GPO not propagating.

I have a network running SBS 2003 Std. where I'm trying to turn off Security Center.
In the Default Domain Policy, I've set it to turn off Security Center, but after users have logged out & back in, Security Center still shows up on their systems.
I know there's tools to check on the client PCs what GPOs are propigating, but I'm not familiar with them & where to look for them.
Where should I start?
Thanks!
bryanchandlerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Justin OwensITIL Problem ManagerCommented:
Can you post exactly what GPO you are using and how you have it configured (Enable, Disabled, or Not Configured) as well as how it is linked?
GPRESULT is the client tool you can use to determine what GPOs are running against your machine.  It is used from the Command Shell.
Justin
0
Ilya RubinshteynCommented:
Try running gpupdate /force to force the group policy to replicate.
0
bryanchandlerAuthor Commented:
@irnmamont I've already ran gpupdate /force on the network.  I always do when making GPO changes.

I don't want to post the whole policy for security reasons, but the policy in question is:
ComputerConfiguration/AdministrativeTemplates/WindowsComponents/SecurityCenter/TurnOnSecurityCenter (disabled)

It applies to Authenticated Users.

Here's the results from GPRESULT:




Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 4/6/2010 at 11:40:08 AM


RSOP results for *domain*\bchandler on *CLIENTPC* : Logging Mode
-----------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 *domain*
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:             
Local Profile:               C:\Documents and Settings\bchandler
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=*CLIENTPC*,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=*domain*,DC=local
    Last time Group Policy was applied: 4/6/2010 at 10:52:28 AM
    Group Policy was applied from:      *SERVER*.*domain*.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Small Business Server Windows Firewall
        Default Domain Policy
        Small Business Server WSUS Policy
        GFI Monitoring Policy
        Accounty Lockout Policy
        Small Business Server Domain Password Policy
        Small Business Server Client Computer
        Small Business Server Remote Assistance Policy
        Small Business Server Lockout Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Small Business Server Folder Redirection
            Filtering:  Not Applied (Empty)

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        *CLIENTPC*$
        Domain Computers
        SupervisorHOSTSBypas
        

USER SETTINGS
--------------
    CN=Bryan Chandler,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=*domain*,DC=local
    Last time Group Policy was applied: 4/6/2010 at 11:31:33 AM
    Group Policy was applied from:      *SERVER*.*domain*.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Small Business Server Folder Redirection
        Small Business Server Client Computer

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Nurses2LockdownPolicy
            Filtering:  Denied (Security)

        Accounty Lockout Policy
            Filtering:  Not Applied (Empty)

        Nurses1LockDownPolicy
            Filtering:  Denied (Security)

        Small Business Server WSUS Policy
            Filtering:  Denied (Security)

        GFI Monitoring Policy
            Filtering:  Denied (Security)

        Selective Disable Shutdown Policy
            Filtering:  Denied (Security)

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Windows Firewall
            Filtering:  Not Applied (Empty)

        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        Offer Remote Assistance Helpers
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Administrators
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        Domain Admins
        SBS Mobile Users
        SBS Report Users
        Web Workplace Users
        Offer Remote Assistance Helpers

Open in new window

0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Justin OwensITIL Problem ManagerCommented:
What is the name of your GPO which contains that Policy?
0
bryanchandlerAuthor Commented:
Default Domain Policy (the main one!)
0
Justin OwensITIL Problem ManagerCommented:
As a matter of habit, Best Practice says to never modify the Default Domain Policy.  Can you remove this setting from your Default Domain Policy and add it to another one or create a new one for it?
It will make troubleshooting this easier.
Justin
0
bryanchandlerAuthor Commented:
@DrUltima:
I removed the setting from Default Domain Policy, created a new linked GPO called "Security Center Policy" w/ "Turn On Security Center" to "disabled", ran GPUPDATE /FORCE on both the server and the client PC I'm tested on, rebooted the client & logged back in.  Security Center is still running.
Here's the latest output from GPRESULT on the test client PC:

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 4/6/2010 at 1:06:23 PM


RSOP results for *domain*\bchandler on *clientpc* : Logging Mode
-----------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 *domain*
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:             
Local Profile:               C:\Documents and Settings\bchandler
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=*clientpc*,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=*domain*,DC=local
    Last time Group Policy was applied: 4/6/2010 at 1:01:46 PM
    Group Policy was applied from:      *server*.*domain*.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Small Business Server Windows Firewall
        Default Domain Policy
        Small Business Server WSUS Policy
        GFI Monitoring Policy
        Accounty Lockout Policy
        Security Center Policy
        Small Business Server Domain Password Policy
        Small Business Server Client Computer
        Small Business Server Remote Assistance Policy
        Small Business Server Lockout Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Folder Redirection
            Filtering:  Not Applied (Empty)

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        *clientpc*$
        Domain Computers
        SupervisorHOSTSBypas
        

USER SETTINGS
--------------
    CN=Bryan Chandler,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=*domain*,DC=local
    Last time Group Policy was applied: 4/6/2010 at 1:03:50 PM
    Group Policy was applied from:      *server*.*domain*.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Small Business Server Folder Redirection
        Small Business Server Client Computer

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

        Small Business Server WSUS Policy
            Filtering:  Denied (Security)

        Nurses2LockdownPolicy
            Filtering:  Denied (Security)

        Accounty Lockout Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        GFI Monitoring Policy
            Filtering:  Denied (Security)

        Selective Disable Shutdown Policy
            Filtering:  Denied (Security)

        Security Center Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Windows Firewall
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Nurses1LockDownPolicy
            Filtering:  Denied (Security)

        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        Offer Remote Assistance Helpers
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Administrators
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        Domain Admins
        SBS Mobile Users
        SBS Report Users
        Web Workplace Users
        Offer Remote Assistance Helpers

Open in new window

0
Justin OwensITIL Problem ManagerCommented:
Do you have any other policies which may enable this Policy?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
bryanchandlerAuthor Commented:
I've refreshed & checked each GPO.  Only the one I just created has that setting.
0
bryanchandlerAuthor Commented:
I added "domain users" to the scope of this new GPO & rebooted the test client PC.  Security Center is still running.
Here's the latest GPRESULT:


Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 4/6/2010 at 2:02:01 PM


RSOP results for *domain*\bchandler on KKECKRITZ01 : Logging Mode
-----------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 *domain*
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:             
Local Profile:               C:\Documents and Settings\bchandler
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=*clientpc*,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=*domain*,DC=local
    Last time Group Policy was applied: 4/6/2010 at 1:56:50 PM
    Group Policy was applied from:      *server*.*domain*.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Small Business Server Windows Firewall
        Default Domain Policy
        Small Business Server WSUS Policy
        GFI Monitoring Policy
        Accounty Lockout Policy
        Security Center Policy
        Small Business Server Domain Password Policy
        Small Business Server Client Computer
        Small Business Server Remote Assistance Policy
        Small Business Server Lockout Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Folder Redirection
            Filtering:  Not Applied (Empty)

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        *clientpc*$
        Domain Computers
        SupervisorHOSTSBypas
        

USER SETTINGS
--------------
    CN=Bryan Chandler,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=*domain*,DC=local
    Last time Group Policy was applied: 4/6/2010 at 1:58:31 PM
    Group Policy was applied from:      *server*.*domain*.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Small Business Server Folder Redirection
        Small Business Server Client Computer

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

        Small Business Server WSUS Policy
            Filtering:  Denied (Security)

        Nurses2LockdownPolicy
            Filtering:  Denied (Security)

        Accounty Lockout Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

        Small Business Server - Windows Vista policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: Vista

        GFI Monitoring Policy
            Filtering:  Denied (Security)

        Selective Disable Shutdown Policy
            Filtering:  Denied (Security)

        Security Center Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Windows Firewall
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Nurses1LockDownPolicy
            Filtering:  Denied (Security)

        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        Offer Remote Assistance Helpers
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Administrators
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        Domain Admins
        SBS Mobile Users
        SBS Report Users
        Web Workplace Users
        Offer Remote Assistance Helpers

Open in new window

0
bryanchandlerAuthor Commented:
I found that the setting for Security Center WAS in fact set to "enabled" in another GPO.  I hadn't looked hard enough.
After removing this setting from that GPO, the other GPO I had created took affect & Security Center is now off.
Thanks Doc!
0
Justin OwensITIL Problem ManagerCommented:
My pleasure.  Thanks for the update.
0
bryanchandlerAuthor Commented:
So I can assume then that in a GPO setting:
Enabled>Disabled>Not Applied
...as opposed to file security where:
Denied>Not Applied>Enabled?

Thanks for the design consistency Microsoft!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.