Solved

Cannot Apply Computer Configuration of a Group Policy

Posted on 2008-01-25
Last Modified: 2011-10-19
What do I need to do to get my Computer Configuration settings in my User group policies to work?

I have three group policies for which I cannot apply the Computer Configuration.  When I view them in the GPO Management Tool they are enabled and are linked.  They are in the container of the group that I want the policy applied to.  The client machines are members of the domain as well as the users.  They all appear in Active Directory.  Also, the status of all the GPOs shows that they are Enabled in the GPO Management Console.

When I run the Group Policy Results it shows me that the User Configurations have been applied but the Computer Configurations have not.  The Group Policy Results Settings tab shows me that there were "No settings defined."

Another way that I know that the policy is not being applied is that I have one policy set to delete the roaming profile from the local machine when the user logs off.  When I test the policy, the local profile is still there.

I have tested another container group of users that use a different GPO and the same thing happens for them.

I have a mixed server and OS environment.  I use Windows Server 2000 and Windows Advanced Server 2003.  My clients are Windows XP SP2 and Windows Vista.

Any help to resolve this issue would be appreciated.
Question by:William_T
24 Comments
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 2000 total points
ID: 20745493
Hi!

"They are in the container of the group that I want the policy applied to"? Can you clarify this part of your post?

If you want GPO with Computer settings to apply to computers, you should link GPO to the OU with computer accounts.

HTH

Toni
0
 
LVL 3

Expert Comment

by:martonejd
ID: 20745497
Computer configurations need to be applied to Computers, User configurations to Users.  Try applying it to a Computer or group of computers.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 20745537
Group policy has almost nothing to do with groups. GPO should be linked to OU with computer accounts. Groups are used only for Security filtering.
0
 

Author Comment

by:William_T
ID: 20787932
I have applied the GPO to a computer, logged in as a user that is linked to the Group Policy and then logged back out.  

I then logged in to the same computer as the administrator and opened the Group Policy Management MMC to run the Group Policy Results wizard on the user I just used.  When I run the wizard for this user I go to the Settings tab and it gives me the message under the Computer Configuration "No Settings defined."

When I look at the GPO and its Computer Configuration section, I can see my settings that have been set, i.e. Windows Security Settings, Administrative Templates, Printers, System/Group Policy, User Profiles, Time Providers, and several IE settings.

Why is it not applying them?

At one time this was not an issue.  They were applied and they did work.  When I look at the GPO Results wizards from previous tests I have run I can see that they were applied, but now they are not.  The only things that have changed since the last time they worked are:  I had to change the operations master for my domain, and several Windows updates.

HELP....
0
 
LVL 3

Expert Comment

by:martonejd
ID: 20788009
Is the computer you are applying the GPO to linked to that policy?  In the Links section, there should be an OU containing computers if the policy has computer configurations.  In the security filtering section, there should be computer names.
0
 

Author Comment

by:William_T
ID: 20788257
Yes.  I have added the testing PC to the security filtering of the first policy below.

I have also noticed that under the Summary of the GPO Policy Results that it has under the Denied GPOs, that my policies' links are disabled.  When I look at the policies themselves it shows all links enabled.

Here are the copies of the policies that I am trying to apply.

I have changed the extensions so they would upload; originally they were html files.
Delete-Local-Profile-Policy-Obje.txt
Domain-IE-Policy-Object.txt
Student-Policy-Object.txt
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 20788512
Go to command prompt on client and run "gpresult /v > gpo.txt", then upload gpo.txt here.

The problem is not how your GPOs are configured but how they are linked. If they don't appear on the list of applied objects in gpo.txt, they are not linked correctly; if they appear on the denied objects list, something is preventing the GPO from applying to client computers.
0
 

Author Comment

by:William_T
ID: 20788921
Here's the gpo.txt file.

The file states that the links are disabled, yet in the GPO management they are linked and enabled.

gpo.txt
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 20788994
Do you have any "userenv" related errors in Event Viewer's Application log?
Did you run "gpresult" as member of local Administrators group?
0
 

Author Comment

by:William_T
ID: 20789077
No, I do not have any "userenv" errors or any related errors.  I ran the gpresult as the test user which is just a member of the Domain Users group and it is not associated with any Admin group or rights.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 20789199
Can you run "gpresult" as a member of the local Administrators group, to exclude the possibility that a regular user account cannot access all information from the Computer Configuration part?
0
 

Author Comment

by:William_T
ID: 20789818
Yes, I can, but administrators are not linked to the policies that I am trying to apply, only those that are members of the Student OU.

Here is the gpo.txt file that I ran as an administrator.
gpoadmin.txt
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 20790702
We are troubleshooting Computer configuration part of Group Policy objects.

Do all computers experience the same error? Does this computer experience any other problems?
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 20790793
To which OUs exactly are the following policies linked:

Delete-Local-Profile-Policy-Object
Domain-IE-Policy-Object
Student-Policy-Object
0
 

Author Comment

by:William_T
ID: 20791166
To just my student OU.
0
 

Author Comment

by:William_T
ID: 20791191
Other than not applying the Computer Configuration section of the policy the computer does not experience any other issues.  
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 20791322
Are you aware of the fact that computer which you used for gpresult is not in Student OU but in Computers container?

Move only one computer account from Computers container to Student OU, run "gpupdate /force" and "gpresult" again, any changes?
0
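Added example (not part of the original thread, and not any poster's code): a PowerShell check for the situation described in the comment above, where the computer account sits in the Computers container rather than in the OU the GPOs are linked to. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the function name `Get-ComputerGpoScope` and the computer name `TESTPC01` are hypothetical.

```powershell
# Added example: requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

function Get-ComputerGpoScope {
    param(
        [Parameter(Mandatory)][string]$ComputerName,  # computer account to inspect
        [string[]]$ExpectedGpo = @()                  # GPO display names you expect to reach it
    )

    $computer = Get-ADComputer -Identity $ComputerName
    Write-Host "Computer account: $($computer.DistinguishedName)"

    # Strip the leading "CN=<computer>," to get the parent of the account.
    $scope = $computer.DistinguishedName -replace '^CN=[^,]+,', ''

    # GPOs cannot be linked to plain containers such as CN=Computers.
    # Walk up until we reach something that can carry links (an OU or the domain).
    if ($scope -like 'CN=*') {
        Write-Warning "$ComputerName is in a container ($scope), not an OU. GPOs linked to other OUs will not reach it."
        while ($scope -like 'CN=*') {
            $scope = $scope -replace '^CN=[^,]+,', ''
        }
    }
    Write-Host "Nearest scope that can hold GPO links: $scope"

    # GPO links that are in effect at that scope, in processing order.
    $links = (Get-GPInheritance -Target $scope).InheritedGpoLinks
    $links | Select-Object Order, DisplayName, Enabled, Enforced, Target

    # Flag every expected GPO whose link never reaches the computer account.
    foreach ($name in $ExpectedGpo) {
        if (-not ($links | Where-Object DisplayName -eq $name)) {
            Write-Warning "'$name' has no link in effect at or above $scope, so its Computer Configuration is never processed by $ComputerName."
        }
    }
}

# Usage (TESTPC01 is a hypothetical name; the GPO names are the ones listed in the thread):
# Get-ComputerGpoScope -ComputerName 'TESTPC01' -ExpectedGpo 'Student-Policy-Object','Domain-IE-Policy-Object'
```

After moving the computer account or changing a link, run `gpupdate /force` and `gpresult` on the client, as the comment above suggests, and compare the result with this output.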
 

Author Comment

by:William_T
ID: 20796764
How would this affect other members of other OU's whose computer configuration policy is different from the students'?
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 20803370
Computer configuration settings always affect all users the same. It doesn't matter in which OU they (users) are.
0
 

Author Comment

by:William_T
ID: 20878239
If I move the GPO to domain container but still have it apply only to the students in the security filtering will it only apply its computer settings if that OU member logs on?

I want the computer configuration of that GPO to only apply itself if that OU member logs on.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 20878770
Hi!

Group policy objects contain two distinctive groups of settings: Computer Configuration settings and User Configuration settings. When you start the computer and your network becomes active, the client will check for new versions of GPOs on the domain controller. If GPOs have changed, new versions will be downloaded and then Computer settings will be processed. You can observe this part of the process on your screen where it says "Applying computer settings...". When this part is over MSGINA will appear (Ctrl+Alt+Del window). Now you can enter username and password and only now User Configuration settings will be processed.

This means that Computer Configuration settings are ALWAYS processed first, regardless of which user will log on later and that you can't change this behaviour.

There is an "anomaly" in processing group policies called loopback processing. In this case Computer Configuration settings will be processed, then User Configuration settings will be processed and Computer settings will be processed AGAIN in replace or merge mode. Computer Configuration settings will win over User Configuration settings. This special scenario is often used on Terminal Servers or kiosk computers and does not solve your problem.

Security filtering will not help either; usually security filtering brings nothing but... trouble.

Toni
0
 

Author Comment

by:William_T
ID: 20880193
There are settings in the computer configuration that are not found in the user configuration.  I would like to be able to apply these computer configuration settings for one group of users and not for another group.

I attempted to just apply these settings on a test computer but the computer configuration settings of the policy still did not work.  I must have missed something.

I am thinking of creating a new OU and then moving a selected group of computers to that OU.  Then I will assign the GPO I want to that new group.  Would that work?
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 20928176
Sorry for delay.

But the answer to your last question is still: no.

You can not filter Computer configuration settings based on user's group membership, because these settings are processed before user logs on.

Unfortunately, there is no workaround. I will be very surprised if you or anyone else comes up with a working solution.
0
 

Expert Comment

by:DCSIMVT
ID: 25486403
thanks so much!!!!!!!!!! great
0

Question has a verified solution.