Solved

User Settings not being applied from Default Domain Policy

Posted on 2004-10-05
Last Modified: 2010-04-19
I have a Default Domain Policy that I want to add things like a Default Home Page and other cosmetic
things with.

The default policy currently has the "factory" settings for password security and so on, but when I add any
"User" settings to it, nothing happens on the end user's PC when they log in.
The password complexity and maximum age settings are working though.

I have tried simple things like "Remove Run Command from Start Menu" with no luck.
I have also double checked to make sure that "Enable" is showing on the Settings for the
Default Domain Policy. In other words, the "User Configuration Settings Disabled" is not selected.

What would prevent any new settings I add from being enforced?
Question by:manogue
11 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 12232934
Hi manogue,

You have to make sure the users' accounts are in the inheritance path for this Policy.  If they are in a sub-OU, make sure that the policies are not being blocked at that OU.  The only thing you can't block are account policies such as password complexity - so that could be why you are seeing them being applied while nothing else is.

If you are setting Computer policies then the Computer Accounts must be in the inheritance path.

Advise.


Cheers!
0
 

Author Comment

by:manogue
ID: 12239008
When a new OU is created... is inheritance blocked by default?
I haven't specifically blocked anything. This is a very new network, experiencing rapid growth and in need
of serious organization quickly. haha

I'm just creating OU's based on job function or department, so I'm just moving user accounts into newly
created OU's.

I'll try to check inheritance, but I'm not 100% clear on how. When I use the "Group Policy Modeling" wizard
to check what GPO's are being applied to what users on what PC's, it always says that the Default Policy is
"Denied" and the reason given is "Access denied (Security Filtering)".
0
 

Author Comment

by:manogue
ID: 12239771
Okay,

I found out how to check inheritance blocking in the GPO Management Utility.
None of the newly created OU's have it enabled. Actually no OU's have it at all.

One thing I found is that on every single OU that I add a new policy for, I have to
turn on Loopback for it to take effect. Is this normal?
Could this have something to do with why the Default Domain Policy isn't being
applied?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 12242312
Sounds like you have these policies configured on the Computer section and the Computer Accounts are not in an OU.

Place the Computer and User accounts for those PCs in the same OU - you should not need loopback processing then.

0
 

Author Comment

by:manogue
ID: 12243366
Need loopback because I have a Resource Center (public area of building) that anyone can log into.
These PC's are locked down tight, and need to be for anyone who logs in.
So I can't put those PC's in the same OU as users.

But the GPO in question is the  Default Domain Policy. It isn't assigned to a specific OU, but the domain level object,
and is not applying the User settings at all.

Anyone have any other ideas?
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 12247674
If your users are logging into computers in the OUs with the loopback enabled, they will not get their settings; they will only see the User section of the GPO where the computer lives, not their own.

I have to assume you're only using loopback where the public logs in?

0
 

Author Comment

by:manogue
ID: 12251564
Well... I'm using loopback in a lot of places. I separated out the PC's from the User accounts for various
reasons, one of which is that this is a high school, and I have 500 possible "hackers" looking to play around
on any given PC at any given time.

This raises a question then. In the Library, where I originally needed the Loopback (and still do) can I then not
add any user settings to the Default Domain Policy that I want to apply to those PC's due to this loopback?

I'll try your suggestion of adding the Users and PC's to the same OU's and see if the default policy applies.

Thanks for your help and thoughts Netman66!!
0
 

Author Comment

by:manogue
ID: 12252286
Okay... I created a Test OU and moved my PC object and my User account into it.

I made sure there was no inheritance blocking on the new OU and I also made sure there
was no GPO applying to the new OU also.

When I make changes to the Default Domain Policy in the user settings (like remove Run)...
nothing happens on my PC. I have rebooted to make sure that the Computer settings in the
Domain Policy are applied, and that it clears any older Computer Policy settings (like loopback)
that may have been applying from another policy.

If I create a test policy, and add "Remove Run Command" and apply this test policy to the Test OU,
it works just fine.

Why isn't the Default Domain Policy applying?

It's probably something small and silly I'm missing.
0
 

Author Comment

by:manogue
ID: 12253075
Now worth 500 points.... I'm getting desperate.
0
 

Author Comment

by:manogue
ID: 12253272
Okay... I found that somehow the Advanced Security settings on the Default Domain Policy were changed and the "Authenticated Users" object
did not have "Apply Group Policy" checked in the Special Permissions screen.

I'm awarding Netman66 the points because even after figuring this out, I wouldn't have gotten it working if I didn't know that Loopback prevents
other GPO's from taking effect.

Thank you Netman66
0
 
LVL 51

Expert Comment

by:Netman66
ID: 12254373
Wow...good work with sticking with it.  I suppose, eventually, we would have gotten around to ACLs - but since all this was fairly new it wasn't first on my list of suggestions.

I understand what you wanted to do - loopback prevents User settings from the User's OU from applying onto a computer in another OU.

Glad to see you took care of it - and, thanks!

0
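
The root cause found in this thread (the "Authenticated Users" entry on the Default Domain Policy had lost "Apply Group Policy", which Group Policy Modeling reported as "Access denied (Security Filtering)") can be audited across every GPO in the domain. The following is an added example, not part of the original thread; it assumes the GroupPolicy module (installed with GPMC/RSAT) and a domain-joined admin workstation, and the function name `Get-GpoFilteringReport` is hypothetical.

```powershell
# Added example: audit security filtering on every GPO in the current domain.
# Requires the GroupPolicy module that ships with GPMC / RSAT.
Import-Module GroupPolicy

function Get-GpoFilteringReport {
    param(
        # Trustee whose permission level is reported for each GPO.
        [string]$Trustee = 'Authenticated Users'
    )

    foreach ($gpo in Get-GPO -All) {
        # One entry per trustee on the GPO's ACL.
        $acl = Get-GPPermission -Guid $gpo.Id -All

        # Trustees that hold Read + Apply Group Policy and are not denied.
        $appliers = $acl | Where-Object {
            $_.Permission -eq 'GpoApply' -and -not $_.Denied
        }
        $entry = $acl | Where-Object { $_.Trustee.Name -eq $Trustee }

        [pscustomobject]@{
            Gpo               = $gpo.DisplayName
            # Shows "UserSettingsDisabled" etc., the setting checked in the question.
            GpoStatus         = $gpo.GpoStatus
            TrusteePermission = if ($entry) { $entry.Permission -join ',' } else { 'none' }
            AppliesTo         = $appliers.Trustee.Name -join ', '
            NobodyCanApply    = -not $appliers
        }
    }
}

# List GPOs where the trustee lacks Apply Group Policy or where no one can apply the GPO.
Get-GpoFilteringReport |
    Where-Object { $_.NobodyCanApply -or $_.TrusteePermission -ne 'GpoApply' } |
    Format-Table -AutoSize

# Preview restoring the default filtering on the GPO from this thread.
# Remove -WhatIf to make the change.
Set-GPPermission -Name 'Default Domain Policy' `
    -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoApply -WhatIf
```

A GPO that intentionally uses security filtering for a specific group will also appear in the list with that group under `AppliesTo`; only rows where the filtering was not deliberate need fixing.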
