  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 786

Group Policy Confusion

Over the weekend I tried to apply a group policy setting that would automatically lock the workstations after 10 minutes of idle time. I did this by making the following changes...

I edited the Default Domain Policy on domain.local (On the only DC in the organization)
User Configuration / Administrative Templates / Control Panel / Display
Hide Screen Saver Tab:   enabled
Screen Saver: enabled
Screen Saver Executable Name: logon.scr
Password Protect the Screen Saver: enabled
Screen Saver Timeout: enabled

I made the changes yesterday and ran secedit /refreshpolicy USER_POLICY /enforce on the DC

The domain is in mixed mode (used to have win98 clients, but no longer) with only Win2k and WinXP clients. For some reason, some clients act accordingly...the passworded screensaver comes on after 10 minutes. But other clients have weird settings. Like my machine for instance (I have a domain admin account), the screensaver has been changed and the timeout is fine, but it doesn't password protect. The screensaver tab is also missing, which it should be.

However another domain admin's pc has it working fine, except his screensaver tab is just greyed out, not missing.

Then I have some clients that even after I run gpupdate on, no settings are applied at all and the user can make all the changes they want to the screen saver.


I need some help diagnosing why I am getting such varied results and how to fix it.
0
Asked: DVation191
6 Solutions
 
mikeleebrlaCommented:
you will need to run GPUDATE from the XP clients to refresh the newly created policies
0
 
mikeleebrlaCommented:
sorry for the typo it's GPUPDATE.
0
 
mikeleebrlaCommented:
i posted before i fully read the bottom of your question..... can you specify which OSes the policy is working on and which aren't.... on the ones that the policy is NOT working on can you run a gpresult and see if the policy is even being applied to the computer at all?
0
 
DVation191Author Commented:
My pc, the one that has the right screen saver and the right timeout and a hidden screensaver tab but doesn't lock properly is WinXP SP2

My co-worker's pc that has the right screen saver and the right timeout but a greyed out screensaver that DOES lock properly is also WinXP SP2.

The client that has no screensaver settings applied appropriately at ALL is running WinXP SP1.



I tried running gpresult on the machine that had no screensaver settings applied and noticed this:
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    Default Domain Policy
        Filtering:  Denied (Security)


As far as I know, that client has the same security as the rest of the staff, many of which the GP Settings are working. I guess I need to investigate the security permissions...somewhere...
0
 
DVation191Author Commented:
The error above was under the Machine Policy section.

There was also an error from the User Policy section...

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    Local Group Policy
        Filtering:  Not Applied (Empty)
0
 
DVation191Author Commented:
Disregard my last post (local group policy isn't applied)
0
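The two gpresult excerpts quoted above follow one fixed layout: a scope header (COMPUTER SETTINGS / USER SETTINGS), an "Applied Group Policy Objects" list, and a "were not applied because they were filtered out" list in which each GPO name is followed by a "Filtering:" line giving the reason. The following PowerShell is an added example, not code from the thread or from Microsoft, that turns that text into one row per GPO so the reason (Denied (Security), Not Applied (Empty), and so on) can be read off per scope. The sample text is constructed to match the format shown in the thread; the workstation name, DC name and timestamp in it are made up.

```powershell
# Added example, not from the thread: parse the text output of gpresult and
# report, for each GPO, whether it applied or why it was filtered out.

function Get-GpResultFiltering {
    param([Parameter(Mandatory)][string[]]$Lines)

    $scope   = $null   # 'Computer' or 'User'
    $section = $null   # 'Applied', 'Filtered', or $null for any other section
    $pending = $null   # GPO name waiting for its "Filtering:" line
    $results = New-Object System.Collections.Generic.List[object]

    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -match '^-+$' -or $line -eq 'N/A') { continue }
        if ($line -match '^COMPUTER SETTINGS') { $scope = 'Computer'; $section = $null; continue }
        if ($line -match '^USER SETTINGS')     { $scope = 'User';     $section = $null; continue }
        if ($line -match '^Applied Group Policy Objects') { $section = 'Applied'; continue }
        if ($line -match 'were not applied because they were filtered out') { $section = 'Filtered'; continue }
        # Other gpresult headings end the GPO lists; ignore their content
        if ($line -match '^(The (computer|user) is a part of|Last time Group Policy|Group Policy was applied from|Group Policy slow link|Domain (Name|Type)|Site Name|Roaming Profile|Local Profile|Connected over)') {
            $section = $null; continue
        }
        if ($line -match '^Filtering:\s+(.+)$') {
            if ($pending) {
                $results.Add([pscustomobject]@{ Scope = $scope; Gpo = $pending; Applied = $false; Reason = $matches[1].Trim() })
                $pending = $null
            }
            continue
        }
        switch ($section) {
            'Applied'  { $results.Add([pscustomobject]@{ Scope = $scope; Gpo = $line; Applied = $true; Reason = '' }) }
            'Filtered' { $pending = $line }
        }
    }
    return $results
}

# Constructed sample in the layout quoted in the thread (names and date are made up)
$sample = @'
COMPUTER SETTINGS
------------------
    CN=WORKSTATION01,CN=Computers,DC=ovation,DC=local
    Last time Group Policy was applied: 1/1/2006 at 8:00:00 AM
    Group Policy was applied from:      dc01.ovation.local

    Applied Group Policy Objects
    -----------------------------
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Denied (Security)

USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
'@

Get-GpResultFiltering -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
```

On a live client, feed it the real output: `Get-GpResultFiltering -Lines (gpresult)` on Windows XP, or `Get-GpResultFiltering -Lines (gpresult /r)` on Vista and later. A "Denied (Security)" row on the Computer scope, as the asker saw, means the computer account itself could not read or apply that GPO, which is a different problem from a user-scope denial.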
 
mrrickyjonesCommented:
If these settings were modified on default domain policy they should apply to everyone the same in that domain UNLESS on an OU somewhere, there are settings defined for screensaver.  Group policy at the OU level is applied last and will overwrite anything set on the domain level.  Also, make sure you do not have the block policy inheritance checked.  

You may want to set the no override option on the default domain policy to see if that will solve the problem.
0
 
tengageCommented:
From some of the XP machines, run RSOP.MSC.  This will let you drill down and tell what policies are applying what settings.  If there are any overlapping policies, it will tell you which one is actually making changes.

I would also recommend if you haven't already done so, download the new and improved Policy MMC from http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en.

It sounds like maybe some of your IDs are in containers that have "block inheritance" enabled.  The new GPMC should make that clear if it is the case.
0
 
tengageCommented:
There are several ways to stop a policy from making it to certain OUs.  Another thing to check would be security settings on the policy.  If an ID cannot read the policy, it cannot apply it.  This may explain why GPResult showed you this message.
    Default Domain Policy
        Filtering:  Denied (Security)
0
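The point in the comment above, that a trustee without Read and Apply Group Policy on the GPO's ACL never receives it, can be checked directly rather than by clicking through the Security tab. The following PowerShell is an added example, not code from the thread; it uses the GroupPolicy module (shipped with RSAT and Windows Server 2008 R2 and later, so it postdates this thread), and the GPO name is the one from the question. It lists every ACE on the GPO and tells you, for one account or group name, whether it can apply the policy or whether a Deny entry would produce the "Denied (Security)" filtering the asker saw.

```powershell
# Added example, not from the thread: audit a GPO's security filtering.
# Requires the GroupPolicy module (RSAT); run as a user who can read the GPO's ACL.
Import-Module GroupPolicy

function Get-GpoSecurityFiltering {
    param([Parameter(Mandatory)][string]$GpoName, [string]$Domain)
    $params = @{ Name = $GpoName; All = $true }
    if ($Domain) { $params.Domain = $Domain }
    # One entry per ACE on the GPO; GpoApply implies GpoRead
    Get-GPPermission @params | ForEach-Object {
        [pscustomobject]@{
            Trustee    = $_.Trustee.Name
            Type       = $_.TrusteeType
            Permission = $_.Permission
            Denied     = $_.Denied
            CanApply   = (-not $_.Denied) -and ($_.Permission -eq 'GpoApply')
        }
    }
}

function Test-GpoTrustee {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$TrusteeName,   # account or group name as shown on the Security tab
        [string]$Domain
    )
    $entries = Get-GpoSecurityFiltering -GpoName $GpoName -Domain $Domain |
               Where-Object { $_.Trustee -eq $TrusteeName }
    if (-not $entries) {
        return "no direct ACE for '$TrusteeName'; it can only apply through a group it belongs to (e.g. Authenticated Users)"
    }
    if ($entries | Where-Object { $_.Denied }) {
        return "Deny ACE present for '$TrusteeName' -> gpresult will report 'Denied (Security)'"
    }
    if ($entries | Where-Object { $_.CanApply }) {
        return "'$TrusteeName' has Read + Apply Group Policy"
    }
    return "'$TrusteeName' has $($entries.Permission -join ', ') but not Apply Group Policy"
}

# Usage:
Get-GpoSecurityFiltering -GpoName 'Default Domain Policy' | Format-Table -AutoSize
Test-GpoTrustee -GpoName 'Default Domain Policy' -TrusteeName 'Authenticated Users'
```

Two caveats. The check looks only at direct ACEs, so a Deny on a group the user belongs to must be found by checking group membership as well. And, as this thread eventually shows, the client can fail to read a GPO for reasons other than its ACL (here, a stopped service), so a clean result from this audit rules out the permissions but not the problem.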
 
tengageCommented:
Here is another thing to try.  When YOU logon to one of the broken machines, does it act the same (everything but the lock function works)?  If these problems seem to follow the ID, then you can at least narrow it down a bit.  The one that is strange is the Greyed out screen saver tab.  I just implemented the exact scenario you are talking about and my problem is that I was applying it to a container that had just machines in it.....Duh.
0
 
DVation191Author Commented:
Let me start off by saying I figured out why my own machine wasn't locking. It was because of a "screen saver grace period" setting in the registry that let me set the screensaver to 5 minutes with a grace period of 10 minutes (so that the screen saver would come on at minute 5 of idle time, but it wouldn't actually lock until minute 15 of idle time....). Once I deleted this key my own machine worked fine. It's the one that doesn't have any group policy settings applied at all that bothers me....

"If these settings were modified on default domain policy they should apply to everyone the same in that domain UNLESS on an OU somewhere"
 > All these users are in the default "Users" OU. Block inheritance is not checked.

"From some of the XP machines, run RSOP.MSC. "
 > Hadn't tried that. On my own machine, it shows all the policies appropriately (as they should, since they are working correctly).
 > On the client machine that has no policies...there was a big red X over the computer name just under "console root". There was no red X over "Computer Configuration" but there WAS a big red X over "User Configuration" (which is of course where the screen saver settings are held)

I went into the properties of the Default Group Policy of the local domain and went to the "Security Tab". I explicitly added this client's account with Read permissions and Apply Group Policy permissions. I then went back to the client and ran gpupdate...it still failed. What's going on here!?




0
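The "screen saver grace period" the asker found explains a machine that runs the right screen saver at the right time yet does not lock when expected: the grace period is added on top of the screen-saver timeout before the password is required. The following PowerShell is an added example, not code from the thread, that reads the effective settings on a client and computes the actual lock time. The registry value names are the standard ones written by the policy settings listed in the question (under HKCU\Software\Policies\...\Desktop when a policy applies, under HKCU\Control Panel\Desktop when the user sets them) and the Winlogon ScreenSaverGracePeriod value; none of those names are quoted in the thread.

```powershell
# Added example, not from the thread: show the effective screen-saver lock
# settings on a client and when the workstation actually locks.

$PolicyKey   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey     = 'HKCU:\Control Panel\Desktop'
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-LockSummary {
    # Pure arithmetic, so it can also be fed the numbers from the thread
    param($Source, $Active, $Secure, $TimeoutSec, $Exe, $GraceSec)
    $grace = [int]$GraceSec
    $locks = ($Active -eq '1') -and ($Secure -eq '1')
    $starts = if ($null -eq $TimeoutSec) { 'not set' } else { "$([math]::Round([int]$TimeoutSec / 60, 1)) min" }
    $locksAfter = if (-not $locks) { 'never (not password protected)' }
                  elseif ($null -eq $TimeoutSec) { 'not set' }
                  else { "$([math]::Round(([int]$TimeoutSec + $grace) / 60, 1)) min" }
    [pscustomobject]@{
        Source           = $Source
        ScreenSaver      = $Exe
        SaverStartsAfter = $starts
        GracePeriodSec   = $grace
        LocksAfter       = $locksAfter
    }
}

function Get-EffectiveScreenSaverLock {
    # Policy values win; if none exist the user's own (editable) settings are in force,
    # which is exactly the state of the client that received no GPO at all
    $key = $PolicyKey; $source = 'policy'
    if ($null -eq (Get-RegValue $PolicyKey 'ScreenSaveTimeOut')) { $key = $UserKey; $source = 'user (no policy applied)' }
    $grace = Get-RegValue $WinlogonKey 'ScreenSaverGracePeriod'
    if ($null -eq $grace) { $grace = 5 }   # Windows default (seconds) when the value is absent
    Get-LockSummary -Source $source `
                    -Active  (Get-RegValue $key 'ScreenSaveActive') `
                    -Secure  (Get-RegValue $key 'ScreenSaverIsSecure') `
                    -TimeoutSec (Get-RegValue $key 'ScreenSaveTimeOut') `
                    -Exe     (Get-RegValue $key 'SCRNSAVE.EXE') `
                    -GraceSec $grace
}

# The asker's case: 5 minute timeout plus a 10 minute grace period -> locks at 15 minutes
Get-LockSummary -Source 'example' -Active '1' -Secure '1' -TimeoutSec 300 -Exe 'logon.scr' -GraceSec 600
# Live check on this client:
Get-EffectiveScreenSaverLock
```

Run it as the affected user, since the screen-saver values are per-user while the grace period is machine-wide. A large grace period is worth treating as a finding in its own right, because the lock the policy promises is silently delayed by that amount on every idle workstation.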
 
tengageCommented:
Do you have any strange events being logged that may help?
0
 
DVation191Author Commented:
Just double-checked the event logs. No errors. =(
0
 
WeHeCommented:
Download the GPMC from Microsoft.
Inside GPMC you can simulate (Group Policy Modeling) and check (Group Policy Results) rsop's for any user/computer/ou combination.
check there, which gpo applies where to whom and why.
maybe this will bring some more light to this.
but this "Filtering:  Denied (Security)" sounds like a Permission Problem.
0
 
tengageCommented:
On a broken machine, launch RSOP and right click on "User Config".  There should be a tab called "error information".  If it is there, does it tell you anything worthwhile?
0
 
tengageCommented:
sorry, right click | Properties | error info
0
 
DVation191Author Commented:
I ran GPMC remotely and ran it with the client account as the user and my own account as the user. according to GPMC, my account picks up the policy no problem.

However GPMC reports a problem with the client account...though I have no idea what it means or how to solve it...maybe you guys will know :)


Event ID 1030:
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Event ID 1058:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ovation,DC=local. The file must be present at the location <\\ovation.local\sysvol\ovation.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (The network path was not found. ). Group Policy processing aborted.



Any ideas??
0
 
WeHeCommented:
look if this file exists and you have permissions to it:
\\ovation.local\sysvol\ovation.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
0
 
DVation191Author Commented:
When I try to access that location from her account, I get an error that "No network provider accepted the given network path"
When I try to access that location from my own account, I can access it fine.

I have a feeling this has to do with some service that maybe isn't being started. I found a couple MS KB articles on those event IDs...and if anybody is wondering, DFS is not disabled on the domain controller or the client...the service is running on both machines.

And the mystery continues...
0
 
tengageCommented:
Did you perform this test from the same machine with both IDs?  It sounds like the problem user is just not logged on correctly.  The machine is running XP right?  Can the user resolve the DCs address by name (short name or fully qualified)?  Can the user ping the DC?  Can the user ping the Domain?  How many protocols do you have installed (novell)?  Can the problem user browse to \\domaincontroller\netlogon?  Do you have logon scripts configured and do they run correctly?  Can the user browse to \\Domaincontroller\sysvol\ovation.local\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini?

Can the user's machine do an NSLOOKUP using one of her nameservers and lookup ovation.local?  Are there proper wins entries for the domain?

I'm thinking it may be name resolution, but that shouldn't be different for two IDs on the same computer.
0
 
tengageCommented:
one more thing, try to go to run | \\%logonserver%.  Does a valid domain controller show up?

Here are some articles on the "No network provider accepted the given network path" message, they appear to be generic and mostly 9X related.

http://support.microsoft.com/kb/127933/EN-US/
http://www.jsiinc.com/SUBR/tip8500/rh8517.htm

0
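The questions in the two comments above are a checklist that is worth running in one go from the problem client, logged on as the affected user, since the Event 1058 text says the client could not reach the gpt.ini path while another account on the same machine could. The following PowerShell is an added example, not code from the thread; the domain name and the gpt.ini path are the ones quoted in the event, the DC name is a placeholder you must replace, and the last check looks at the service the thread later identifies.

```powershell
# Added example, not from the thread: run the name-resolution / reachability
# checklist from the client, as the user whose policy is not applying.

$Domain = 'ovation.local'
$Dc     = 'DC01'   # placeholder: short name of your domain controller
$GptIni = "\\$Domain\sysvol\$Domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini"

function Test-Step {
    param([string]$Name, [scriptblock]$Check)
    $ok = $false; $detail = ''
    try {
        $detail = & $Check
        $ok = [bool]$detail          # a value/True means the step succeeded
    } catch {
        $detail = $_.Exception.Message   # e.g. "No network provider accepted the given network path"
    }
    [pscustomobject]@{ Check = $Name; Pass = $ok; Detail = ("$detail" -split "`n")[0].Trim() }
}

function Invoke-GpClientChecklist {
    @(
        Test-Step 'Logon server (%LOGONSERVER%)'  { $env:LOGONSERVER }
        Test-Step "DNS: resolve $Domain"          { ([System.Net.Dns]::GetHostAddresses($Domain) | Select-Object -First 1).ToString() }
        Test-Step "DNS: resolve $Dc"              { ([System.Net.Dns]::GetHostAddresses($Dc) | Select-Object -First 1).ToString() }
        Test-Step "Ping $Domain"                  { Test-Connection -ComputerName $Domain -Count 1 -Quiet }
        Test-Step "Ping $Dc"                      { Test-Connection -ComputerName $Dc -Count 1 -Quiet }
        Test-Step "Browse \\$Dc\netlogon"         { Test-Path "\\$Dc\netlogon" }
        Test-Step "Browse \\$Domain\sysvol"       { Test-Path "\\$Domain\sysvol" }
        Test-Step 'Read Default Domain Policy gpt.ini' { (Get-Content -Path $GptIni -ErrorAction Stop) -join ' ' }
        Test-Step 'TCP/IP NetBIOS Helper (lmhosts) running' { (Get-Service -Name lmhosts).Status -eq 'Running' }
    )
}

Invoke-GpClientChecklist | Format-Table -AutoSize
```

The interesting pattern is the one the asker hit: DNS and ping pass, the DC's own shares open, but the domain-rooted `\\ovation.local\sysvol` path fails while the machine-rooted path works. That points at the client's ability to resolve and open the domain DFS path rather than at the GPO's ACL, which is why the permission change on the DC made no difference.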
 
DVation191Author Commented:
So this is what I did...following some leads on those Event IDs I did the following....

I removed the computer from the domain and deleted the computer account from AD. I then rejoined the domain. No difference.
I double-checked the DFS services on both the client computer and the DC. No difference.
I ran SFC /scannow. It replaced a bunch of files, so I rebooted. Still no difference.
Because of my hunch that it had to do with a service of some kind, I ran a registry file I made way back that restores all the services to their default settings. I ran this, rebooted... and BINGO. all the GPOs applied successfully.

I have no idea which service caused the problem, and it's too late to be able to tell now that I have restored all the services...but it makes me wonder how the client was able to do the things she does everyday like logon, check email, access shares etc yet couldn't receive a GPO.

To make matters even more confusing, I see these very same Event IDs in my own event log, yet the GPOs apply just fine. I haven't checked the client computer yet to see if the Event IDs are recurring.
0
 
tengageCommented:
wow.  Do you have more machines that you could narrow down the specific service that caused your problem?  I would guess something like the server service or TCP/IP Netbios helper.
0
 
tengageCommented:
Which services does your script enable / start?
0
 
WeHeCommented:
you ran this file on the server or the client?
can you post or publish your registry file?
0
 
tengageCommented:
I killed my TCP/IP netbios helper and got the errors in my event log like you described.  Maybe that is the one.  I ran across this problem before, the TCP/IP netbios helper was required in order for our KIX logon scripts to properly map drives.
0
 
DVation191Author Commented:
It modifies ALL services. I exported all the services settings on a fresh XP Pro install to a registry file. I keep it around ... it's saved me a few times now. I have no idea which service or combination of services it changed that fixed the problem.

I only found out this particular client's machine wasn't working properly because shortly after the GPO was applied, that PC was one of the ones I was watching to see if it worked right. I suppose I'll have to use GPMC to run the wizard on each of the 50 users on this domain...that could take some time. Unless somebody has another idea on how to accomplish this faster?
0
 
DVation191Author Commented:
I ran this on the client. And yes I can publish the reg file. I'll zip it up and post it here...
http://216.157.152.135/Services.Pro.Restore.zip

"I killed my TCP/IP netbios helper and got the errors in my event log like you described."
> That could be the one!

I have that service enabled now and don't receive the error in the event log. What a pain.
This question is now essentially closed, but if anyone cares to offer some suggestions on how I can make sure this isn't happening on other clients, I'd really appreciate it.

I'd just create a policy that enables the service, but that won't work if the GPO can't be applied without it on :)
0
 
tengageCommented:
If you do narrow it down to a specific service, you can automate enabling the service (unless it's the server service)

I use SC.EXE which is available on one of the dozens of Resource Kits.

sc \\machine config lmhosts start= auto

That will set the "TCP / IP Netbios helper" to automatic.  Run that in a batch file for all of your machines and you should be set
0
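The asker's remaining problem is the 50 other clients: a GPO cannot be used to start the very service that GPO processing depends on, so the check and the fix both have to run from outside Group Policy. The following PowerShell is an added example, not code from the thread, built on the same `sc.exe` commands as the comment above: it reads each machine's start type and state for the TCP/IP NetBIOS Helper service (service name `lmhosts`) and, if asked, sets it to Automatic and starts it. The machine names are constructed placeholders; `sc.exe` is spelled out because `sc` is a PowerShell alias for Set-Content.

```powershell
# Added example, not from the thread: audit and repair the lmhosts service
# across a list of machines with sc.exe, from an admin workstation.

function Get-RemoteServiceConfig {
    param([Parameter(Mandatory)][string]$Computer, [string]$Service = 'lmhosts')
    # "qc" reports START_TYPE, "query" reports STATE; errors (RPC unavailable, access denied) are captured as text
    $qc    = sc.exe "\\$Computer" qc $Service 2>&1 | Out-String
    $query = sc.exe "\\$Computer" query $Service 2>&1 | Out-String
    $start = if ($qc    -match 'START_TYPE\s*:\s*\d+\s+(\S+)') { $matches[1] } else { 'UNKNOWN' }
    $state = if ($query -match 'STATE\s*:\s*\d+\s+(\S+)')      { $matches[1] } else { 'UNKNOWN' }
    [pscustomobject]@{ Computer = $Computer; Service = $Service; StartType = $start; State = $state }
}

function Repair-RemoteService {
    param([Parameter(Mandatory)][string]$Computer, [string]$Service = 'lmhosts')
    $before = Get-RemoteServiceConfig -Computer $Computer -Service $Service
    if ($before.StartType -eq 'UNKNOWN') { return $before }   # unreachable; nothing to change
    if ($before.StartType -ne 'AUTO_START') {
        # sc.exe requires the space after "start="
        sc.exe "\\$Computer" config $Service start= auto | Out-Null
    }
    if ($before.State -ne 'RUNNING') {
        sc.exe "\\$Computer" start $Service | Out-Null
    }
    Get-RemoteServiceConfig -Computer $Computer -Service $Service
}

# Constructed list; in practice: $machines = Get-Content machines.txt
$machines = @('WS01', 'WS02', 'WS03')

# Audit only: anything not AUTO_START / RUNNING is a client that may silently stop receiving policy
$machines | ForEach-Object { Get-RemoteServiceConfig -Computer $_ } | Format-Table -AutoSize

# Remediate: uncomment once the audit output looks right
# $machines | ForEach-Object { Repair-RemoteService -Computer $_ } | Format-Table -AutoSize
```

Remote `sc.exe` needs local administrator rights on each target and the Service Control Manager reachable over RPC, so a machine that shows UNKNOWN is either off or has a second problem worth a look. Once the service is running, `gpupdate` on the client should pick the policy up, and the audit can be re-run periodically so the condition is caught before a user notices an unlocked workstation.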
 
DVation191Author Commented:
Ok thanks a lot.

Thank you to everyone that helped...this wasn't an easy one but you all helped me drill down to the source of the problem. Thanks to all that contributed
0
