Solved

Implementing Group Policy

Posted on 2004-08-05
Last Modified: 2010-04-19
Hi there,

My network has 2 Windows 2003 servers. One is the Domain Controller and the 2nd is an additional domain controller. On the Domain Controller I went to "Active Directory Users and Computers" and created a new Organizational Unit, where I placed a computer and user name.

Right-clicked the OU and clicked Properties. Added a new Group Policy and disabled Control Panel under "User Configuration". Still, the computer and user name have Control Panel when they log in to the domain.

Kindly guide me in this issue: what step am I missing to implement Group Policy? I am very new to this thing. It would be very helpful if you could guide me through a step-by-step implementation of Group Policies.

Thanks.
Question by:chathar
16 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 11724096
If your clients are XP, troubleshoot them using the following:

See what policies are being applied to XP

First
Click Start >run >cmd {enter}
gpupdate /force {enter}
Let the client reboot.

After a reboot
Click Start >run>mmc {enter}
File>add/remove snap in >add
Add in the “Resultant set of policy”

Get IT Done: Troubleshoot group policies with Windows XP's Resultant Set of Policy Wizard
http://techrepublic.com.com/5100-6270-1054826.html
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 11724110
chathar
It sounds like your policy has not yet replicated and/or not refreshed onto the client.

if the client is XP then this should do it:

GPUPDATE /FORCE

If the client is 2000 then you will need to run the SECEDIT command to refresh machine_policy and user_policy

Also, use REPLMON from the resource kit to determine that your AD Domain is replicating correctly

Cheers

JamesDS
0
 

Author Comment

by:chathar
ID: 11724403
Still not working. I have Windows 2000 workstations and I tried the following commands:

SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE

SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE

How can I verify if these changes are really implemented or not?

I have also restarted the client machine and tried logging in again, but no use.

Now I have also disabled "Run" from the Start menu to check if it works; the Run option is still available on the client machine.

About AD replication: it seems like replication is working fine, because the changes I make on the DC are visible on the ADC; even if I edit the Group Policy on the ADC, it is the same as what I saved on the DC.

I have also checked "Resultant Set of Policies" on the OU and they show the desired results; still I wonder why these changes are not implemented on the workstation.
0

 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11724472
Sounds to me like you forgot to set the security permissions on the GPO...  Go to your OU, then properties, then the GPO properties button, then the security tab...  Set the permissions for your users (or security group) to Read and Assign..  Then on the client machines, reboot each machine 3 times...  (with some GPOs, they must be rebooted a min of twice for the policy to take effect..  even the secedit command will not force some policies to be pushed and accepted...)

FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11724498
BTW:  if the clients are XP Pro, then you can run the RSOP from them, and see exactly what policies they are using...  It is in the MMC (Microsoft Mgmt Console)..  you add the snap-in and run RSOP...  but the easiest way to access it is:

Start > Run > rsop.msc (OK)

FE
0
 

Author Comment

by:chathar
ID: 11724509
I just checked the application log of the client machine. Whenever I run the secedit command, the application log gets an error message:

Windows cannot determine the user or computer name. Return value (1722)

What could be the reason?
0
 

Expert Comment

by:fsaiexpert
ID: 11724643
You cannot restrict the Control Panel for a computer, only a user. Double check the settings, remove the user from the OU, shut down and start (not reboot). Shut down again, add the user to the OU and start again.

Make sure that the computer is connecting to the domain.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11724677
Take the system out of the Domain and into a workgroup.  Delete the computer account from the Domain Controller, then go back to the client and rejoin it to the domain..  This should clear up the error message..

FE
0
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 200 total points
ID: 11724701
Also, this can be caused by the client not being able to find a DNS server..   Check your IP config on the client and make sure your DNS server is being correctly enumerated there...  I will assume the DNS is running on your Domain Controllers, and you have given each of them static addresses...  you should have both addresses being given out for DNS resolution..  

You may want to also ck your DNS mgmt console on the servers to see if the forward lookup zone is being correctly enumerated too..

FE
0
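A scripted version of the DNS check from the accepted solution, added here as an example and not part of the original thread: it lists the DNS servers configured on the client and asks each one for the domain's DC locator SRV record. It assumes a client with PowerShell 3.0 or later and the DnsClient module (Windows 8 / Server 2012 onward); on the Windows 2000 and XP clients discussed in the thread the manual equivalents are `ipconfig /all` and `nslookup`.

```powershell
# Added example (not from the thread): can this domain member find a DC through DNS?
# Assumption: run on the affected client, PowerShell 3.0+ with the DnsClient module.

$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "This computer is not joined to a domain."
    return
}
$domain  = $cs.Domain
$srvName = "_ldap._tcp.dc._msdcs.$domain"   # DC locator record queried at logon

# 1. DNS servers configured on the client's IPv4 interfaces.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique

if (-not $dnsServers) {
    Write-Warning "No DNS servers are configured on this client."
    return
}

# 2. Ask each configured server for the DC locator SRV record.
$results = foreach ($server in $dnsServers) {
    try {
        $answer = Resolve-DnsName -Name $srvName -Type SRV -Server $server `
                                  -DnsOnly -ErrorAction Stop
        $dcs = $answer | Where-Object { $_.Type -eq 'SRV' } |
               Select-Object -ExpandProperty NameTarget
        [pscustomobject]@{ DnsServer = $server; FindsDC = [bool]$dcs
                           Detail    = ($dcs -join ', ') }
    }
    catch {
        # Timeout, refusal or "name does not exist": this server cannot locate a DC.
        [pscustomobject]@{ DnsServer = $server; FindsDC = $false
                           Detail    = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize -Wrap

# 3. Flag servers that would leave the client unable to locate the domain.
$bad = $results | Where-Object { -not $_.FindsDC }
if ($bad) {
    Write-Warning ("DNS servers that cannot resolve ${srvName}: " +
                   ($bad.DnsServer -join ', '))
}
```

A client whose configured DNS servers all fail step 2 cannot locate a domain controller, so Group Policy refresh fails no matter how the GPO itself is configured.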
 
LVL 51

Expert Comment

by:Netman66
ID: 11725223
Two things to look for in addition to the posts above:

1)  Make sure SYSVOL on both servers is identical - if it isn't there are replication problems and the client is likely authenticating with the server that is missing information in SYSVOL.

2)  Check to make sure that the KDC Service is set to Automatic and is started - on both servers.

Advise.
0
 

Author Comment

by:chathar
ID: 11725457
Problem solved, thanks to "Fatal Exception". I had no DNS entries on the client side :)
Thanks for your help, dudes....!!!
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11725682
*grin*  DNS is the cause of most of these problems..  should have mentioned it first thing..  

Glad we got it solved..!!

FE
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 11729064
<smile> good call
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11730041
*grin* back to you Pete..!!  I just got lucky, that's all...!!
0


Question has a verified solution.
