Solved

GPO not applying properly to new systems in different OUs.

Posted on 2006-11-14
19 Comments, 781 Views
Last Modified: 2008-02-01
Note:  I am a Junior Sys Admin and this is URGENT, so please go easy on me!

I have one single AD server (W2K3 Enterprise).  Several OUs have been defined.  What I am trying to do is use "Restricted Groups" to push "Local Administrators" and "Network Operators" to the PCs so I don't have to define each individually on every new PC.  This is already working for one of the OUs, where I am pushing local admins and network operators, but over the last 14 hrs I have been attempting the same in a new group of PCs in a new OU and have had no luck.
All 17 PCs where this is working were cloned from the first PC in that working OU.  Additional PCs in the new OU were also cloned from the same image, so they all have the same base configuration (and they are all exactly the same hardware).  
I have redone the GPO, blocked inheritance, disabled firewall(s), etc.  What's even worse is that if I do a "gpresult /v" on one of the new PCs in the new OU, I can see the GPO went through (see partial output below), but when I look at the local users by typing "nusrmgr.cpl" I don't have those users there and their privilege isn't working (see output below, and if I log in with the jfarrance account, which is supposed to be an admin, she really can't do anything).  THIS IS URGENT!!! I have 96 more PCs to implement in the next few hours and resolving this is critical.

C:\Documents and Settings\barnys>gpresult /v

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 11/14/2006 at 7:24:41 AM


RSOP results for SUNNYVALE\barnys on PC51DW1 : Logging Mode
------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 SUNNYVALE
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\barnys
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=PC51DW1,OU=Sunnyvale-PCs-DW1,DC=sv,DC=edu,DC=juniper,DC=net
    Last time Group Policy was applied: 11/14/2006 at 5:54:16 AM
    Group Policy was applied from:      ad1.sv.edu.juniper.net
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        GPO-DW1
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        PC51DW1$
        Domain Computers

    Resultant Set Of Policies for Computer:
    ----------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  4

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  4294967295

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            N/A

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            GPO: GPO-DW1
                Groupname: Administrators
                Members:   SUNNYVALE\barnys
                           SUNNYVALE\fairchild
                           SUNNYVALE\jfarrance

            GPO: GPO-DW1
                Groupname: Network Configuration Operators
                Members:   SUNNYVALE\student01dw1

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A


0
Comment
Question by:barnysanchez
19 Comments
 
LVL 5

Expert Comment

by:trarthur
ID: 17939019
What happens when you apply the known good GPO to the OU that is giving you problems?  

Couple things to verify if you haven't already:

Use the Group Policy Management Console to manage your GPOs

Make sure the security filtering has Authenticated Users as a member (default unless you have changed it)

Create a GPO specifically for changing the local group membership.  Don't apply any other policies with it.



Let us know.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17939341
Strange, RSoP is showing the restricted groups.  I presume gpresult isn't showing a conflicting policy that is overriding the restricted groups from elsewhere?

presumably then also

net localgroup Administrators
and
net localgroup "Network Configuration Operators"
or even
net localgroup

doesn't show them either?

Any different after a reboot of the workstation?

Steve
0
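One way to do the comparison Steve describes in a repeatable way, as an added example that is not part of this thread: the script parses the Restricted Groups section of gpresult /v and the member list printed by net localgroup and reports what the policy lists but the local SAM lacks (and the reverse). Both sample outputs are constructed to match the layout posted in the question.

```python
# Compare the Restricted Groups membership that gpresult /v reports with what
# the local SAM holds (net localgroup). Both samples below are constructed.
GPRESULT_SAMPLE = """\
        Restricted Groups
        -----------------
            GPO: GPO-DW1
                Groupname: Administrators
                Members:   SUNNYVALE\\barnys
                           SUNNYVALE\\fairchild
                           SUNNYVALE\\jfarrance

            GPO: GPO-DW1
                Groupname: Network Configuration Operators
                Members:   SUNNYVALE\\student01dw1

        System Services
        ---------------
"""

NET_LOCALGROUP_SAMPLE = """\
Members

-------------------------------------------------------------------------------
Administrator
SUNNYVALE\\Domain Admins
The command completed successfully.
"""

def parse_restricted_groups(text):
    """Return {group: [members]} from the Restricted Groups section."""
    groups, in_section, collecting, group, indent = {}, False, False, None, 0
    for line in text.splitlines():
        stripped = line.strip()
        cur = len(line) - len(line.lstrip())
        if not in_section:
            in_section, indent = stripped == "Restricted Groups", cur
            continue
        if stripped and cur <= indent and set(stripped) != {"-"}:
            break  # reached the next section (System Services here)
        if stripped.startswith("Groupname:"):
            group = stripped.split(":", 1)[1].strip()
            groups.setdefault(group, [])
        elif stripped.startswith("Members:"):
            groups[group].append(stripped.split(":", 1)[1].strip())
            collecting = True
        elif collecting and stripped and not stripped.startswith("GPO:"):
            groups[group].append(stripped)  # continuation line of Members
        else:
            collecting = False
    return groups

def parse_net_localgroup(text):
    """Return the member names printed by `net localgroup <group>`."""
    members, started = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if not started:
            started = len(stripped) > 10 and set(stripped) == {"-"}
        elif not stripped or stripped.startswith("The command completed"):
            break
        else:
            members.append(stripped)
    return members

def compare_memberships(policy_members, local_members):
    """Return (in policy but missing locally, local but not in policy)."""
    policy = {m.lower(): m for m in policy_members}
    local = {m.lower(): m for m in local_members}
    return ([v for k, v in policy.items() if k not in local],
            [v for k, v in local.items() if k not in policy])
```

Because a Restricted Groups "Members" list replaces the group's membership, the second list is what a correctly applied policy would have removed; on a box where the policy is not really landing it simply shows the untouched defaults.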
 

Author Comment

by:barnysanchez
ID: 17939368
OK, two sets of tests were running.

Test 1:
In working PCs under working OU I made a change to add additional Admins, logged in to one of the PCs in that OU, did "gpupdate" and voila!  everything worked as expected.  I did this just to reassure that my GPO itself is working properly and that it hasn't broken.

Test 2:  
I unlinked the GPO that I was applying to the second OU and linked the GPO used in the PCs from test 1 (so now we have two OUs using the exact same GPO), did "gpupdate" on a computer in the new OU, rebooted, did "gpupdate /Force", and the problem for which I originally wrote persists.  Doing "gpresult /v" shows me the whole list of Admins that I am pushing via the GPO, but none show under nusrmgr.cpl, and logging in as one of those administrators proves indeed that they don't have admin rights.

Also, I am using Group Policy Management Console to manage my GPOs, and yes! the security filtering has Authenticated Users as a member.
As per applying a GPO specifically for changing local group membership, this is something I've done and obtained the same results; however, the working GPO has not only this but a whole bunch of other settings and everything seems to work fine. Even when I log in as "student01n1" (notice from the output below that I am trying to make this account part of the Network Operators group), I can log in and the rest of the restrictions are being enforced (like not being able to change the desktop background), but the capacity to change the NIC settings is not there.  So the GPO is partially working except for whatever I am pushing for the "Restricted Groups".   Again, all of this works like a charm in PCs under the other OU.

The partial output of "gpresult /v":
C:\Documents and Settings\barnys>gpresult /v

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 11/14/2006 at 8:33:48 AM


RSOP results for SUNNYVALE\barnys on PC51DW1 : Logging Mode
------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 SUNNYVALE
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\barnys
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=PC51DW1,OU=Sunnyvale-PCs-DW1,DC=sv,DC=edu,DC=juniper,DC=net
    Last time Group Policy was applied: 11/14/2006 at 8:33:24 AM
    Group Policy was applied from:      ad1.sv.edu.juniper.net
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Computer Locks
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        PC51DW1$
        Domain Computers

    Resultant Set Of Policies for Computer:
    ----------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  4

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  4294967295

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            N/A

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            GPO: Computer Locks
                Groupname: Administrators
                Members:   SUNNYVALE\barnys
                           SUNNYVALE\fairchild
                           SUNNYVALE\instructorn1
                           SUNNYVALE\jfarrance
                           SUNNYVALE\studenttest

            GPO: Computer Locks
                Groupname: Network Configuration Operators
                Members:   SUNNYVALE\instructorn1
                           SUNNYVALE\student01n1
                           SUNNYVALE\student02n1
                           SUNNYVALE\student03n1
                           SUNNYVALE\student04n1
                           SUNNYVALE\student05n1
                           SUNNYVALE\student06n1
                           SUNNYVALE\student07n1
                           SUNNYVALE\student08n1
                           SUNNYVALE\student09n1
                           SUNNYVALE\student10n1
                           SUNNYVALE\student11n1
                           SUNNYVALE\student12n1
                           SUNNYVALE\student13n1
                           SUNNYVALE\student14n1
                           SUNNYVALE\student15n1
                           SUNNYVALE\student16n1

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: Computer Locks
                Setting: Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon
                State:   Enabled


0
 

Author Comment

by:barnysanchez
ID: 17939458
To dragon-it:
Correct!  The output of the commands you indicated ("net localgroup XXX") is consistent with what I see when launching nusrmgr.cpl, but not so with the "gpresult /v" output, which displays the entire list of Admins and Network Operators that I am trying to push.

No difference if I reboot the PC (which is what I've been doing all along really) or if I do "gpupdate /Force".  Now, doing "gpupdate /Force" and displaying the results again, I can see changes when I add or remove users in the GPO definition, but they just simply don't want to come up on the PC in nusrmgr.cpl.

Bizarre, huh?
0
 

Author Comment

by:barnysanchez
ID: 17939502
By the way, worth mentioning two things (just in case).
1)  All of the PCs (including the AD) I am accessing remotely.  Don't think this has anything to do with the problem at all, but just in case.
2)  I have removed and rejoined 3 of the affected PCs in the new OU to the AD just as a test, but nothing (of course don't want to keep doing this because I will be deploying a few hundred in about the next week or so).

Thanks,
0
 
LVL 5

Expert Comment

by:trarthur
ID: 17939870
Create a new GPO for just modifying the groups.  And make sure that Computer Configuration is enabled.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17939984
I was about to suggest that last comment... I.e. try a new different group.

Also just do a scan of gpresult output for the restricted groups in case there is somehow another gpo overriding (I know it shouldn't, all looks fine in rsop).

Any event log errors?

Steve
0
 

Author Comment

by:barnysanchez
ID: 17940020
Trarthur:

I just did that.  I ditched the GPO link to the new OU (which is the working GPO applied to the first OU working fine) and created a new GPO just for this task. Exactly the same is happening.  I see the list of admins with "gpresult /v" but not with nusrmgr.cpl.

I also did the following Test 3:
I moved one of the new PCs into the OU that is working, rebooted hoping that it would get the same settings as all the current 17 PCs in the same OU, but the problem is still occurring. It's almost like something at the PC is blocking the proper acceptance of the policies.  Is there a way to like "reset" GPO settings at the PC level?

I tell-ya, I am gonna get bald by the end of the day!

Thanks,
0
 
LVL 5

Expert Comment

by:trarthur
ID: 17940088
Hmm...that is strange.  

There is some logging that can be enabled on the PC that will give you quite a bit of GPO related information.

Registry hacks:

http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/Miscellaneous/Registryhackstoturn-onverboseGPOlogging.html

You'll need to increase the size of the event logs, because you will get a LOT of entries.
0
 

Author Comment

by:barnysanchez
ID: 17940121
Trarthur and Dragon-IT:

Created a new OU, moved the PCs there, created a new GPO for only that, rebooted PCs (twice)... and the same, no change!

Trarthur... I am going to try the logging based on link info provided and communicate back!

Thanks,
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17940297
Strange, isn't it.  There are some docs about 2000, but I assume this is XP obviously.

http://support.microsoft.com/kb/258595

I presume you haven't got some software installed designed to protect the user from dodgy apps, such as anti-spyware or AV, that might be stopping the changing of the memberships?
0
 

Author Comment

by:barnysanchez
ID: 17940336
Dragon-IT... you are assuming correctly.  These are XP systems talking to a Windows 2003 Enterprise server.
No tools have been installed.  As per my previous input, not only are the new PCs clones of the current working PCs, but also the GPOs are kicking in to some extent.  Only the Administrators section isn't working.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17943256
OK, I haven't completely read everything above, however Restricted Groups is a confusing thing.

First of all, you do NOT want to enforce membership of the local Administrators group - this will remove any member not exclusively defined in your policy.

You want to ADD membership to the local Administrators group instead.

Remove the settings you made for Restricted Groups.  

Since you already appear to have enforced membership then it's likely that the default groups that belong in the local Administrators group have been removed - so we need to put them back.

1)  On the Default Domain Policy - configure a new Restricted Group.  Browse to Domain Admins.  Select OK.  On the next applet, in the lower section where it states "This group is a member of", click ADD then manually type Administrators.  Finish up and exit out of the Restricted Groups applet.  This should put the Domain Admins Group into the local Administrators group on every domain workstation and solve one problem.

2)  On each OU where membership will differ, you want to create a new GPO for Restricted Groups and repeat the steps above to add in the non-default groups you want.  If you have some groups that need to be in ALL local Administrators groups then add them to the Default Domain Policy so that it affects all PCs in the domain.  You only want to create and link new GPOs to OUs where you want ADDITIONAL groups added in.

By using the upper portion of the Restricted Groups applet you are REPLACING the membership of the group in question.  If you do this over multiple OUs you end up with membership that is not consistent with your goals.

Let us know if you need more explanation.
0
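A small model of the replace-versus-add semantics Netman66 describes, written as an added example (not from the thread or from Microsoft). It assumes the usual L-S-D-OU processing order and that a "Members" list for a group replaces that group's membership with only the last GPO defining one taking effect, while a "This group is a member of" entry only adds; the starting SAM state and the account names are constructed from the ones in the question.

```python
# Model of how Restricted Groups settings from several GPOs combine on a
# workstation. Assumed rule (not from the thread): GPOs are processed in
# L-S-D-OU order, a "Members" list REPLACES the group's membership and only
# the last GPO defining one for that group takes effect, while a "This group
# is a member of" entry only ADDS the principal and never removes anyone.

def apply_restricted_groups(local_groups, gpos):
    """local_groups: {group: set(members)} in the SAM before the refresh.
    gpos: dicts in processing order with optional "members" ({group:
    [principals]}) and "member_of" ({principal: [groups]}) settings.
    Returns (resulting membership, {group: GPO whose Members list won})."""
    result = {g: set(m) for g, m in local_groups.items()}
    winner = {}
    for gpo in gpos:
        for group, members in gpo.get("members", {}).items():
            result[group] = set(members)  # replace, not merge
            winner[group] = gpo["name"]
        for principal, groups in gpo.get("member_of", {}).items():
            for group in groups:
                result.setdefault(group, set()).add(principal)  # add only
    return result, winner

# Constructed starting state of a freshly joined workstation.
SAM_BEFORE = {"Administrators": {"Administrator", "SUNNYVALE\\Domain Admins"}}
DW1_ADMINS = ["SUNNYVALE\\barnys", "SUNNYVALE\\fairchild", "SUNNYVALE\\jfarrance"]

def enforce_style():
    """Members lists in both the domain policy and GPO-DW1 (what the posted
    gpresult suggests): the last one processed wins and the defaults vanish."""
    gpos = [
        {"name": "Default Domain Policy",
         "members": {"Administrators": ["SUNNYVALE\\Domain Admins"]}},
        {"name": "GPO-DW1", "members": {"Administrators": DW1_ADMINS}},
    ]
    return apply_restricted_groups(SAM_BEFORE, gpos)

def add_style():
    """Netman66's layout: every GPO uses "member of", so entries accumulate
    and the built-in Administrator and Domain Admins survive."""
    gpos = [
        {"name": "Default Domain Policy",
         "member_of": {"SUNNYVALE\\Domain Admins": ["Administrators"]}},
        {"name": "GPO-DW1",
         "member_of": {u: ["Administrators"] for u in DW1_ADMINS}},
    ]
    return apply_restricted_groups(SAM_BEFORE, gpos)

if __name__ == "__main__":
    for label, fn in (("Members list", enforce_style), ("Member of", add_style)):
        groups, won = fn()
        print(label, sorted(groups["Administrators"]), won)
```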
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17945178
lol, finally got the time to look at this and got beaten to the cake by the cavalry :-)
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17945389
Good points, had missed that, silly really 'cos I always do it the other way around except on policies designed to fix the local Admins group and remove any manually added users... it should still add these people though, surely?  Wonder if his other GPO is doing it the other way?

Steve
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17946187
It's likely working exactly as it should, but replacing membership with each GPO ends up in a tug of war for the outcome.

Normally, it's L-S-D-OU down to the client, but this can be changed in GPMC so the outcome is not one you would expect.

0
 

Author Comment

by:barnysanchez
ID: 18134034
This is long overdue and I apologize for posting days after, but I wanted to give an update.  After days and days of troubleshooting, reading logs, testing over and over again, I decided to reclone the new group of PCs (exactly the same image used for ALL previous PCs), and then things started working again.

What was the problem??  I HAVE NO IDEA... gotta love MS Windows.....

So I appreciate all the suggestions, ideas, and comments, but unfortunately none really helped me fix the problem, and to date it is still unclear to me what caused this behavior.

Thanks,

Barny Sanchez
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 18414288
PAQed with points refunded (500)

Computer101
EE Admin
0