Solved

Unable to get GPO's to run from 2003R2 to Vista

Posted on 2008-10-08
14
320 Views
Last Modified: 2012-05-05
Hello,

I have a mixed business environment that is compiled of all vista business computers and my server is still running 2003 R2.  I have created all my new gpo's by using my vista machine and I am currently using the updated version of GPMC.  The problem I'm running into is that the gpo's will not run or apply to any of the vista machines.  I have an OU under my DC in GPMC where I have linked the new gpo and it just won't run.  The only way I can get it to run is by link the GPO to my domain , which then runs the GPO on every pc in the domain, including the DC, but it does run my GPO's exactly the way I want them.

I have transferred all the files over from my vista machine to my server and I do know my GPO's work, but I just can't get them to run on my OU's at all.  I tired to run the dcgpofix to create the default gpo's and get an error stating it could not open the active directory object LDAP://......
0
Comment
Question by:Digmypics
  • 8
  • 5
14 Comments
 
LVL 14

Expert Comment

by:dfxdeimos
Comment Utility
So you create an OU named (for example) "Vista" and put all the computer accounts that run Vista underneath it. You then try to apply a GPO object to that OU and it doesn't apply.

What policies are you trying to set? Have you used the RSoP wizard ( http://technet.microsoft.com/en-us/library/cc758010.aspx ) ?
0
 

Author Comment

by:Digmypics
Comment Utility
Hello,

that is correct.. they are there and will not apply.. if it take the GPO and link it to my domain digmypics.com, it applies to all pc's in the entire company including domain controllers.. I'm pretty sure its due to the fact there isn't a default domain policy (not sure why its gone and I can't recreate it using dcgpofix command).
0
 
LVL 14

Expert Comment

by:dfxdeimos
Comment Utility
So when you apply it to the entire domain it applies successfully to the Vista machines also?

If you don't have a Default Domain Policy, I would just create a new (blank) GPO, change its name, and assign it to the domain.

After you do this, try setting it up again with a Vista OU with the GPO associated with it. Run a "gpupdate /force" on one of the Vista machines in question, then use the RSoP Wizard to see where along the way the process is failing.
0
 

Author Comment

by:Digmypics
Comment Utility
yes, when I apply it to the domain it will effect vista and my xp machines with no problems.  As soon as I link the GPO to the OU (vista) it won't apply to any machines on the domain.
I've added the default GPO back in and left them blank, did a gpupdate /force, no effects.
0
 
LVL 14

Expert Comment

by:dfxdeimos
Comment Utility
Please set it up how you would like it to be (seperate OU with the Vista machines in it, seperate GPO applied to that OU) and then run the RSoP wizard on one of the machines. A guide to RSoP can be found in my first post.
This will tell you where the process is being broken / what is being applied.
0
 

Author Comment

by:Digmypics
Comment Utility
All my machines are vista based, we have 2 xp machines that won't be getting any GPO's sent to the.. I just used the XP boxes to test.

I will run the RSoP and see what I can come up with.  
0
 
LVL 14

Expert Comment

by:dfxdeimos
Comment Utility
Great, I will keep an eye on this question for your resonse.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:Digmypics
Comment Utility
Hello,

Ok, according to RSoP it is showing as an applied gpo for computer and user.. just the way i want them..  I did the RSoP to use the test account and test computer that won't apply the gpo's.  According to the RSoP everyting is working ok and all my settings are there.

If i log back onto the same machine as the user not the admin of the  domain, and run group policy results, it shows no GPO's being applied.  even tho running the RSoP as domain admin will show it applying to my test account.

0
 
LVL 53

Accepted Solution

by:
McKnife earned 50 total points
Comment Utility
Could it be the simple error of linking computer settings to an OU with user objects or vice versa?
In this case, no wonder linking to the domain root works - that way it gets applied to anything.
0
 

Author Comment

by:Digmypics
Comment Utility
I have the GPO applied to a OU that only has one vista machine in it.  No users, only computers.. I have applied the same gpo to my users OU with the test user account only in it, still get the same problems.  It just doesn't apply or even show in gpresult
0
 

Author Comment

by:Digmypics
Comment Utility
Do GPO's apply to secuirty groups inside of OU's?

To better clarify.. I have my OU(test)with a Group that contains the test machine in it (called tester1) and no users.  Shouldn't the GPO's apply to this group inside the OU?

I pulled the tester1 computer out of domain/computers and into the test OU, removed the group and it will apply now.

When I was running XP I used groups inside of OU's to apply my GPO's so I didn't have to move computers and users out of the default area's.> Maybe this changed in vista?
0
 
LVL 14

Expert Comment

by:dfxdeimos
Comment Utility
Hmm... that I couldn't say for sure but I believe that functionality should be intact. You can test it easy enough by moving a Computer account into that OU. Beware of the order of GPO inheritance Local, Site, Domain, OU
0
 

Author Comment

by:Digmypics
Comment Utility
Yup, its confirmed.. If i pull the physical pc, or user out of their default groups and place them into the OU it works fine and the GPO's apply with no issues.

But moving the users out of the users OU and the computers out of the computers OU, wouldn't this cause other issues in active directory?

The only thing that is really bugging me is that the RSoP is fine and has 100% success when my groups are inside of OU's, but doesn't work in real life.
I have the group  setup as a Global Security group which is what I used to do with my XP enviroment.  Does this need to be changed from global security group to universal distribuion group maybe?
0
 

Author Comment

by:Digmypics
Comment Utility
Does anyone have any ideas to why the GPO's are not applying to group's inside of the OU?  I've been looking into it for days with no luck.

Thanks,
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Suggested Solutions

There are many reasons a PC runs slower than when it was new, ranging from malicious software intended to mess things up to simple general Windows use.  Your PC performance may slowly degrade over time without you noticing but when you buy a PC from…
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now