Solved

HELP: Group Policies

Posted on 2004-04-22
Last Modified: 2010-04-13
I have some Windows 2000 Professional computers added to a Windows 2000 Advanced Server domain.
In my "default domain policies" I have changed "Do not display last user name" from disabled to enabled. My server works fine now, that is, when I log off, and then press CTRL+ALT+DEL the last user name is not shown.
But on my client computers, that is not this way. I went to the "local group policies" of each of these computers, and changed that option to enabled, but it didn't work.
Note: there was a "selected setting" and an "effective setting" listed on my clients' group policies. By now, my "selected setting" is enabled, but the "effective setting" is disabled!
Also note: in local group policies of the clients it was noted that any setting I choose, it may be overridden by the domain security options. But we see that it does not!!
What can I do now? What is wrong with the process? I don't want those user names to be shown on the computer screen after one logs off.
 
Huji
Question by:huji
20 Comments
 
LVL 1

Expert Comment

by:dltsd
ID: 10893698
The default domain policy will only apply to servers in the Domain.

Add a new policy on the OU or container where the Workstations reside in AD to "Do not display last user name". Then make sure that "No Override" is checked on the policy.
0
 
LVL 7

Expert Comment

by:msice
ID: 10894504
You should create another OU and move the computers to it then create a new GP for that OU. In addition to setting the "Do not display last user name" from disabled to enabled in the new GP make sure you set (User Group Policy loopback processing mode) to Enabled under Computer configuration - Admin Templates - System - Group Policy
This policy directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this policy.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 10895221
The Default Domain Policy is what you SHOULD change - I think you might have changed the Default Domain Controller Policy instead.

Leave the Domain Controller account in the Domain Controllers OU.

0
 
LVL 9

Expert Comment

by:MSGeek
ID: 10895339
I agree with Netman66.. dltsd, it's not a rub, but can you cite your source for your statement "The default domain policy will only apply to servers in the Domain."??

Are any policies propagating to the clients?  If the default domain policy is not propagating, it is likely you have a DNS problem.  MSGeek
0
 
LVL 1

Expert Comment

by:dltsd
ID: 10900236
MSGeek pardon I was actually thinking Default Domain Controllers Policy.  

However I still say the best solution is to add a policy to the OU where the workstations reside.
0
 
LVL 14

Author Comment

by:huji
ID: 10901099
I'll check it tomorrow and leave a comment accordingly.
Thanks for now
 
Huji
0
 
LVL 7

Expert Comment

by:PaulADavis
ID: 10904823
just as a check... run gpotool and gpresult from a command prompt and see what they say....

gpotool and gpresult are in the win2k resource kit.....

you can also run secedit /refreshpolicy machine_policy /enforce  ..... check the application log to see what it says.
other places to look for some errors include winnt\security\logfiles\winlogon.log  .... what does it say in the winlogon log ?

did you verify that the default domain policy has the settings you want enforced? netman66 could be right.... i've made that same mistake before :-)
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 10905298
you know I've used both tools and I find it more meaningful to go see if the policies are even working, any of them, before I get that granular.  I mean if no policies are getting out at all, why waste your time.  Move on and run dcdiag on the Domain Controller, you likely have a DNS issue..  MSGeek
0
 
LVL 7

Expert Comment

by:PaulADavis
ID: 10906324
keep in mind that gpresult tells you when and which group policies are applied....

for example:
Last time Group Policy was applied: date and time

The computer received "Security" settings from these GPOs:

        Local Group Policy

if the computer received policies from the domain policy, then the domain policy would show up. if it shows up then we would know that the settings were only set on the domain controllers policy..... then we can set them on the domain policy.....

it's actually a simpler form of troubleshooting ....

but either way huji, you should be able to see if policies are coming from the domain controller.... if you can rule that out then you can move on to see why policies are not coming from the domain controller....

just thinking step by step here....


0
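The check described in the comment above, as an added example that is not part of the original thread or any poster's code: a Python parser for saved gpresult output that lists which GPOs delivered each settings type and reports whether anything other than the local policy supplied computer "Security" settings. The sample text is constructed from the lines quoted above; the "Registry" section and the user-scope header wording are assumptions for illustration.

```python
import re

# Constructed samples in the shape quoted in the comment above; real gpresult
# output carries more sections and varies by Windows version.
SAMPLE_LOCAL_ONLY = '''\
Last time Group Policy was applied: Thursday, April 22, 2004 at 10:15:02 AM

The computer received "Security" settings from these GPOs:

        Local Group Policy
'''

SAMPLE_WITH_DOMAIN = '''\
Last time Group Policy was applied: Thursday, April 22, 2004 at 10:15:02 AM

The computer received "Registry" settings from these GPOs:

        Local Group Policy
        Default Domain Policy

The computer received "Security" settings from these GPOs:

        Local Group Policy
        Default Domain Policy
'''

# Section header; the "user" alternative is an assumption, only the
# "computer" form appears in the thread.
HEADER = re.compile(
    r'^The (computer|user) received "([^"]+)" settings from these GPOs:\s*$')

def gpos_by_extension(text):
    """Map (scope, settings type) -> GPO names listed under that header."""
    result, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = (m.group(1), m.group(2))
            result[current] = []
        elif current and line[:1] in (" ", "\t") and line.strip():
            result[current].append(line.strip())  # indented GPO name
        elif line.strip():
            current = None  # unindented text ends the current list
    return result

def domain_security_applied(text, local_name="Local Group Policy"):
    """True if any non-local GPO delivered computer Security settings."""
    gpos = gpos_by_extension(text).get(("computer", "Security"), [])
    return any(name != local_name for name in gpos)
```

A `False` result on a domain member matches the situation described in the question, where the selected setting is enabled but the effective setting is not.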
 
LVL 14

Author Comment

by:huji
ID: 10911530
Sorry for being late,
1) A DNS issue may be related. My DC runs very slow after 30 min from being restarted, and there seems to be a DNS issue. It is just a guess of course.
2) I moved all Computers to a new OU, but within MMC I could not create a GP for them! When I wanted to select an object to create a GP for, I didn't see anything inside the OU!
3) I tried to find somewhere to deselect overriding, but I could not.
 
Wish you can help me
Huji
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 10912083
Unless DNS is running correctly (AD is dependent on DNS) you are going the wrong way on a one way street.  What kind of Events are being logged in the event log of your server under DNS.  
0
 
LVL 7

Expert Comment

by:PaulADavis
ID: 10912540
need to see some log output.....

gpotool and/or gpresult....or
check the application log 15 minutes or so after running secedit....
check winlogon log after running secedit....

check on one client computer for example....

use AD users and computers to link gpo's to ou's and....use the security tab to select which group to apply the policy to...
but please.... check some logs to see what's happening with group policy

dns might be ok, especially if you can still log onto the domain.... in that case the problem could be a corrupt gpt file for the domain policy...but ALL the logs should be checked to get an idea of what is working and what is not.

speculation will have you running around in circles....

gl
0
 
LVL 7

Expert Comment

by:PaulADavis
ID: 10912656
0
 
LVL 14

Author Comment

by:huji
ID: 11003303
Well, I tried everything I could, not including those Resource Kit tools. Where should I download and install them?
Huji
0
 
LVL 7

Expert Comment

by:PaulADavis
ID: 11005499
0
 
LVL 14

Accepted Solution

by:
huji earned 0 total points
ID: 11056104
Well, I upgraded my client to windows XP and the issue is solved this way, without any other efforts.
Thanks to all for their help
I wonder if I have to ask CS to close this question.
Any ideas?
Huji
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 11083657
Modulo.. no objections.  MSGeek
0
 
LVL 14

Author Comment

by:huji
ID: 11118763
Thanks AnnieMod
huji
0
