Default Domain Policy not applied

I am having a problem with our Windows 2000 DCs not pushing out the default domain policy to workstations.  When I run gpresult on said workstations I get this output:


    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Unknown Reason)

        App-Computer-Workstations
            Filtering:  Disabled (Link)

        Computer-Workstation
            Filtering:  Disabled (Link)

        Service Packs
            Filtering:  Denied (Security)

        Default Domain Policy
            Filtering:  Not Applied (Unknown Reason)

        Computer-Admins
            Filtering:  Disabled (Link)

        Computer-Exception-Installer
            Filtering:  Disabled (Link)

Can someone point me in the right direction as to why I am getting "not applied - unknown reason" for the default domain policy?  
bwalker1 asked:

weight01 commented:
0
ambboy (Computer Systems Infrastructure Architect) commented:
Are your workstations all 2000, a mix of XP and 2000, or what?

Do you edit your policies using a tool on Windows 2000 or XP or from the domain controllers?  Sometimes, when using an XP workstation with the 2003 GPO tool, people have been known to cause policy problems for their 2000 domains.

Have you applied or denied the policy based upon a group membership?  Perhaps you set the policy so that it would not be applied to certain users or groups (also known as Group Filtering).

We probably need a little more information to be truly helpful here...
0
MattFocus commented:
Are you running DNS on the DC?
0
lapukman commented:
It is possible that the Default Domain Policy is being blocked from lower objects in the AD hierarchy. For you to enforce the Default Domain Policy even if the "Block Policy Inheritance" is set on lower objects (like OUs and individual GPOs) to all objects in the domain, you have to put a check on "No Override" in the GPO properties of the domain itself.

Remember, changing this setting might take some time to propagate, so you might not get immediate results after you have done this.

If this does not resolve your issue, then I would like to know some info:

1) Does this happen to specific machines only?
2) Does this happen to specific objects in a specific OU only?


Lapukman
0

knighthammer commented:
I am also a network admin working at the same company trying to resolve this issue.  The answers to all questions above are posted here.  I hope this helps.  The only thing I had not done was set the policy to no override.  Made that change and will be testing it today.

Okay the first link they suggest is talking about the loopback policy, that doesn’t affect us here.

No group filters are being applied to the default domain policy at all.  It is assigned to all “authenticated users”.

Are your workstations all 2000, a mix of XP and 2000, or what?  They are a mix of XP and 2000.

Do you edit your policies using a tool on Windows 2000 or XP or from the domain controllers?  Sometimes, when using an XP workstation with the 2003 GPO tool, people have been known to cause policy problems for their 2000 domains – I would say a combination of both, sometimes from the DC, sometimes from an XP workstation.

Have you applied or denied the policy based upon a group membership?  Perhaps you set the policy so that it would not be applied to certain users or groups (also known as Group Filtering).   No Filtering applied to this GPO.


Are you running DNS on the DC?  - Yes, DNS is running on all DCs.

It is possible that the Default Domain Policy is being blocked from lower objects in the AD hierarchy. For you to enforce the Default Domain Policy even if the "Block Policy Inheritance" is set on lower objects (like OUs and individual GPOs) to all objects in the domain, you have to put a check on "No Override" in the GPO properties of the domain itself.   – I didn’t have “no override” set.  I have, at this time, set that checkmark.  It will take some time to propagate; I’m going to force replication and see if I can give it a hand.  Might need you to check a couple of workstations out there at some point today.

1) Does this happen to specific machines only?    Machines attached to a specific DC (not the RID master)
2) Does this happen to specific objects in a specific OU only?  It could be viewed that way.  It is affecting specific machines in several specific OUs spread throughout the schema.
0
MattFocus commented:
Can you ping the domain (e.g. domain.local or just domain), and can you do an nslookup on the domain and on the server/s by name and IP (reverse lookup)?  Have you run netdiag on the server to see if any failures occur (this is worth a try)?  Try the pings and lookups from both the server and the workstations.
0
knighthammer commented:
When I ping the domain, it responds with an IP address of a server in our network, but not a DNS server or DC.


I corrected the DNS entry to point to our SOA/RID DC.  See if that helps.
0
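
Added example (not part of the thread, and not any poster's code): a small Python parser for the gpresult "filtered out" section quoted in the question, grouping GPOs by filtering reason and listing the unexplained ones first. The sample text is constructed from the question's output, and the hint for "Unknown Reason" only restates the checks suggested in the replies above.

```python
import re
from collections import defaultdict

# Constructed sample: the gpresult section quoted in the question, abridged.
SAMPLE = """\
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    Default Domain Policy
        Filtering:  Not Applied (Unknown Reason)

    App-Computer-Workstations
        Filtering:  Disabled (Link)

    Service Packs
        Filtering:  Denied (Security)

    Default Domain Policy
        Filtering:  Not Applied (Unknown Reason)
"""

EXPLAINED = ("Disabled (Link)", "Denied (Security)")
# Next check per reason; the "Unknown Reason" entry lists the thread's suggestions.
NEXT_CHECK = {
    "Disabled (Link)": "the GPO link is disabled on the container; confirm that is intended",
    "Denied (Security)": "security filtering: the account lacks Read / Apply Group Policy",
    "Not Applied (Unknown Reason)": "check Block Policy Inheritance / No Override, and "
                                    "that the domain name resolves to a DC in DNS",
}
FILTER_RE = re.compile(r"^\s*Filtering:\s+(.+?)\s*$")

def parse_filtered_gpos(text):
    """Return {reason: [GPO names]} from a gpresult 'filtered out' section."""
    by_reason, gpo = defaultdict(list), None
    for line in text.splitlines():
        stripped = line.strip()
        m = FILTER_RE.match(line)
        if m:
            # The same GPO can be listed more than once (as in the question); keep one.
            if gpo and gpo not in by_reason[m.group(1)]:
                by_reason[m.group(1)].append(gpo)
            gpo = None
        elif stripped and not stripped.startswith(("The following", "---")):
            gpo = stripped  # a GPO name precedes its "Filtering:" line
    return dict(by_reason)

def triage(text):
    """Return (gpo, reason, next check) tuples, unexplained reasons first."""
    rows = [(g, r, NEXT_CHECK.get(r, "unrecognised reason; inspect manually"))
            for r, gpos in parse_filtered_gpos(text).items() for g in gpos]
    return sorted(rows, key=lambda row: row[1] in EXPLAINED)

if __name__ == "__main__":
    for gpo, reason, check in triage(SAMPLE):
        print(f"{gpo}: {reason} -> {check}")
```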