Solved

User configuration GPO not applying on XP Pro

Posted on 2009-05-04
13
850 Views
Last Modified: 2012-06-27
I'm stumped on a user configuration not being applied to our XP desktops in 2003 server domain. Computers are in a computer OU with a computer policy and works like a charm. The users are in a user OU with a user policy. I've run a RSoP on a test desktop with a test user and the user settings do show up but they are not applied at the computer. In particular, I'm trying to disable the ability to change display settings (resolution, screensaver, etc.). If I perform a gpupdate /force then policy applies and the display settings are blocked. This doesn't work out well because our users (students) use different computers all over campus. Can anyone shed some light on my situation? I haven't tried loopback processing but I don't think that's the issue given that I have separate OUs for computers and users.
0
Comment
Question by:MarkInAusTX
  • 7
  • 3
  • 3
13 Comments
 
LVL 8

Expert Comment

by:Pete_Zed
ID: 24298700
Under the COMPUTER CONFIGURATION/POLICIES/ADMIN TEMPLATES/SYSTEM/LOGON make sure "Always wait for the network at computer startup and logon" is enabled. The computer will wait for all policies to be loaded before logging in. This will hopefully help your user configuration settings too.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24298721
You may want to take a look at this and see if GPP solve your problem instead of using GP.

http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&DisplayLang=en
[This one has comparison between GPP and GP]
0
 
LVL 18

Expert Comment

by:Americom
ID: 24298759
Is your concerns are that you want the configuation settings be able to adjusts by user or you just have policy didn't get to apply to certain computers? May be I mis-read your description. What a about an example of your problem?
0
 

Author Comment

by:MarkInAusTX
ID: 24298781
Americom,

Thank you for the suggestion but it appears I need a Server 2008 machine for GPP and I only have Server 2003. The GP client extensions have been deployed to our computers through WSUS with the intent to deploy 2008 soon but not right now.
0
 

Author Comment

by:MarkInAusTX
ID: 24298817
Example of the problem (remember, according RSoP these settings are being applied):

User Joe Student logs on to DesktopA. The computer policies for DesktopA are applied (mainly application assignments) and the user policies for Joe include the prevention of changing the screen resolution, wallpaper, etc.

Joe has logged on and is still able to change the desktop settings. However, if I perform a gpupdate /force while he logged in, the settings are then applied and he loses the ability to change the desktop settings.

If Joe goes to DesktopB, the same problem occurs. The policy appears to apply but he is able to change desktop settings until a gpupdate /force is run.

I've also ran gpresult /z to a log file and it confirmed that the user settings are being sent but are not applying.

I hope that clarifies my situation a little better.
0
 

Author Comment

by:MarkInAusTX
ID: 24298841
Pete,

My hesitation with the setting is that laptops around our campus would have logon problems because they are often used for presentations with network access. How would the cached profile be handled if the computer was waiting for a non-existent network connection?
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 8

Expert Comment

by:Pete_Zed
ID: 24298873
We have a mixture of laptops and desktops around our school. This policy is in place for all machines. This policy only takes affect when there are changes to the GPO or the laptop/desktop is new to AD and is installed at second boot. Try a test in a test OU and apply this setting to a laptop to see what I mean. The "Always wait..." option will kick in after second boot or after you reboot from a GPUPDATE /FORCE command.
0
 

Author Comment

by:MarkInAusTX
ID: 24299192
Pete,

Thank you for the suggestion but this didn't seem to solve my problem. I continue to see the user policy in a log file but the settings do not "stick" until I force a gpupdate.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24299215
In general, "Always wait for the netowork..." setting is not required. It should be used when it is needed.

By default, Windows XP logs a user on in asynchronous mode. Group Policy is then applied in the background after the user is logged on. This results in faster logons.

However, in situations where you need for users to receive software, implement folder redirection, or run new scripts in a single logon, then you may apply a GPO with the setting Always wait for the network at computer startup and logon to the computer. For this setting to take effect, Group Policy must be refreshed or the computer restarted. Keep in mind that computer GPO usually refresh every 90 minutes.

It sounds like your issue may not be a concern other than running gpupdate /force or let the machine reboot a couple of times the GPOs will eventually applied.
0
 
LVL 8

Expert Comment

by:Pete_Zed
ID: 24299221
Could you try to delete the profile on the computer and then it will be recreated with a new profile with the correct settings?
0
 

Author Comment

by:MarkInAusTX
ID: 24299383
I tried deleting the profile and restarted the computer for good measure - still the same problem. "Always wait for the network..." is enabled and doesn't seem to be doing anything for me.

Running gpupdate /force does fix the problem but I can't tell every student to run that before they get started. I've tried placing a script that would run a batch file but that didn't work. The computer has been restarted several times and the GPO is being applied according to the gpresult command.

Maybe this will help...
The user policy specifying to add a "IE provide by..." to IE is working. When I open IE the title bar says "...provided by SMCA". So, why is that policy working and disabling the desktop properties dialog box not working?
0
 

Author Comment

by:MarkInAusTX
ID: 24299426
Below is the User Settings section from the gpresult log file I created. As you can see, several of the policies APPEAR to be applied but I can open the display properties dialog and change screen resolution until I run gpupdate /force.

[Banging head against wall!]

USER SETTINGS

--------------

    CN=Student\,  Test,OU=StudentBody,DC=smca,DC=local

    Last time Group Policy was applied: 5/4/2009 at 4:16:57 PM

    Group Policy was applied from:      srvdc1.smca.local

    Group Policy slow link threshold:   500 kbps
 

    Applied Group Policy Objects

    -----------------------------

        Student User Administrative Policy

        Default Domain Policy
 

    The following GPOs were not applied because they were filtered out

    -------------------------------------------------------------------

        System Center Essentials All Computers Policy

            Filtering:  Disabled (GPO)
 

        Disable Offline Files

            Filtering:  Disabled (GPO)
 

        Local Group Policy

            Filtering:  Not Applied (Empty)
 

    The user is a part of the following security groups:

    ----------------------------------------------------

        Domain Users

        Everyone

        BUILTIN\Users

        NT AUTHORITY\INTERACTIVE

        NT AUTHORITY\Authenticated Users

        LOCAL

        APSpanishExam

        SecGrp Students

        

    Resultant Set Of Policies for User:

    ------------------------------------
 

        Software Installations

        ----------------------

            N/A
 

        Public Key Policies

        -------------------

            N/A
 

        Administrative Templates

        ------------------------

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Policies\Microsoft\Windows NT\SharedFolders

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Policies\Microsoft\Windows NT\Printers

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Policies\Microsoft\Messenger\Client

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Applets\Tour

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Policies\Microsoft\MMC

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Policies\Microsoft\Messenger\Client

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Policies\Microsoft\Internet Explorer\Restrictions

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Policies\Microsoft\Control Panel\Desktop

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Policies\Microsoft\Windows\Network Connections

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Policies\Microsoft\Windows NT\Printers

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Policies\Microsoft\Internet Explorer\Main

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Policies\Microsoft\Windows\Network Connections

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Policies\Microsoft\Internet Explorer\SQM

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Policies\Microsoft\Windows\Directory UI

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Policies\Microsoft\Internet Explorer\PhishingFilter

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Policies\Microsoft\Messenger\Client

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                State:   Enabled
 

            GPO: Student User Administrative Policy

                Setting: Software\Policies\Microsoft\Windows NT\SharedFolders

                State:   Enabled
 

        Folder Redirection

        ------------------

            N/A
 

        Internet Explorer Browser User Interface

        ----------------------------------------

            GPO: Student User Administrative Policy

                Large Animated Bitmap Name:      N/A

                Large Custom Logo Bitmap Name:   N/A

                Title BarText:                   SMCA

                UserAgent Text:                  N/A

                Delete existing toolbar buttons: No
 

        Internet Explorer Connection

        ----------------------------

            HTTP Proxy Server:   N/A

            Secure Proxy Server: N/A

            FTP Proxy Server:    N/A

            Gopher Proxy Server: N/A

            Socks Proxy Server:  N/A

            Auto Config Enable:  No

            Enable Proxy:        No

            Use same Proxy:      Yes
 

        Internet Explorer URLs

        ----------------------

            GPO: Student User Administrative Policy

                Home page URL:           N/A

                Search page URL:         N/A

                Online support page URL: N/A
 

        Internet Explorer Security

        --------------------------

            Always Viewable Sites:     N/A

            Password Override Enabled: False
 

            GPO: Student User Administrative Policy

                Import the current Content Ratings Settings:      No

                Import the current Security Zones Settings:       No

                Import current Authenticode Security Information: No

                Enable trusted publisher lockdown:                No
 

        Internet Explorer Programs

        --------------------------

            GPO: Student User Administrative Policy

                Import the current Program Settings: No

Open in new window

0
 

Accepted Solution

by:
MarkInAusTX earned 0 total points
ID: 24329212
I solved my problem. I use ScriptLogic's Desktop Authority in my environment. A new user was created in the OU that did not use the DA logon script and the user GPO successfully enumerated. So, the problem is with DA.

Carefully reviewing a trace file of the logon script, a flag that cleared all security policies was the culprit. I removed the flag and the user GPO applied successfully.

Thank you to all who helped; this problem was outside of GP and AD and that's what made it so difficult. I'm still trying to understand why gpresult showed the policies had applied if DA had cleared them.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

Do you have users whose passwords are expiring and they are constantly calling you?  Well I sure did and needed a way to put an end to this.  We have a lot of remote users which would not be notified that their passwords were expiring since they wer…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now