Problems with domain GPOs after updating client machines to XP SP2
Posted on 2004-09-21
I have a Windows 2000 server SP4, XP SP1, one domain active directory network.
I have several GPOs implemented in the domain.
I installed XP SP2 without troubles. All programs seems to be running fine and I can logon to the domain and access resources. However, the policies are not being applied. I am logging in the machine with the domain administrator account. This account is also present in the user account list, as administrator of the machine.
I have run some test in order to find the problem:
1.- I am logging in the machine with the domain administrator account. This account is also present in the user account list, as administrator of the machine. Under this curcumstances, not a single GPO is being applied. Before XP SP2, the GPOs that concerder this account were correctly applied. In particular, one GPO implied showing a text dialog to the user right after hitting CTRL+ALT+DEL. It worked before, it does not work now (this is just an example, not a single GPO is being applied to this administrator account).
1.- The gpresults shows the message "The following GPOs were not applied because they were filtered out" for every GPO in the domain assigned to this user. This is true both for machine configuration and user configuration. The rest of the information of the gpresult command is fine: user info, group membership, etc.
2.- If I log on as a different user in the same machine, with different administrative rights in the machine (for instance, a Power user that it is also not a member of the administrators in the local machine), and I run the gpresults command, I do not get that message. The user policies seems to be applied correctly. However, I would say that the behaviour is erratic. It is like the local machine rights are prevaling over the domain policies (for instance, I have a policy to avoid changing the Desktop settings. This policiy worked fine before SP2 and the user could open the dialog but all tabs were absent. Now, the user is able to open this dialog, open some tabs, and some items can be changed, others not).
3.- I have downloaded and installed the new version of the Group Policy Management Console SP1. In the console I have checked the state of the policies. In almost every policy of the domain, under Security Filtering for the policy, I have the Authenticated users group as the only one to be affected by the GPOs. I do not have this group anywere in Active directory, neither I have ever used it or noticed it before. No other group is present in this security filtering list.
4.- I have disabled the Firewall, but all remains the same.
All this problems appeared after XP SP2, so it is obvious that this update is the cause.
Were is the problem?
Thanks in advance for your reply,