Solved

Group Policy won't push down to XP workstations on 2003 domain.

Posted on 2004-10-26
Last Modified: 2008-01-09
OK, I've been working on this for a week, and cannot figure it out. I'll preface the problem with what I'm trying to accomplish, then go deeper into the problem.

What I'm trying to do: I'm setting up a new office network consisting of a 2003 Server and about 25 XP workstations. The Server hosts several pieces of software and databases used by the workstations. The main program that is run is a customer database. It works (poorly in my opinion) by running an exe file from the server, almost like a batch file. This requires that the users on the workstations have at least "power user" access, as it writes local system files and accesses the clock.

What I've done so far: Initially, I set up a workgroup, and mapped drives so everything worked. Really, there were no real problems. I just gave all local users "power user" access. I then decided that I would like to set up a Domain, so I would have a much easier time deploying group policies (plus, I wanted to learn how to do it). I set up the server as a domain controller (with AD) and added a few workstations so I could start testing. Because the users must have local “power user” rights, I set everyone up as domain users (on the DC), then I added “authenticated users” to the local “power user” group (on the workstations). So far so good, and everything continues to work.

The Problem: Now that I’ve gotten that working, I started trying to set up Group Policies. I set up OUs for several different departments and added a GPO to one to see how it would work. For starters, I disabled the control panel. But, I cannot get the policies to push down to the workstations. I have added the correct users to the OU, I’ve performed several gpupdates, I have turned off the login optimization on the workstations, I have removed the local power user rights, I have added groups and even users directly to the GPO, and I even added the computer to the OU. I made sure the domain users had “read” and “apply group policy” permissions on the GPO. There are no active filters and no WMI filters. I’ve even bounced the server a few times.

I am totally confused.

I’ve been using the Active Directory Users and Computers GUI to perform all the changes. I’ve not yet used the GPMC, but I’ve DL’d it and I will try it today. I think that covers everything I have done/tried. Please help…
Question by:dollarlongnecks
38 Comments
 
LVL 18

Expert Comment

by:luv2smile
ID: 12414527
So let's go thru the layout:

You have an OU
You have user objects added to the OU...(when you open the OU, you actually see the list of users)

In AD users and computers- you right clicked on the OU, chose properties, then the group policy tab and chose or created a GPO?
 
LVL 18

Expert Comment

by:luv2smile
ID: 12414562
"I have added groups and even users directly to the GPO, and I even added the computer to the OU."

Remember that everything under "user config" needs to be applied to user objects and everything under "computer config" must be applied to computer objects or else the GPO won't work. Also, you can not directly apply group policy to a security group.
 

Author Comment

by:dollarlongnecks
ID: 12414796
First Question: Yes, I went into the properties of the OU and created the GPO from there.

Second Question: All the things I've listed were things I have tried with no success. I've tried one, undone it, then tried another. Most (if not all) of the things I need to change are in the "user config" section. I did however go into the "computer config | windows settings | Security settings" and added groups and individual users to the "restricted groups" setting, hoping that that would work. But it didn't.

Domain Users is a security group, right? (I'm not in front of the server). That is probably why it did nothing when I added it to the GPO "restricted groups".

I was under the assumption that all I needed to do was create users, create an OU, create a GPO within the OU, then add the users. That is where I am stuck...
 
LVL 18

Expert Comment

by:luv2smile
ID: 12414885
The user objects need to be in the OU.

For test purposes, create a new user in the OU:

Open AD Users and Computers

Right click the OU and choose "new" and then "user"

Yes, domain users is a security group. Why are you using restricted groups?
 
LVL 18

Expert Comment

by:luv2smile
ID: 12414944
After you create the new user in the OU

In AD users and computers- right click on the OU, choose properties, then the group policy tab....if you currently have a GPO applied to the OU then it will appear here.
 
LVL 6

Expert Comment

by:nihlcat
ID: 12414947
This is a shot in the dark, but in the properties of the GP you created, is the Block Policy Inheritance box unchecked?
 
LVL 18

Expert Comment

by:luv2smile
ID: 12414967
If you are still in the testing mode then delete all GPOs for the OU (or either just create a new OU and follow the steps above) and then create a new GPO and only apply the setting to block the control panel. Then run gpupdate.exe and test it.
 
LVL 18

Expert Comment

by:luv2smile
ID: 12415141
"I was under the assumption that all I needed to do was created users, create an OU, create a GPO within the OU, then add the users. That is where I am stuck..."

Basically the idea is that:

You create an OU
Then you create a user inside that OU
Then you apply GPOs to a container (usually an OU, but can be a site or domain)

GPOs aren't applied directly to a user...they are applied to a container and all users beneath that container take on the settings of the GPO. So you really don't add a GPO to a user....you add a user to a container and then apply the GPO to that container.
 
LVL 11

Expert Comment

by:WeHe
ID: 12415644
is "enforce policy" on your default domain policy activated?
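The container model luv2smile describes above (a GPO is linked to a domain or OU and every object below it takes on the settings), the Block Policy Inheritance checkbox nihlcat asked about (it is set on an OU, not on a GPO), and the Enforce flag WeHe asked about all decide which GPO wins when two of them configure the same setting. The following is an added worked example, not code from the thread or from Microsoft; it models the precedence rules in plain Python. The OU and GPO names (Sales, Workstations, Sales-NoControlPanel, Sales-Wallpaper) are made up for illustration, only the domain name comes from the thread.

```python
"""Added example (not from the thread): how Group Policy decides which
GPOs reach an object.  Models the domain -> OU chain, link order, Enforced
links, Block Policy Inheritance, and the rule that User Configuration
settings only apply to user objects and Computer Configuration only to
computer objects.  OU and GPO names below are made up for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Container:
    """A domain or OU.  links[0] is link order 1, the highest precedence."""
    parent: Optional[str]
    links: List[Tuple[str, bool]] = field(default_factory=list)  # (gpo, enforced)
    block_inheritance: bool = False


def effective_gpo_order(tree: Dict[str, Container], leaf: str) -> List[str]:
    """GPOs in the order they are applied to an object that sits in `leaf`.
    The last GPO in the list wins where two GPOs configure the same setting."""
    path: List[Container] = []
    node: Optional[str] = leaf
    while node is not None:
        path.append(tree[node])
        node = tree[node].parent
    path.reverse()  # top-down: domain first, the object's own OU last

    # Block Policy Inheritance on a container discards the non-enforced links
    # of every container above it; the lowest blocking container decides.
    first_unblocked = 0
    for i, c in enumerate(path):
        if c.block_inheritance:
            first_unblocked = i

    applied: List[str] = []
    # 1. Non-enforced links, top-down.  Inside one container the highest
    #    link-order number goes first and link order 1 goes last (it wins).
    for c in path[first_unblocked:]:
        applied += [gpo for gpo, enforced in reversed(c.links) if not enforced]
    # 2. Enforced links ignore Block Inheritance and are applied after all
    #    others, bottom-up, so an enforced link higher in the tree wins.
    for c in reversed(path):
        applied += [gpo for gpo, enforced in reversed(c.links) if enforced]
    return applied


def resolve_settings(tree: Dict[str, Container], leaf: str,
                     gpo_settings: Dict[str, Dict[str, Dict[str, str]]],
                     object_type: str) -> Dict[str, str]:
    """Resultant settings for a 'user' or 'computer' object in `leaf`.
    A GPO that leaves a setting Not Configured does not override it."""
    result: Dict[str, str] = {}
    for gpo in effective_gpo_order(tree, leaf):
        result.update(gpo_settings.get(gpo, {}).get(object_type, {}))
    return result


def sample_tree(block: bool = False, domain_enforced: bool = False) -> Dict[str, Container]:
    """One domain, a Sales OU holding users, a Workstations OU holding PCs."""
    return {
        "shields.ok.cox.net": Container(None, [("Default Domain Policy", domain_enforced)]),
        "Sales": Container("shields.ok.cox.net",
                           [("Sales-NoControlPanel", False),   # link order 1
                            ("Sales-Wallpaper", False)],       # link order 2
                           block_inheritance=block),
        "Workstations": Container("shields.ok.cox.net"),
    }


SAMPLE_SETTINGS = {
    "Default Domain Policy": {"user": {"ProhibitControlPanel": "Disabled"},
                              "computer": {"MinPasswordLength": "7"}},
    "Sales-NoControlPanel": {"user": {"ProhibitControlPanel": "Enabled"}},
    "Sales-Wallpaper": {"user": {"Wallpaper": "sales.bmp"}},
}


if __name__ == "__main__":
    for block, enforced in ((False, False), (True, False), (True, True)):
        tree = sample_tree(block, enforced)
        print(f"block={block} enforced={enforced}:",
              effective_gpo_order(tree, "Sales"),
              resolve_settings(tree, "Sales", SAMPLE_SETTINGS, "user"))
    print("computer in Workstations:",
          resolve_settings(sample_tree(), "Workstations", SAMPLE_SETTINGS, "computer"))
```

Two things the model makes visible that the thread circles around: a computer object in Workstations never receives the Sales OU's user settings no matter which OU it is moved into, because user settings only land on user objects; and once the Default Domain Policy is Enforced it overrides the Sales OU even when Sales blocks inheritance, which is why flipping Enforce on built-in policies while troubleshooting can silently change the result.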
 
LVL 2

Expert Comment

by:gavin_wickens
ID: 12415645
All the times I have had Group policies fail it has been to do with DNS poorly configured on client machines or a local copy of a profile.  Suggest check DNS using nslookup from command prompt and delete cached profiles (if applicable).
 

Author Comment

by:dollarlongnecks
ID: 12416277
OK, I went by the office and ended up having to work on some printer sharing problems, so I didn't have a chance to work on the GPO today. Tomorrow morning, I'm gonna take all your recommendations and see if I can get something to work. Thanks for the input, and I'll update everyone tomorrow...
 

Author Comment

by:dollarlongnecks
ID: 12425810
OK, I'm at the office right now, trying some of the recommendations.

For testing purposes, I created a new OU, then created a new user from within the OU. I then went in to the OU and created a GPO within the OU, and made sure it was linked and enforced, then I ran gpupdate.

Still didn't work...

Now, I've noticed that there are several other GPOs. There is a Default Domain Policy, and also a Default Domain Controllers Policy. Do I need to do anything with these? Neither one of them is currently enforced, but I'm gonna enforce them one at a time to see what happens.

Also, could the name of the Domain have anything to do with this problem? The workgroup I started with was called "Shields", and when I set up the domain, an SA friend of mine had me look up our ISP name (ok.cox.net) and then use that in the name. So, the Domain name is "shields.ok.cox.net". Not sure if this is relevant at all, but this is my first domain setup, so I want to make sure I give you guys any and all information.

That's it for now, I'll check back, and I'll also post back with updates. Thanks...
 

Author Comment

by:dollarlongnecks
ID: 12425966
OK, two more things:

First off, I was playing with the GPMC (which I just installed) and the domain and the forest have the exact same name "shields.ok.cox.net". Is this how it's supposed to be?

Second, is there a way I can just scrap the domain and start over? My SA friend that initially helped me set it up ran through it pretty fast, and it's possible that he may have done something that could be causing the problem.
 
LVL 18

Expert Comment

by:luv2smile
ID: 12426010
The default domain policy and default domain controller policy are built in policies. If you want to make group policy changes that affect all computers/users domain wide (no matter the OU) then you would use the default domain policy. The default domain controller policy affects all domain controllers.

So no, you don't need to do anything with these for now. If you want to make changes that affect the ENTIRE domain or all the domain controllers, then you would use these.
 
LVL 18

Expert Comment

by:luv2smile
ID: 12426042
Because you only have 1 domain...the forest and the domain name will be the same....that is the way it is supposed to be.
 
LVL 18

Expert Comment

by:luv2smile
ID: 12426250
To scrap the domain, you would have to uninstall and reinstall Active Directory.

 

Author Comment

by:dollarlongnecks
ID: 12426420
Is that something I should consider? If the naming is fine, and there aren't some weird settings that could be messed up, is it even worth it?

Also, my SA friend had me set it up as a pre-2000 domain, even though all computers are XP and the server is 2003. Could this be an issue?

Thanks again...
 
LVL 2

Expert Comment

by:gavin_wickens
ID: 12434857
From the server go into a dos prompt and run nslookup
should give you:
yourservername.yourdomainname
yourserveripaddress

If not your server isn't looking at itself for DNS resolution.  If your settings are correct, do the same from a station and see what results you get.  There is a way of putting the domain policy and the domain controller policy back to defaults but won't post until you have tried this and feed back the results (because I believe it to be a DNS issue).
 

Author Comment

by:dollarlongnecks
ID: 12436026
I did an nslookup yesterday (and I'll do it again when I get to the office). The server name I got was something like ns2.ok.cox.net, and the IP looked like a cox IP, but I'd have to look it up to be sure it is the one assigned to the server.

I also tried putting the default GPOs back, even though they have not been changed (unless my buddy did it). I kept getting errors, and it looked like it was trying to change the settings somewhere in the cox network, as it was showing a cox domain name and a permission error, even though I was logged in as a domain admin.

I'm heading up to the office right now, and I will post exactly what I'm getting...
 
LVL 2

Expert Comment

by:gavin_wickens
ID: 12436749
So let me get this right, your ISP is ok.cox.net and your domain name is shields.ok.cox.net, your nslookup returned ns2.ok.cox.net which (I guess) is your ISP's DNS server,  not yours.  Is DNS running on your server at all (does it appear in start - programs - administrative tools - DNS)?  What is your server ip setup please post ip address, subnet mask, default gateway and DNS servers addresses.
 

Author Comment

by:dollarlongnecks
ID: 12437870
OK, it looks like we're getting to the core of the problem here.

DNS does not appear to be running on the server. I did not set it up unless it was part of the Domain Controller setup, and again, I had a friend run through that with me, so I'm guessing it's not there. I really didn't know it was needed.

nslookup gives:
Default Server: ns2.ok.cox.net
Address: 68.12.16.25

I tried to run ipconfig, but it gives an error when I use the /all switch, and ipconfig alone gives:
Server: ns2.ok.cox.net
Address: 68.12.16.25

*** ns2.ok.cox.net can't find ipconfig: Non-existent domain

I'm not sure how else to get IP setup information, as I've always used ipconfig. But I got the IP from whatismyip, and it was 68.97.XXX.XXX, definitely not the same as the one I get from the nslookup...
 
LVL 2

Expert Comment

by:gavin_wickens
ID: 12445160
You tried to run ipconfig while in nslookup.  Run again from a command prompt.  You need to install dns on your server, is DHCP running on your server?
 

Author Comment

by:dollarlongnecks
ID: 12447146
OK, here's the stuff from ipconfig:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WISDOMCUBE
   Primary Dns Suffix  . . . . . . . : shields.ok.cox.net
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : shields.ok.cox.net
                                       ok.cox.net
                                       ok.cox.net
                                       cox.net

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : ok.cox.net
   Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Network Connection
   Physical Address. . . . . . . . . : 00-0F-1F-67-08-0E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.108
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 68.12.16.25
                                       68.12.16.30
                                       68.2.16.30
   Lease Obtained. . . . . . . . . . : Friday, October 29, 2004 8:33:04 AM
   Lease Expires . . . . . . . . . . : Saturday, October 30, 2004 8:33:04 AM

I'm about to start the DNS install. I need to list it with the router as a DNS server, right? Does it matter which one? Also, the DHCP runs from the router. That's it for now, I'll update after the install.
 

Author Comment

by:dollarlongnecks
ID: 12447885
OK, DNS is installed. I've never installed one before, so hopefully it's all right. :)

I'm guessing it's gonna take a while to propagate, as the nslookup still shows the cox server. I'm gonna list a few things I know about the setup so we can make sure I've done it right.

In the router, DHCP is running. I put the Server as a static IP outside of the DHCP range. The router has space for 3 DNS servers, I put the local server as 1, and the cox DNS as 2 and 3.

While configuring the DNS server: I created a forward lookup zone, where the ISP maintains the zone, and a read-only secondary copy resides on the server. I named the zone "shields", and I specified the ISP DNS servers as master DNS servers. I also had it forward queries to the same ISP DNS servers.

But, when I go in to manage the DNS server, "shields" is listed in the forward lookup zone, and there is an error.

Zone Not Loaded by DNS Server

The DNS server encountered a problem while attempting to load the zone. The transfer of zone data from the master server failed.

I tried to reload, but it doesn't seem to do anything. I'm not sure if I need to wait longer or what. I'll check back when I leave for the day...
 
LVL 11

Expert Comment

by:WeHe
ID: 12448168
how could you set up a w2k3 domain without a running dynamic dns? strange.

first mistake: the dc has to use itself as dns server in ip settings.
second: the correct name of this zone has to be "shields.ok.cox.net".
but you can't use a secondary zone for your w2k3 domain.
add a master zone shields.ok.cox.net.
add your isp dns servers as forwarders in your dns servers settings.
you need a writeable zone on a dns server for your servers/clients to run a w2k3 domain.
 
LVL 11

Expert Comment

by:WeHe
ID: 12448180
and why does the router need dns entries?
 

Author Comment

by:dollarlongnecks
ID: 12448249
That's the thing, I don't know. This is the deepest I've ever gone into a network setup, and I'm kinda learning as I'm going. I've been talking to a friend who is an SA, but he has never done 2003, and neither has anyone else at his work.

I assumed that I'd need to specify the DNS servers in the router, guess not.

I'm leaving for the day (it's a contract job) and won't go back until Monday morning. If there are other things that you can think of, feel free to post. I'll make changes and report back...
 
LVL 11

Expert Comment

by:WeHe
ID: 12448539
maybe the router can provide dns services for your office.
but i would not use this for a w2k3 domain.
if I were you, I would set up a fresh domain.
install the server with dns :), configure the domain you want to have and then do the dcpromo.
and use only this dns server for your servers and clients.
 
LVL 2

Accepted Solution

by:
gavin_wickens earned 2000 total points
ID: 12456291
Without altering your setup too much....
Turn off DHCP on the router.
Set static IP on server 192.168.1.2, subnet 255.255.255.0, gateway 192.168.1.1, DNS 192.168.1.2.
Install DHCP on server, create a new scope 192.168.1.5 - 192.168.1.254 and authorise it.
DHCP options - default gateway 192.168.1.1, DNS server 192.168.1.2
If you let windows configure your DNS remove it and add again using advanced (I will configure myself option).
Run DNS from start - programs - administrative tools - DNS.
Right click on forward lookup zone and create.  Create one called shields.ok.cox.net (either Active directory integrated or standard primary).
Right click on reverse lookup zone and create 192.168.1.x (either Active directory integrated or standard primary).
If you selected standard primary, right click on each of the zones you created and do properties.  You will need to set them to allow dynamic updates.
Once this is done go into command prompt and type ipconfig /registerdns and press enter.
Now type nslookup and press enter.  You should get the following:
WISDOMCUBE.shields.ok.cox.net
192.168.1.2
Close command prompt.
This means your internal DNS is now fine. If you run nslookup from the client and you get the same result you have it sussed and group policies will work.  However your internet won't.  To fix this you need to go back into DNS and right click on the server and do properties.  There is an option to enable forwarders, type in 68.12.16.25 and ADD
68.12.16.30 and ADD
What this means is any DNS that isn't resolved internally by your server will be forwarded to your ISP for resolution, eg google.co.uk etc.
Now your internet should work and I can have 500 points!
 

Author Comment

by:dollarlongnecks
ID: 12465291
OK, I'll try this in the next few days. It looks like I'll have to do it sometime while they are not working. I'll post back as soon as I've got it up and running.
 

Author Comment

by:dollarlongnecks
ID: 12505375
OK, well, had some issues...

Went through and did everything you suggested. Everything looked OK from the server, nslookup gave the correct info. However, running nslookup on a client gave an unknown server and the loopback IP. Also, ipconfig from clients gave an IP address that was not part of the scope (a self generated generic IP).

I was able to go in to TCP/IP and specify IP, subnet, gateway, and DNS server. This seemed to work, as I got internet access and the nslookup gave the correct information. But, I was trying to do all this before the start of the day and I was running out of time. There was no way I was going to be able to go to each computer, log in, and change the settings. So, I undid everything and went back to how it was with just the domain controller running.

Is that what I need to do? I assumed that the clients would get the info from the server. Is there something I forgot to do? Everything seemed to work but that.

Oh, also, for some reason, a few times when I tried to log into a client, I would get a pop-up box that said the domain SHIELDS was not available. Then, a minute later, it would let me in with no problem. weird.

OK, I guess this remains open, so help if you can. Thanks.
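The ipconfig /all output posted earlier, the nslookup result the accepted answer says to look for, and the "self generated" address reported in the comment above are the three things a practitioner checks on a client that is not receiving Group Policy: the client must hand its DNS queries to the domain controller (which holds the _msdcs SRV records), not to the ISP, and it must actually have a lease from the DHCP scope. The following is an added example, not code from the thread, that parses that client output and lists what is wrong. It assumes the DC address 192.168.1.2 and FQDN WISDOMCUBE.shields.ok.cox.net from the accepted answer's plan; the second and third samples are constructed, the first is trimmed from the output posted in this thread.

```python
"""Added example (not from the thread): a check that a client's DNS setup
can reach the domain controller, fed with the 'ipconfig /all' and nslookup
text a client prints.  Assumed, not stated on the page: the DC is
192.168.1.2 with FQDN WISDOMCUBE.shields.ok.cox.net.  IPv4-era output only."""
import ipaddress
import re
from typing import Dict, List

KEY_RE = re.compile(r"^\s+(\S.*?)(?:\s*\.)*\s*:\s*(.*)$")   # '   Key . . . : value'
APIPA = ipaddress.ip_network("169.254.0.0/16")
DOMAIN, DC_IP, DC_FQDN = "shields.ok.cox.net", "192.168.1.2", "WISDOMCUBE.shields.ok.cox.net"


def parse_ipconfig(text: str) -> Dict[str, List[str]]:
    """Flatten 'ipconfig /all' into {field: [values]}; unlabelled indented
    lines (the 2nd and 3rd DNS server) continue the previous field."""
    fields: Dict[str, List[str]] = {}
    last = None
    for line in text.splitlines():
        if not line.strip() or not line[0].isspace():
            last = None                       # blank line or adapter heading
            continue
        m = KEY_RE.match(line)
        if m:
            last = m.group(1).strip()
            fields.setdefault(last, []).append(m.group(2).strip())
        elif last:
            fields[last].append(line.strip())
    return fields


def check_domain_client(ipconfig_text: str, nslookup_text: str,
                        domain: str = DOMAIN, dc_ip: str = DC_IP,
                        dc_fqdn: str = DC_FQDN) -> List[str]:
    """Reasons this client cannot locate the DC (and so gets no Group Policy)."""
    f = parse_ipconfig(ipconfig_text)
    findings: List[str] = []

    # XP labels an APIPA address 'Autoconfiguration IP Address' (assumed label)
    addr = (f.get("IP Address") or f.get("Autoconfiguration IP Address") or ["0.0.0.0"])[0]
    if ipaddress.ip_address(addr) in APIPA:
        findings.append(f"APIPA address {addr}: no DHCP lease was obtained")

    dns = [s for s in f.get("DNS Servers", []) if s]
    if not dns or dns[0] != dc_ip:
        findings.append(f"first DNS server is {dns[0] if dns else 'none'}, not the DC {dc_ip}; "
                        f"_ldap._tcp.dc._msdcs.{domain} cannot be resolved")
    public = [s for s in dns if ipaddress.ip_address(s).is_global]
    if public:
        findings.append("ISP resolvers on the client (" + ", ".join(public)
                        + "); they belong on the DC as forwarders")

    if f.get("Primary Dns Suffix", [""])[0].lower() != domain.lower():
        findings.append("primary DNS suffix is not the AD domain name")

    m = re.search(r"Default Server:\s*(\S+)", nslookup_text)
    server = m.group(1).rstrip(".") if m else "unknown"
    if server.lower() != dc_fqdn.lower():
        findings.append(f"nslookup default server is {server}, expected {dc_fqdn}")
    return findings


# Sample 1: trimmed from the ipconfig/nslookup output posted in this thread.
BROKEN_IPCONFIG = """
   Host Name . . . . . . . . . . . . : WISDOMCUBE
   Primary Dns Suffix  . . . . . . . : shields.ok.cox.net

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.108
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 68.12.16.25
                                       68.12.16.30
                                       68.2.16.30
"""
BROKEN_NSLOOKUP = "Default Server:  ns2.ok.cox.net\nAddress:  68.12.16.25\n"

# Sample 2 (constructed): a client that never got a lease from the new DHCP
# scope, the 'self generated' address described in the thread.
APIPA_IPCONFIG = """
   Primary Dns Suffix  . . . . . . . : shields.ok.cox.net

Ethernet adapter Local Area Connection:

   Autoconfiguration IP Address. . . : 169.254.37.12
   DNS Servers . . . . . . . . . . . :
"""
APIPA_NSLOOKUP = "Default Server:  UnKnown\nAddress:  127.0.0.1\n"

# Sample 3 (constructed): a client after the accepted answer's fix.
FIXED_IPCONFIG = """
   Primary Dns Suffix  . . . . . . . : shields.ok.cox.net

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.57
   DHCP Server . . . . . . . . . . . : 192.168.1.2
   DNS Servers . . . . . . . . . . . : 192.168.1.2
"""
FIXED_NSLOOKUP = "Default Server:  WISDOMCUBE.shields.ok.cox.net\nAddress:  192.168.1.2\n"
```

Run `check_domain_client(BROKEN_IPCONFIG, BROKEN_NSLOOKUP)` and the three findings are exactly the thread's root cause: the first resolver is the ISP's, every resolver is public, and nslookup answers from ns2.ok.cox.net. The APIPA sample reproduces the failed first attempt (no lease, no DNS server, unknown default server), and the fixed sample returns an empty list. The point the thread only reaches at the end is that the DC being correct is not enough; the check has to pass on the client, because the client is what looks up the SRV records and downloads the policy.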
 
LVL 11

Expert Comment

by:WeHe
ID: 12505637
if ipconfig gives a self-generated generic ip, the client did not reach any dhcp server. is a router between dhcp server and client?
did you configure the DNS Server Option in your DHCP Server under Scope or Server Options?
 

Author Comment

by:dollarlongnecks
ID: 12508034
No, the router is not between the clients and server, just attached to one of the switches.

I didn't really configure the DNS or DHCP once I set it up initially. I basically followed gavin_wickens instructions, then tried a few things I knew to try.
 
LVL 11

Expert Comment

by:WeHe
ID: 12508117
but in his instructions is the following:
Install DHCP on server, create a new scope 192.168.1.5 - 192.168.1.254 and authorise it.
DHCP options - default gateway 192.168.1.1, DNS server 192.168.1.2

and that means, configure your dhcp + dhcp options.
 

Author Comment

by:dollarlongnecks
ID: 12508150
Oh yeah, sorry. I did that. It asked those questions during the setup (wizard). I thought you meant did I go in afterward and make configuration changes.
 
LVL 11

Expert Comment

by:WeHe
ID: 12508434
try a "ipconfig /all" on your client.
there should be a line "DHCP Server".
does it use the right one?
 

Author Comment

by:dollarlongnecks
ID: 12511822
No, I think it said something like "unknown". It definitely was not seeing the DHCP server. But I went ahead and uninstalled the DNS and DHCP and turned the DHCP back on at the router, just so everything would work like it did before.

I may go back up this weekend and try it again when I'm not pressed for time. I guess it is possible I missed something. If anyone can think of something else that may be missing, please let me know.
 

Author Comment

by:dollarlongnecks
ID: 12518468
Woohoo! It works. I came up today when no one was working and went through and re-installed everything again. I must have missed something the first time, as it went smoothly today. Even the Group Policies work. Finally!

Thanks to everyone who helped. This was a great learning experience.
