bwalker1

Default Domain Policy not applied

I am having a problem with our Windows 2000 DCs not pushing out the default domain policy to workstations.  When I run gpresult on said workstations I get this output:


    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Unknown Reason)

        App-Computer-Workstations
            Filtering:  Disabled (Link)

        Computer-Workstation
            Filtering:  Disabled (Link)

        Service Packs
            Filtering:  Denied (Security)

        Default Domain Policy
            Filtering:  Not Applied (Unknown Reason)

        Computer-Admins
            Filtering:  Disabled (Link)

        Computer-Exception-Installer
            Filtering:  Disabled (Link)

Can someone point me in the right direction as to why I am getting "not applied - unknown reason" for the default domain policy?  
weight01

Are your workstations all 2000, a mix of XP and 2000, or what?

Do you edit your policies using a tool on Windows 2000 or XP or from the domain controllers?  Sometimes, when using an XP workstation with the 2003 GPO tool, people have been known to cause policy problems for their 2000 domains.

Have you applied or denied the policy based upon a group membership?  Perhaps you set the policy so that it would not be applied to certain users or groups (also known as Group Filtering).

We probably need a little more information to be truly helpful here...
MattFocus

Are you running DNS on the DC?
ASKER CERTIFIED SOLUTION
lapukman

This solution is only available to members.
I am also a network admin working at the same company trying to resolve this issue.  The answers to all questions above are posted here.  I hope this helps.  The only thing I had not done was set the policy to no override.  Made that change and will be testing it today.

Okay the first link they suggest is talking about the loopback policy, that doesn’t affect us here.

No group filters are being applied to the default domain policy at all.  It is assigned to all “authenticated users”.

Are your workstations all 2000, a mix of XP and 2000, or what?  They are a mix of XP and 2000.

Do you edit your policies using a tool on Windows 2000 or XP or from the domain controllers?  Sometimes, when using an XP workstation with the 2003 GPO tool, people have been known to cause policy problems for their 2000 domains – I would say a combination of both, sometimes from the DC, sometimes from an XP workstation.

Have you applied or denied the policy based upon a group membership?  Perhaps you set the policy so that it would not be applied to certain users or groups (also known as Group Filtering).   No Filtering applied to this gpo.

Are you running DNS on the DC?  – Yes, DNS is running on all DCs.

It is possible that the Default Domain Policy is being blocked from lower objects in the AD hierarchy. For you to enforce the Default Domain Policy even if the "Block Policy Inheritance" is set on lower objects (like OUs and individual GPOs) to all objects in the domain, you have to put a check on "No Override" in the GPO properties of the domain itself.   – I didn’t have “no override” set.  I have at this time set that checkmark.  It will take some time to propagate; I’m going to force replication and see if I can give it a hand.  Might need you to check a couple of workstations out there at some point today.

1) Does this happen to specific machines only?    Machines attached to a specific DC (not the RID master).
2) Does this happen to specific objects in a specific OU only?  It could be viewed that way.  It is affecting specific machines in several specific OUs spread throughout the schema.
Can you ping the domain (e.g. domain.local or just domain) and can you do an nslookup on the domain and on the server/s by name and IP (reverse lookup), have you run netdiag on the server to see if any failures occur (this is worth a try).  Try the pings and lookups from both the server and the workstations.
When I ping the domain, it responds with an IP address of a server in our network, but not a DNS server or DC.

I corrected the DNS entry to point to our SOA/RID DC.  See if that helps.
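The three things this thread converges on can be checked in one pass on a current domain-joined machine: whether the bare domain name resolves to a domain controller (the last post found it resolving to a non-DC server), whether the Default Domain Policy link at the domain root is enabled and enforced (the "No Override" checkbox), and whether Authenticated Users still hold Read and Apply Group Policy on the GPO (the "Denied (Security)" case in the gpresult output). The PowerShell below is an added example and is not code from the thread or from Experts Exchange; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, and the only value taken from the thread is the GPO name "Default Domain Policy". On Windows 2000 the same questions were answered with gpresult, nslookup, netdiag and the GPO properties dialog.

```powershell
# Added example, not from the thread. Requires RSAT: ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain  = Get-ADDomain
$dnsRoot = $domain.DNSRoot
$gpoName = 'Default Domain Policy'   # GPO name as it appears in the thread

# 1. DNS: the bare domain name must resolve only to domain controllers.
#    Clients read policy from \\<domain>\SYSVOL, so an A record for the domain
#    name that points at an ordinary server (what the last post describes)
#    sends them to a host that has no SYSVOL share.
$dcAddresses = (Get-ADDomainController -Filter *).IPv4Address
$domainA     = (Resolve-DnsName -Name $dnsRoot -Type A -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' }).IPAddress

foreach ($ip in $domainA) {
    if ($dcAddresses -contains $ip) {
        Write-Output "OK      $dnsRoot -> $ip (domain controller)"
    } else {
        Write-Warning "$dnsRoot -> $ip is not a domain controller; clients may fail to reach SYSVOL"
    }
}

# 2. SYSVOL reachability through the domain name, the path clients actually use.
$policyPath = "\\$dnsRoot\SYSVOL\$dnsRoot\Policies"
if (Test-Path $policyPath) {
    Write-Output "OK      $policyPath reachable"
} else {
    Write-Warning "$policyPath not reachable"
}

# 3. Link state at the domain root: linked, enabled, and enforced?
#    'Enforced' is the current name for the 'No Override' checkbox.
$link = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
        Where-Object { $_.DisplayName -eq $gpoName }
if (-not $link) {
    Write-Warning "$gpoName is not linked at the domain root"
} else {
    Write-Output ("Link    enabled={0} enforced={1} order={2}" -f $link.Enabled, $link.Enforced, $link.Order)
}

# 4. Security filtering: Authenticated Users need GpoApply (which implies Read).
#    A missing or denied entry here is what gpresult reports as 'Denied (Security)'.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied, Inherited |
    Format-Table -AutoSize
```

Run it as a user with read access to the domain and to the GPO; nothing here changes configuration. If step 1 warns, fix the domain's A records before touching the GPO at all, since a client that cannot reach SYSVOL through the domain name will not apply any domain-linked policy regardless of how the link or its ACL is set.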