Solved

User Settings not being applied from Default Domain Policy

Posted on 2004-10-05
Last Modified: 2010-04-19
I have a Default Domain Policy that I want to add things like a Default Home Page and other cosmetic
things with.

The default policy currently has the "factory" settings for password security and so on, but when I add any
"User" settings to it, nothing happens on the end user's PC when they log in.
The password complexity and maximum age settings are working though.

I have tried simple things like "Remove Run Command from Start Menu" with no luck.
I have also double checked to make sure that "Enable" is showing on the Settings for the
Default Domain Policy. In other words, the "User Configuration Settings Disabled" is not selected.

What would prevent any new settings I add from being enforced?
Question by:manogue
11 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 12232934
Hi manogue,

You have to make sure the Users accounts are in the inheritance path for this Policy.  If they are in a sub-OU make sure that the policies are not being blocked at that OU.  The only thing you can't block are account policies such as password complexity - so that could be why you are seeing them being applied while nothing else is.

If you are setting Computer policies then the Computer Accounts must be in the inheritance path.

Advise.


Cheers!
0
 

Author Comment

by:manogue
ID: 12239008
When a new OU is created... is inheritance blocked by default?
I haven't specifically blocked anything. This is a very new network, experiencing rapid growth and in need
of serious organization quickly. haha

I'm just creating OU's based on job function or department, so I'm just moving user accounts into newly
created OU's.

I'll try to check inheritance, but I'm not 100% clear on how. When I use the "Group Policy Modeling" wizard
to check what GPO's are being applied to what users on what PC's, it always says that the Default Policy is
"Denied" and the reason given is "Access denied (Security Filtering)".
0
 

Author Comment

by:manogue
ID: 12239771
Okay,

I found out how to check inheritance blocking in the GPO Management Utility.
None of the newly created OU's have it enabled. Actually no OU's have it at all.

One thing I found is that on every single OU that I add a new policy for, I have to
turn on Loopback for it to take effect. Is this normal?
Could this have something to do with why the Default Domain Policy isn't being
applied?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 12242312
Sounds like you have these policies configured on the Computer section and the Computer Accounts are not in an OU.

Place the Computer and User accounts for those PCs in the same OU - you should not need loopback processing then.

0
 

Author Comment

by:manogue
ID: 12243366
Need loopback because I have a Resource Center (public area of building) that anyone can log into.
These PC's are locked down tight, and need to be for anyone who logs in.
So I can't put those PC's in the same OU as users.

But the GPO in question is the Default Domain Policy. It isn't assigned to a specific OU, but the domain level object,
and is not applying the User settings at all.

Anyone have any other ideas?
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 1500 total points
ID: 12247674
If your users are logging into computers in the OUs with the loopback enabled, they will not get their settings; they will only see the User section of the GPO where the computer lives, not their own.

I have to assume you're only using loopback where the public logs in?

0
 

Author Comment

by:manogue
ID: 12251564
Well... I'm using loopback in a lot of places. I separated out the PC's from the User accounts for various
reasons, one of which is that this is a high school, and I have 500 possible "hackers" looking to play around
on any given PC at any given time.

This raises a question then. In the Library, where I originally needed the Loopback (and still do) can I then not
add any user settings to the Default Domain Policy that I want to apply to those PC's due to this loopback?

I'll try your suggestion of adding the Users and PC's to the same OU's and see if the default policy applies.

Thanks for your help and thoughts Netman66!!
0
 

Author Comment

by:manogue
ID: 12252286
Okay... I created a Test OU and moved my PC object and my User account into it.

I made sure there was no inheritance blocking on the new OU and I also made sure there
was no GPO applying to the new OU also.

When I make changes to the Default Domain Policy in the user settings (like remove Run)...
nothing happens on my PC. I have rebooted to make sure that the Computer settings in the
Domain Policy are applied, and that it clears any older Computer Policy settings (like loopback)
that may have been applying from another policy.

If I create a test policy, and add "Remove Run Command" and apply this test policy to the Test OU,
it works just fine.

Why isn't the Default Domain Policy applying?

It's probably something small and silly I'm missing.
0
 

Author Comment

by:manogue
ID: 12253075
Now worth 500 points.... I'm getting desperate.
0
 

Author Comment

by:manogue
ID: 12253272
Okay... I found that somehow the Advanced Security settings on the Default Domain Policy were changed and the "Authenticated Users" object
did not have "Apply Group Policy" checked in the Special Permissions screen.

I'm awarding Netman66 the points because even after figuring this out, I wouldn't have gotten it working if I didn't know that Loopback prevents
other GPO's from taking effect.

Thank you Netman66
0
 
LVL 51

Expert Comment

by:Netman66
ID: 12254373
Wow...good work with sticking with it.  I suppose, eventually, we would have gotten around to ACLs - but since all this was fairly new it wasn't first on my list of suggestions.

I understand what you wanted to do - loopback prevents User settings from the User's OU from applying onto a computer in another OU.

Glad to see you took care of it - and, thanks!

0
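
The checks this thread worked through (GPO status, inheritance blocking, loopback, and finally the missing "Apply Group Policy" permission for Authenticated Users) can be run in one pass. The script below is an added example, not part of the original thread; it assumes the GroupPolicy PowerShell module from RSAT, which is newer than the tools used in the thread, and the OU distinguished name is a placeholder.

```powershell
# Added example: audit why User settings in a GPO are not applying.
# Assumes the GroupPolicy (RSAT) module; $TestOu is a placeholder DN.
Import-Module GroupPolicy

$GpoName = 'Default Domain Policy'
$TestOu  = 'OU=Test,DC=example,DC=com'   # placeholder: replace with your OU

# 1. Is the User half of the GPO enabled at all?
$gpo = Get-GPO -Name $GpoName
"GPO status: $($gpo.GpoStatus)"   # UserSettingsDisabled / AllSettingsDisabled would explain it

# 2. Security filtering: who holds "Apply Group Policy" (GpoApply)?
#    This was the root cause in the thread: Authenticated Users had lost it.
$perms    = Get-GPPermission -Name $GpoName -All
$appliers = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
if ($appliers) {
    "Trustees with Apply: " + (($appliers | ForEach-Object { $_.Trustee.Name }) -join ', ')
} else {
    "No trustee has GpoApply: the GPO is filtered out for everyone."
}
if (-not ($appliers | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' })) {
    "WARNING: 'Authenticated Users' lacks Apply Group Policy on '$GpoName'."
    # Restore the default security filtering (review before running):
    # Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    #     -TargetType Group -PermissionLevel GpoApply
}

# 3. Is inheritance blocked on the OU, and does the GPO reach it?
$inh = Get-GPInheritance -Target $TestOu
"Inheritance blocked on OU: $($inh.GpoInheritanceBlocked)"
$reaches = $inh.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
"GPO linked or inherited at OU: $([bool]$reaches)"

# 4. Loopback on the local computer (run on the affected PC).
#    UserPolicyMode: 1 = Merge, 2 = Replace; absent = loopback not configured.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
switch ($mode) {
    1       { "Loopback: Merge (the computer's GPO User settings take precedence)" }
    2       { "Loopback: Replace (only User settings from the computer's GPOs apply)" }
    default { "Loopback: not configured" }
}
```

After correcting the permission, run `gpupdate /force` on the client and confirm with `gpresult /r` that the policy no longer appears under the denied GPOs with a security filtering reason.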
