Solved

Help with GPO not applying (specific to Computer Configuration settings)

Posted on 2011-03-18
Last Modified: 2012-05-11
Hey everyone, I'd love some assistance with a problem I can't seem to get past; I've altered the Default Domain Policy to include entries for EFS Recovery Agents etc. at the following locations:

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certificates

Everything is great except that these settings do not seem to get pushed out to client machines (mix of WinXP pro and Win7 pro). I've run "gpupdate /force" on the servers (mix of 2k3, 2k3 R2, and 2008 R2) and run "gpupdate" on the clients but no luck. I've been working on this problem for over a day now, so I'm thinking that even without the gpupdate commands things should have updated by now.

Trying to track down the problem I ran RSOP based on the domain, and a particular computer I'm using as a guinea pig; both returned the expected result. I also looked at the syslog for that machine which showed that the GP configuration was updated successfully.

To make things more interesting I did a simple test by adding a new GPO and linking to the domain, then made a simple change in the User Configuration (placed a bookmark in IE); this policy updated on the client just fine. It seems that the user config is working but computer config is not...

Please let me know if anything jumps out as a possible cause or if any other quick checks come to mind, thanks in advance.
0
Question by:jostafew
5 Comments
 
LVL 13

Expert Comment

by:BCipollone
ID: 35169165
Might want to try this:

"So, in the end, having all the computers in an OU linked to a GPO was not enough. I had to add the computers to a group within that OU, and then specify that group in the Security Filtering section"

Resource: http://www.petri.co.il/forums/showthread.php?t=23325

There is also an article that will take longer to read, but should help here: http://alsolorzano.com/blogs/tips__tricks/archive/2008/06/02/group-policy-preferences-in-a-windows-2003-domain-and-a-windows-2008-domain.aspx
0
 
LVL 3

Author Comment

by:jostafew
ID: 35169492
Hey BCipollone, thank you for the reply. I read over the article at petri.co and tried the same approach on my system;

Within the applicable OU for this site (Langley) I created a security group called Langley Computers and added the test computers to that group. Back in GP Management I added the new Langley Computers group to the list under Delegation and gave that group Read and Apply Group Policy permissions. After all that was another round of gpupdate /force on the server and gpupdate on the clients (Win XP pro and Win7 pro). Sadly still no luck.

I am going to go back and read the alsolorzano.com article now. Please let me know if you have any other thoughts.
0
 
LVL 3

Author Comment

by:jostafew
ID: 35183244
Still working on this problem.... I defined another test setting:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Do not require CTRL+ALT+DEL

and that applied OK on both my XP and Win7 machine.... so that tells me that everything is working as it should (correctly linked to OUs, permissions OK etc.) but the machines just will not take the Public Key Policies!

Any other thoughts?
0
 
LVL 3

Accepted Solution

by:
jostafew earned 0 total points
ID: 35201384
A related thread has provided an answer to this problem; I was using gpedit.msc to view the status of the GPs being applied to the client machine. This was not giving the whole picture. Running rsop.msc confirmed that the GPOs were applied. I was also able to confirm the recovery agents' certificates being added to the encrypted files under the details section in the advanced properties of an encrypted file.

BCipollone, thank you for your input.
0
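A command-line version of the checks described in the accepted solution, as an added example that is not part of the original thread: it reads the policy the machine actually applied instead of the local policy editor's view. It assumes Windows 7 or later and an elevated PowerShell prompt; `$TestFile` is a hypothetical path to an EFS-encrypted file, and the registry paths are where Windows keeps certificate stores delivered by Group Policy.

```powershell
# Added example: verify that computer-side Public Key Policies reached this client.
# Assumptions: Windows 7 or later, elevated prompt; $TestFile is a hypothetical path.
param(
    [string]$TestFile = 'C:\Temp\efs-test.txt'   # hypothetical EFS-encrypted file
)

# 1. Resultant computer policy: which GPOs were applied and which were filtered out.
#    gpedit.msc edits the local policy object only, so domain GPO settings never show there.
gpresult /scope computer /r

# 2. Certificates delivered by Group Policy are stored under the Policies hive,
#    one subkey per certificate, named by its SHA-1 thumbprint.
$policyStores = @{
    'EFS recovery agents' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'
    'Trusted root CAs'    = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
}

$results = foreach ($name in $policyStores.Keys) {
    $path = $policyStores[$name]
    $thumbprints = @()
    if (Test-Path $path) {
        $thumbprints = @(Get-ChildItem $path | ForEach-Object { $_.PSChildName })
    }
    New-Object PSObject -Property @{
        Store       = $name
        Count       = $thumbprints.Count
        Thumbprints = $thumbprints -join ', '
    }
}
$results | Format-List Store, Count, Thumbprints

if ($results | Where-Object { $_.Count -eq 0 }) {
    Write-Warning 'A policy store is empty: the policy has not reached this machine or defines no certificates.'
}

# 3. Recovery certificates actually stamped on an encrypted file.
#    Files encrypted before the policy arrived keep their old recovery agent
#    list until they are updated (cipher /u).
if (Test-Path $TestFile) {
    cipher /c $TestFile
} else {
    Write-Warning "$TestFile not found; encrypt a test file and re-run."
}
```

Compare the thumbprints listed in step 2 with the recovery certificate thumbprints `cipher /c` prints in step 3; a match confirms the recovery agent from the GPO is in use on new files.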
 
LVL 3

Author Closing Comment

by:jostafew
ID: 35230095
0
