manogue

User Settings not being applied from Default Domain Policy

I have a Default Domain Policy that I want to add things like a Default Home Page and other cosmetic
things with.

The default policy currently has the "factory" settings for password security and so on, but when I add any
"User" settings to it, nothing happens on the end user's PC when they log in.
The password complexity and maximum age settings are working though.

I have tried simple things like "Remove Run Command from Start Menu" with no luck.
I have also double checked to make sure that "Enable" is showing on the Settings for the
Default Domain Policy. In other words, the "User Configuration Settings Disabled" is not selected.

What would prevent any new settings I add from being enforced?
Netman66

Hi manogue,

You have to make sure the User accounts are in the inheritance path for this Policy. If they are in a sub-OU make sure that the policies are not being blocked at that OU. The only thing you can't block are account policies such as password complexity - so that could be why you are seeing them being applied while nothing else is.

If you are setting Computer policies then the Computer Accounts must be in the inheritance path.

Advise.


Cheers!
manogue

ASKER

When a new OU is created... is inheritance blocked by default?
I haven't specifically blocked anything. This is a very new network, experiencing rapid growth and in need
of serious organization quickly. haha

I'm just creating OU's based on job function or department, so I'm just moving user accounts into newly
created OU's.

I'll try to check inheritance, but I'm not 100% clear on how. When I use the "Group Policy Modeling" wizard
to check what GPO's are being applied to what users on what PC's, it always says that the Default Policy is
"Denied" and the reason given is "Access denied (Security Filtering)".
manogue

ASKER

Okay,

I found out how to check inheritance blocking in the GPO Management Utility.
None of the newly created OU's have it enabled. Actually no OU's have it at all.

One thing I found is that on every single OU that I add a new policy for, I have to
turn on Loopback for it to take effect. Is this normal?
Could this have something to do with why the Default Domain Policy isn't being
applied?

Sounds like you have these policies configured on the Computer section and the Computer Accounts are not in an OU.

Place the Computer and User accounts for those PCs in the same OU - you should not need loopback processing then.

manogue

ASKER

Need loopback because I have a Resource Center (public area of building) that anyone can log into.
These PC's are locked down tight, and need to be for anyone who logs in.
So I can't put those PC's in the same OU as users.

But the GPO in question is the Default Domain Policy. It isn't assigned to a specific OU, but the domain level object,
and is not applying the User settings at all.

Anyone have any other ideas?
ASKER CERTIFIED SOLUTION
Netman66
manogue

ASKER

Well... I'm using loopback in a lot of places. I separated out the PC's from the User accounts for various
reasons, one of which is that this is a high school, and I have 500 possible "hackers" looking to play around
on any given PC at any given time.

This raises a question then. In the Library, where I originally needed the Loopback (and still do) can I then not
add any user settings to the Default Domain Policy that I want to apply to those PC's due to this loopback?

I'll try your suggestion of adding the Users and PC's to the same OU's and see if the default policy applies.

Thanks for your help and thoughts Netman66!!
manogue

ASKER

Okay... I created a Test OU and moved my PC object and my User account into it.

I made sure there was no inheritance blocking on the new OU and I also made sure there
was no GPO applying to the new OU also.

When I make changes to the Default Domain Policy in the user settings (like remove Run)...
nothing happens on my PC. I have rebooted to make sure that the Computer settings in the
Domain Policy are applied, and that it clears any older Computer Policy settings (like loopback)
that may have been applying from another policy.

If I create a test policy, and add "Remove Run Command" and apply this test policy to the Test OU,
it works just fine.

Why isn't the Default Domain Policy applying?

It's probably something small and silly I'm missing.
manogue

ASKER

Now worth 500 points.... I'm getting desperate.
manogue

ASKER

Okay... I found that somehow the Advanced Security settings on the Default Domain Policy were changed and the "Authenticated Users" object
did not have "Apply Group Policy" checked in the Special Permissions screen.

I'm awarding Netman66 the points because even after figuring this out, I wouldn't have gotten it working if I didn't know that Loopback prevents
other GPO's from taking effect.

Thank you Netman66

Wow...good work with sticking with it. I suppose, eventually, we would have gotten around to ACLs - but since all this was fairly new it wasn't first on my list of suggestions.

I understand what you wanted to do - loopback prevents User settings from the User's OU from applying onto a computer in another OU.

Glad to see you took care of it - and, thanks!
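
The checks this thread worked through (security filtering, user-settings status, inheritance blocking), scripted as an added example that is not part of the original posts. It assumes the GroupPolicy PowerShell module from RSAT/GPMC; the OU distinguished name and the function name `Get-GpoFilterReport` are placeholders chosen for illustration.

```powershell
# Added example. Assumes the GroupPolicy module (RSAT/GPMC) and a domain-joined admin session.
Import-Module GroupPolicy

# Assumption: placeholder distinguished name for the OU under test.
$TestOu = 'OU=Test,DC=example,DC=local'

function Get-GpoFilterReport {
    # One row per GPO: who holds "Apply group policy", and whether anyone does.
    foreach ($gpo in Get-GPO -All) {
        $perms  = @(Get-GPPermission -Guid $gpo.Id -All)
        $apply  = @($perms | Where-Object { $_.Permission -eq 'GpoApply' })
        # GpoCustom is a hand-edited ACL; it may or may not include Apply, so list it for review.
        $custom = @($perms | Where-Object { $_.Permission -eq 'GpoCustom' })
        [pscustomobject]@{
            Gpo            = $gpo.DisplayName
            Status         = $gpo.GpoStatus          # e.g. UserSettingsDisabled
            AppliesTo      = ($apply.Trustee.Name  -join ', ')
            CustomAcl      = ($custom.Trustee.Name -join ', ')
            NobodyCanApply = ($apply.Count -eq 0)
        }
    }
}

# 1. Security filtering: a GPO with no GpoApply trustee is linked but applies to no one,
#    which Group Policy Modeling reports as "Access denied (Security Filtering)".
Get-GpoFilterReport | Sort-Object NobodyCanApply -Descending | Format-Table -AutoSize

# 2. Inheritance: is blocking set on the OU, and which GPOs reach it, in what order?
$som = Get-GPInheritance -Target $TestOu
"Inheritance blocked on ${TestOu}: $($som.GpoInheritanceBlocked)"
$som.InheritedGpoLinks | Select-Object Order, DisplayName, Enabled, Enforced

# 3. On the client, compare with what was actually processed for the logged-on user:
#    gpresult /r /scope user
```

If the report shows the Default Domain Policy with no Apply trustee, `Set-GPPermission -Name 'Default Domain Policy' -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoApply` restores the default security filtering.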