Cannot Apply Computer Configuration of a Group Policy

What do I need to do to get my Computer Configuration settings in my User group policies to work?

I have three group policies that I cannot apply the Computer Configuration of the group policy.  When I view them in the GPO Management Tool they are enabled and are linked.  They are in the container of the group that I want the policy applied to.  The client machines are members of the domain as well as the users.  They all appear in active directory.  Also, all the GPO's status shows that they are Enabled in the GPO Management Console.

When I run the Group Policy Results it shows me that the User Configurations have been applied but the Computer Configurations have not.  The Group Policy Results Setting Tab show me that there where "No settings defined."  

Another way that I know that the policy is not being applied is that I have one policy set to delete the roaming profile from the local machine when the user logs off.  When I test the policy, the local profile is still there.

I have tested another container group of users that use a different GPO and the same thing happens for them.

I have a mixed server and OS environment.  I use Windows Server 2000 and Windows Advanced Server 2003.  My clients are Windows XP SP2 and Windows Vista.

Any help to resolve this issue would be appreciated.
William_TAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Toni UranjekConsultant/TrainerCommented:
Hi!

"They are in the container of the group that I want the policy applied to"? Can you clarify this part of your post?

If you want GPO with Computer settings to apply to computers, you should link GPO to the OU with computer accounts.

HTH

Toni
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
martonejdCommented:
Computer configurations need to be applied to Computers, User configurations to Users.  Try applying it to a Computer or group of computers.
0
Toni UranjekConsultant/TrainerCommented:
Group policy has almost nothing to do with groups. GPO should be linked to OU with computer accounts. Groups are used only for Security filtering.
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

William_TAuthor Commented:
I have applied the GPO to a computer, logged in as a user that is linked to the Group Policy and then logged back out.  

I then logged in to the same computer as the administrator and opened the Group Policy Management MMC to run the Group Policy Results wizard on the user I just used.  When I run the wizard for this user I go the the Settings tab and it gives me the message under the Computer Configuration "No Settings defined."

When I look at the GPO and its Computer Configuration section, I can see my settings that have been set, i.e. Windows Security Settings, Administrative Templates, Printers, System/Group Policy, User Profiles, Time Providers, and several IE settings.

Why is it not appling them?

At one time this was not an issue.  They were applied and they did work.  When I look at the GPO Results wizards from previous test I have ran I can see that they were applied, but now they are not.  The only things that have changed since the last time they worked are:  I had to change the operations master for my domain, and several windows updates.

HELP....
0
martonejdCommented:
is the computer you are applying the GPO to linked to that policy?  in the Links section, should be an OU containing computers if the policy has computer configurations.  in the security filtering section, should be computer names
0
William_TAuthor Commented:
Yes.  I have added the testing PC to the security filtering of the first policy below.

I have also noticed that under the Summary of the GPO Policy Results that it has under the Denied GPOs, that my policies' links are disabled.  When I look at the policies themselves it show all links enabled.

Here are the copies of the policies that I am trying to apply.

I have changed the extensions so they would upload, orginally they were html files.
Delete-Local-Profile-Policy-Obje.txt
Domain-IE-Policy-Object.txt
Student-Policy-Object.txt
0
Toni UranjekConsultant/TrainerCommented:
Go to command prompt on client and run "gpresult /v > gpo.txt", then upload gpo.txt here.

The problem is not how your GPOs are configured but how they are linked. If they don't appear on list of applied objects in gpo.txt, they are not linked correctly, if they appear on denied objects list, something is preventing GPO to apply to client computers.
0
William_TAuthor Commented:
Here's the gpo.txt file.

The file states the the links are diabled yet in the GPO management they are linked and enabled.

gpo.txt
0
Toni UranjekConsultant/TrainerCommented:
Do you have any "usernev" related erros in Event Viewer's Application log?
Did you run "gpresult" as member of local Administrators group?
0
William_TAuthor Commented:
No, I do not have any "usernev" errors or any related errors.  I ran the grresult as the test user which is just a member of the Domain Users group and it is not associated with any Admin group or rights.
0
Toni UranjekConsultant/TrainerCommented:
Can you run "gpresult" as member of local Administrator group, to exclude possibilty that regular user account can not access all information from Computer Configuration part.
0
William_TAuthor Commented:
Yes, I can but administrators or not linked to the policies that I am trying to apply only those that are members of the Student OU.  

Here is the gpo.txt file that I ran as an administrator.
gpoadmin.txt
0
Toni UranjekConsultant/TrainerCommented:
We are troubleshooting Computer configuration part of Group Policy objects.

Does all computers experience the same error, does this computer experience any other problems?
0
Toni UranjekConsultant/TrainerCommented:
To which OUs exactly are the following policies linked:

Delete-Local-Profile-Policy-Object
Domain-IE-Policy-Object
Student-Policy-Object
0
William_TAuthor Commented:
To just my student OU.
0
William_TAuthor Commented:
Other than not applying the Computer Configuration section of the policy the computer does not experience any other issues.  
0
Toni UranjekConsultant/TrainerCommented:
Are you aware of the fact that computer which you used for gpresult is not in Student OU but in Computers container?

Move only one computer account from Computers container to Student OU, run "gpupdate /force" and "gpresult" again, any changes?
0
William_TAuthor Commented:
How would this affect other members of other OU's whose computer configuration policy is different from the students'?
0
Toni UranjekConsultant/TrainerCommented:
Computer configuration settings always affect all users the same. It doesn't matter in which OU they (users) are.
0
William_TAuthor Commented:
If I move the GPO to domain container but still have it apply only to the students in the security filtering will it only apply its computer settings if that OU member logs on?

I want the computer configuration of that GPO to only apply itself if that OU member logs on.
0
Toni UranjekConsultant/TrainerCommented:
Hi!

Group policy objects contain two distinctive  groups of settings: Computer Configuration settings and User Configuration settings. When you start computer and your network becomes active, client will check for new versions of GPOs on domain controller. If GPOs have changed, new versions will be downloaded and then Computer settings will be processed. You can observe this part of the process on your screen where it says "Applying computer settings...". When this part is over MSGINA will appear (Ctrl+Alt+Del Window). Now you can enter username and password and only now User configuration setting will be processed.

This means that Computer Configuration settings are ALWAYS processed first, regardless of which user will log on later and that you can't change this behaviour.

There is an "anomaly" in processing group policies called loopback processing. It this case Computer Configuration settings will be processed, than User Configuration settings will be processed and Computer settings will be processed AGAIN in replace or merge mode. Computer Configuration settings will win over User Configuration settings. This special cenario is often used on Terminal Servers or kiosk computers and does not solve your problem.

Security filtering will not help either, usualy security filtering brings nothing but... trouble.

Toni
0
William_TAuthor Commented:
There are settings in the computer configuration that are not found in the user configuration.  I would like to be able to apply these computer configuration setting for one group of users and not for another group.

I attempted to just apply these setting on a test computer but the computer configuration settings of the policy still did not work.  I must missed something.

I am thinking of creating a new OU and then moving a selected group of computers to that OU.  Then I will assign the GPO I want to that new group.  Would that work?
0
Toni UranjekConsultant/TrainerCommented:
Sorry for delay.

But the answer to your last question is still: no.

You can not filter Computer configuration settings based on user's group membership, because these settings are processed before user logs on.

Unfortunately, there is no workaround. I will be very surprised if you or anyone else comes with up with working solution.
0
DCSIMVTCommented:
thanks so much!!!!!!!!!! great
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.