Solved

User Settings not being applied from Default Domain Policy

Posted on 2004-10-05
11
270 Views
Last Modified: 2010-04-19
I have a Default Domain Policy that I want to add things like a Default Home Page and other cosmetic
things with.

The default policy currently has the "factory" settings for password security and so on, but when I add any
"User" settings to it, nothing happens on the end users PC when they login.
The password complexity and maximum age settings are working though.

I have tried simple things like "Remove Run Command from Start Menu" with no luck.
I have also double checked to make sure that "Enable" is showing on the Settings for the
Default Domain Policy. In other words, the "User Configuration Settings Disabled" is not selected.

What would prevent any new settings I add from being enforced?
0
Comment
Question by:manogue
  • 7
  • 4
11 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 12232934
Hi manogue,

You have to make sure the Users accounts are in the inheritance path for this Policy.  If they are in a sub-OU make sure that the policies are not being blocked at that OU.  The only thing you can't block are account policies such as password complexity - so that could be why you are seeing them being applied while nothing else is.

If you are setting Computer policies then the Computer Accounts must be in the inheritance path.

Advise.


Cheers!
0
 

Author Comment

by:manogue
ID: 12239008
When a new OU is created... is inheratance blocked by default?
I haven't specifically blocked anything. This is a very new network, experiencing rapid growth and in need
of serious organization quickly. haha

I'm just creating OU's based on job function or department, so I'm just moving user accounts into newly
created OU's.

I'll try to check inheritance, but I'm not 100% clear on how. When I use the "Group Policy Modeling" wizard
to check what GPO's are being applied to what users on what PC's, It always says that the Default Policy is
"Denied" and the reason given is "Access denied (Security Filtering)".
0
 

Author Comment

by:manogue
ID: 12239771
Okay,

I found out how to check inheritance blocking in the GPO Management Utility.
None of the newly created OU's have it enabled. Actually no OU's have it at all.

One thing I found is that on every single OU that I add a new policy for, I have to
turn on Loopback for it to take effect. Is this normal?
Could this have something to do with why the Default Domain Policy isn't being
applied?
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 51

Expert Comment

by:Netman66
ID: 12242312
Sounds like you have these policies configured on the Computer section and the Computer Accounts are not in an OU.

Place the Computer and User accounts for those PCs in the same OU - you should not need loopback processing then.

0
 

Author Comment

by:manogue
ID: 12243366
Need loopback because I have a Resource Center (public area of building) that anyone can log into.
These PC's are locked down tight, and need to be for anyone who logs in.
So I can't put those PC's in the same OU as users.

But the GPO in question is the  Default Domain Policy. It isn't assigned to a specific OU, but the domain level object,
and is not applying the User settings at all.

Anyone have any other ideas?
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 12247674
If your users are logging into computers in the OUs with the loopback enabled they will not get their settings they will only see the User section of the GPO where the computer lives, not their own.

I have to assume you're only using loopback where the public logs in?

0
 

Author Comment

by:manogue
ID: 12251564
Well... I'm using loopback in a lot of places. I seperated out the PC's from the User accounts for various
reasons, one of which is that this is a high school, and I have 500 possible "hackers" looking to play around
on any given PC at any given time.

This raises a question then. In the Library, where I originally needed the Loopback (and still do) can I then not
add any user settings to the Default Domain Policy that I want to apply to those PC's due to this loopback?

I'll try your suggestion of adding the Users and PC's to the same OU's and see if the default policy applies.

Thanks for your help and thoughts Netman66!!
0
 

Author Comment

by:manogue
ID: 12252286
Okay... I created a Test OU and moved my PC object and my User account into it.

I made sure there were no inheritance blocking on the new OU and I also made sure there
was no GPO applying to the new OU also.

When I make changes to the Default Domain Policy in the user settings (like remove Run)...
nothing happens on my PC. I have rebooted to make sure that the Computer settings in the
Domain Policy are applied, and that it clears any older Computer Policy settings (like loopback)
that may have been applying from another policy.

If I create a test policy, and add "Remove Run COmmand" and apply this test policy to the Test OU,
it works just fine.

Why isn't the Default Domain Policy applying?

It's probably something small and silly I'm missing.
0
 

Author Comment

by:manogue
ID: 12253075
Now worth 500 points.... I'm getting desperate.
0
 

Author Comment

by:manogue
ID: 12253272
Okay... I found that somehow the Advanced Security settings on the Default Domain Policy were changed and the "Authenticated Users" object
did not have "Apply Group Policy" checked in the Special Permissions screen.

I'm awarding Netman66 the points because even after figuring this out, I wouldn't have gotten it working if I didn't know that Loopback prevents
other GPO's from taking effect.

Thank you Netman66
0
 
LVL 51

Expert Comment

by:Netman66
ID: 12254373
Wow...good work with sticking with it.  I suppose, eventually, we would have gotten around to ACLs - but since all this was fairly new it wasn't first on my list of suggestions.

I understand what you wanted to do - loopback prevents User settings from the User's OU from applying onto a computer in another OU.

Glad to see you took care of it - and, thanks!

0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question