Solved

GPO Being Filtered Out

Posted on 2006-07-21
28
1,850 Views
Last Modified: 2012-11-23
I have created a newly linked GPO to one of my OU's in Active Directory. All the GPO's that are linked to this OU are being applied except this newly linked GPO which "was not applied because it was filtered out" at the PC. The GPO being filtered is only disabling the timeout for the screen saver in the User Configuration section of the GPO.
0
Comment
Question by:bjettinger
  • 9
  • 6
  • 6
  • +3
28 Comments
 
LVL 43

Expert Comment

by:Steve Knight
Comment Utility
I guess not but have you put any WMI filtering on this to restrict?  Hav you looked using gpresult.exe /z or /v .  can you post any results please.
0
 
LVL 43

Expert Comment

by:Steve Knight
Comment Utility
I presume you will get something like this:

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
xxxxx
Filtering: Disabled (GPO)
0
 

Author Comment

by:bjettinger
Comment Utility
That is correct. The following GPO's were not applied because they were filtered out.
0
 
LVL 43

Expert Comment

by:Steve Knight
Comment Utility
And what else does it then say when you run gpresult with verbose options /v or /z?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
Comment Utility
you havent got any other policies above with no over ride permissions?
0
 
LVL 6

Expert Comment

by:glennbrown2
Comment Utility
are you applying the policy to a computer OU??  I did this before and received the same error.

Also, check the security tab on the GPO and make sure the correct permissions are configured for users.

you should use the gpresult as dragon-it has suggested and post the results......this will help.
0
 
LVL 3

Expert Comment

by:artthegeek
Comment Utility
You're not alone in this policy inheritance conflict stuff.

Microsoft now has a great snap-in:  RSoP (Resultant Set of Policy):  http://support.microsoft.com/default.aspx?scid=kb;en-us;323276
It has an very user-friendly GUI to help diagnose policy inheritance.
0
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
Please post the section under this:  The following GPOs were not applied because they were filtered out

What I need to see is this (although yours may be different):  

Filtering: Disabled (GPO)
0
 
LVL 43

Expert Comment

by:Steve Knight
Comment Utility
As requested 10 mins after the Q was logged...
0
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
I realize that.

0
 

Author Comment

by:bjettinger
Comment Utility
The following is the Gpresult /v

 Applied Group Policy Objects
 -----------------------------
     General Watson Workstations SUS Update GPO V1.0
     Default Domain Policy V1.4

 The following GPOs were not applied because they were filtered out
 -------------------------------------------------------------------
     Special Function US NY Carmel Empower Workstation GPO V1.1
         Filtering:  Not Applied (Empty)

     Local Group Policy
         Filtering:  Not Applied (Empty)

 The computer is a part of the following security groups:
 --------------------------------------------------------
     BUILTIN\Administrators
     Everyone
     Debugger Users
     BUILTIN\Users
     USNYDSK0299$
     Domain Computers
     NT AUTHORITY\NETWORK
     NT AUTHORITY\Authenticated Users

 Resultant Set Of Policies for Computer:
 ----------------------------------------

     Software Installations
     ----------------------
         N/A

     Startup Scripts
     ---------------
         N/A

     Shutdown Scripts
     ----------------
         N/A

     Account Policies
     ----------------
         GPO: Default Domain Policy V1.4
             Policy:            MinimumPasswordAge
             Computer Setting:  2

         GPO: Default Domain Policy V1.4
             Policy:            PasswordHistorySize
             Computer Setting:  24

         GPO: Default Domain Policy V1.4
             Policy:            LockoutDuration
             Computer Setting:  4294967295

         GPO: Default Domain Policy V1.4
             Policy:            ResetLockoutCount
             Computer Setting:  30

         GPO: Default Domain Policy V1.4
             Policy:            MinimumPasswordLength
             Computer Setting:  8

         GPO: Default Domain Policy V1.4
             Policy:            LockoutBadCount
             Computer Setting:  6

         GPO: Default Domain Policy V1.4
             Policy:            MaximumPasswordAge
             Computer Setting:  90

     Audit Policy
     ------------
         N/A

     User Rights
     -----------
         GPO: Default Domain Policy V1.4
             Policy:            SystemtimePrivilege
             Computer Setting:  Administrators

     Security Options
     ----------------
         GPO: Default Domain Policy V1.4
             Policy:            RequireLogonToChangePassword
             Computer Setting:  Not Enabled

         GPO: Default Domain Policy V1.4
             Policy:            PasswordComplexity
             Computer Setting:  Enabled

         GPO: Default Domain Policy V1.4
             Policy:            ForceLogoffWhenHourExpire
             Computer Setting:  Enabled

         GPO: Default Domain Policy V1.4
             Policy:            ClearTextPassword
             Computer Setting:  Not Enabled

     Event Log Settings
     ------------------
         N/A

     Restricted Groups
     -----------------
         N/A

     System Services
     ---------------
         N/A

     Registry Settings
     -----------------
         N/A

     File System Settings
     --------------------
         N/A

     Public Key Policies
     -------------------
         N/A

     Administrative Templates
     ------------------------
         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
             State:   Enabled

         GPO: Default Domain Policy V1.4
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings\ZoneMapKey
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings\ZoneMapKey
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
             State:   Enabled

         GPO: Default Domain Policy V1.4
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings\ZoneMapKey
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: Default Domain Policy V1.4
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings\ZoneMapKey
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows NT\SystemRestore
             State:   Enabled


R SETTINGS
-----------
 CN=Bill Ettinger (Administrative Account),OU=Administrative Accounts,OU=Admi
tration,DC=na,DC=watson,DC=com
 Last time Group Policy was applied: 7/24/2006 at 11:07:48 AM
 Group Policy was applied from:      usnysrv0013.na.watson.com
 Group Policy slow link threshold:   500 kbps

 Applied Group Policy Objects
 -----------------------------
     Default Domain Policy V1.4

 The following GPOs were not applied because they were filtered out
 -------------------------------------------------------------------
     Local Group Policy
         Filtering:  Not Applied (Empty)

 The user is a part of the following security groups:
 ----------------------------------------------------
     Domain Users
     Everyone
     BUILTIN\Power Users
     BUILTIN\Users
     BUILTIN\Administrators
     DP-Ccat-001-R
     AP-Citrix-004-Admin
     AP-Citrix-003-Admin
     DP-MRPIISupply-001-R
     OP-IDs-001-R
     DP-Watsonprodu-001-R
     DP-LocAdmin-001-R
     DP-SAPEndUser-001-R
     PP-Audit-001-R
     AP-Websens-001-GUser
     DP-SupAudits-001-R
     PP-ECR-001-C
     Dp-SLCtraining-001-R
     DP-GPOBackup-001-C
     DP-IS-001-C
     DP-MRPII-001-R
     DP-changedecis-001-R
     Citrix XP Admins
     DP-SAPUAT-001-R
     DP-ProjectExch-001-C
     PP-Change-001-R
     PP-CFG-002-C
     !usnysrv0004
     OP-AppsInst-001-Admin
     DP-csgroups-001-C
     DP-Steris-001-C
     Domain Admins
     PP-HUD-001-R
     DP-Templates-001-R
     DP-ITProjectRe-001-R
     DP-MiamiTrans-001-R
     !wks-Workstation-001
     !uscasrt0003
     AP-Argent-001-Admin
     DP-ITinfrastru-001-R
     DP-NewSAPAccou-001-R
     PP-Chuck-001-R
     DP-SDLCandPMM-001-R
     AP-Altiris-001-GOP
     OP-Wireless-001-User
     PP-Auditdoc-001-R
     OP-AppsInst-001-Admin-Local
     DP-GPOBackup-001-C-Local
     LOCAL
     NT AUTHORITY\INTERACTIVE
     NT AUTHORITY\Authenticated Users

 Resultant Set Of Policies for User:
 ------------------------------------

     Software Installations
     ----------------------
         N/A

     Public Key Policies
     -------------------
         N/A

     Administrative Templates
     ------------------------
         N/A

     Folder Redirection
     ------------------
         N/A

     Internet Explorer Browser User Interface
     ----------------------------------------
         N/A

     Internet Explorer Connection
     ----------------------------
         N/A

     Internet Explorer URLs
     ----------------------
         N/A

     Internet Explorer Security
     --------------------------
         N/A

     Internet Explorer Programs
     --------------------------
         N/A

>
0
 
LVL 6

Expert Comment

by:glennbrown2
Comment Utility
it sounds like you are applying a user GPO to a computer OU (or vice versa)
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 
LVL 43

Expert Comment

by:Steve Knight
Comment Utility
OK, I can't see any user assigned GPO's there that have been filtered out.  Perhaps this is because you have run it as your  admin user and they are not applied to

OU=Administrative Accounts,OU=Administration,DC=na,DC=watson,DC=com
or OU=Administration,DC=na,DC=watson,DC=com

Where is the GPO applied to and where is the user who it should apply to (and what is it called).  Have a look at the commandline options on gpresult to run it as a different user (I don't have XP here to check syntax).  gpresult /?


Steve
0
 

Author Comment

by:bjettinger
Comment Utility
The GPO is using the User Configuration part as screen saver timeout is in that area. It is also a computer OU that the GPO is being applied to. Here is more information from Gpresult:

N:\>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 7/24/2006 at 11:48:37 AM


RSOP results for WATSON_DOMAIN\bettinge on USNYDSK0299 : Logging Mode
----------------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 WATSON_DOMAIN
Domain Type:                 Windows 2000
Site Name:                   CAR01
Roaming Profile:
Local Profile:               C:\Documents and Settings\bettinge
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=USNYDSK0299,OU=Kiosk,OU=Single Function Workstation,OU=CAR,OU=NY,OU=US,DC
=na,DC=watson,DC=com
    Last time Group Policy was applied: 7/24/2006 at 11:37:41 AM
    Group Policy was applied from:      usnysrv0013.na.watson.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        General Watson Workstations SUS Update GPO V1.0
        Default Domain Policy V1.4

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Special Function US NY Carmel Empower Workstation GPO V1.1
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        Debugger Users
        BUILTIN\Users
        USNYDSK0299$
        Domain Computers
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------
    CN=Bill Ettinger,OU=Users,OU=CAR,OU=NY,OU=US,DC=na,DC=watson,DC=com
    Last time Group Policy was applied: 7/24/2006 at 11:37:41 AM
    Group Policy was applied from:      usnysrv0013.na.watson.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy V1.4

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Power Users
        BUILTIN\Users
        BUILTIN\Administrators
        DP-Ccat-001-R
        AP-Citrix-004-Admin
        AP-Citrix-003-Admin
        DP-MRPIISupply-001-R
        DP-INFOLIB-001-R
        OP-IDs-001-R
        DP-Watsonprodu-001-R
        DP-SAPEndUser-001-R
        AP-Websens-001-GUser
        DP-SupAudits-001-R
        DP-ProjectDoc-001-R
        Dp-SLCtraining-001-R
        DP-IS-001-C
        DP-MRPII-001-R
        DP-changedecis-001-R
        DP-MSAccess200-001-R
        OP-Remote-001-Users
        DP-SAPUAT-001-R
        DP-Facilities-003-C
        OP-ITNocPage-001-Users
        DP-ProjectExch-001-C
        OP-AppsInst-001-Users
        DP-ScoreMRPII-001-R
        DP-Steris-001-C
        Domain Admins
        DP-Templates-001-R
        DP-ITProjectRe-001-R
        DP-MiamiTrans-001-R
        DP-ScoreSite-001-R
        AP-HotDox-001-UsersC
        DP-MSAccess200-002-C
        AP-Argent-001-Admin
        DP-ITinfrastru-001-R
        DP-NewSAPAccou-001-R
        DP-SDLCandPMM-001-R
        OP-Wireless-001-User
        DP-Documentsma-001-C
        OP-AppsInst-001-Users-Local
        LOCAL
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users

N:\>
0
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
What is the policy name that you made the changes to that are not applying?

0
 
LVL 43

Expert Comment

by:Steve Knight
Comment Utility
If it is a computer OU that it is being applied to and it is a user config. then nothing will happen, it needs assigning to a container with the users is....

Steve
0
 

Author Comment

by:bjettinger
Comment Utility
The policy name is "Special Function US NY Carmel Empower Workstation GPO V1.1". The GPO is set to be read by all authenticated users so it should apply to them.
0
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
OK it's applying to the workstation, but the Computer Config is empty.

I don't see it applying at all to the User - so as Dragon-it has stated above, the User Accounts must be in the path of the policy.  

0
 
LVL 43

Accepted Solution

by:
Steve Knight earned 500 total points
Comment Utility
Hmm, having seen this "  CN=USNYDSK0299,OU=Kiosk,OU=Single Function Workstation," perhaps it is a job for loopback processing?  Are these Kiosks intended to have this setting for anyone who logs on by any chance, is that what are you trying to do?

If you assing user policies to computers it will do nothing
If you assign computer policies to users it will do nothing

Policies only apply at the current OU level and below unless they are linked ot other OU's or are Site policies which are applied to all machines in a site (which is defined by the subnet they are on in sites & services).

Steve
0
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
Good eyes.

Since the users won't likely be there, then loopback is the only way to go on that policy.
0
 

Author Comment

by:bjettinger
Comment Utility
I will test your suggestions tomorrow! Thanks for the help!
0
 

Author Comment

by:bjettinger
Comment Utility
I want to thank all for their help!! This seems to have solved problem. I did accept Netman66's answer but want to give Dragon-It honorable mention!!
0
 
LVL 43

Expert Comment

by:Steve Knight
Comment Utility
Er it was actually I that suggested loopback would solve :-(
0
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
Agreed.  Dragon-IT actually suggested this - I was simply agreeing with him.

Please post a Q in Community Support to reopen this and assign points accordingly.

0
 
LVL 43

Expert Comment

by:Steve Knight
Comment Utility
Sounds fair to me, thanks.  I am a fair way behind you in points though, think you might take a bit of catching up mind somehow ;-)
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now