[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

GPO not propagating.

Posted on 2010-04-06
13
Medium Priority
?
1,076 Views
Last Modified: 2012-05-09
I have a network running SBS 2003 Std. where I'm trying to turn off Security Center.
In the Default Domain Policy, I've set it to turn off Security Center, but after users have logged out & back in, Security Center still shows up on their systems.
I know there's tools to check on the client PCs what GPOs are propigating, but I'm not familiar with them & where to look for them.
Where should I start?
Thanks!
0
Comment
Question by:bryanchandler
  • 7
  • 5
13 Comments
 
LVL 31

Expert Comment

by:Justin Owens
ID: 29922784
Can you post exactly what GPO you are using and how you have it configured (Enable, Disabled, or Not Configured) as well as how it is linked?
GPRESULT is the client tool you can use to determine what GPOs are running against your machine.  It is used from the Command Shell.
Justin
0
 
LVL 7

Expert Comment

by:Ilya Rubinshteyn
ID: 29924325
Try running gpupdate /force to force the group policy to replicate.
0
 

Author Comment

by:bryanchandler
ID: 29927649
@irnmamont I've already ran gpupdate /force on the network.  I always do when making GPO changes.

I don't want to post the whole policy for security reasons, but the policy in question is:
ComputerConfiguration/AdministrativeTemplates/WindowsComponents/SecurityCenter/TurnOnSecurityCenter (disabled)

It applies to Authenticated Users.

Here's the results from GPRESULT:




Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 4/6/2010 at 11:40:08 AM


RSOP results for *domain*\bchandler on *CLIENTPC* : Logging Mode
-----------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 *domain*
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:             
Local Profile:               C:\Documents and Settings\bchandler
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=*CLIENTPC*,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=*domain*,DC=local
    Last time Group Policy was applied: 4/6/2010 at 10:52:28 AM
    Group Policy was applied from:      *SERVER*.*domain*.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Small Business Server Windows Firewall
        Default Domain Policy
        Small Business Server WSUS Policy
        GFI Monitoring Policy
        Accounty Lockout Policy
        Small Business Server Domain Password Policy
        Small Business Server Client Computer
        Small Business Server Remote Assistance Policy
        Small Business Server Lockout Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Small Business Server Folder Redirection
            Filtering:  Not Applied (Empty)

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        *CLIENTPC*$
        Domain Computers
        SupervisorHOSTSBypas
        

USER SETTINGS
--------------
    CN=Bryan Chandler,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=*domain*,DC=local
    Last time Group Policy was applied: 4/6/2010 at 11:31:33 AM
    Group Policy was applied from:      *SERVER*.*domain*.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Small Business Server Folder Redirection
        Small Business Server Client Computer

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Nurses2LockdownPolicy
            Filtering:  Denied (Security)

        Accounty Lockout Policy
            Filtering:  Not Applied (Empty)

        Nurses1LockDownPolicy
            Filtering:  Denied (Security)

        Small Business Server WSUS Policy
            Filtering:  Denied (Security)

        GFI Monitoring Policy
            Filtering:  Denied (Security)

        Selective Disable Shutdown Policy
            Filtering:  Denied (Security)

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Windows Firewall
            Filtering:  Not Applied (Empty)

        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        Offer Remote Assistance Helpers
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Administrators
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        Domain Admins
        SBS Mobile Users
        SBS Report Users
        Web Workplace Users
        Offer Remote Assistance Helpers

Open in new window

0
Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

 
LVL 31

Expert Comment

by:Justin Owens
ID: 29928343
What is the name of your GPO which contains that Policy?
0
 

Author Comment

by:bryanchandler
ID: 29928408
Default Domain Policy (the main one!)
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 29929490
As a matter of habit, Best Practice says to never modify the Default Domain Policy.  Can you remove this setting from your Default Domain Policy and add it to another one or create a new one for it?
It will make troubleshooting this easier.
Justin
0
 

Author Comment

by:bryanchandler
ID: 29935691
@DrUltima:
I removed the setting from Default Domain Policy, created a new linked GPO called "Security Center Policy" w/ "Turn On Security Center" to "disabled", ran GPUPDATE /FORCE on both the server and the client PC I'm tested on, rebooted the client & logged back in.  Security Center is still running.
Here's the latest output from GPRESULT on the test client PC:

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 4/6/2010 at 1:06:23 PM


RSOP results for *domain*\bchandler on *clientpc* : Logging Mode
-----------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 *domain*
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:             
Local Profile:               C:\Documents and Settings\bchandler
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=*clientpc*,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=*domain*,DC=local
    Last time Group Policy was applied: 4/6/2010 at 1:01:46 PM
    Group Policy was applied from:      *server*.*domain*.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Small Business Server Windows Firewall
        Default Domain Policy
        Small Business Server WSUS Policy
        GFI Monitoring Policy
        Accounty Lockout Policy
        Security Center Policy
        Small Business Server Domain Password Policy
        Small Business Server Client Computer
        Small Business Server Remote Assistance Policy
        Small Business Server Lockout Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Folder Redirection
            Filtering:  Not Applied (Empty)

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        *clientpc*$
        Domain Computers
        SupervisorHOSTSBypas
        

USER SETTINGS
--------------
    CN=Bryan Chandler,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=*domain*,DC=local
    Last time Group Policy was applied: 4/6/2010 at 1:03:50 PM
    Group Policy was applied from:      *server*.*domain*.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Small Business Server Folder Redirection
        Small Business Server Client Computer

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

        Small Business Server WSUS Policy
            Filtering:  Denied (Security)

        Nurses2LockdownPolicy
            Filtering:  Denied (Security)

        Accounty Lockout Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        GFI Monitoring Policy
            Filtering:  Denied (Security)

        Selective Disable Shutdown Policy
            Filtering:  Denied (Security)

        Security Center Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Windows Firewall
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Nurses1LockDownPolicy
            Filtering:  Denied (Security)

        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        Offer Remote Assistance Helpers
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Administrators
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        Domain Admins
        SBS Mobile Users
        SBS Report Users
        Web Workplace Users
        Offer Remote Assistance Helpers

Open in new window

0
 
LVL 31

Accepted Solution

by:
Justin Owens earned 1600 total points
ID: 29936006
Do you have any other policies which may enable this Policy?
0
 

Author Comment

by:bryanchandler
ID: 29938070
I've refreshed & checked each GPO.  Only the one I just created has that setting.
0
 

Author Comment

by:bryanchandler
ID: 29940332
I added "domain users" to the scope of this new GPO & rebooted the test client PC.  Security Center is still running.
Here's the latest GPRESULT:


Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 4/6/2010 at 2:02:01 PM


RSOP results for *domain*\bchandler on KKECKRITZ01 : Logging Mode
-----------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 *domain*
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:             
Local Profile:               C:\Documents and Settings\bchandler
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=*clientpc*,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=*domain*,DC=local
    Last time Group Policy was applied: 4/6/2010 at 1:56:50 PM
    Group Policy was applied from:      *server*.*domain*.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Small Business Server Windows Firewall
        Default Domain Policy
        Small Business Server WSUS Policy
        GFI Monitoring Policy
        Accounty Lockout Policy
        Security Center Policy
        Small Business Server Domain Password Policy
        Small Business Server Client Computer
        Small Business Server Remote Assistance Policy
        Small Business Server Lockout Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Folder Redirection
            Filtering:  Not Applied (Empty)

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        *clientpc*$
        Domain Computers
        SupervisorHOSTSBypas
        

USER SETTINGS
--------------
    CN=Bryan Chandler,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=*domain*,DC=local
    Last time Group Policy was applied: 4/6/2010 at 1:58:31 PM
    Group Policy was applied from:      *server*.*domain*.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Small Business Server Folder Redirection
        Small Business Server Client Computer

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

        Small Business Server WSUS Policy
            Filtering:  Denied (Security)

        Nurses2LockdownPolicy
            Filtering:  Denied (Security)

        Accounty Lockout Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        GFI Monitoring Policy
            Filtering:  Denied (Security)

        Selective Disable Shutdown Policy
            Filtering:  Denied (Security)

        Security Center Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Windows Firewall
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Nurses1LockDownPolicy
            Filtering:  Denied (Security)

        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        Offer Remote Assistance Helpers
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Administrators
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        Domain Admins
        SBS Mobile Users
        SBS Report Users
        Web Workplace Users
        Offer Remote Assistance Helpers

Open in new window

0
 

Author Comment

by:bryanchandler
ID: 29941211
I found that the setting for Security Center WAS in fact set to "enabled" in another GPO.  I hadn't looked hard enough.
After removing this setting from that GPO, the other GPO I had created took affect & Security Center is now off.
Thanks Doc!
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 29941438
My pleasure.  Thanks for the update.
0
 

Author Comment

by:bryanchandler
ID: 29941987
So I can assume then that in a GPO setting:
Enabled>Disabled>Not Applied
...as opposed to file security where:
Denied>Not Applied>Enabled?

Thanks for the design consistency Microsoft!
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I work for a company that primarily works with small businesses as their outsourced IT vendor. As such the majority of these customers utilize some version of Small Business Server. Due to the economics of running a small business, many of these cus…
There’s hardly a doubt that Business Communication is indispensable for both enterprises and small businesses, and if there is an email system outage owing to Exchange server failure, it definitely results in loss of productivity.
How to fix display issue, screen flickering issue when I plug in power cord to the machine. Before I start explaining the solution lets check out once the issue how it looks like after I connect the power cord. most of you also have faced this…
Get the source code for a fully functional Access application shell with several popular security features that Access VBA application developers desire, but find difficult or impossible to figure out how to code. You get the source code for managi…

612 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question