Solved

Help with GPO not applying (specific to Computer Configuration settings)

Posted on 2011-03-18
446 Views
Last Modified: 2012-05-11
Hey everyone, I'd love some assistance with a problem I can't seem to get past; I've altered the Default Domain Policy to include entries for EFS Recovery Agents etc. at the following locations:

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certificates

Everything is great except that these settings do not seem to get pushed out to client machines (a mix of WinXP Pro and Win7 Pro). I've run "gpupdate /force" on the servers (a mix of 2k3, 2k3 R2, and 2008 R2) and run "gpupdate" on the clients, but no luck. I've been working on this problem for over a day now, so I'm thinking that even without the gpupdate commands things should have updated by now.

Trying to track down the problem I ran RSOP based on the domain, and a particular computer I'm using as a guinea pig; both returned the expected result. I also looked at the syslog for that machine which showed that the GP configuration was updated successfully.

To make things more interesting I did a simple test by adding a new GPO and linking it to the domain, then made a simple change in the User Configuration (placed a bookmark in IE); this policy updated on the client just fine. It seems that the user config is working but computer config is not...

Please let me know if anything jumps out as a possible cause or if any other quick checks come to mind, thanks in advance.
Question by:jostafew
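Added example, not part of the original question: the server-side checks a practitioner would run first when user settings apply but computer settings from the same GPO do not. It uses the GroupPolicy module shipped with RSAT / Windows Server 2008 R2; the GPO name matches the question, and the domain DN is a placeholder.

```powershell
# Added example (not from the thread). Run on a 2008 R2 DC or a Win7 box with RSAT.
# 'Default Domain Policy' is the GPO the asker edited; the domain DN is an assumption.
Import-Module GroupPolicy

$GpoName  = 'Default Domain Policy'
$DomainDn = 'DC=corp,DC=example,DC=com'   # placeholder, replace with your domain

$gpo = Get-GPO -Name $GpoName

# Check 1: the computer half of the GPO must not be disabled. User settings applying
# while computer settings do not is exactly what GpoStatus = ComputerSettingsDisabled looks like.
"{0}: GpoStatus={1}, computer side enabled={2}" -f $gpo.DisplayName, $gpo.GpoStatus, $gpo.Computer.Enabled

# Check 2: AD and SYSVOL versions of the computer side should match. A lag means the DC the
# clients talk to has not yet received the edit, so the client is correctly doing nothing.
"Computer version: AD={0} SYSVOL={1}" -f $gpo.Computer.DSVersion, $gpo.Computer.SysvolVersion
if ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion) {
    Write-Warning 'AD and SYSVOL versions differ; check replication before blaming the client'
}

# Check 3: the link at the domain root is enabled (and whether it is enforced, which matters
# if an OU below has "Block Inheritance" set).
Get-GPInheritance -Target $DomainDn |
    Select-Object -ExpandProperty GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName } |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize

# Check 4: who is allowed to apply it. Computer accounts need Read + Apply Group Policy,
# which they normally get through Authenticated Users.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Format-Table @{n='Trustee';e={$_.Trustee.Name}}, TrusteeType, Permission -AutoSize
```

If all four checks come back clean, the problem is on the client (or in how it is being inspected), not in the GPO definition.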
5 Comments

Expert Comment

by:BCipollone
ID: 35169165
Might want to try this:

"So, in the end, having all the computers in an OU linked to a GPO was not enough. I had to add the computers to a group within that OU, and then specify that group in the Security Filtering section"

Resource: http://www.petri.co.il/forums/showthread.php?t=23325

There is also an article that will take longer to read, but should help here: http://alsolorzano.com/blogs/tips__tricks/archive/2008/06/02/group-policy-preferences-in-a-windows-2003-domain-and-a-windows-2008-domain.aspx
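The approach the comment quotes, written out as an added example (not code from the thread or from the linked articles): put the OU's computer accounts in a security group and grant that group Read and Apply Group Policy on the GPO. The GPO name, OU path and group name are assumptions; the group name is the one the asker later used.

```powershell
# Added example (not from the thread). Needs the ActiveDirectory and GroupPolicy modules.
# GPO name, OU DN and group name are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName   = 'Default Domain Policy'
$OuPath    = 'OU=Langley,DC=corp,DC=example,DC=com'   # assumed OU
$GroupName = 'Langley Computers'                       # assumed group name

# 1. A global security group inside the OU to hold the computer accounts.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                         -Path $OuPath -PassThru
}

# 2. Every computer object under the OU becomes a member (existing members are skipped quietly).
Get-ADComputer -SearchBase $OuPath -Filter * | ForEach-Object {
    Add-ADGroupMember -Identity $group -Members $_ -ErrorAction SilentlyContinue
}

# 3. Security filtering: GpoApply grants both Read and Apply Group Policy to the group.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# 4. Show the resulting ACL so the change can be eyeballed.
Get-GPPermission -Name $GpoName -All |
    Format-Table @{n='Trustee';e={$_.Trustee.Name}}, TrusteeType, Permission -AutoSize
```

Two caveats before expecting a difference: a computer's group memberships are evaluated when its account logs on (at boot), so a freshly added computer will not see the new membership until it is rebooted, and `gpupdate` alone does not refresh that token. And do not remove Authenticated Users' Read permission while doing this; computer accounts still need to read the GPO even when Apply is restricted to a group.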

Author Comment

by:jostafew
ID: 35169492
Hey BCipollone, thank you for the reply. I read over the article at petri.co and tried the same approach on my system;

Within the applicable OU for this site (Langley) I created a security group called Langley Computers and added the test computers to that group. Back in GP Management I added the new Langley Computers group to the list under Delegation and gave that group Read and Apply Group Policy permissions. After all that was another round of gpupdate /force on the server and gpupdate on the clients (Win XP pro and Win7 pro). Sadly still no luck.

I am going to go back and read the alsolorzano.com article now. Please let me know if you have any other thoughts.

Author Comment

by:jostafew
ID: 35183244
Still working on this problem.... I defined another test setting:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Do not require CTRL+ALT+DEL

and that applied OK on both my XP and Win7 machines.... so that tells me that everything is working as it should (correctly linked to OUs, permissions OK etc.) but the machines just will not take the Public Key Policies!

Any other thoughts?

Accepted Solution

by:jostafew (earned 0 total points)
ID: 35201384
A related thread has provided an answer to this problem; I was using gpedit.msc to view the status of the GPs being applied to the client machine. This was not giving the whole picture. Running rsop.msc confirmed that the GPOs were applied. I was also able to confirm the recovery agents' certificates being added to the encrypted files under the details section in the advanced properties of an encrypted file.

BCipollone thank you for your input.
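The client-side verification the accepted solution describes, as an added example (not the asker's code): gpedit.msc only edits the local GPO and never shows which domain GPOs were applied, so the check has to come from RSoP data (rsop.msc, or gpresult as below) and from the artifacts the policy should have left behind. Runs on the Windows 7 client from an elevated prompt; the GPO name is the one from the thread, the scratch directory and the registry location of the policy-delivered certificate stores are assumptions.

```powershell
# Added example (not from the thread). Windows 7 client, elevated PowerShell.
$GpoName = 'Default Domain Policy'

# 1. Computer-side RSoP as XML (what rsop.msc shows for the Computer Configuration node).
$xmlPath = Join-Path $env:TEMP 'rsop-computer.xml'
gpresult /scope computer /x $xmlPath /f | Out-Null
$rsop = New-Object System.Xml.XmlDocument
$rsop.Load($xmlPath)
$ns = New-Object System.Xml.XmlNamespaceManager($rsop.NameTable)
$ns.AddNamespace('r', 'http://www.microsoft.com/GroupPolicy/Rsop')

# XmlElement.Name is the tag name, so read the child <Name> node explicitly.
$gpos = foreach ($g in $rsop.SelectNodes('//r:ComputerResults/r:GPO', $ns)) {
    New-Object PSObject -Property @{
        Name         = $g.SelectSingleNode('r:Name', $ns).InnerText
        Enabled      = $g.SelectSingleNode('r:Enabled', $ns).InnerText
        AccessDenied = $g.SelectSingleNode('r:AccessDenied', $ns).InnerText
        LinkedAt     = $g.SelectSingleNode('r:Link/r:SOMPath', $ns).InnerText
    }
}
$gpos | Format-Table Name, Enabled, AccessDenied, LinkedAt -AutoSize
if (-not ($gpos | Where-Object { $_.Name -eq $GpoName -and $_.Enabled -eq 'true' })) {
    Write-Warning "$GpoName is not in the list of applied computer GPOs"
}

# 2. Last computer-side processing result from the Group Policy operational log
#    (1500/1502 = processed successfully, 1501/1503 are the user-side equivalents).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 1500, 1502
} -MaxEvents 1 | Format-List TimeCreated, Id, Message

# 3. Public Key Policies land in the policy certificate stores under
#    HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\<store> (assumed location).
#    One subkey per certificate, named by thumbprint.
foreach ($store in 'EFS', 'Root') {
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\$store\Certificates"
    $thumbs = @()
    if (Test-Path $key) { $thumbs = @(Get-ChildItem $key | ForEach-Object { $_.PSChildName }) }
    "{0}: {1} certificate(s) delivered by policy" -f $store, $thumbs.Count
    $thumbs | ForEach-Object { "  $_" }
}

# 4. End-to-end EFS check: encrypt a scratch file, then ask EFS who can recover it.
#    cipher /c lists the users who can decrypt the file and the recovery certificates
#    (the data recovery agents) that were stamped into it.
$dir  = 'C:\efs-test'                                   # assumed scratch location, NTFS
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'probe.txt'
'constructed test data' | Set-Content -Path $file
[System.IO.File]::Encrypt($file)
cipher /c $file
```

The thumbprints printed under "Recovery Certificates" by `cipher /c` should match the entries found under the EFS policy store in step 3; if they do, the policy has applied regardless of what gpedit.msc appears to show.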

Author Closing Comment

by:jostafew
ID: 35230095
