
Help with GPO not applying (specific to Computer Configuration settings)

Posted on 2011-03-18
Last Modified: 2012-05-11
Hey everyone, I'd love some assistance with a problem I can't seem to get past; I've altered the Default Domain Policy to include entries for EFS Recovery Agents etc. at the following locations:

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certificates

Everything is great except that these settings do not seem to get pushed out to client machines. (mix of WinXP pro and Win7pro) I've run "gpupdate /force" on the servers (mix of 2k3, 2k3 R2, and 2008 R2) and run "gpupdate" on the clients but no luck. I've been working on this problem for over a day now, so I'm thinking that even without the gpupdate commands things should have updated by now.

Trying to track down the problem I ran RSOP based on the domain, and a particular computer I'm using as a guinea pig; both returned the expected result. I also looked at the syslog for that machine which showed that the GP configuration was updated successfully.

To make things more interesting I did a simple test by adding a new GPO and linking to the domain, then made a simple change in the User Configuration (placed a bookmark in IE); this policy updated on the client just fine. It seems that the user config is working but computer config is not...

Please let me know if anything jumps out as a possible cause or if any other quick checks come to mind, thanks in advance.
Question by:jostafew

Expert Comment

by:BCipollone
ID: 35169165
Might want to try this:

"So, in the end, having all the computers in an OU linked to a GPO was not enough. I had to add the computers to a group within that OU, and then specify that group in the Security Filtering section"

Resource: http://www.petri.co.il/forums/showthread.php?t=23325

There is also an article that will take longer to read, but should help here: http://alsolorzano.com/blogs/tips__tricks/archive/2008/06/02/group-policy-preferences-in-a-windows-2003-domain-and-a-windows-2008-domain.aspx

Author Comment

by:jostafew
ID: 35169492
Hey BCipollone, thank you for the reply. I read over the article at petri.co and tried the same approach on my system;

Within the applicable OU for this site (Langley) I created a security group called Langley Computers and added the test computers to that group. Back in GP Management I added the new Langley Computers group to the list under Delegation and gave that group Read and Apply Group Policy permissions. After all that was another round of gpupdate /force on the server and gpupdate on the clients (Win XP pro and Win7 pro). Sadly still no luck.

I am going to go back and read the alsolorzano.com article now. Please let me know if you have any other thoughts.

Author Comment

by:jostafew
ID: 35183244
Still working on this problem... I defined another test setting:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Do not require CTRL+ALT+DEL

and that applied OK on both my XP and Win7 machine... so that tells me that everything is working as it should (correctly linked to OUs, permissions OK etc.) but the machines just will not take the Public Key Policies!

Any other thoughts?

Accepted Solution

by:jostafew
ID: 35201384
A related thread has provided an answer to this problem; I was using gpedit.msc to view the status of the GPs being applied to the client machine. This was not giving the whole picture. Running rsop.msc confirmed that the GPOs were applied. I was also able to confirm the recovery agents' certificates being added to the encrypted files under the details section in the advanced properties of an encrypted file.

BCipollone thank you for your input.
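
The client-side check behind the accepted answer can be scripted. The following PowerShell is an added example, not part of the original thread: it lists the certificates that domain policy has delivered for the EFS and Trusted Root stores, shows which GPOs were applied to the computer, and prints the recovery certificates on one encrypted file. The registry root is where Windows stores policy-delivered certificates, the function name `Get-GpoCertThumbprints` is made up for this example, and the sample file path is a placeholder.

```powershell
# Added example: confirm on a client that computer-side Public Key Policies arrived.
# gpedit.msc only edits the local policy object, so it never shows domain settings.
# Assumption: policy-delivered certificates are stored under this registry root.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates'

function Get-GpoCertThumbprints {
    param([Parameter(Mandatory = $true)][string]$Store)   # 'EFS' or 'Root'
    $path = Join-Path (Join-Path $policyRoot $Store) 'Certificates'
    if (-not (Test-Path $path)) {
        Write-Warning "No policy certificates for store '$Store' ($path)"
        return @()
    }
    # Each subkey name is the SHA-1 thumbprint of one certificate pushed by policy.
    Get-ChildItem $path | ForEach-Object { $_.PSChildName }
}

# Summarise both stores the question configured in the Default Domain Policy.
$report = foreach ($store in 'EFS', 'Root') {
    $thumbs = @(Get-GpoCertThumbprints -Store $store)
    New-Object PSObject -Property @{
        Store       = $store
        Count       = $thumbs.Count
        Thumbprints = $thumbs -join ', '
    }
}
$report | Format-List Store, Count, Thumbprints

# Command-line counterpart of rsop.msc: GPOs applied to the computer object.
gpresult /scope computer /r

# Recovery certificates recorded on an encrypted file (same data as the
# Details dialog in the file's advanced properties).
$sample = 'C:\Temp\efs-test.txt'   # placeholder path: point at a real EFS-encrypted file
if (Test-Path $sample) { cipher /c $sample }
```

Run it from an elevated prompt on the Windows 7 client; a file encrypted before the policy arrived keeps its old recovery information until it is next rewritten or updated.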

Author Closing Comment

by:jostafew
ID: 35230095