huji

HELP: Group Policies

I have some Windows 2000 Professional computers added to a Windows 2000 Advanced Server domain.
In my "default domain policies" I have changed "Do not display last user name" from disabled to enabled. My server works fine now, that is, when I log off, and then press CTRL+ALT+DEL the last user name is not shown.
But on my client computers, that is not this way. I went to the "local group policies" of each of these computers, and changed that option to enabled, but it didn't work.
Note: there was a "selected setting" and an "effective setting" listed on my clients' group policies. By now, my "selected setting" is enabled, but the "effective setting" is disabled!
Also note: in local group policies of the clients it was noted that any setting I choose, it may be overridden by the domain security options. But we see that it does not!!
What can I do now? What is wrong with the process? I don't want those user names to be shown on the computer screen after one logs off.
 
Huji
dltsd

The default domain policy will only apply to servers in the Domain.

Add a new policy on the OU or container where the Workstations reside in AD to "Do not display last user name". Then make sure that "No Override" is checked on the policy.
msice
You should create another OU and move the computers to it then create a new GP for that OU. In addition to setting the "Do not display last user name" from disabled to enabled in the new GP make sure you set (User Group Policy loopback processing mode) to Enabled under Computer configuration - Admin Templates - System - Group Policy
This policy directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this policy.
The Default Domain Policy is what you SHOULD change - I think you might have changed the Default Domain Controller Policy instead.

Leave the Domain Controller account in the Domain Controllers OU.

I agree with Netman66..dltsd, it's not a rub, but can you cite your source for your statement "The default domain policy will only apply to servers in the Domain."??

Are any policies propagating to the clients?  If the default domain policy is not propagating, it is likely you have a DNS problem.  MSGeek
MSGeek, pardon, I was actually thinking Default Domain Controllers Policy.

However I still say the best solution is to add a policy to the OU where the workstations reside.
huji (ASKER)

I'll check it tomorrow and leave a comment accordingly.
Thanks for now
 
Huji
just as a check... run gpotool and gpresult from a command prompt and see what they say....

gpotool and gpresult are in the win2k resource kit.....

you can also run secedit /refreshpolicy machine_policy /enforce  ..... check the application log to see what it says.
other places to look for some errors include winnt\security\logfiles\winlogon.log  .... what does it say in the winlogon log ?

did you verify that the default domain policy has the settings you want enforced? netman66 could be right.... i've made that same mistake before :-)
you know I've used both tools and I find it more meaningful to go see if the policies are even working, any of them, before I get that granular.  I mean if no policies are getting out at all, why waste your time.  Move on and run dcdiag on the Domain Controller, you likely have a DNS issue..  MSGeek
keep in mind that gpresult tells you when and which group policies are applied....

for example:
Last time Group Policy was applied: date and time

The computer received "Security" settings from these GPOs:

        Local Group Policy

if the computer received policies from the domain policy, then the domain policy would show up. if it shows up then we would know that the settings were only set on the domain controllers policy..... then we can set them on the domain policy.....

it's actually a simpler form of troubleshooting ....

but either way huji, you should be able to see if policies are coming from the domain controller.... if you can rule that out then you can move on to see why policies are not coming from the domain controller....

just thinking step by step here....
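
The check described in the post above, as an added example that is not part of the original thread: it reads saved gpresult text and reports whether only the local policy delivered "Security" settings. The sample reports are constructed in the layout quoted above; the function names, the timestamp and the "Default Domain Policy" and "Registry" entries in the second sample are assumptions.

```python
import re

# Constructed samples in the layout quoted in the post above; the timestamp and
# the GPO lists are made up for illustration, not captured from a real machine.
SAMPLE_LOCAL_ONLY = '''\
Last time Group Policy was applied: Monday, March 1, 2004 at 9:15:02 AM

The computer received "Security" settings from these GPOs:

        Local Group Policy
'''

SAMPLE_WITH_DOMAIN = '''\
Last time Group Policy was applied: Monday, March 1, 2004 at 9:15:02 AM

The computer received "Security" settings from these GPOs:

        Local Group Policy
        Default Domain Policy

The computer received "Registry" settings from these GPOs:

        Local Group Policy
'''

HEADER = re.compile(r'received "([^"]+)" settings from these GPOs:')


def gpos_by_extension(report):
    """Map each settings type (e.g. "Security") to the GPO names listed under it."""
    result, current = {}, None
    for line in report.splitlines():
        m = HEADER.search(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
        elif current and line[:1].isspace() and line.strip():
            result[current].append(line.strip())   # indented line = GPO name
        elif line.strip():
            current = None                          # unindented text ends the list
    return result


def only_local_policy(report, extension="Security"):
    """True when no domain-linked GPO delivered this settings type."""
    gpos = gpos_by_extension(report).get(extension, [])
    return all(g == "Local Group Policy" for g in gpos)
```

A True result for "Security" on a client matches the symptom in the question: the domain-level setting never reached the machine, so the effective setting stays at the local default.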


huji (ASKER)

Sorry for being late,
1) A DNS issue may be related. My DC runs very slow after 30 min from being restarted, and there seems to be a DNS issue. It is just a guess of course.
2) I moved all Computers to a new OU, but within MMC I could not create a GP for them! When I wanted to select an object to create a GP for, I didn't see anything inside the OU!
3) I tried to find somewhere to deselect overriding, but I could not.
 
Wish you can help me
Huji
Unless DNS is running correctly (AD is dependent on DNS) you are going the wrong way on a one way street.  What kind of Events are being logged in the event log of your server under DNS?
need to see some log output.....

gpotool and/or gpresult....or
check the application log 15 minutes or so after running secedit....
check winlogon log after running secedit....

check on one client computer for example....

use AD users and computers to link gpo's to ou's and....use the security tab to select which group to apply the policy to...
but please.... check some logs to see what's happening with group policy

dns might be ok, especially if you can still log onto the domain.... in that case the problem could be a corrupt gpt file for the domain policy...but ALL the logs should be checked to get an idea of what is working and what is not.

speculation will have you running around in circles....

gl
huji (ASKER)

Well, I tried everything I could, not including those Resource Kit tools. Where should I download and install them?
Huji
ASKER CERTIFIED SOLUTION
huji
Modulo.. no objections.  MSGeek
huji (ASKER)

Thanks AnnieMod
huji