Solved

GPO Being Filtered Out

Posted on 2006-07-21
28
1,864 Views
Last Modified: 2012-11-23
I have created a newly linked GPO to one of my OU's in Active Directory. All the GPO's that are linked to this OU are being applied except this newly linked GPO which "was not applied because it was filtered out" at the PC. The GPO being filtered is only disabling the timeout for the screen saver in the User Configuration section of the GPO.
0
Comment
Question by:bjettinger
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 6
  • 6
  • +3
28 Comments
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17157565
I guess not but have you put any WMI filtering on this to restrict?  Hav you looked using gpresult.exe /z or /v .  can you post any results please.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17157578
I presume you will get something like this:

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
xxxxx
Filtering: Disabled (GPO)
0
 

Author Comment

by:bjettinger
ID: 17157708
That is correct. The following GPO's were not applied because they were filtered out.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 43

Expert Comment

by:Steve Knight
ID: 17158900
And what else does it then say when you run gpresult with verbose options /v or /z?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17159360
you havent got any other policies above with no over ride permissions?
0
 
LVL 6

Expert Comment

by:glennbrown2
ID: 17159497
are you applying the policy to a computer OU??  I did this before and received the same error.

Also, check the security tab on the GPO and make sure the correct permissions are configured for users.

you should use the gpresult as dragon-it has suggested and post the results......this will help.
0
 
LVL 3

Expert Comment

by:artthegeek
ID: 17159919
You're not alone in this policy inheritance conflict stuff.

Microsoft now has a great snap-in:  RSoP (Resultant Set of Policy):  http://support.microsoft.com/default.aspx?scid=kb;en-us;323276
It has an very user-friendly GUI to help diagnose policy inheritance.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17160461
Please post the section under this:  The following GPOs were not applied because they were filtered out

What I need to see is this (although yours may be different):  

Filtering: Disabled (GPO)
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17161510
As requested 10 mins after the Q was logged...
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17161551
I realize that.

0
 

Author Comment

by:bjettinger
ID: 17168600
The following is the Gpresult /v

 Applied Group Policy Objects
 -----------------------------
     General Watson Workstations SUS Update GPO V1.0
     Default Domain Policy V1.4

 The following GPOs were not applied because they were filtered out
 -------------------------------------------------------------------
     Special Function US NY Carmel Empower Workstation GPO V1.1
         Filtering:  Not Applied (Empty)

     Local Group Policy
         Filtering:  Not Applied (Empty)

 The computer is a part of the following security groups:
 --------------------------------------------------------
     BUILTIN\Administrators
     Everyone
     Debugger Users
     BUILTIN\Users
     USNYDSK0299$
     Domain Computers
     NT AUTHORITY\NETWORK
     NT AUTHORITY\Authenticated Users

 Resultant Set Of Policies for Computer:
 ----------------------------------------

     Software Installations
     ----------------------
         N/A

     Startup Scripts
     ---------------
         N/A

     Shutdown Scripts
     ----------------
         N/A

     Account Policies
     ----------------
         GPO: Default Domain Policy V1.4
             Policy:            MinimumPasswordAge
             Computer Setting:  2

         GPO: Default Domain Policy V1.4
             Policy:            PasswordHistorySize
             Computer Setting:  24

         GPO: Default Domain Policy V1.4
             Policy:            LockoutDuration
             Computer Setting:  4294967295

         GPO: Default Domain Policy V1.4
             Policy:            ResetLockoutCount
             Computer Setting:  30

         GPO: Default Domain Policy V1.4
             Policy:            MinimumPasswordLength
             Computer Setting:  8

         GPO: Default Domain Policy V1.4
             Policy:            LockoutBadCount
             Computer Setting:  6

         GPO: Default Domain Policy V1.4
             Policy:            MaximumPasswordAge
             Computer Setting:  90

     Audit Policy
     ------------
         N/A

     User Rights
     -----------
         GPO: Default Domain Policy V1.4
             Policy:            SystemtimePrivilege
             Computer Setting:  Administrators

     Security Options
     ----------------
         GPO: Default Domain Policy V1.4
             Policy:            RequireLogonToChangePassword
             Computer Setting:  Not Enabled

         GPO: Default Domain Policy V1.4
             Policy:            PasswordComplexity
             Computer Setting:  Enabled

         GPO: Default Domain Policy V1.4
             Policy:            ForceLogoffWhenHourExpire
             Computer Setting:  Enabled

         GPO: Default Domain Policy V1.4
             Policy:            ClearTextPassword
             Computer Setting:  Not Enabled

     Event Log Settings
     ------------------
         N/A

     Restricted Groups
     -----------------
         N/A

     System Services
     ---------------
         N/A

     Registry Settings
     -----------------
         N/A

     File System Settings
     --------------------
         N/A

     Public Key Policies
     -------------------
         N/A

     Administrative Templates
     ------------------------
         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
             State:   Enabled

         GPO: Default Domain Policy V1.4
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings\ZoneMapKey
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings\ZoneMapKey
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
             State:   Enabled

         GPO: Default Domain Policy V1.4
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings\ZoneMapKey
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: Default Domain Policy V1.4
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings\ZoneMapKey
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows NT\SystemRestore
             State:   Enabled


R SETTINGS
-----------
 CN=Bill Ettinger (Administrative Account),OU=Administrative Accounts,OU=Admi
tration,DC=na,DC=watson,DC=com
 Last time Group Policy was applied: 7/24/2006 at 11:07:48 AM
 Group Policy was applied from:      usnysrv0013.na.watson.com
 Group Policy slow link threshold:   500 kbps

 Applied Group Policy Objects
 -----------------------------
     Default Domain Policy V1.4

 The following GPOs were not applied because they were filtered out
 -------------------------------------------------------------------
     Local Group Policy
         Filtering:  Not Applied (Empty)

 The user is a part of the following security groups:
 ----------------------------------------------------
     Domain Users
     Everyone
     BUILTIN\Power Users
     BUILTIN\Users
     BUILTIN\Administrators
     DP-Ccat-001-R
     AP-Citrix-004-Admin
     AP-Citrix-003-Admin
     DP-MRPIISupply-001-R
     OP-IDs-001-R
     DP-Watsonprodu-001-R
     DP-LocAdmin-001-R
     DP-SAPEndUser-001-R
     PP-Audit-001-R
     AP-Websens-001-GUser
     DP-SupAudits-001-R
     PP-ECR-001-C
     Dp-SLCtraining-001-R
     DP-GPOBackup-001-C
     DP-IS-001-C
     DP-MRPII-001-R
     DP-changedecis-001-R
     Citrix XP Admins
     DP-SAPUAT-001-R
     DP-ProjectExch-001-C
     PP-Change-001-R
     PP-CFG-002-C
     !usnysrv0004
     OP-AppsInst-001-Admin
     DP-csgroups-001-C
     DP-Steris-001-C
     Domain Admins
     PP-HUD-001-R
     DP-Templates-001-R
     DP-ITProjectRe-001-R
     DP-MiamiTrans-001-R
     !wks-Workstation-001
     !uscasrt0003
     AP-Argent-001-Admin
     DP-ITinfrastru-001-R
     DP-NewSAPAccou-001-R
     PP-Chuck-001-R
     DP-SDLCandPMM-001-R
     AP-Altiris-001-GOP
     OP-Wireless-001-User
     PP-Auditdoc-001-R
     OP-AppsInst-001-Admin-Local
     DP-GPOBackup-001-C-Local
     LOCAL
     NT AUTHORITY\INTERACTIVE
     NT AUTHORITY\Authenticated Users

 Resultant Set Of Policies for User:
 ------------------------------------

     Software Installations
     ----------------------
         N/A

     Public Key Policies
     -------------------
         N/A

     Administrative Templates
     ------------------------
         N/A

     Folder Redirection
     ------------------
         N/A

     Internet Explorer Browser User Interface
     ----------------------------------------
         N/A

     Internet Explorer Connection
     ----------------------------
         N/A

     Internet Explorer URLs
     ----------------------
         N/A

     Internet Explorer Security
     --------------------------
         N/A

     Internet Explorer Programs
     --------------------------
         N/A

>
0
 
LVL 6

Expert Comment

by:glennbrown2
ID: 17168714
it sounds like you are applying a user GPO to a computer OU (or vice versa)
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17168727
OK, I can't see any user assigned GPO's there that have been filtered out.  Perhaps this is because you have run it as your  admin user and they are not applied to

OU=Administrative Accounts,OU=Administration,DC=na,DC=watson,DC=com
or OU=Administration,DC=na,DC=watson,DC=com

Where is the GPO applied to and where is the user who it should apply to (and what is it called).  Have a look at the commandline options on gpresult to run it as a different user (I don't have XP here to check syntax).  gpresult /?


Steve
0
 

Author Comment

by:bjettinger
ID: 17168996
The GPO is using the User Configuration part as screen saver timeout is in that area. It is also a computer OU that the GPO is being applied to. Here is more information from Gpresult:

N:\>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 7/24/2006 at 11:48:37 AM


RSOP results for WATSON_DOMAIN\bettinge on USNYDSK0299 : Logging Mode
----------------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 WATSON_DOMAIN
Domain Type:                 Windows 2000
Site Name:                   CAR01
Roaming Profile:
Local Profile:               C:\Documents and Settings\bettinge
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=USNYDSK0299,OU=Kiosk,OU=Single Function Workstation,OU=CAR,OU=NY,OU=US,DC
=na,DC=watson,DC=com
    Last time Group Policy was applied: 7/24/2006 at 11:37:41 AM
    Group Policy was applied from:      usnysrv0013.na.watson.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        General Watson Workstations SUS Update GPO V1.0
        Default Domain Policy V1.4

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Special Function US NY Carmel Empower Workstation GPO V1.1
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        Debugger Users
        BUILTIN\Users
        USNYDSK0299$
        Domain Computers
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------
    CN=Bill Ettinger,OU=Users,OU=CAR,OU=NY,OU=US,DC=na,DC=watson,DC=com
    Last time Group Policy was applied: 7/24/2006 at 11:37:41 AM
    Group Policy was applied from:      usnysrv0013.na.watson.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy V1.4

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Power Users
        BUILTIN\Users
        BUILTIN\Administrators
        DP-Ccat-001-R
        AP-Citrix-004-Admin
        AP-Citrix-003-Admin
        DP-MRPIISupply-001-R
        DP-INFOLIB-001-R
        OP-IDs-001-R
        DP-Watsonprodu-001-R
        DP-SAPEndUser-001-R
        AP-Websens-001-GUser
        DP-SupAudits-001-R
        DP-ProjectDoc-001-R
        Dp-SLCtraining-001-R
        DP-IS-001-C
        DP-MRPII-001-R
        DP-changedecis-001-R
        DP-MSAccess200-001-R
        OP-Remote-001-Users
        DP-SAPUAT-001-R
        DP-Facilities-003-C
        OP-ITNocPage-001-Users
        DP-ProjectExch-001-C
        OP-AppsInst-001-Users
        DP-ScoreMRPII-001-R
        DP-Steris-001-C
        Domain Admins
        DP-Templates-001-R
        DP-ITProjectRe-001-R
        DP-MiamiTrans-001-R
        DP-ScoreSite-001-R
        AP-HotDox-001-UsersC
        DP-MSAccess200-002-C
        AP-Argent-001-Admin
        DP-ITinfrastru-001-R
        DP-NewSAPAccou-001-R
        DP-SDLCandPMM-001-R
        OP-Wireless-001-User
        DP-Documentsma-001-C
        OP-AppsInst-001-Users-Local
        LOCAL
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users

N:\>
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17169117
What is the policy name that you made the changes to that are not applying?

0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17169315
If it is a computer OU that it is being applied to and it is a user config. then nothing will happen, it needs assigning to a container with the users is....

Steve
0
 

Author Comment

by:bjettinger
ID: 17169873
The policy name is "Special Function US NY Carmel Empower Workstation GPO V1.1". The GPO is set to be read by all authenticated users so it should apply to them.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17170011
OK it's applying to the workstation, but the Computer Config is empty.

I don't see it applying at all to the User - so as Dragon-it has stated above, the User Accounts must be in the path of the policy.  

0
 
LVL 43

Accepted Solution

by:
Steve Knight earned 500 total points
ID: 17170643
Hmm, having seen this "  CN=USNYDSK0299,OU=Kiosk,OU=Single Function Workstation," perhaps it is a job for loopback processing?  Are these Kiosks intended to have this setting for anyone who logs on by any chance, is that what are you trying to do?

If you assing user policies to computers it will do nothing
If you assign computer policies to users it will do nothing

Policies only apply at the current OU level and below unless they are linked ot other OU's or are Site policies which are applied to all machines in a site (which is defined by the subnet they are on in sites & services).

Steve
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17170680
Good eyes.

Since the users won't likely be there, then loopback is the only way to go on that policy.
0
 

Author Comment

by:bjettinger
ID: 17171321
I will test your suggestions tomorrow! Thanks for the help!
0
 

Author Comment

by:bjettinger
ID: 17176601
I want to thank all for their help!! This seems to have solved problem. I did accept Netman66's answer but want to give Dragon-It honorable mention!!
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17176635
Er it was actually I that suggested loopback would solve :-(
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17176954
Agreed.  Dragon-IT actually suggested this - I was simply agreeing with him.

Please post a Q in Community Support to reopen this and assign points accordingly.

0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17177154
Sounds fair to me, thanks.  I am a fair way behind you in points though, think you might take a bit of catching up mind somehow ;-)
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question