Solved

Server 2003 R2 Group Policies not deploying

Posted on 2007-11-30
Last Modified: 2010-05-18
I have a server with 2003 R2 installed and several clients running XP Pro.
Everything has been set up on the server: DHCP, printers, etc. All clients are connected to the domain.
However, no client will install any managed software or apply any policy.
I believe the problem is a simple assignment or permission issue; this is my first full client/server setup from scratch.

Details:
Group policy management snap in installed.
Several GPOs created, one for printers, one for software deployment (Office 2K) and one for mapped folders.

I have created a new organizational unit in Active Directory and moved all clients to this folder (named ICT Suite). I have also created two groups called Staff and Pupils; again, all staff and pupils have been created in these OUs.

All clients are a member of Domain Computers only.

In the Scope tab of the GPO I have added Domain Computers to the Security Filtering pane.
(All GPOs are enabled under the Details tab.)



Question by:madlan
34 Comments
 
LVL 9

Expert Comment

by:cmorffew
ID: 20382025
Which portion of the GPO's have you applied your settings i.e. Users or Computers?
0
 
LVL 1

Author Comment

by:madlan
ID: 20382049
Computers for now, will do users once computers are working.
0
 
LVL 4

Expert Comment

by:oldPCguy
ID: 20382078
Hi madlan,

Did you link the policy object you created to the OU? Right-click on the OU and select 'Link an Existing GPO...'.

Hope this helps.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20382109
By default, Authenticated Users is on the scope - this group contains the Domain Users and Domain Computers groups already.  Unless you need to Filter policies that you don't want applying to mixed computers in a single OU then you don't need to change any default security entries.

On XP there is a feature called "FastBoot" that actually logs in using cached credentials while the network stack is initializing (to save logon time).  This feature causes Group Policy to require 2 and sometimes 3 reboots before the policy starts applying.

You can change this behaviour here:

Computer Config>Admin Templates>System>Logon ::

Always wait for the network at computer startup and logon = Enabled.

0
 
LVL 1

Author Comment

by:madlan
ID: 20382148
Thanks netman, I have done that now. I have been using gpupdate /force /sync /boot on clients after logging in as administrator. The clients will not apply any setting in any GPO. I have linked several GPOs to the OU the client machines are located in, and also under the .local (same location as the DDP).
0
 
LVL 1

Author Comment

by:madlan
ID: 20382162
This server and clients have been set up from scratch, all vanilla settings, software and hardware.
The server was set up using the Manage Your Server console. DHCP and user logons are working fine. It's just GPOs that seem to not work.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20382192
Can you post the output from one of the workstations for gpresult?


0
 
LVL 1

Author Comment

by:madlan
ID: 20382234
gpresult states "The User /beehve/administrator Does not have RSOP data"
0
 
LVL 4

Expert Comment

by:oldPCguy
ID: 20382286
Check to make sure the users have read access.
0
 
LVL 1

Author Comment

by:madlan
ID: 20382360
After running rsop.msc on the client, it states the RSoP data is invalid, reason Invalid Namespace.


You mean the security settings on the Delegation tab of each GPO?
I have:
Administrator
Administrators
Domain Admins
Domain Computers
Enterprise Admins
Enterprise Domain Controller
System

All set to edit, delete, modify.

0
 
LVL 4

Expert Comment

by:oldPCguy
ID: 20382395
This would be the security access on the OU. Authenticated users should have at least Read access.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20382436
http://technet2.microsoft.com/windowsserver/en/library/11ff9236-b2a2-497f-8a0f-74f66fb452a81033.mspx?mfr=true

Most often this error is caused by a corrupted profile.

If you have roaming profiles then save the user's My Documents folder content and delete the server and local copies of that user's profile and log in again.  I think you'll find this fixes it.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 20382449
The OU ACEs are not likely wrong.  Leave the defaults as they are unless someone has been dinking with them.

0
 
LVL 1

Author Comment

by:madlan
ID: 20382455
How do I access the security for the OU? I cannot see any security options under AD?
0
 
LVL 1

Author Comment

by:madlan
ID: 20382474
Remember this is a new network, no users exist, except a few test users.
0
 
LVL 4

Expert Comment

by:oldPCguy
ID: 20382478
Right Click on the OU and select properties. Click on the security Tab.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20382520
If this is a new installation the ACEs are fine.  Don't go changing stuff like this lightly.

0
 
LVL 2

Expert Comment

by:theric76
ID: 20382524
Hi madlan,
First try to run on the server from Group Policy Management a Group Policy Result for that specific Computer account and the user account you are using to log on. In the results check out if your settings are being applied:
- If the policy is applied correctly on server-side, be sure not to have any firewall software running on client PC (particularly Norton Firewall blocks ICMP traffic by default), the error you reported is specific to that issue.
- If the policy is not applied correctly on server-side, be sure that the policy you created has "Apply to" permission enabled for Domain Computers.

Hope this helps
theric
0
 
LVL 1

Author Comment

by:madlan
ID: 20382529
There is no Security tab, only General, Managed By, COM+ and Group Policy, both in the AD and GPM consoles.
0
 
LVL 4

Expert Comment

by:oldPCguy
ID: 20382571
Are you logged on to a domain controller, or using the AD .msc? I would recommend doing this from a DC.
0
 
LVL 1

Author Comment

by:madlan
ID: 20382619
I have a single DC server, with several clients (all XP pro)

Here is the output of the gpresult running on the server under administrator account:


Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 11/30/2007 at 3:26:52 PM



RSOP data for BEEHIVE\Administrator on SERVER : Logging Mode
-------------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Configuration:            Primary Domain Controller
OS Version:                  5.2.3790
Terminal Server Mode:        Remote Administration
Site Name:                   Default-First-Site
Roaming Profile:            
Local Profile:               C:\Documents and Settings\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=SERVER,OU=Domain Controllers,DC=Beehive,DC=local
    Last time Group Policy was applied: 11/30/2007 at 3:22:11 PM
    Group Policy was applied from:      server.Beehive.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        BEEHIVE
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy
        Printers

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Pre-Windows 2000 Compatible Access
        BUILTIN\Users
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        SERVER$
        Domain Controllers
        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
       

USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=Beehive,DC=local
    Last time Group Policy was applied: 11/30/2007 at 2:41:49 PM
    Group Policy was applied from:      server.Beehive.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        BEEHIVE
    Domain Type:                        Windows 2000
   
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Printers
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Domain Admins
        Group Policy Creator Owners
        Enterprise Admins
        Schema Admins
       
0
 
LVL 4

Expert Comment

by:oldPCguy
ID: 20382701
Can you run the RSOP from the OU's the GPO's are linked to and post?
Thanks.
0
 
LVL 1

Author Comment

by:madlan
ID: 20382727
I have turned windows firewall off on a client, still the same issue.
The clients take quite a long time to log on to the server, at least 3 - 4 minutes at the "Applying your personal settings" screen.

Could there be an issue with the way the clients were connected to the domain?
I used the Network ID wizard on the clients, and the administrator account of the server to connect them.
0
 
LVL 4

Expert Comment

by:oldPCguy
ID: 20382747
Here is a very good article that may help you resolve this issue ...

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html

Hope this helps!
0
 
LVL 1

Author Comment

by:madlan
ID: 20382758
RSOP fails on all client machines, stating the namespace is invalid.
It runs fine on the server, opening the Resultant set of Policy window.
Is this what you mean?
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 300 total points
ID: 20382772
Where are your clients pointing to for DNS?  Everything inside your network MUST use your own DNS server.

0
 
LVL 1

Author Comment

by:madlan
ID: 20382807
Using ipconfig /all on a client, the DNS servers are set to the ISP's given numbers.
0
 
LVL 4

Assisted Solution

by:oldPCguy
oldPCguy earned 200 total points
ID: 20382851
That would definitely cause a problem. Nice catch Netman66. I think you may still have a security issue, but getting the DC added as the primary DNS will help a lot. You can always add DNS forwarding to your DC.
0
 
LVL 1

Author Comment

by:madlan
ID: 20382910
In the DHCP management console, under Server Options, I have two settings, Router and DNS.
Should I remove the two DNS servers from the DNS entry, and add the server's IP address?
0
 
LVL 4

Expert Comment

by:oldPCguy
ID: 20382938
You will want to add the DC as the primary DNS. You can leave one of the ISP DNS addresses or remove them and set up DNS forwarding from the DC.
0
 
LVL 1

Author Comment

by:madlan
ID: 20382974
Amazing, it's working now, the clients are installing managed software.
The internet is not working, obviously because of the DNS.
Where do I set the DNS forwarding on the DC?
Thanks for your help guys, I believe you both helped with the solution,
thank you again.

madlan.
0
 
LVL 2

Expert Comment

by:theric76
ID: 20383016
You can add your ISP's DNS servers in DNS management console on your server, open your server's properties and search for "Forwarding servers" tab.
Good shot netman66.
theric
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20383431
Exactly.  Never give anything inside your network the ISP DNS server address.  Only use your server then Forward to the ISP from it.

This is an example of why you don't use anything but your own DNS.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 20383436
I should add, set up option 003, 005 and 006 in DHCP.  The router is 003, and 005 & 006 are for your DNS server - nothing else.
0
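
The check behind the accepted answer, as an added example that is not part of any post in this thread: it parses `ipconfig /all` text and flags every DNS server that is not on an approved internal list, since domain clients locate their domain controller through DNS. The sample output, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (addresses are made up for this example).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : CLIENT01

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.50
        DHCP Server . . . . . . . . . . . : 192.168.1.10
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            203.0.113.54
        Lease Obtained. . . . . . . . . . : 30 November 2007 14:00:00
"""

def dns_servers_by_adapter(text):
    """Return {adapter name: [DNS server addresses]} parsed from `ipconfig /all` text."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current, in_dns = line.rstrip().rstrip(":"), False
            adapters[current] = []
            continue
        m = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        if m and current:
            adapters[current].append(m.group(1))
            in_dns = True
        elif in_dns and re.fullmatch(r"\s+[0-9A-Fa-f:.%]+", line):
            adapters[current].append(line.strip())  # continuation line
        else:
            in_dns = False
    return adapters

def rogue_dns(text, allowed):
    """Return (adapter, server) pairs whose DNS server is not in the approved list."""
    ok = {ipaddress.ip_address(a) for a in allowed}
    return [(adapter, s)
            for adapter, servers in dns_servers_by_adapter(text).items()
            for s in servers
            if ipaddress.ip_address(s.split("%")[0]) not in ok]

if __name__ == "__main__":
    for adapter, server in rogue_dns(SAMPLE_IPCONFIG, ["192.168.1.10"]):
        print(f"{adapter}: DNS server {server} is not an approved internal DNS server")
```

Run over saved `ipconfig /all` output from each client, with the domain controller's address as the only approved entry, this also catches the mixed case where the DC is listed first and an ISP resolver is left as secondary.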
