Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Default Domain Policy not applied

Posted on 2005-03-29
7
Medium Priority
?
3,561 Views
Last Modified: 2012-08-13
I am having a problem with our Windows 2000 DC's not pushing out the default domain policy to workstations.  When I run gpresult on said workstations I get thisd output:


    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Unknown Reason)

        App-Computer-Workstations
            Filtering:  Disabled (Link)

        Computer-Workstation
            Filtering:  Disabled (Link)

        Service Packs
            Filtering:  Denied (Security)

        Default Domain Policy
            Filtering:  Not Applied (Unknown Reason)

        Computer-Admins
            Filtering:  Disabled (Link)

        Computer-Exception-Installer
            Filtering:  Disabled (Link)

Can someone point me in the right direction as to why I am getting "not applied - unknown reason" for the default domain policy?  
0
Comment
Question by:bwalker1
7 Comments
 
LVL 1

Expert Comment

by:weight01
ID: 13657356
0
 

Expert Comment

by:ambboy
ID: 13658367
Are your workstations all 2000, a mix of XP and 2000, or what?

Do you edit your policies using a tool on Windows 2000 or XP or from the domain controllers?  Sometimes, when using an XP workstation with the 2003 GPO tool, people have been known to cause policy problems for their 2000 domains.

Have you applied or denied the policy based upon a group membership?  Perhaps you set the policy so that it would not be applied to certain users or groups (also known as Group Filtering).

We probably need a little more information to be truly helpful here...
0
 
LVL 1

Expert Comment

by:MattFocus
ID: 13659362
Are you running DNS on the DC?
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 5

Accepted Solution

by:
lapukman earned 1500 total points
ID: 13659426
It is possible that the Default Domain Policy is being blocked from lower objects in the AD heirarchy. For you to enforce the Default Domain Policy even if the "Block Policy Inheritance" is set on lower objects (like OUs and individual GPOs) to all objects in the domain, you have to put a check on "No Override" in the GPO properties of the domain itself.

Remember, changing this setting might take sometime to propagate, so you might not get immediate result after you have done this.

If this does not resolve your issue, then I would like to know some info:

1) Does this happen to specifc machines only?
2) Does this happen to specific objects in a specific OU only?


Lapukman
0
 

Expert Comment

by:knighthammer
ID: 13663717
I am also a network admin working at the same company trying to resolve this issue.  The answers to all questions above are posted here.  I hope this helps.  The only thing I had not done was set the policy to no override.  Made that change and will be testing it today.

Okay the first link they suggest is talking about the loopback policy, that doesn’t affect us here.

No group filters are being applied to the default domain policy at all.  It is assigned to all “authenticated users”

Are your workstations all 2000, a mix of XP and 2000, or what?  They are a mix of xp and 2000.

Do you edit your policies using a tool on Windows 2000 or XP or from the domain controllers?  Sometimes, when using an XP workstation with the 2003 GPO tool, people have been known to cause policy problems for their 2000 domains – I would say a combination of both, sometimes from the dc, sometimes from an xp workstation.

Have you applied or denied the policy based upon a group membership?  Perhaps you set the policy so that it would not be applied to certain users or groups (also known as Group Filtering).   No Filtering applied to this gpo.


Are you running DNS on the DC  - Yes, dns is running on all DCs.

It is possible that the Default Domain Policy is being blocked from lower objects in the AD heirarchy. For you to enforce the Default Domain Policy even if the "Block Policy Inheritance" is set on lower objects (like OUs and individual GPOs) to all objects in the domain, you have to put a check on "No Override" in the GPO properties of the domain itself.   – I didn’t have “no override” set.  I have at this time, set that checkmark.  It will take some time to propogate, I’m going to force replication and see if I can give it a hand.  Might need you to check a couple of workstation out there at some point today.

1) Does this happen to specifc machines only?    Machines attached to a specific DC (not the rid master)
2) Does this happen to specific objects in a specific OU only?  It could be viewed that way.  It is affecting specific machines in several specific OUs spread thoughout the schema.
0
 
LVL 1

Expert Comment

by:MattFocus
ID: 13664808
Can you ping the domain (e.g. domain.local or just domain) and can you do an nslookup on the domain and on the server/s by name and IP (reverse lookup), have you run netdiag on the server to see if any failures occur (this is worth a try).  Try the pings and lookups from both the server and the workstations.
0
 

Expert Comment

by:knighthammer
ID: 13666433
when i ping the domain, it responds with an ip address of a server in our network, but not a dns server/or dc.  


i corrected the dns entry to point to our soa/rid dc.  see if that helps.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
As the title indicates, I have done this before. It chills me everytime I update the OS on my phone, (http://www.experts-exchange.com/articles/18084/Upgrading-to-Android-5-0-Lollipop.html) because one time I did this and I essentially had a bricked …
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.
Suggested Courses

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question