?
Solved

Default Domain Policy not applied

Posted on 2005-03-29
7
Medium Priority
?
3,422 Views
Last Modified: 2012-08-13
I am having a problem with our Windows 2000 DC's not pushing out the default domain policy to workstations.  When I run gpresult on said workstations I get thisd output:


    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Unknown Reason)

        App-Computer-Workstations
            Filtering:  Disabled (Link)

        Computer-Workstation
            Filtering:  Disabled (Link)

        Service Packs
            Filtering:  Denied (Security)

        Default Domain Policy
            Filtering:  Not Applied (Unknown Reason)

        Computer-Admins
            Filtering:  Disabled (Link)

        Computer-Exception-Installer
            Filtering:  Disabled (Link)

Can someone point me in the right direction as to why I am getting "not applied - unknown reason" for the default domain policy?  
0
Comment
Question by:bwalker1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 1

Expert Comment

by:weight01
ID: 13657356
0
 

Expert Comment

by:ambboy
ID: 13658367
Are your workstations all 2000, a mix of XP and 2000, or what?

Do you edit your policies using a tool on Windows 2000 or XP or from the domain controllers?  Sometimes, when using an XP workstation with the 2003 GPO tool, people have been known to cause policy problems for their 2000 domains.

Have you applied or denied the policy based upon a group membership?  Perhaps you set the policy so that it would not be applied to certain users or groups (also known as Group Filtering).

We probably need a little more information to be truly helpful here...
0
 
LVL 1

Expert Comment

by:MattFocus
ID: 13659362
Are you running DNS on the DC?
0
Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.

 
LVL 5

Accepted Solution

by:
lapukman earned 1500 total points
ID: 13659426
It is possible that the Default Domain Policy is being blocked from lower objects in the AD heirarchy. For you to enforce the Default Domain Policy even if the "Block Policy Inheritance" is set on lower objects (like OUs and individual GPOs) to all objects in the domain, you have to put a check on "No Override" in the GPO properties of the domain itself.

Remember, changing this setting might take sometime to propagate, so you might not get immediate result after you have done this.

If this does not resolve your issue, then I would like to know some info:

1) Does this happen to specifc machines only?
2) Does this happen to specific objects in a specific OU only?


Lapukman
0
 

Expert Comment

by:knighthammer
ID: 13663717
I am also a network admin working at the same company trying to resolve this issue.  The answers to all questions above are posted here.  I hope this helps.  The only thing I had not done was set the policy to no override.  Made that change and will be testing it today.

Okay the first link they suggest is talking about the loopback policy, that doesn’t affect us here.

No group filters are being applied to the default domain policy at all.  It is assigned to all “authenticated users”

Are your workstations all 2000, a mix of XP and 2000, or what?  They are a mix of xp and 2000.

Do you edit your policies using a tool on Windows 2000 or XP or from the domain controllers?  Sometimes, when using an XP workstation with the 2003 GPO tool, people have been known to cause policy problems for their 2000 domains – I would say a combination of both, sometimes from the dc, sometimes from an xp workstation.

Have you applied or denied the policy based upon a group membership?  Perhaps you set the policy so that it would not be applied to certain users or groups (also known as Group Filtering).   No Filtering applied to this gpo.


Are you running DNS on the DC  - Yes, dns is running on all DCs.

It is possible that the Default Domain Policy is being blocked from lower objects in the AD heirarchy. For you to enforce the Default Domain Policy even if the "Block Policy Inheritance" is set on lower objects (like OUs and individual GPOs) to all objects in the domain, you have to put a check on "No Override" in the GPO properties of the domain itself.   – I didn’t have “no override” set.  I have at this time, set that checkmark.  It will take some time to propogate, I’m going to force replication and see if I can give it a hand.  Might need you to check a couple of workstation out there at some point today.

1) Does this happen to specifc machines only?    Machines attached to a specific DC (not the rid master)
2) Does this happen to specific objects in a specific OU only?  It could be viewed that way.  It is affecting specific machines in several specific OUs spread thoughout the schema.
0
 
LVL 1

Expert Comment

by:MattFocus
ID: 13664808
Can you ping the domain (e.g. domain.local or just domain) and can you do an nslookup on the domain and on the server/s by name and IP (reverse lookup), have you run netdiag on the server to see if any failures occur (this is worth a try).  Try the pings and lookups from both the server and the workstations.
0
 

Expert Comment

by:knighthammer
ID: 13666433
when i ping the domain, it responds with an ip address of a server in our network, but not a dns server/or dc.  


i corrected the dns entry to point to our soa/rid dc.  see if that helps.
0

Featured Post

Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Windows 7 does not have the best desktop search built in. This is something Windows 7 users have struggled with. You type something in, and your search results don’t always match what you are looking for, or it doesn’t actually work at all. There ar…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question