Solved

Group Policy is not enforced on domain.

Posted on 2004-08-19
Last Modified: 2008-01-09
I set up a domain for a group of 12 computers, and when I set up a GPO linked to an OU the group policy is not enforced. Nothing is enforced. I can log in to the usernames I create, but I cannot get anything I set in the Group Policy editor to be enforced, like "hiding the screen saver settings" or "display tab". Or, for another instance, adding "logoff" to the Start menu.

None of these are enforced after I set them up in the default domain policy.

The domain is a server at a university.

I can set up a local policy on a Win2k machine but I cannot get the same settings applied through a domain.

This needs to be figured out by Monday and I do not have access over the weekend to the domain. I have been working on this for two days now and have spent $150 on books etc. to no avail. I have done everything they asked me to.
Question by:olm4n
18 Comments
 
LVL 12

Expert Comment

by:ColinRoyds
Try this

Create a new policy on a test OU.
Create a group in this OU, put an appropriate test user in it, then go to the group policy window (not the policy itself) and select Properties, go to Security and add the group in, then tick "Apply Group Policy", and you're all done.


0
 

Author Comment

by:olm4n
This is not working. I got as far as setting the group policy to the test user but when I brought up the user on a client machine the policy settings were not enforced.
0
 

Author Comment

by:olm4n
I forgot to mention thanks for helping.
0
 
LVL 82

Accepted Solution

by:
oBdA earned 500 total points
Let's first look at the basics: Are your DNS settings correct? If the DNS settings are incorrect, the GPOs won't be found. Assuming DNS is running on your DC, make sure that on the DC, the *only* DNS server listed in the TCP/IP properties is the DC's actual IP address (not 127.0.0.1); the same is true for your clients: Make sure they *only* use your DC for DNS.

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?kbid=825036
0
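The "DC only" DNS rule from the accepted answer can be checked from saved `ipconfig /all` output. The script below is an added example, not part of the original thread; the sample output, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample of `ipconfig /all` output from a domain member (not from the thread).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : campus.example
        IP Address. . . . . . . . . . . . : 10.20.30.41
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.20.30.1
        DNS Servers . . . . . . . . . . . : 10.20.30.5
                                            10.1.1.53
"""

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def dns_servers_by_adapter(ipconfig_text):
    """Return {adapter name: [DNS server IPs]} parsed from `ipconfig /all` text."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip().rstrip(":")      # unindented "... adapter X:" header
            adapters[current] = []
            in_dns = False
            continue
        if current is None:
            continue                                 # host-wide section before first adapter
        m = re.match(r"\s+DNS Servers[ .]*:\s*(%s)?\s*$" % _IPV4, line)
        if m:
            in_dns = True
            if m.group(1):
                adapters[current].append(m.group(1))
        elif in_dns and re.fullmatch(r"\s+%s\s*" % _IPV4, line):
            adapters[current].append(line.strip())   # additional server on its own line
        else:
            in_dns = False
    return adapters

def audit_dns(ipconfig_text, dc_ip):
    """List (adapter, server, reason) for every DNS entry that breaks the 'DC only' rule."""
    findings = []
    for adapter, servers in dns_servers_by_adapter(ipconfig_text).items():
        for server in servers:
            if server.startswith("127."):
                findings.append((adapter, server, "loopback instead of the DC's real IP"))
            elif server != dc_ip:
                findings.append((adapter, server, "not the domain controller"))
    return findings
```

Calling `audit_dns(SAMPLE_IPCONFIG, "10.20.30.5")` flags the second server on the sample client; an empty list means every listed DNS server is the DC.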
 
LVL 4

Expert Comment

by:Kittrick
One thing you might want to take into consideration is that the policies on the client will override anything on the server. If you have conflicting and/or ambiguous permissions that clash between the server and locally on the clients, the clients will supersede the server's policies.

Hope that helps!
Kittrick
0
 

Author Comment

by:olm4n
Okay, so I need to set each client's DNS address with the main domain server's IP address.

Right now my Domain Controller or Domain server is set up with the (127.0.0.1) DNS primary address.

When you say DC do you mean Domain Controller or Domain Client?

My clients have the default university DNS server addresses.

Do I want my clients to have static IPs?

0
 

Author Comment

by:olm4n
Okay, I changed the domain controller's DNS IP address to its real IP address. Now should I have my test client set up with the same DNS address, which I can set locally as admin?

I will give it a test run now and see if anything is different.
0
 

Author Comment

by:olm4n
Okay guys, I did all this and everything is looking a lot better.

I will do some more extensive testing and get back to you all.

Thanks a lot!
0
 
LVL 82

Expert Comment

by:oBdA
DC means Domain Controller. Since it's been the DNS settings, something else to check:
Open the DNS MMC; verify that it's configured to allow dynamic updates.
While you're at it, you can set up a reverse lookup zone for your network as well; the dcpromo wizard doesn't do this by itself.
Now stop and start the Netlogon service, then open a command prompt and enter "ipconfig /registerdns"
Verify that the SRV records have been created in your DNS (see link below), and that the host record for your DC has been created as well.
As for your domain members, they *have* to point to your DC as well. For lookups in the rest of your network, do the following:
Delete the root zone in your DNS forward lookup zones (the single dot, ".") if it's present; then right-click your DNS server in the left pane, choose "Properties", and configure forwarders to point to your university's DNS server(s).

HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows 2000
http://support.microsoft.com/?kbid=316341

HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/?kbid=300202

How to Verify the Creation of SRV Records for a Domain Controller
http://support.microsoft.com/?kbid=241515

How Domain Controllers Are Located in Windows
http://support.microsoft.com/?kbid=247811

How Domain Controllers Are Located in Windows XP
http://support.microsoft.com/?kbid=314861
0

 
LVL 82

Expert Comment

by:oBdA
Kittrick,
local policies do NOT override domain policies; it's the other way around.
Group policies are processed in the "LSDO" order:
1. *L*ocal Group Policy
2. *S*ites GPOs
3. *D*omain GPOs
4. *O*rganizational Unit GPOs.
Policies that are applied later overwrite policies applied earlier.
0
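The processing order described above, together with the later point in this thread that an unconfigured setting does not replace a configured one, can be modelled in a few lines. This is an added example, not part of the original thread; the setting names are hypothetical, and it leaves out link order, Block Inheritance, No Override and security filtering.

```python
# Layers in the order the thread gives: each later layer is applied on top of the earlier ones.
ORDER = ("local", "site", "domain", "ou")
NOT_CONFIGURED = None

def resolve(layers):
    """Apply policy layers in ORDER.

    Returns (effective, overrides):
      effective -> {setting: (value, layer that supplied it)}
      overrides -> [(setting, losing layer, winning layer)] for conflicting values
    """
    effective, overrides = {}, []
    for layer in ORDER:
        for setting, value in layers.get(layer, {}).items():
            if value is NOT_CONFIGURED:
                continue                      # unconfigured: earlier layers stay in force
            if setting in effective and effective[setting][0] != value:
                overrides.append((setting, effective[setting][1], layer))
            effective[setting] = (value, layer)
    return effective, overrides

# Constructed sample: setting names are hypothetical stand-ins for the policies in the question.
SAMPLE_LAYERS = {
    "local":  {"hide_screen_saver_tab": "disabled", "add_logoff_to_start_menu": "enabled"},
    "domain": {"hide_screen_saver_tab": "enabled", "add_logoff_to_start_menu": NOT_CONFIGURED},
    "ou":     {"hide_display_tab": "enabled"},
}

if __name__ == "__main__":
    effective, overrides = resolve(SAMPLE_LAYERS)
    for setting, (value, layer) in sorted(effective.items()):
        print(f"{setting}: {value} (from {layer})")
    for setting, loser, winner in overrides:
        print(f"{setting}: {winner} policy replaced {loser} policy")
```

In the sample, the domain layer wins the conflicting screen saver setting, while the locally configured logoff setting survives because the domain leaves it unconfigured.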
 
LVL 12

Expert Comment

by:ColinRoyds
Have you tried running secedit /refreshpolicy from the command line?

The syntax is something like secedit /refreshpolicy user_policy /enforce; check by running secedit /?

This should give you an event log entry which might help.
Sorry, I am running XP here, so it's a bit different and uses gpupdate, not secedit.
0
 

Author Comment

by:olm4n
Well, I have verified that my server is controlling my clients now, but I need to know: do I need to set up a static IP on each client with the DNS server being the domain controller? I have done this with my two test subjects and they are working great, and I connected with another computer and it did not seem to matter, as it connected with the domain policies enforced.

I am using everything default and adding users under "users".

Anyway thanks once again for all your help.
0
 

Author Comment

by:olm4n
Thanks. I now have another question.
0
 
LVL 82

Expert Comment

by:oBdA
It doesn't matter if you use static IPs or DHCP leases for your clients, as long as in both cases your DC *only* is listed as DNS server.
If you're using some university DHCP server which will hand out the university's DNS server, you'll have to specify the DNS server statically (unless your clients are on their own subnet and you can set up a different scope for them, or you're working with reservations).
0
 
LVL 4

Expert Comment

by:Kittrick
I knew I read something about local computers not being able to play well with the domain and policies which I think might be part of the problem the poster is having.  

On a quick tour around EE, I found:

GPOs overrides on local policies settings in domain
http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20726663.html

"So configuring the UK settings at the domain level will only override those exact same local policies if any have been set.
It will not override unrelated policies that may be specified in your local policy"

Kittrick
0
 
LVL 82

Expert Comment

by:oBdA
Local and domain policies go together very well. Read the post again: All mdiglio (correctly) states is that an unconfigured domain policy doesn't override a configured or disabled local policy; the reason for this is obvious. For conflicting configured policies, though, the domain policy will override the local policy.
0
 
LVL 4

Expert Comment

by:Kittrick
By the same token, if the policy isn't the same exact policy you are trying to override on the local client, the local client will have in essence ignored the request by the server. I misspoke when I mentioned the term override.. I stand corrected.


Kittrick
0
 

Author Comment

by:olm4n
I got it fixed. Thanks guys.

You have to have the TCP and IP settings right. For me it worked when I made the "preferred DNS server" and the "IP address" the same.

I am using the university's subnet mask and default gateway addresses though.
0
