Solved

User configuration GPO not applying on XP Pro

Posted on 2009-05-04
13
898 Views
Last Modified: 2012-06-27
I'm stumped on a user configuration not being applied to our XP desktops in 2003 server domain. Computers are in a computer OU with a computer policy and works like a charm. The users are in a user OU with a user policy. I've run a RSoP on a test desktop with a test user and the user settings do show up but they are not applied at the computer. In particular, I'm trying to disable the ability to change display settings (resolution, screensaver, etc.). If I perform a gpupdate /force then policy applies and the display settings are blocked. This doesn't work out well because our users (students) use different computers all over campus. Can anyone shed some light on my situation? I haven't tried loopback processing but I don't think that's the issue given that I have separate OUs for computers and users.
0
Comment
Question by:MarkInAusTX
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 3
  • 3
13 Comments
 
LVL 8

Expert Comment

by:Pete_Zed
ID: 24298700
Under the COMPUTER CONFIGURATION/POLICIES/ADMIN TEMPLATES/SYSTEM/LOGON make sure "Always wait for the network at computer startup and logon" is enabled. The computer will wait for all policies to be loaded before logging in. This will hopefully help your user configuration settings too.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24298721
You may want to take a look at this and see if GPP solve your problem instead of using GP.

http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&DisplayLang=en
[This one has comparison between GPP and GP]
0
 
LVL 18

Expert Comment

by:Americom
ID: 24298759
Is your concerns are that you want the configuation settings be able to adjusts by user or you just have policy didn't get to apply to certain computers? May be I mis-read your description. What a about an example of your problem?
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:MarkInAusTX
ID: 24298781
Americom,

Thank you for the suggestion but it appears I need a Server 2008 machine for GPP and I only have Server 2003. The GP client extensions have been deployed to our computers through WSUS with the intent to deploy 2008 soon but not right now.
0
 

Author Comment

by:MarkInAusTX
ID: 24298817
Example of the problem (remember, according RSoP these settings are being applied):

User Joe Student logs on to DesktopA. The computer policies for DesktopA are applied (mainly application assignments) and the user policies for Joe include the prevention of changing the screen resolution, wallpaper, etc.

Joe has logged on and is still able to change the desktop settings. However, if I perform a gpupdate /force while he logged in, the settings are then applied and he loses the ability to change the desktop settings.

If Joe goes to DesktopB, the same problem occurs. The policy appears to apply but he is able to change desktop settings until a gpupdate /force is run.

I've also ran gpresult /z to a log file and it confirmed that the user settings are being sent but are not applying.

I hope that clarifies my situation a little better.
0
 

Author Comment

by:MarkInAusTX
ID: 24298841
Pete,

My hesitation with the setting is that laptops around our campus would have logon problems because they are often used for presentations with network access. How would the cached profile be handled if the computer was waiting for a non-existent network connection?
0
 
LVL 8

Expert Comment

by:Pete_Zed
ID: 24298873
We have a mixture of laptops and desktops around our school. This policy is in place for all machines. This policy only takes affect when there are changes to the GPO or the laptop/desktop is new to AD and is installed at second boot. Try a test in a test OU and apply this setting to a laptop to see what I mean. The "Always wait..." option will kick in after second boot or after you reboot from a GPUPDATE /FORCE command.
0
 

Author Comment

by:MarkInAusTX
ID: 24299192
Pete,

Thank you for the suggestion but this didn't seem to solve my problem. I continue to see the user policy in a log file but the settings do not "stick" until I force a gpupdate.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24299215
In general, "Always wait for the netowork..." setting is not required. It should be used when it is needed.

By default, Windows XP logs a user on in asynchronous mode. Group Policy is then applied in the background after the user is logged on. This results in faster logons.

However, in situations where you need for users to receive software, implement folder redirection, or run new scripts in a single logon, then you may apply a GPO with the setting Always wait for the network at computer startup and logon to the computer. For this setting to take effect, Group Policy must be refreshed or the computer restarted. Keep in mind that computer GPO usually refresh every 90 minutes.

It sounds like your issue may not be a concern other than running gpupdate /force or let the machine reboot a couple of times the GPOs will eventually applied.
0
 
LVL 8

Expert Comment

by:Pete_Zed
ID: 24299221
Could you try to delete the profile on the computer and then it will be recreated with a new profile with the correct settings?
0
 

Author Comment

by:MarkInAusTX
ID: 24299383
I tried deleting the profile and restarted the computer for good measure - still the same problem. "Always wait for the network..." is enabled and doesn't seem to be doing anything for me.

Running gpupdate /force does fix the problem but I can't tell every student to run that before they get started. I've tried placing a script that would run a batch file but that didn't work. The computer has been restarted several times and the GPO is being applied according to the gpresult command.

Maybe this will help...
The user policy specifying to add a "IE provide by..." to IE is working. When I open IE the title bar says "...provided by SMCA". So, why is that policy working and disabling the desktop properties dialog box not working?
0
 

Author Comment

by:MarkInAusTX
ID: 24299426
Below is the User Settings section from the gpresult log file I created. As you can see, several of the policies APPEAR to be applied but I can open the display properties dialog and change screen resolution until I run gpupdate /force.

[Banging head against wall!]

USER SETTINGS
--------------
    CN=Student\,  Test,OU=StudentBody,DC=smca,DC=local
    Last time Group Policy was applied: 5/4/2009 at 4:16:57 PM
    Group Policy was applied from:      srvdc1.smca.local
    Group Policy slow link threshold:   500 kbps
 
    Applied Group Policy Objects
    -----------------------------
        Student User Administrative Policy
        Default Domain Policy
 
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        System Center Essentials All Computers Policy
            Filtering:  Disabled (GPO)
 
        Disable Offline Files
            Filtering:  Disabled (GPO)
 
        Local Group Policy
            Filtering:  Not Applied (Empty)
 
    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        APSpanishExam
        SecGrp Students
        
    Resultant Set Of Policies for User:
    ------------------------------------
 
        Software Installations
        ----------------------
            N/A
 
        Public Key Policies
        -------------------
            N/A
 
        Administrative Templates
        ------------------------
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Policies\Microsoft\Windows NT\SharedFolders
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Policies\Microsoft\Windows NT\Printers
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Policies\Microsoft\Messenger\Client
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Applets\Tour
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Policies\Microsoft\MMC
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Policies\Microsoft\Messenger\Client
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Policies\Microsoft\Internet Explorer\Restrictions
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Policies\Microsoft\Control Panel\Desktop
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Policies\Microsoft\Windows\Network Connections
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Policies\Microsoft\Windows NT\Printers
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Policies\Microsoft\Internet Explorer\Main
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Policies\Microsoft\Windows\Network Connections
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Policies\Microsoft\Internet Explorer\SQM
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Policies\Microsoft\Windows\Directory UI
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Policies\Microsoft\Internet Explorer\PhishingFilter
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Policies\Microsoft\Messenger\Client
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled
 
            GPO: Student User Administrative Policy
                Setting: Software\Policies\Microsoft\Windows NT\SharedFolders
                State:   Enabled
 
        Folder Redirection
        ------------------
            N/A
 
        Internet Explorer Browser User Interface
        ----------------------------------------
            GPO: Student User Administrative Policy
                Large Animated Bitmap Name:      N/A
                Large Custom Logo Bitmap Name:   N/A
                Title BarText:                   SMCA
                UserAgent Text:                  N/A
                Delete existing toolbar buttons: No
 
        Internet Explorer Connection
        ----------------------------
            HTTP Proxy Server:   N/A
            Secure Proxy Server: N/A
            FTP Proxy Server:    N/A
            Gopher Proxy Server: N/A
            Socks Proxy Server:  N/A
            Auto Config Enable:  No
            Enable Proxy:        No
            Use same Proxy:      Yes
 
        Internet Explorer URLs
        ----------------------
            GPO: Student User Administrative Policy
                Home page URL:           N/A
                Search page URL:         N/A
                Online support page URL: N/A
 
        Internet Explorer Security
        --------------------------
            Always Viewable Sites:     N/A
            Password Override Enabled: False
 
            GPO: Student User Administrative Policy
                Import the current Content Ratings Settings:      No
                Import the current Security Zones Settings:       No
                Import current Authenticode Security Information: No
                Enable trusted publisher lockdown:                No
 
        Internet Explorer Programs
        --------------------------
            GPO: Student User Administrative Policy
                Import the current Program Settings: No

Open in new window

0
 

Accepted Solution

by:
MarkInAusTX earned 0 total points
ID: 24329212
I solved my problem. I use ScriptLogic's Desktop Authority in my environment. A new user was created in the OU that did not use the DA logon script and the user GPO successfully enumerated. So, the problem is with DA.

Carefully reviewing a trace file of the logon script, a flag that cleared all security policies was the culprit. I removed the flag and the user GPO applied successfully.

Thank you to all who helped; this problem was outside of GP and AD and that's what made it so difficult. I'm still trying to understand why gpresult showed the policies had applied if DA had cleared them.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question