GPO Being Filtered Out

I have created a newly linked GPO to one of my OU's in Active Directory. All the GPO's that are linked to this OU are being applied except this newly linked GPO which "was not applied because it was filtered out" at the PC. The GPO being filtered is only disabling the timeout for the screen saver in the User Configuration section of the GPO.
bjettingerAsked:
Who is Participating?
 
Steve KnightConnect With a Mentor IT ConsultancyCommented:
Hmm, having seen this "  CN=USNYDSK0299,OU=Kiosk,OU=Single Function Workstation," perhaps it is a job for loopback processing?  Are these Kiosks intended to have this setting for anyone who logs on by any chance, is that what are you trying to do?

If you assing user policies to computers it will do nothing
If you assign computer policies to users it will do nothing

Policies only apply at the current OU level and below unless they are linked ot other OU's or are Site policies which are applied to all machines in a site (which is defined by the subnet they are on in sites & services).

Steve
0
 
Steve KnightIT ConsultancyCommented:
I guess not but have you put any WMI filtering on this to restrict?  Hav you looked using gpresult.exe /z or /v .  can you post any results please.
0
 
Steve KnightIT ConsultancyCommented:
I presume you will get something like this:

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
xxxxx
Filtering: Disabled (GPO)
0
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
bjettingerAuthor Commented:
That is correct. The following GPO's were not applied because they were filtered out.
0
 
Steve KnightIT ConsultancyCommented:
And what else does it then say when you run gpresult with verbose options /v or /z?
0
 
Jay_Jay70Commented:
you havent got any other policies above with no over ride permissions?
0
 
glennbrown2Commented:
are you applying the policy to a computer OU??  I did this before and received the same error.

Also, check the security tab on the GPO and make sure the correct permissions are configured for users.

you should use the gpresult as dragon-it has suggested and post the results......this will help.
0
 
artthegeekCommented:
You're not alone in this policy inheritance conflict stuff.

Microsoft now has a great snap-in:  RSoP (Resultant Set of Policy):  http://support.microsoft.com/default.aspx?scid=kb;en-us;323276
It has an very user-friendly GUI to help diagnose policy inheritance.
0
 
Netman66Commented:
Please post the section under this:  The following GPOs were not applied because they were filtered out

What I need to see is this (although yours may be different):  

Filtering: Disabled (GPO)
0
 
Steve KnightIT ConsultancyCommented:
As requested 10 mins after the Q was logged...
0
 
Netman66Commented:
I realize that.

0
 
bjettingerAuthor Commented:
The following is the Gpresult /v

 Applied Group Policy Objects
 -----------------------------
     General Watson Workstations SUS Update GPO V1.0
     Default Domain Policy V1.4

 The following GPOs were not applied because they were filtered out
 -------------------------------------------------------------------
     Special Function US NY Carmel Empower Workstation GPO V1.1
         Filtering:  Not Applied (Empty)

     Local Group Policy
         Filtering:  Not Applied (Empty)

 The computer is a part of the following security groups:
 --------------------------------------------------------
     BUILTIN\Administrators
     Everyone
     Debugger Users
     BUILTIN\Users
     USNYDSK0299$
     Domain Computers
     NT AUTHORITY\NETWORK
     NT AUTHORITY\Authenticated Users

 Resultant Set Of Policies for Computer:
 ----------------------------------------

     Software Installations
     ----------------------
         N/A

     Startup Scripts
     ---------------
         N/A

     Shutdown Scripts
     ----------------
         N/A

     Account Policies
     ----------------
         GPO: Default Domain Policy V1.4
             Policy:            MinimumPasswordAge
             Computer Setting:  2

         GPO: Default Domain Policy V1.4
             Policy:            PasswordHistorySize
             Computer Setting:  24

         GPO: Default Domain Policy V1.4
             Policy:            LockoutDuration
             Computer Setting:  4294967295

         GPO: Default Domain Policy V1.4
             Policy:            ResetLockoutCount
             Computer Setting:  30

         GPO: Default Domain Policy V1.4
             Policy:            MinimumPasswordLength
             Computer Setting:  8

         GPO: Default Domain Policy V1.4
             Policy:            LockoutBadCount
             Computer Setting:  6

         GPO: Default Domain Policy V1.4
             Policy:            MaximumPasswordAge
             Computer Setting:  90

     Audit Policy
     ------------
         N/A

     User Rights
     -----------
         GPO: Default Domain Policy V1.4
             Policy:            SystemtimePrivilege
             Computer Setting:  Administrators

     Security Options
     ----------------
         GPO: Default Domain Policy V1.4
             Policy:            RequireLogonToChangePassword
             Computer Setting:  Not Enabled

         GPO: Default Domain Policy V1.4
             Policy:            PasswordComplexity
             Computer Setting:  Enabled

         GPO: Default Domain Policy V1.4
             Policy:            ForceLogoffWhenHourExpire
             Computer Setting:  Enabled

         GPO: Default Domain Policy V1.4
             Policy:            ClearTextPassword
             Computer Setting:  Not Enabled

     Event Log Settings
     ------------------
         N/A

     Restricted Groups
     -----------------
         N/A

     System Services
     ---------------
         N/A

     Registry Settings
     -----------------
         N/A

     File System Settings
     --------------------
         N/A

     Public Key Policies
     -------------------
         N/A

     Administrative Templates
     ------------------------
         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
             State:   Enabled

         GPO: Default Domain Policy V1.4
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings\ZoneMapKey
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings\ZoneMapKey
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
             State:   Enabled

         GPO: Default Domain Policy V1.4
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings\ZoneMapKey
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: Default Domain Policy V1.4
             Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Inte
t Settings\ZoneMapKey
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
             State:   Enabled

         GPO: General Watson Workstations SUS Update GPO V1.0
             Setting: Software\Policies\Microsoft\Windows NT\SystemRestore
             State:   Enabled


R SETTINGS
-----------
 CN=Bill Ettinger (Administrative Account),OU=Administrative Accounts,OU=Admi
tration,DC=na,DC=watson,DC=com
 Last time Group Policy was applied: 7/24/2006 at 11:07:48 AM
 Group Policy was applied from:      usnysrv0013.na.watson.com
 Group Policy slow link threshold:   500 kbps

 Applied Group Policy Objects
 -----------------------------
     Default Domain Policy V1.4

 The following GPOs were not applied because they were filtered out
 -------------------------------------------------------------------
     Local Group Policy
         Filtering:  Not Applied (Empty)

 The user is a part of the following security groups:
 ----------------------------------------------------
     Domain Users
     Everyone
     BUILTIN\Power Users
     BUILTIN\Users
     BUILTIN\Administrators
     DP-Ccat-001-R
     AP-Citrix-004-Admin
     AP-Citrix-003-Admin
     DP-MRPIISupply-001-R
     OP-IDs-001-R
     DP-Watsonprodu-001-R
     DP-LocAdmin-001-R
     DP-SAPEndUser-001-R
     PP-Audit-001-R
     AP-Websens-001-GUser
     DP-SupAudits-001-R
     PP-ECR-001-C
     Dp-SLCtraining-001-R
     DP-GPOBackup-001-C
     DP-IS-001-C
     DP-MRPII-001-R
     DP-changedecis-001-R
     Citrix XP Admins
     DP-SAPUAT-001-R
     DP-ProjectExch-001-C
     PP-Change-001-R
     PP-CFG-002-C
     !usnysrv0004
     OP-AppsInst-001-Admin
     DP-csgroups-001-C
     DP-Steris-001-C
     Domain Admins
     PP-HUD-001-R
     DP-Templates-001-R
     DP-ITProjectRe-001-R
     DP-MiamiTrans-001-R
     !wks-Workstation-001
     !uscasrt0003
     AP-Argent-001-Admin
     DP-ITinfrastru-001-R
     DP-NewSAPAccou-001-R
     PP-Chuck-001-R
     DP-SDLCandPMM-001-R
     AP-Altiris-001-GOP
     OP-Wireless-001-User
     PP-Auditdoc-001-R
     OP-AppsInst-001-Admin-Local
     DP-GPOBackup-001-C-Local
     LOCAL
     NT AUTHORITY\INTERACTIVE
     NT AUTHORITY\Authenticated Users

 Resultant Set Of Policies for User:
 ------------------------------------

     Software Installations
     ----------------------
         N/A

     Public Key Policies
     -------------------
         N/A

     Administrative Templates
     ------------------------
         N/A

     Folder Redirection
     ------------------
         N/A

     Internet Explorer Browser User Interface
     ----------------------------------------
         N/A

     Internet Explorer Connection
     ----------------------------
         N/A

     Internet Explorer URLs
     ----------------------
         N/A

     Internet Explorer Security
     --------------------------
         N/A

     Internet Explorer Programs
     --------------------------
         N/A

>
0
 
glennbrown2Commented:
it sounds like you are applying a user GPO to a computer OU (or vice versa)
0
 
Steve KnightIT ConsultancyCommented:
OK, I can't see any user assigned GPO's there that have been filtered out.  Perhaps this is because you have run it as your  admin user and they are not applied to

OU=Administrative Accounts,OU=Administration,DC=na,DC=watson,DC=com
or OU=Administration,DC=na,DC=watson,DC=com

Where is the GPO applied to and where is the user who it should apply to (and what is it called).  Have a look at the commandline options on gpresult to run it as a different user (I don't have XP here to check syntax).  gpresult /?


Steve
0
 
bjettingerAuthor Commented:
The GPO is using the User Configuration part as screen saver timeout is in that area. It is also a computer OU that the GPO is being applied to. Here is more information from Gpresult:

N:\>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 7/24/2006 at 11:48:37 AM


RSOP results for WATSON_DOMAIN\bettinge on USNYDSK0299 : Logging Mode
----------------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 WATSON_DOMAIN
Domain Type:                 Windows 2000
Site Name:                   CAR01
Roaming Profile:
Local Profile:               C:\Documents and Settings\bettinge
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=USNYDSK0299,OU=Kiosk,OU=Single Function Workstation,OU=CAR,OU=NY,OU=US,DC
=na,DC=watson,DC=com
    Last time Group Policy was applied: 7/24/2006 at 11:37:41 AM
    Group Policy was applied from:      usnysrv0013.na.watson.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        General Watson Workstations SUS Update GPO V1.0
        Default Domain Policy V1.4

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Special Function US NY Carmel Empower Workstation GPO V1.1
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        Debugger Users
        BUILTIN\Users
        USNYDSK0299$
        Domain Computers
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------
    CN=Bill Ettinger,OU=Users,OU=CAR,OU=NY,OU=US,DC=na,DC=watson,DC=com
    Last time Group Policy was applied: 7/24/2006 at 11:37:41 AM
    Group Policy was applied from:      usnysrv0013.na.watson.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy V1.4

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Power Users
        BUILTIN\Users
        BUILTIN\Administrators
        DP-Ccat-001-R
        AP-Citrix-004-Admin
        AP-Citrix-003-Admin
        DP-MRPIISupply-001-R
        DP-INFOLIB-001-R
        OP-IDs-001-R
        DP-Watsonprodu-001-R
        DP-SAPEndUser-001-R
        AP-Websens-001-GUser
        DP-SupAudits-001-R
        DP-ProjectDoc-001-R
        Dp-SLCtraining-001-R
        DP-IS-001-C
        DP-MRPII-001-R
        DP-changedecis-001-R
        DP-MSAccess200-001-R
        OP-Remote-001-Users
        DP-SAPUAT-001-R
        DP-Facilities-003-C
        OP-ITNocPage-001-Users
        DP-ProjectExch-001-C
        OP-AppsInst-001-Users
        DP-ScoreMRPII-001-R
        DP-Steris-001-C
        Domain Admins
        DP-Templates-001-R
        DP-ITProjectRe-001-R
        DP-MiamiTrans-001-R
        DP-ScoreSite-001-R
        AP-HotDox-001-UsersC
        DP-MSAccess200-002-C
        AP-Argent-001-Admin
        DP-ITinfrastru-001-R
        DP-NewSAPAccou-001-R
        DP-SDLCandPMM-001-R
        OP-Wireless-001-User
        DP-Documentsma-001-C
        OP-AppsInst-001-Users-Local
        LOCAL
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users

N:\>
0
 
Netman66Commented:
What is the policy name that you made the changes to that are not applying?

0
 
Steve KnightIT ConsultancyCommented:
If it is a computer OU that it is being applied to and it is a user config. then nothing will happen, it needs assigning to a container with the users is....

Steve
0
 
bjettingerAuthor Commented:
The policy name is "Special Function US NY Carmel Empower Workstation GPO V1.1". The GPO is set to be read by all authenticated users so it should apply to them.
0
 
Netman66Commented:
OK it's applying to the workstation, but the Computer Config is empty.

I don't see it applying at all to the User - so as Dragon-it has stated above, the User Accounts must be in the path of the policy.  

0
 
Netman66Commented:
Good eyes.

Since the users won't likely be there, then loopback is the only way to go on that policy.
0
 
bjettingerAuthor Commented:
I will test your suggestions tomorrow! Thanks for the help!
0
 
bjettingerAuthor Commented:
I want to thank all for their help!! This seems to have solved problem. I did accept Netman66's answer but want to give Dragon-It honorable mention!!
0
 
Steve KnightIT ConsultancyCommented:
Er it was actually I that suggested loopback would solve :-(
0
 
Netman66Commented:
Agreed.  Dragon-IT actually suggested this - I was simply agreeing with him.

Please post a Q in Community Support to reopen this and assign points accordingly.

0
 
Steve KnightIT ConsultancyCommented:
Sounds fair to me, thanks.  I am a fair way behind you in points though, think you might take a bit of catching up mind somehow ;-)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.