?
Solved

GPO - User configuration settings not applying

Posted on 2008-11-05
15
Medium Priority
?
1,458 Views
Last Modified: 2012-05-05
GPO - User configuration settings not applying

I have a newly installed Windows 2003  server with a few client machines.
One of the client machines is a public access computer that also needs to be used by members of our staff. I am trying to apply GP settings via AD by using the User Configuration setting in the group policy editor. i.e. Log on as a public user - receive different gpo settings than another user.
Settings I am trying to apply are GUI lockdown, restrict access to system settings etc.

Non of the user settings are applying. I am using loopback processing but to no avail.

My AD structure is as follows -
2 user OU's. 1 for public users, 1 for staff
2 computer OU's - 1 public, 1 staff

I have other OU's that are applying settings just fine i.e the staff user and computer gpo's are ok.
I can't work it out.

Any help much appreciated !!
0
Comment
Question by:rookery-IT
  • 6
  • 3
  • 2
  • +3
15 Comments
 
LVL 17

Expert Comment

by:JohnGerhardt
ID: 22884864
Are the user settings disabled?
Right click at the top of the policy in question (on its name) and then choose properties..
There are check marks at the bottom... Is there any thing checked...?
0
 

Author Comment

by:rookery-IT
ID: 22884894
No settings are not disabled.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22884900
The user configuration will be applied on the basis of which OU the users actual account is in As the computer setting get applied first then the user the computer settings will apply if there is any conflict - unless you use LOOPBACK
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 

Author Comment

by:rookery-IT
ID: 22885080
My OU structue is as follows:

Users_Staff_OU: 5 users
Users_Public_OU: 1 user
Computers_Staff: 5 PC's
Computers_Public: 1 PC

Within the Users_Public I have all the GPO settings defined in User Configuration - No Computer Configuration settings are applied except Loopback.


0
 
LVL 70

Expert Comment

by:KCTS
ID: 22885118
Where are you linking the policy, if you link it to an OU with computers in it, then the user settings will not be appllied (as there are no user accounts in that OU)
0
 

Author Comment

by:rookery-IT
ID: 22885130
Policy is linked to Users_Public which only contains one user, no computers. The computer is linked to Computers_Public
0
 
LVL 12

Expert Comment

by:jjmartineziii
ID: 22885723
maybe you can run a gpresult /R at command and show us the results?
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22885898
In that case if the user who is in the Users_Public OU logs on then the policy should apply - bit it will not apply to anyone else.

Are you using the GPMC? If not download and install it now http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en it will greatly assist troubleshooting
0
 
LVL 1

Expert Comment

by:IQComp
ID: 22886804
Is the policy applied to the OU?  Is the user(s) in the OU?  Is the Windows Firewall enabled?  I have run into problems with applying GPO's when the Windows Firewall is turned on.
0
 
LVL 3

Expert Comment

by:fraserc
ID: 22887661
Hi,

Silly but I have to ask is the policy enforced? If not try this as it will ensure conflicting policy settings are overidden. You should obviously check that it is 'enabled' as well.
If that fails try running gpupdate /force on the machines that are playing up, answer no to both questions and then reboot the machine.

Regards,

Fraser.
0
 

Author Comment

by:rookery-IT
ID: 22896793
Hi in answer to the posts above:

jjmartineziii - thats a good idea. Im away from that dept for a day or two but I will try that - thanks.

IQComp: - Ill try the firewall - its possible it might be enabled - thanks


fraserc: Yes the policy is enforced. Ive done gpupdate /force but its not picking up the GP settings- thanks


Will post back soon. Thank you all.
0
 
LVL 3

Expert Comment

by:fraserc
ID: 22896967
Hi,

Unless I'm mistaken there is no /R switch for gpresult.
I think you must have meant to use verbose...
gpresult /V
Or superverbose
gpresult /Z

F,
0
 

Author Comment

by:rookery-IT
ID: 22922816
Ok, Ive tried Gpresult and it gives me 'INFO: The policy object does not exist' -  any more ideas?

I also deleted all my GPO's and created a new one with which to test.
All thats in it is a logon script that pops up a message - still wont work.

I have several other domain controllers in the organisation and they are all fine - I simply cannot work out why it isnt distributing the gp's
0
 

Accepted Solution

by:
rookery-IT earned 0 total points
ID: 22929669
I have found the solution to problem - DNS

For a client to pick up GP, its DNS server address must be the DNS server on the LAN.
My Domain Controller (which is the DNS server too)  was giving out DNS server addresses outsid eof the LAN to my clients not its own IP address (its a Forward Lookup Zone).

As soon as I manually configured DNS on the client to point towards the Domain Controller/DNS Server, flushed the DNS and GPUPDATE /FORCE 'd it worked straight away.

Thank you all for your comments.
0
 
LVL 12

Expert Comment

by:jjmartineziii
ID: 22930660
Nice to know! Good you got it taken care of.
0

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question