Solved

Group Policy won't push down to XP workstations on 2003 domain.

Posted on 2004-10-26
3,639 Views
Last Modified: 2008-01-09
OK, I've been working on this for a week, and cannot figure it out. I'll preface the problem with what I'm trying to accomplish, then go deeper into the problem.

What I'm trying to do: I'm setting up a new office network consisting of a 2003 Server and about 25 XP workstations. The Server hosts several pieces of software and databases used by the workstations. The main program that is run is a customer database. It works (poorly in my opinion) by running an exe file from the server, almost like a batch file. This requires that the users on the workstations have at least "power user" access, as it writes local system files and accesses the clock.

What I've done so far: Initially, I set up a workgroup, and mapped drives so everything worked. Really, there were no real problems. I just gave all local users "power user" access. I then decided that I would like to set up a Domain, so I would have a much easier time deploying group policies (plus, I wanted to learn how to do it). I set up the server as a domain controller (with AD) and added a few workstations so I could start testing. Because the users must have local “power user” rights, I set everyone up as domain users (on the DC), then I added “authenticated users” to the local “power user” group (on the workstations). So far so good, and everything continues to work.

The Problem: Now that I’ve gotten that working, I started trying to set up Group Policies. I set up OUs for several different departments and added a GPO to one to see how it would work. For starters, I disabled the control panel. But, I cannot get the policies to push down to the workstations. I have added the correct users to the OU, I’ve performed several gpupdates, I have turned off the login optimization on the workstations, I have removed the local power user rights, I have added groups and even users directly to the GPO, and I even added the computer to the OU. I made sure the domain users had “read” and “apply group policy” permissions on the GPO. There are no active filters and no WMI filters. I’ve even bounced the server a few times.

I am totally confused.

I’ve been using the Active Directory Users and Computers GUI to perform all the changes. I’ve not yet used the GPMC, but I’ve DL’d it and I will try it today. I think that covers everything I have done/tried. Please help…
0
Question by:dollarlongnecks
    38 Comments
     
    LVL 18

    Expert Comment

    by:luv2smile
    So let's go thru the layout:

    You have an OU
    You have user objects added to the OU...(when you open the OU, you actually see the list of users)

    In AD users and computers- you right clicked on the OU, chose properties, then the group policy tab and chose or created a GPO?
    0
     
    LVL 18

    Expert Comment

    by:luv2smile
    "I have added groups and even users directly to the GPO, and I even added the computer to the OU."

    Remember that everything under "user config" needs to be applied to user objects and everything under "computer config" must be applied to computer objects or else the GPO won't work. Also, you can not directly apply group policy to a security group.

    0
     

    Author Comment

    by:dollarlongnecks
    First Question: Yes, I went into the properties of the OU and created the GPO from there.

    Second Question: All the things I've listed were things I have tried with no success. I've tried one, undone it, then tried another. Most (if not all) of the things I need to change are in the "user config" section. I did however go into the "computer config | windows settings | Security settings" and added groups and individual users to the "restricted groups" setting, hoping that would work, but it didn't.

    Domain Users is a security group, right? (I'm not in front of the server). That is probably why it did nothing when I added it to the GPO "restricted groups".

    I was under the assumption that all I needed to do was create users, create an OU, create a GPO within the OU, then add the users. That is where I am stuck...
    0
     
    LVL 18

    Expert Comment

    by:luv2smile
    The user objects need to be in the OU.

    For test purposes, create a new user in the OU:

    Open AD Users and Computers

    Right click the OU and choose "new" and then "user"

    Yes, domain users is a security group. Why are you using restricted groups?
    0
     
    LVL 18

    Expert Comment

    by:luv2smile
    After you create the new user in the OU

    In AD users and computers- right click on the OU, chose properties, then the group policy tab....if you currently have a GPO applied to the OU then it will appear here.
    0
     
    LVL 6

    Expert Comment

    by:nihlcat
    This is a shot in the dark, but in the properties of the GP you created, is the Block Policy Inheritance box unchecked?
    0
     
    LVL 18

    Expert Comment

    by:luv2smile
    If you are still in the testing mode then delete all GPOs for the OU (or just create a new OU and follow the steps above) and then create a new GPO and only apply the setting to block the control panel. Then run gpupdate.exe and test it.
    0
     
    LVL 18

    Expert Comment

    by:luv2smile
    "I was under the assumption that all I needed to do was create users, create an OU, create a GPO within the OU, then add the users. That is where I am stuck..."

    Basically the idea is that:

    You create an OU
    Then you create a user inside that OU
    Then you apply GPOs to a container (usually an OU, but can be a site or domain)

    GPOs aren't applied directly to a user...they are applied to a container and all users beneath that container take on the settings of the GPO. So you really don't add a GPO to a user....you add a user to a container and then apply the GPO to that container.
    0
     
    LVL 11

    Expert Comment

    by:WeHe
    is "enforce policy" on your default domain policy activated?
    0
     
    LVL 2

    Expert Comment

    by:gavin_wickens
    All the times I have had Group policies fail it has been to do with DNS poorly configured on client machines or a local copy of a profile.  Suggest check DNS using nslookup from command prompt and delete cached profiles (if applicable).
    0
     

    Author Comment

    by:dollarlongnecks
    OK, I went by the office and ended up having to work on some printer sharing problems, so I didn't have a chance to work on the GPO today. Tomorrow morning, I'm going to take all your recommendations and see if I can get something to work. Thanks for the input, and I'll update everyone tomorrow...
    0
     

    Author Comment

    by:dollarlongnecks
    OK, I'm at the office right now, trying some of the recommendations.

    For testing purposes, I created a new OU, then created a new user from within the OU. I then went in to the OU and created a GPO within the OU, and made sure it was linked and enforced, then I ran gpupdate.

    Still didn't work...

    Now, I've noticed that there are several other GPOs. There is a Default Domain Policy, and also a Default Domain Controllers Policy. Do I need to do anything with these? Neither one of them is currently enforced, but I'm gonna enforce them one at a time to see what happens.

    Also, could the name of the Domain have anything to do with this problem? The workgroup I started with was called "Shields", and when I set up the domain, an SA friend of mine had me look up our ISP name (ok.cox.net) and then use that in the name. So, the Domain name is "shields.ok.cox.net". Not sure if this is relevant at all, but this is my first domain setup, so I want to make sure I give you guys any and all information.

    That's it for now, I'll check back, and I'll also post back with updates. Thanks...
    0
     

    Author Comment

    by:dollarlongnecks
    OK, two more things:

    First off, I was playing with the GPMC (which I just installed) and the domain and the forest have the exact same name "shields.ok.cox.net". Is this how it's supposed to be?

    Second, is there a way I can just scrap the domain and start over? My SA friend that initially helped me set it up ran through it pretty fast, and it's possible that he may have done something that could be causing the problem.
    0
     
    LVL 18

    Expert Comment

    by:luv2smile
    The default domain policy and default domain controller policy are built in policies. If you want to make group policy changes that affect all computers/users domain wide (no matter the OU) then you would use the default domain policy. The default domain controller policy affects all domain controllers.

    So no, you don't need to do anything with these for now. If you want to make changes that affect the ENTIRE domain or all the domain controllers, then you would use these.
    0
     
    LVL 18

    Expert Comment

    by:luv2smile
    Because you only have 1 domain...the forest and the domain name will be the same....that is the way it is supposed to be.
    0
     
    LVL 18

    Expert Comment

    by:luv2smile
    To scrap the domain, you would have to uninstall and reinstall Active Directory.

    0
     

    Author Comment

    by:dollarlongnecks
    Is that something I should consider? If the naming is fine, and there aren't some weird settings that could be messed up, is it even worth it?

    Also, my SA friend had me set it up as a pre-2000 domain, even though all computers are XP and the server is 2003. Could this be an issue?

    Thanks again...
    0
     
    LVL 2

    Expert Comment

    by:gavin_wickens
    From the server go into a dos prompt and run nslookup
    should give you:
    yourservername.yourdomainname
    yourserveripaddress

    If not, your server isn't looking at itself for DNS resolution. If your settings are correct, do the same from a station and see what results you get. There is a way of putting the domain policy and the domain controller policy back to defaults but I won't post it until you have tried this and fed back the results (because I believe it to be a DNS issue).
    0
     

    Author Comment

    by:dollarlongnecks
    I did an nslookup yesterday (and I'll do it again when I get to the office). The server name I got was something like ns2.ok.cox.net, and the IP looked like a cox IP, but I'd have to look it up to be sure it is the one assigned to the server.

    I also tried putting the default GPOs back, even though they have not been changed (unless my buddy did it). I kept getting errors, and it looked like it was trying to change the settings somewhere in the cox network, as it was showing a cox domain name and a permission error, even though I was logged in as a domain admin.

    I'm heading up to the office right now, and I will post exactly what I'm getting...
    0
     
    LVL 2

    Expert Comment

    by:gavin_wickens
    So let me get this right, your ISP is ok.cox.net and your domain name is shields.ok.cox.net, your nslookup returned ns2.ok.cox.net which (I guess) is your ISP's DNS server, not yours. Is DNS running on your server at all (does it appear in start - programs - administrative tools - DNS)? What is your server IP setup? Please post IP address, subnet mask, default gateway and DNS server addresses.
    0
     

    Author Comment

    by:dollarlongnecks
    OK, it looks like we're getting to the core of the problem here.

    DNS does not appear to be running on the server. I did not set it up unless it was part of the Domain Controller setup, and again, I had a friend run through that with me, so I'm guessing it's not there. I really didn't know it was needed.

    nslookup gives:
    Default Server: ns2.ok.cox.net
    Address: 68.12.16.25

    I tried to run ipconfig, but it gives an error when I use the /all switch, and ipconfig alone gives:
    Server: ns2.ok.cox.net
    Address: 68.12.16.25

    *** ns2.ok.cox.net can't find ipconfig: Non-existent domain

    I'm not sure how else to get IP setup information, as I've always used ipconfig. But I got the IP from whatismyip, and it was 68.97.XXX.XXX, definitely not the same as the one I get from the nslookup...
    0
     
    LVL 2

    Expert Comment

    by:gavin_wickens
    You tried to run ipconfig while in nslookup. Run it again from a command prompt. You need to install DNS on your server. Is DHCP running on your server?
    0
     

    Author Comment

    by:dollarlongnecks
    OK, here's the stuff from ipconfig:

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : WISDOMCUBE
       Primary Dns Suffix  . . . . . . . : shields.ok.cox.net
       Node Type . . . . . . . . . . . . : Unknown
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : shields.ok.cox.net
                                           ok.cox.net
                                           ok.cox.net
                                           cox.net

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : ok.cox.net
       Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Network Connection
       Physical Address. . . . . . . . . : 00-0F-1F-67-08-0E
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IP Address. . . . . . . . . . . . : 192.168.1.108
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DNS Servers . . . . . . . . . . . : 68.12.16.25
                                           68.12.16.30
                                           68.2.16.30
       Lease Obtained. . . . . . . . . . : Friday, October 29, 2004 8:33:04 AM
       Lease Expires . . . . . . . . . . : Saturday, October 30, 2004 8:33:04 AM

    I'm about to start the DNS install. I need to list it with the router as a DNS server, right? Does it matter which one? Also, the DHCP runs from the router. That's it for now, I'll update after the install.
    0
     

    Author Comment

    by:dollarlongnecks
    OK, DNS is installed. I've never installed one before, so hopefully it's all right. :)

    I'm guessing it's gonna take a while to propagate, as the nslookup still shows the cox server. I'm gonna list a few things I know about the setup so we can make sure I've done it right.

    In the router, DHCP is running. I put the Server as a static IP outside of the DHCP range. The router has space for 3 DNS servers, I put the local server as 1, and the cox DNS as 2 and 3.

    While configuring the DNS server: I created a forward lookup zone, where the ISP maintains the zone, and a read-only secondary copy resides on the server. I named the zone "shields", and I specified the ISP DNS servers as master DNS servers. I also had it forward queries to the same ISP DNS servers.

    But, when I go in to manage the DNS server, "shields" is listed in the forward lookup zone, and there is an error.

    Zone Not Loaded by DNS Server

    The DNS server encountered a problem while attempting to load the zone. The transfer of zone data from the master server failed.

    I tried to reload, but it doesn't seem to do anything. I'm not sure if I need to wait longer or what. I'll check back when I leave for the day...
    0
     
    LVL 11

    Expert Comment

    by:WeHe
    how could you setup a w2k3 domain without a running dynamic dns? strange.

    first mistake: the dc has to use itself as dns server in ip settings.
    second: the correct name of this zone has to be "shields.ok.cox.net".
    but you can't use a secondary zone for your w2k3 domain.
    add a master zone shields.ok.cox.net.
    add your isp dns servers as forwarders in your dns servers settings.
    you need a writeable zone on a dns server for your servers/clients to run a w2k3 domain.
    0
     
    LVL 11

    Expert Comment

    by:WeHe
    and why does the router need dns entries?
    0
     

    Author Comment

    by:dollarlongnecks
    That's the thing, I don't know. This is the deepest I've ever gone into a network setup, and I'm kinda learning as I'm going. I've been talking to a friend who is an SA, but he has never done 2003, and neither has anyone else at his work.

    I assumed that I'd need to specify the DNS servers in the router, guess not.

    I'm leaving for the day (it's a contract job) and won't go back until Monday morning. If there are other things that you can think of, feel free to post. I'll make changes and report back...
    0
     
    LVL 11

    Expert Comment

    by:WeHe
    maybe the router can provide dns services for your office.
    but i would not use this for a w2k3 domain.
    if I were you, I would set up a fresh domain.
    install the server with dns :), configure the domain you want to have and then do the dcpromo.
    and use only this dns server for your servers and clients.
    0
     
    LVL 2

    Accepted Solution

    by:
    Without altering your setup too much....
    Turn off DHCP on the router.
    Set static IP on server 192.168.1.2, subnet 255.255.255.0, gateway 192.168.1.1, DNS 192.168.1.2.
    Install DHCP on server, create a new scope 192.168.1.5 - 192.168.1.254 and authorise it.
    DHCP options - default gateway 192.168.1.1, DNS server 192.168.1.2
    If you let windows configure your DNS remove it and add again using advanced (I will configure myself option).
    Run DNS from start - programs - administrative tools - DNS.
    Right click on forward lookup zone and create. Create one called shields.ok.cox.net (either Active Directory integrated or standard primary).
    Right click on reverse lookup zone and create 192.168.1.x (either Active directory integrated or standard primary).
    If you selected standard primary, right click on each of the zones you created and do properties.  You will need to set them to allow dynamic updates.
    Once this is done go into command prompt and type ipconfig /registerdns and press enter.
    Now type nslookup and press enter.  You should get the following:
    WISDOMCUBE.shields.ok.cox.net
    192.168.1.2
    Close command prompt.
    This means your internal DNS is now fine. If you run nslookup from the client and you get the same result you have it sussed and group policies will work. However your internet won't. To fix this you need to go back into DNS and right click on the server and do properties. There is an option to enable forwarders, type in 68.12.16.25 and ADD
    68.12.16.30 and ADD
    What this means is any DNS that isn't resolved internally by your server will be forwarded to your ISP for resolution, eg google.co.uk etc.
    Now your internet should work and I can have 500 points!
    0
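As an added example (not code from the thread or from any of its posters), a small Python checker that applies the diagnosis reached above to the `ipconfig /all` output posted earlier and to the configuration the accepted solution prescribes. Both samples are constructed from the values in the thread, and the domain name shields.ok.cox.net is taken from the question.

```python
"""Check `ipconfig /all` output against what an Active Directory domain needs from
DNS. Added example, not from the thread; it encodes the diagnosis reached above: the
DC and its clients must use the internal DNS server that hosts the AD zone, not the
ISP's resolvers, and the DC itself needs a static address."""
import ipaddress
import re

# Constructed sample: the server's ipconfig /all as posted in the thread (abridged).
BEFORE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WISDOMCUBE
   Primary Dns Suffix  . . . . . . . : shields.ok.cox.net

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : ok.cox.net
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.108
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 68.12.16.25
                                       68.12.16.30
"""

# Constructed sample: the same server after the accepted solution has been applied.
AFTER = """\
   Host Name . . . . . . . . . . . . : WISDOMCUBE
   Primary Dns Suffix  . . . . . . . : shields.ok.cox.net
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.2
"""

FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 /()-]*?)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Return {field: [values]} from the indented 'Name . . : value' lines. Indented
    lines without a colon continue the previous field (extra DNS servers or search
    suffixes). Assumes a single adapter, as in the thread."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1).strip()
            fields.setdefault(last, []).append(m.group(2).strip())
        elif last and line.startswith(" ") and ":" not in line and line.strip():
            fields[last].append(line.strip())
    return fields


def check_ad_dns(cfg, ad_domain, is_dc):
    """Return a list of findings; an empty list means the host is AD-ready."""
    findings = []
    if is_dc and cfg.get("DHCP Enabled", [""])[0].lower() == "yes":
        findings.append("domain controller gets its address from DHCP; use a static IP")
    if cfg.get("Primary Dns Suffix", [""])[0].lower() != ad_domain.lower():
        findings.append(f"primary DNS suffix is not the AD domain {ad_domain}")
    ip, mask = cfg.get("IP Address", [None])[0], cfg.get("Subnet Mask", [None])[0]
    servers = cfg.get("DNS Servers", [])
    if not (ip and mask and servers):
        return findings + ["IP address, subnet mask or DNS servers missing from output"]
    subnet = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    internal = [s for s in servers if ipaddress.ip_address(s) in subnet]
    if not internal:
        findings.append("no DNS server on the local subnet: queries go to the ISP, which "
                        "cannot answer the _ldap._tcp SRV lookups domain logon needs")
    elif servers[0] not in internal:
        findings.append("internal DNS server is not listed first; the ISP resolver wins")
    if is_dc and ip not in servers:
        findings.append("domain controller does not list its own address as a DNS server")
    return findings
```

Run with `is_dc=False` on a workstation's output to check a client the same way: the DHCP-assigned address is fine there, but the DNS servers must still be the internal one.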
     

    Author Comment

    by:dollarlongnecks
    OK, I'll try this in the next few days. It looks like I'll have to do it sometime while they are not working. I'll post back as soon as I've got it up and running.
    0
     

    Author Comment

    by:dollarlongnecks
    OK, well, had some issues...

    Went through and did everything you suggested. Everything looked OK from the server, nslookup gave the correct info. However, running nslookup on a client gave an unknown server and the loopback IP. Also, ipconfig from clients gave an IP address that was not part of the scope (a self generated generic IP).

    I was able to go in to TCP/IP and specify IP, subnet, gateway, and DNS server. This seemed to work, as I got internet access and the nslookup gave the correct information. But, I was trying to do all this before the start of the day and I was running out of time. There was no way I was going to be able to go to each computer, log in, and change the settings. So, I undid everything and went back to how it was with just the domain controller running.

    Is that what I need to do? I assumed that the clients would get the info from the server. Is there something I forgot to do? Everything seemed to work but that.

    Oh, also, for some reason, a few times when I tried to log into a client, I would get a pop-up box that said the domain SHIELDS was not available. Then, a minute later, it would let me in with no problem. weird.

    OK, I guess this remains open, so help if you can. Thanks.
    0
     
    LVL 11

    Expert Comment

    by:WeHe
    if ipconfig gives a self-generated generic ip, the client did not reach any dhcp server. is a router between dhcp server and client?
    did you configure the DNS Server Option in your DHCP Server under Scope or Server Options?
    0
     

    Author Comment

    by:dollarlongnecks
    No, the router is not between the clients and server, just attached to one of the switches.

    I didn't really configure the DNS or DHCP once I set it up initially. I basically followed gavin_wickens' instructions, then tried a few things I knew to try.
    0
     
    LVL 11

    Expert Comment

    by:WeHe
    but in his instructions is the following:
    Install DHCP on server, create a new scope 192.168.1.5 - 192.168.1.254 and authorise it.
    DHCP options - default gateway 192.168.1.1, DNS server 192.168.1.2

    and that means, configure your dhcp + dhcp options.
    0
     

    Author Comment

    by:dollarlongnecks
    Oh yeah, sorry. I did that. It asked those questions during the setup (wizard). I thought you meant did I go in afterward and make configuration changes.
    0
     
    LVL 11

    Expert Comment

    by:WeHe
    try a "ipconfig /all" on your client.
    there should be a line "DHCP Server".
    does it use the right one?
    0
     

    Author Comment

    by:dollarlongnecks
    No, I think it said something like "unknown". It definitely was not seeing the DHCP server. But I went ahead and uninstalled the DNS and DHCP and turned the DHCP back on at the router, just so everything would work like it did before.

    I may go back up this weekend and try it again when I'm not pressed for time. I guess it is possible I missed something. If anyone can think of something else that may be missing, please let me know.
    0
     

    Author Comment

    by:dollarlongnecks
    Woohoo! It works. I came up today when no one was working and went through and re-installed everything again. I must have missed something the first time, as it went smoothly today. Even the Group Policies work. Finally!

    Thanks to everyone who helped. This was a great learning experience.
    0
