bjettinger asked:

GPO Being Filtered Out

I have created a newly linked GPO to one of my OU's in Active Directory. All the GPO's that are linked to this OU are being applied except this newly linked GPO which "was not applied because it was filtered out" at the PC. The GPO being filtered is only disabling the timeout for the screen saver in the User Configuration section of the GPO.
Steve Knight

I guess not but have you put any WMI filtering on this to restrict?  Have you looked using gpresult.exe /z or /v?  Can you post any results please.
I presume you will get something like this:

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
xxxxx
Filtering: Disabled (GPO)
bjettinger (ASKER)

That is correct. The following GPO's were not applied because they were filtered out.
And what else does it then say when you run gpresult with verbose options /v or /z?
You haven't got any other policies above with no override permissions?
glennbrown2

are you applying the policy to a computer OU??  I did this before and received the same error.

Also, check the security tab on the GPO and make sure the correct permissions are configured for users.

you should use the gpresult as dragon-it has suggested and post the results......this will help.
You're not alone in this policy inheritance conflict stuff.

Microsoft now has a great snap-in:  RSoP (Resultant Set of Policy):  http://support.microsoft.com/default.aspx?scid=kb;en-us;323276
It has a very user-friendly GUI to help diagnose policy inheritance.
Please post the section under this:  The following GPOs were not applied because they were filtered out

What I need to see is this (although yours may be different):  

Filtering: Disabled (GPO)
As requested 10 mins after the Q was logged...
I realize that.

The following is the Gpresult /v

 Applied Group Policy Objects
 -----------------------------
     General Watson Workstations SUS Update GPO V1.0
     Default Domain Policy V1.4

 The following GPOs were not applied because they were filtered out
 -------------------------------------------------------------------
     Special Function US NY Carmel Empower Workstation GPO V1.1
         Filtering:  Not Applied (Empty)

     Local Group Policy
         Filtering:  Not Applied (Empty)

 The computer is a part of the following security groups:
 --------------------------------------------------------
     BUILTIN\Administrators
     Everyone
     Debugger Users
     BUILTIN\Users
     USNYDSK0299$
     Domain Computers
     NT AUTHORITY\NETWORK
     NT AUTHORITY\Authenticated Users

 Resultant Set Of Policies for Computer:
 ----------------------------------------

     Software Installations
     ----------------------
         N/A

     Startup Scripts
     ---------------
         N/A

     Shutdown Scripts
     ----------------
         N/A

     Account Policies
     ----------------
         GPO: Default Domain Policy V1.4
             Policy:            MinimumPasswordAge
             Computer Setting:  2

         GPO: Default Domain Policy V1.4
             Policy:            PasswordHistorySize
             Computer Setting:  24

         GPO: Default Domain Policy V1.4
             Policy:            LockoutDuration
             Computer Setting:  4294967295

         GPO: Default Domain Policy V1.4
             Policy:            ResetLockoutCount
             Computer Setting:  30

         GPO: Default Domain Policy V1.4
             Policy:            MinimumPasswordLength
             Computer Setting:  8

         GPO: Default Domain Policy V1.4
             Policy:            LockoutBadCount
             Computer Setting:  6

         GPO: Default Domain Policy V1.4
             Policy:            MaximumPasswordAge
             Computer Setting:  90

     Audit Policy
     ------------
         N/A

     User Rights
     -----------
         GPO: Default Domain Policy V1.4
             Policy:            SystemtimePrivilege
             Computer Setting:  Administrators

     Security Options
     ----------------
         GPO: Default Domain Policy V1.4
             Policy:            RequireLogonToChangePassword
             Computer Setting:  Not Enabled

         GPO: Default Domain Policy V1.4
             Policy:            PasswordComplexity
             Computer Setting:  Enabled

         GPO: Default Domain Policy V1.4
             Policy:            ForceLogoffWhenHourExpire
             Computer Setting:  Enabled

         GPO: Default Domain Policy V1.4
             Policy:            ClearTextPassword
             Computer Setting:  Not Enabled

     Event Log Settings
     ------------------
         N/A

     Restricted Groups
     -----------------
         N/A

     System Services
     ---------------
         N/A

     Registry Settings
     -----------------
         N/A

     File System Settings
     --------------------
         N/A

     Public Key Policies
     -------------------
         N/A

     Administrative Templates
     ------------------------
         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
             State:   Enabled

         GPO: Default Domain Policy V1.4
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings\ZoneMapKey
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings\ZoneMapKey
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
             State:   Enabled

         GPO: Default Domain Policy V1.4
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings\ZoneMapKey
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: Default Domain Policy V1.4
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings\ZoneMapKey
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows NT\SystemRestore
             State:   Enabled


USER SETTINGS
--------------
 CN=Bill Ettinger (Administrative Account),OU=Administrative Accounts,OU=Administration,DC=na,DC=watson,DC=com
 Last time Group Policy was applied: 7/24/2006 at 11:07:48 AM
 Group Policy was applied from:      usnysrv0013.na.watson.com
 Group Policy slow link threshold:   500 kbps

 Applied Group Policy Objects
 -----------------------------
     Default Domain Policy V1.4

 The following GPOs were not applied because they were filtered out
 -------------------------------------------------------------------
     Local Group Policy
         Filtering:  Not Applied (Empty)

 The user is a part of the following security groups:
 ----------------------------------------------------
     Domain Users
     Everyone
     BUILTIN\Power Users
     BUILTIN\Users
     BUILTIN\Administrators
     DP-Ccat-001-R
     AP-Citrix-004-Admin
     AP-Citrix-003-Admin
     DP-MRPIISupply-001-R
     OP-IDs-001-R
     DP-Watsonprodu-001-R
     DP-LocAdmin-001-R
     DP-SAPEndUser-001-R
     PP-Audit-001-R
     AP-Websens-001-GUser
     DP-SupAudits-001-R
     PP-ECR-001-C
     Dp-SLCtraining-001-R
     DP-GPOBackup-001-C
     DP-IS-001-C
     DP-MRPII-001-R
     DP-changedecis-001-R
     Citrix XP Admins
     DP-SAPUAT-001-R
     DP-ProjectExch-001-C
     PP-Change-001-R
     PP-CFG-002-C
     !usnysrv0004
     OP-AppsInst-001-Admin
     DP-csgroups-001-C
     DP-Steris-001-C
     Domain Admins
     PP-HUD-001-R
     DP-Templates-001-R
     DP-ITProjectRe-001-R
     DP-MiamiTrans-001-R
     !wks-Workstation-001
     !uscasrt0003
     AP-Argent-001-Admin
     DP-ITinfrastru-001-R
     DP-NewSAPAccou-001-R
     PP-Chuck-001-R
     DP-SDLCandPMM-001-R
     AP-Altiris-001-GOP
     OP-Wireless-001-User
     PP-Auditdoc-001-R
     OP-AppsInst-001-Admin-Local
     DP-GPOBackup-001-C-Local
     LOCAL
     NT AUTHORITY\INTERACTIVE
     NT AUTHORITY\Authenticated Users

 Resultant Set Of Policies for User:
 ------------------------------------

     Software Installations
     ----------------------
         N/A

     Public Key Policies
     -------------------
         N/A

     Administrative Templates
     ------------------------
         N/A

     Folder Redirection
     ------------------
         N/A

     Internet Explorer Browser User Interface
     ----------------------------------------
         N/A

     Internet Explorer Connection
     ----------------------------
         N/A

     Internet Explorer URLs
     ----------------------
         N/A

     Internet Explorer Security
     --------------------------
         N/A

     Internet Explorer Programs
     --------------------------
         N/A

>
it sounds like you are applying a user GPO to a computer OU (or vice versa)
OK, I can't see any user assigned GPO's there that have been filtered out.  Perhaps this is because you have run it as your  admin user and they are not applied to

OU=Administrative Accounts,OU=Administration,DC=na,DC=watson,DC=com
or OU=Administration,DC=na,DC=watson,DC=com

Where is the GPO applied to and where is the user who it should apply to (and what is it called).  Have a look at the commandline options on gpresult to run it as a different user (I don't have XP here to check syntax).  gpresult /?


Steve
The GPO is using the User Configuration part as screen saver timeout is in that area. It is also a computer OU that the GPO is being applied to. Here is more information from Gpresult:

N:\>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 7/24/2006 at 11:48:37 AM


RSOP results for WATSON_DOMAIN\bettinge on USNYDSK0299 : Logging Mode
----------------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 WATSON_DOMAIN
Domain Type:                 Windows 2000
Site Name:                   CAR01
Roaming Profile:
Local Profile:               C:\Documents and Settings\bettinge
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=USNYDSK0299,OU=Kiosk,OU=Single Function Workstation,OU=CAR,OU=NY,OU=US,DC
=na,DC=watson,DC=com
    Last time Group Policy was applied: 7/24/2006 at 11:37:41 AM
    Group Policy was applied from:      usnysrv0013.na.watson.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        General Watson Workstations SUS Update GPO V1.0
        Default Domain Policy V1.4

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Special Function US NY Carmel Empower Workstation GPO V1.1
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        Debugger Users
        BUILTIN\Users
        USNYDSK0299$
        Domain Computers
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------
    CN=Bill Ettinger,OU=Users,OU=CAR,OU=NY,OU=US,DC=na,DC=watson,DC=com
    Last time Group Policy was applied: 7/24/2006 at 11:37:41 AM
    Group Policy was applied from:      usnysrv0013.na.watson.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy V1.4

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Power Users
        BUILTIN\Users
        BUILTIN\Administrators
        DP-Ccat-001-R
        AP-Citrix-004-Admin
        AP-Citrix-003-Admin
        DP-MRPIISupply-001-R
        DP-INFOLIB-001-R
        OP-IDs-001-R
        DP-Watsonprodu-001-R
        DP-SAPEndUser-001-R
        AP-Websens-001-GUser
        DP-SupAudits-001-R
        DP-ProjectDoc-001-R
        Dp-SLCtraining-001-R
        DP-IS-001-C
        DP-MRPII-001-R
        DP-changedecis-001-R
        DP-MSAccess200-001-R
        OP-Remote-001-Users
        DP-SAPUAT-001-R
        DP-Facilities-003-C
        OP-ITNocPage-001-Users
        DP-ProjectExch-001-C
        OP-AppsInst-001-Users
        DP-ScoreMRPII-001-R
        DP-Steris-001-C
        Domain Admins
        DP-Templates-001-R
        DP-ITProjectRe-001-R
        DP-MiamiTrans-001-R
        DP-ScoreSite-001-R
        AP-HotDox-001-UsersC
        DP-MSAccess200-002-C
        AP-Argent-001-Admin
        DP-ITinfrastru-001-R
        DP-NewSAPAccou-001-R
        DP-SDLCandPMM-001-R
        OP-Wireless-001-User
        DP-Documentsma-001-C
        OP-AppsInst-001-Users-Local
        LOCAL
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users

N:\>
What is the policy name that you made the changes to that are not applying?

If it is a computer OU that it is being applied to and it is a user config. then nothing will happen, it needs assigning to a container with the users in....

Steve
The policy name is "Special Function US NY Carmel Empower Workstation GPO V1.1". The GPO is set to be read by all authenticated users so it should apply to them.
OK it's applying to the workstation, but the Computer Config is empty.

I don't see it applying at all to the User - so as Dragon-it has stated above, the User Accounts must be in the path of the policy.  

ASKER CERTIFIED SOLUTION
Steve Knight

This solution is only available to members.
Good eyes.

Since the users won't likely be there, then loopback is the only way to go on that policy.
I will test your suggestions tomorrow! Thanks for the help!
I want to thank all for their help!! This seems to have solved the problem. I did accept Netman66's answer but want to give Dragon-It honorable mention!!
Er it was actually I that suggested loopback would solve :-(
Agreed.  Dragon-IT actually suggested this - I was simply agreeing with him.

Please post a Q in Community Support to reopen this and assign points accordingly.

Sounds fair to me, thanks.  I am a fair way behind you in points though, think you might take a bit of catching up mind somehow ;-)
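
The reading of the gpresult output that this thread arrives at (the GPO is listed as `Not Applied (Empty)` under the computer and never appears under the user, so its User Configuration settings are linked where only the computer object is in scope), as an added Python example that is not part of the original posts. The sample text is abridged from the output posted above, and the function names and result labels are this example's own.

```python
# Constructed sample, abridged from the gpresult output posted in the thread.
SAMPLE = """\
COMPUTER SETTINGS
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy V1.4
    The following GPOs were not applied because they were filtered out
        Special Function US NY Carmel Empower Workstation GPO V1.1
            Filtering:  Not Applied (Empty)
USER SETTINGS
    Applied Group Policy Objects
        Default Domain Policy V1.4
    The following GPOs were not applied because they were filtered out
        Local Group Policy
            Filtering:  Not Applied (Empty)
"""

def parse_gpresult(text):
    """Return {scope: {"applied": [...], "filtered": {gpo: reason}}}."""
    report = {s: {"applied": [], "filtered": {}} for s in ("COMPUTER", "USER")}
    scope, section, last = None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"}:
            continue                      # blank lines and ---- underlines
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope, section = report[line.split()[0]], None
        elif scope is None:
            continue                      # banner text before the first scope
        elif line == "Applied Group Policy Objects":
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif line.endswith(":"):
            section = None                # security groups, RSoP detail
        elif section == "applied":
            scope["applied"].append(line)
        elif section == "filtered" and line.startswith("Filtering:"):
            scope["filtered"][last] = line.split(":", 1)[1].strip()
        elif section == "filtered":
            last = line                   # GPO name; its reason follows
    return report

def diagnose(report, gpo):
    """Apply the thread's reasoning to one GPO name."""
    comp, user = report["COMPUTER"], report["USER"]
    seen_by_user = gpo in user["applied"] or gpo in user["filtered"]
    # In scope for the computer with an empty computer half, out of scope for
    # the user: link it where the user accounts are, or use loopback.
    if comp["filtered"].get(gpo) == "Not Applied (Empty)" and not seen_by_user:
        return "user settings linked to a computer OU"
    return "applied to user" if gpo in user["applied"] else "other cause"
```

Run against a full `gpresult /v` capture, the parser ignores the security-group and Resultant Set Of Policies sections and keeps only the applied and filtered lists for each scope.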