Server 2003 R2 Group Policies not deploying

I have a server with 2003 R2 installed and several clients running XP Pro.
Everything has been set up on the server: DHCP, printers, etc. All clients are connected to the domain.
However, no client will install any managed software or apply any policy.
I believe the problem is a simple assignment or permission issue; this is my first full client/server setup from scratch.

Details:
Group policy management snap in installed.
Several GPOs created, one for printers, one for software deployment (Office 2K) and one for mapped folders.

I have created a new organizational unit in Active Directory and moved all clients to this folder (named ICT Suite). I have also created two groups called Staff and Pupils; again, all staff and pupils have been created in these OUs.

All clients are a member of Domain Computers only.

In the Scope tab of the GPO I have added Domain Computers to the Security Filtering Pane.
(All GPO's are enabled under Details Tab)



Asked by: madlan

Netman66 Commented:
Where are your clients pointing to for DNS?  Everything inside your network MUST use your own DNS server.

cmorffew Commented:
To which portion of the GPOs have you applied your settings, i.e. Users or Computers?

madlan (Author) Commented:
Computers for now, will do users once computers are working.

oldPCguy Commented:
Hi madlan,

Did you link the policy object you created to the OU? Right click on the OU and select 'Link an Existing GPO...'.

Hope this helps.

Netman66 Commented:
By default, Authenticated Users is on the scope - this group contains the Domain Users and Domain Computers groups already.  Unless you need to Filter policies that you don't want applying to mixed computers in a single OU then you don't need to change any default security entries.

On XP there is a feature called "FastBoot" that actually logs in using cached credentials while the network stack is initializing (to save logon time).  This feature causes Group Policy to require 2 and sometimes 3 reboots before the policy starts applying.

You can change this behaviour here:

Computer Config>Admin Templates>System>Logon ::

Always wait for the network at computer startup and logon = Enabled.

madlan (Author) Commented:
Thanks netman, I have done that now. I have been using gpupdate /force /sync /boot on clients after logging in as administrator. The clients will not apply any setting in any GPO. I have linked several GPOs to the OU the client machines are located in, and also under the .local (same location as the DDP).

madlan (Author) Commented:
This server and clients have been set up from scratch, all vanilla settings, software and hardware.
The server was set up using the Manage Your Server console. DHCP and user logons are working fine. It's just GPOs that seem to not work.

Netman66 Commented:
Can you post the output from one of the workstations for gpresult?


madlan (Author) Commented:
gpresult states "The User /beehve/administrator Does not have RSOP data"

oldPCguy Commented:
Check to make sure the users have read access.

madlan (Author) Commented:
After running rsop.msc on the client, it states the RSoP data is invalid, reason Invalid Namespace.


You mean the security settings on the Delegation tab of each GPO?
I have:
Administrator
Administrators
Domain Admins
Domain Computers
Enterprise Admins
Enterprise Domain Controller
System

All set to edit, delete, modify.

oldPCguy Commented:
This would be the security access on the OU. Authenticated users should have at least Read access.

Netman66 Commented:
http://technet2.microsoft.com/windowsserver/en/library/11ff9236-b2a2-497f-8a0f-74f66fb452a81033.mspx?mfr=true

Most often this error is caused by a corrupted profile.

If you have roaming profiles then save the user's My Documents folder content and delete the server and local copies of that user's profile and log in again.  I think you'll find this fixes it.

Netman66 Commented:
The OU ACEs are not likely wrong.  Leave the defaults as they are unless someone has been dinking with them.

madlan (Author) Commented:
How do I access the security for the OU? I cannot see any security options under AD?

madlan (Author) Commented:
Remember this is a new network, no users exist, except a few test users.

oldPCguy Commented:
Right click on the OU and select Properties. Click on the Security tab.

Netman66 Commented:
If this is a new installation the ACEs are fine.  Don't go changing stuff like this lightly.

theric76 Commented:
Hi madlan,
First try to run on the server from Group Policy Management a Group Policy Result for that specific Computer account and the user account you are using to log on. In the results check out if your settings are being applied:
- If the policy is applied correctly on server-side, be sure not to have any firewall software running on client PC (particularly Norton Firewall blocks ICMP traffic by default), the error you reported is specific to that issue.
- If the policy is not applied correctly on server-side, be sure that the policy you created has "Apply to" permission enabled for Domain Computers.

Hope this helps
theric

madlan (Author) Commented:
There is no Security tab, only General, Managed By, COM+, Group Policy, both in AD and GPM consoles.

oldPCguy Commented:
Are you logged on to a domain controller, or using the AD .msc? I would recommend doing this from a DC.

madlan (Author) Commented:
I have a single DC server, with several clients (all XP pro)

Here is the output of the gpresult running on the server under administrator account:


Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 11/30/2007 at 3:26:52 PM



RSOP data for BEEHIVE\Administrator on SERVER : Logging Mode
-------------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Configuration:            Primary Domain Controller
OS Version:                  5.2.3790
Terminal Server Mode:        Remote Administration
Site Name:                   Default-First-Site
Roaming Profile:            
Local Profile:               C:\Documents and Settings\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=SERVER,OU=Domain Controllers,DC=Beehive,DC=local
    Last time Group Policy was applied: 11/30/2007 at 3:22:11 PM
    Group Policy was applied from:      server.Beehive.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        BEEHIVE
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy
        Printers

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Pre-Windows 2000 Compatible Access
        BUILTIN\Users
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        SERVER$
        Domain Controllers
        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
       

USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=Beehive,DC=local
    Last time Group Policy was applied: 11/30/2007 at 2:41:49 PM
    Group Policy was applied from:      server.Beehive.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        BEEHIVE
    Domain Type:                        Windows 2000
   
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Printers
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Domain Admins
        Group Policy Creator Owners
        Enterprise Admins
        Schema Admins
       

oldPCguy Commented:
Can you run the RSOP from the OU's the GPO's are linked to and post?
Thanks.

madlan (Author) Commented:
I have turned Windows Firewall off on a client, still the same issue.
The clients take quite a long time to log on to the server, at least 3 - 4 minutes at the "applying your personal settings" screen.

Could there be an issue with the way the clients were connected to the domain?
I used the Network ID wizard on the clients, and the administrator account of the server to connect them.

oldPCguy Commented:
Here is a very good article that may help you resolve this issue ...

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html

Hope this helps!

madlan (Author) Commented:
RSOP fails on all client machines, stating the namespace is invalid.
It runs fine on the server, opening the Resultant set of Policy window.
Is this what you mean?

madlan (Author) Commented:
Using ipconfig /all on a client, the DNS servers are set to the ISP's given numbers.

oldPCguy Commented:
That would definitely cause a problem. Nice catch Netman66. I think you may still have a security issue, but getting the DC added as the primary DNS will help a lot. You can always add DNS forwarding to your DC.

madlan (Author) Commented:
Under the DHCP management console, under Server Options, I have two settings, Router and DNS.
Should I remove the two DNS servers from the DNS entry, and add the server's IP address?

oldPCguy Commented:
You will want to add the DC as the primary DNS. You can leave one of the ISP DNS addresses or remove them and set up DNS forwarding from the DC.

madlan (Author) Commented:
Amazing, it's working now, the clients are installing managed software.
The internet is not working, obviously because of the DNS.
Where do I set the DNS forwarding on the DC?
Thanks for your help guys, I believe you both helped with the solution,
thank you again.

madlan.

theric76 Commented:
You can add your ISP's DNS servers in DNS management console on your server, open your server's properties and search for "Forwarding servers" tab.
Good shot netman66.
theric

Netman66 Commented:
Exactly.  Never give anything inside your network the ISP DNS server address.  Only use your server then Forward to the ISP from it.

This is an example of why you don't use anything but your own DNS.

Netman66 Commented:
I should add, set up options 003, 005 and 006 in DHCP.  The router is 003, and 005 & 006 are for your DNS server - nothing else.
Question has a verified solution.
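
Added example, not part of the original thread: the root cause here was domain clients handed the ISP's DNS servers, so a quick audit is to parse each client's `ipconfig /all` output and flag any DNS server that is not the internal DC. The sample output and all addresses below are constructed (192.168.0.10 stands in for the DC, 203.0.113.x for the ISP), and the function names are hypothetical.

```python
import ipaddress
import re

DNS_LINE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S*)")

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def dns_servers_by_adapter(ipconfig_text):
    """Map each adapter in `ipconfig /all` output to its DNS server list."""
    adapters, current, collecting = {}, None, False
    for line in ipconfig_text.splitlines():
        stripped = line.strip()
        if not stripped or not line[0].isspace():
            collecting = False
            if stripped.endswith(":"):           # e.g. "Ethernet adapter ...:"
                current = stripped.rstrip(":")
                adapters[current] = []
        elif (m := DNS_LINE.match(line)) and current:
            collecting = True                    # further servers follow on bare lines
            if _is_ip(m.group(1)):
                adapters[current].append(m.group(1))
        elif collecting and _is_ip(stripped):
            adapters[current].append(stripped)
        else:
            collecting = False                   # any other labelled line ends the list
    return adapters

def non_internal_dns(ipconfig_text, internal_dns):
    """Return {adapter: [servers outside internal_dns]} for misconfigured adapters."""
    allowed = {ipaddress.ip_address(a) for a in internal_dns}
    found = {}
    for adapter, servers in dns_servers_by_adapter(ipconfig_text).items():
        bad = [s for s in servers if ipaddress.ip_address(s) not in allowed]
        if bad:
            found[adapter] = bad
    return found

# Constructed sample: trimmed XP-style output, documentation-range "ISP" addresses.
SAMPLE = """Windows IP Configuration

        Host Name . . . . . . . . . . . . : CLIENT01

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.0.21
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            203.0.113.54
        Lease Obtained. . . . . . . . . . : Friday, November 30, 2007 3:01:12 PM
"""

if __name__ == "__main__":
    print(non_internal_dns(SAMPLE, ["192.168.0.10"]))
```

An empty result means every adapter resolves only through the listed internal servers; anything else is a client that may fail to locate the domain controller.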
