Link to home
Start Free TrialLog in
Avatar of BrianPerks
BrianPerks

asked on

Windows 2000 Domain, with Windows XP SP2 Clients which will not use the Active Directory Group Policy.

I have a Windows 2000 Server (SP4) as a Domain Controller with Active Directory installed.  I have an OU (Students) with a Group Policy configured to restrict access for these users.  If the said users log onto the domain through Wyse Thin Clients as a Remote Desktop user then the Group Policy is active.  If the said users log onto the domain through a Windows XP SP2 client (domain member) then the Group Policy is not active.  If they then log on as a Remote Desktop user from the XP machines after domain authentication then the Group Policy is active in the Remote Desktop session.

I have tried putting all of the Computers and Users into a single OU and setting up a Group Policy for that OU but still it will not propagate.

The client PCs in question are lowly specced AMD K2 types with 160MB Ram, 10GB HD, ATI Rage Video and a100Mbit NIC.  XP SP2 loaded OK although it is a little clunky.

I have had XP clients working as expected with no issues at HQ.
Avatar of Rich Rumble
Rich Rumble
Flag of United States of America image

is the policy in question a user or computer policy??

remember that user polices apply to user accounts and computer polcies apply to computer accounts.
also remember that in order for a GPO to take effect 3 things must take place:

1.  the user or computer must be in a domain, or OU, or downlevel of the domain or OU where the policy is applied (assuming no filtering)
2.  the user or computer must have the  "read" right to the GPO
3. the user or computer must have the "apply group policy" right to the GPO

are all three of the above conditions true?

run gpresult from command line to see a list of applied and filtered out GPOs on the machine, it might reveal something.
Avatar of BrianPerks
BrianPerks

ASKER

mikeleebrla

I don't quite understand "is the policy in question a user or computer policy?"

The policy is applied to an OU that contains all student "users" and is mainly configured to restrict users desktop sessions when authenticated through the GPO-Edit functionality in the "User Configuration" folder of that GPO.

All 3 of your requirements are satisfied for the GPO to take effect.

I will run gpresult to see if that gives me any more clues as to the failure when I visit site.

I had read something about network performance being an issue and GPOs not being fully active until the login process had been completed  up to three times so I have logged on a number of times but the GPO is still not active.  Also as the "Computer Configuration" is default I have tried disabling it through the GPO-Properties Page to improve performance to no avail.
whenever you create a policy there are 2 sections that you can create it in (user configuration or computer configuration).  I'm not talking about where the OU is in the AD tree that you applied the policy to, im talking about the policy itself  in the Group Policy Snap in.  An example of a config that will NOT work would be:  you create a policy that is a "computer configuration" policy and then you apply this polcy to an OU that only has users as its members.  This will not work.  Note:  there is no way for you to make a "computer configuration" polcy apply to users. Since this is a computer policy it can only be applied to computers, not users.
mikeleebrla

I am attacking the creation of GPOs from the Active Direcrory-Users and Computers mmc on the Domain Controller for the domain that the Windows XP Pro (SP2) clients are in.  I have an Organisational Unit called Students which contains the users that may log in to the domain from the XP clients.  The GPO I am configuring is opened by opening the Group Policy tab on the Students OU Property page.  I am only concerned with the "User Configuration" section in this GPO.  I would expect any user who logs (autheniticates in the domain) onto an XP client and who is a member of the Students OU to be bound by the GPO.  That is the part that is not functioning.

I have opened the Group Policy snap-in as suggested but the method I am employing above appears to be the most natural (for me) as it is immediately apparent what objects it relates to.
ASKER CERTIFIED SOLUTION
Avatar of mikeleebrla
mikeleebrla
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
mikeleebrla

Still getting to grips with how to post to the system.

Anyways, your comments pointed to using GPRESULT which led to the actual problem/solution.  The client PCs did not reference the domain controller as the DNS server but where pointing to an external DNS server.  Once we set up the DNS server correctly on the domain controller and pointed the clients to it, problem solved.
glad you got it working,, remember in an active directory environment all clients/servers must be pointed to an AD DNS server and never to your ISPs.  clients/servers pointing to the ISPs dns server is the cause of alot of headaches and questions on this site.