my clients' group policies. By now, my "selected setting" is enabled, but the "effective setting" is disabled!
Also note: in local group policies of the clients it was noted that any setting I choose, it may be overridden by the domain security options. But we see that it does not!!
What can I do now? What is wrong with the process? I don't want those user names to be shown on the computer screen after one logs off.
 
Huji
Question by:huji
20 Comments
 
LVL 1

Expert Comment

by:dltsd
The default domain policy will only apply to servers in the Domain.

Add a new policy on the OU or container where the Workstations reside in AD to "Do not display last user name". Then make sure that "No Override" is checked on the policy.
0
 
LVL 7

Expert Comment

by:msice
You should create another OU and move the computers to it then create a new GP for that OU. In addition to setting the "Do not display last user name" from disabled to enabled in the new GP make sure you set (User Group Policy loopback processing mode) to Enabled under Computer configuration - Admin Templates - System - Group Policy
This policy directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this policy.
0
 
LVL 51

Expert Comment

by:Netman66
The Default Domain Policy is what you SHOULD change - I think you might have changed the Default Domain Controller Policy instead.

Leave the Domain Controller account in the Domain Controllers OU.

0
 
LVL 9

Expert Comment

by:MSGeek
I agree with Netman66..dltsd, it's not a rub, but can you cite your source for your statement "The default domain policy will only apply to servers in the Domain."??

Are any policies propagating to the clients?  If the default domain policy is not propagating, it is likely you have a DNS problem.  MSGeek
0
 
LVL 1

Expert Comment

by:dltsd
MSGeek pardon I was actually thinking Default Domain Controllers Policy.  

However I still say the best solution is to add a policy to the OU where the workstations reside.
0
 
LVL 14

Author Comment

by:huji
I'll check it tomorrow and leave a comment accordingly.
Thanks for now
 
Huji
0
 
LVL 7

Expert Comment

by:PaulADavis
just as a check... run gpotool and gpresult from a command prompt and see what they say....

gpotool and gpresult are in the win2k resource kit.....

you can also run secedit /refreshpolicy machine_policy /enforce  ..... check the application log to see what it says.
other places to look for some errors include winnt\security\logfiles\winlogon.log  .... what does it say in the winlogon log ?

did you verify that the default domain policy has the settings you want enforced? netman66 could be right.... i've made that same mistake before :-)
0
 
LVL 9

Expert Comment

by:MSGeek
you know I've used both tools and I find it more meaningful to go see if the policies are even working, any of them, before I get that granular.  I mean if no policies are getting out at all, why waste your time.  Move on and run dcdiag on the Domain Controller, you likely have a DNS issue..  MSGeek
0
 
LVL 7

Expert Comment

by:PaulADavis
keep in mind that gpresult tells you when and which group policies are applied....

for example:
Last time Group Policy was applied: date and time

The computer received "Security" settings from these GPOs:

        Local Group Policy

if the computer received policies from the domain policy, then the domain policy would show up. if it shows up then we would know that the settings were only set on the domain controllers policy..... then we can set them on the domain policy.....

it's actually a simpler form of troubleshooting ....

but either way huji, you should be able to see if policies are coming from the domain controller.... if you can rule that out then you can move on to see why policies are not coming from the domain controller....

just thinking step by step here....


0
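The check PaulADavis describes above, as an added example that is not part of the original thread: a Python parser for saved gpresult text that reports whether any domain GPO reached the client. The section header format is taken from the excerpt quoted in the post; the sample outputs and the function names are constructed for illustration.

```python
import re

# Header format as quoted in the gpresult excerpt in the post above.
SECTION_RE = re.compile(r'^The (computer|user) received "([^"]+)" settings from these GPOs:$')
LOCAL_GPO = "Local Group Policy"

# Constructed sample outputs (not captured from a real machine).
ONLY_LOCAL = '''Last time Group Policy was applied: (date and time)

The computer received "Security" settings from these GPOs:

        Local Group Policy
'''
WITH_DOMAIN = '''The computer received "Security" settings from these GPOs:

        Local Group Policy
        Default Domain Policy

The computer received "Registry" settings from these GPOs:

        Default Domain Policy
'''

def parse_gpresult(text):
    """Return {(scope, extension): [GPO names]} from gpresult text output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            sections[current] = []
        elif current is not None and line:
            if raw[:1] in (" ", "\t"):
                sections[current].append(line)  # indented line is a GPO name
            else:
                current = None                  # unindented text ends the list
    return sections

def diagnose(text, extension="Security"):
    """Apply the decision steps from the post to one client's output."""
    gpos = parse_gpresult(text).get(("computer", extension))
    if gpos is None:
        return "no-data"                    # section missing from the output
    if all(g == LOCAL_GPO for g in gpos):
        return "domain-policy-not-applied"  # check DNS, DC reachability, GPO link
    return "domain-policy-applied"          # setting likely lives in another GPO
```

Run `diagnose` on the output saved from one client before and after `secedit /refreshpolicy machine_policy /enforce` to see whether the refresh changed which GPOs were received.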

 
LVL 14

Author Comment

by:huji
Sorry for being late,
1) A DNS issue may be related. My DC runs very slow after 30 min from being restarted, and there seems to be a DNS issue. It is just a guess of course.
2) I moved all Computers to a new OU, but within MMC I could not create a GP for them! When I wanted to select an object to create a GP for, I didn't see anything inside the OU!
3) I tried to find somewhere to deselect overriding, but I could not.
 
Wish you can help me
Huji
0
 
LVL 9

Expert Comment

by:MSGeek
Unless DNS is running correctly (AD is dependent on DNS) you are going the wrong way on a one way street.  What kind of Events are being logged in the event log of your server under DNS.  
0
 
LVL 7

Expert Comment

by:PaulADavis
need to see some log output.....

gpotool and/or gpresult....or
check the application log 15 minutes or so after running secedit....
check winlogon log after running secedit....

check on one client computer for example....

use AD users and computers to link gpo's to ou's and....use the security tab to select which group to apply the policy to...
but please.... check some logs to see what's happening with group policy

dns might be ok, especially if you can still log onto the domain.... in that case the problem could be a corrupt gpt file for the domain policy...but ALL the logs should be checked to get an idea of what is working and what is not.

speculation will have you running around in circles....

gl
0
 
LVL 7

Expert Comment

by:PaulADavis
0
 
LVL 14

Author Comment

by:huji
Well, I tried everything I could, not including those Resource Kit tools. Where should I download and install them?
Huji
0
 
LVL 7

Expert Comment

by:PaulADavis
0
 
LVL 14

Accepted Solution

by:
huji earned 0 total points
Well, I upgraded my client to windows XP and the issue is solved this way, without any other efforts.
Thanks to all about their help
I wonder if I have to ask CS to close this question.
Any ideas?
Huji
0
 
LVL 9

Expert Comment

by:MSGeek
Modulo.. no objections.  MSGeek
0
 
LVL 14

Author Comment

by:huji
Thanks AnnieMod
huji
0
