Solved

Group Policy on Windows 2008 R2 DC not working and report also saying it's a Windows 2000 domain?

Posted on 2011-04-19
Last Modified: 2012-05-11
I have been adding entries to the Group Policy Manager on our Windows 2008 R2 domain controller.  This is a single Domain Controller setup.  For some reason the Group Policies don't all seem to be working.  I am a little confused as to what has gone wrong.
Also, after reading a couple of entries on this website I ran "gpresult /R" on the domain controller and on Domain type it says Windows 2000 when I'm sure when I ran dcpromo when I first installed it I set it to Windows 2008 R2.

Output is as follows;

C:\Users\Administrator>gpresult /R

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 19/04/2011 at 09:49:18


RSOP data for MYDOMAIN\Administrator on RS1 : Logging Mode
---------------------------------------------------------

OS Configuration:            Primary Domain Controller
OS Version:                  6.1.7601
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=RS1,OU=Domain Controllers,DC=MYDOMAIN,DC=co,DC=uk
    Last time Group Policy was applied: 19/04/2011 at 09:47:22
    Group Policy was applied from:      RS1.MYDOMAIN.co.uk
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        MYDOMAIN
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Password GPO
        Internet Explorer GPO
        Deploy Printers GPO
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        RS1$
        Domain Controllers
        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
        Denied RODC Password Replication Group
        System Mandatory Level


USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=MYDOMAIN,DC=co,DC=uk
    Last time Group Policy was applied: 19/04/2011 at 08:55:04
    Group Policy was applied from:      RS1.MYDOMAIN.co.uk
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        MYDOMAIN
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Internet Explorer GPO
        Deploy Printers GPO
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Password GPO
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Group Policy Creator Owners
        Domain Admins
        Enterprise Admins
        Schema Admins
        Denied RODC Password Replication Group
        High Mandatory Level


So 2 questions I guess, how do I find out what the actual domain type is and if it isn't Windows 2008 R2 how to set it that high?  And secondly how to get my group policies working?

We have a network with a mix of Windows XP Pro, Windows 7 Pro (32 and 64bit) and 2 Windows Vista Business (both 32bit).
group-policy-manager.JPG
0
Comment
Question by:sjb79
16 Comments
 
LVL 11

Accepted Solution

by:
Tasmant earned 572 total points
ID: 35422988
Your Group Policy seems to work fine.
The Domain Level is different from the operating system version of your Domain Controllers.
You can only upgrade your domain level and forest level if you have no more old domain controllers.
For example, if you still have a Windows 2000 domain controller, you cannot move your domain functional level to a higher version.
Raising your domain functional level will bring you new features.
You can find all the information needed here (and the 2 pages below this article): http://technet.microsoft.com/en-us/library/cc787290%28WS.10%29.aspx
0
 
LVL 9

Assisted Solution

by:binary_1001010
binary_1001010 earned 572 total points
ID: 35423041
1:  To check what functional level your forest/domain is running, open Active Directory Domains and Trusts.

2:  Do you still have a Windows 2000 DC in your environment?  What other DCs do you have? If you have only 2008 R2, just raise the functional level to 2008 R2. In R2, there are new Advanced policies which will only apply to 2k8 R2 and Windows 7.
0
 

Author Comment

by:sjb79
ID: 35424129
Hi Tasmant,
Do I just run the dcpromo wizard again and then go through and change the functional level?
0

 

Author Comment

by:sjb79
ID: 35424143
I've also just noticed under "Applied Group Policy Objects" that not all of the GPO's I've made have been applied, is that because that heading only covers the server or are there GPO's I've made that have not been applied to the domain yet?
0
 

Author Comment

by:sjb79
ID: 35424188
I take it from this snippet my domain is running in Windows Server 2008 R2 function level.

Oh and there will not be any other servers on our network which will be older than Windows 2008 R2 binary_1001010.
ActiveDirectoryDomainsAndTrusts-.jpg
0
 
LVL 11

Assisted Solution

by:Tasmant
Tasmant earned 572 total points
ID: 35425529
The GPResult you posted seems fine.
The applied group policies are:
        Default Domain Controllers Policy
        Password GPO
        Internet Explorer GPO
        Deploy Printers GPO
        Default Domain Policy
Because you get "Default Domain Controllers Policy", I assume you ran the report on your domain controller. The DC computer accounts are stored in <domain>.co.uk/Domain Controllers, and therefore none of the other GPOs linked on other OUs apply to Domain Controllers.

You can post another GPResult from one of your workstations stored in "<domain>.co.uk/R...Ltd/Computers" and therefore you should see all the GPOs linked on your "computers" OU. Not all of them will be in the report, depending on whether the GPO is empty, denied by WMI Filter or Security group, in which case they should be reported in the following section of your report: "The following GPOs were not applied because they were filtered out"

I remain available if you have other questions.
0
 

Author Comment

by:sjb79
ID: 35431581
Ok I've just run that command on my work station and got the following;

C:\>gpresult /R

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 20/04/2011 at 09:11:40


RSOP data for mydomain\stephen on PC6 : Logging Mode
---------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7600
Site Name:                   N/A
Roaming Profile:             \\mydomain.co.uk\Storage\Profiles\stephen.V2
Local Profile:               C:\Users\stephen
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=Stephen J. Bines,OU=Technical,OU=mydomainLtd,DC=mydomain,DC=co,DC=uk
    Last time Group Policy was applied: 20/04/2011 at 09:05:15
    Group Policy was applied from:      RS1.mydomain.co.uk
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        mydomain
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        My Documents folder redirect GPO
        Y Drive GPO
        Internet Explorer GPO
        Deploy Printers GPO
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Password GPO
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Clinicians
        Technical
        admin
        High Mandatory Level

C:\>

There are a couple of things that confuse me, 1.  Why it keeps mentioning Windows 2000 when I have checked and found that the DC is running at Windows 2008 R2 level and 2.  why so few of the GPO's are being applied.

I've taken another screen shot from the server with the Group Policy Manager and the Active Directory Users and Computers also open.  I've placed certain GPO's within certain active directory groups as I thought they would only apply to things in that group.

As you can see my PC (PC6) is in the "main office computers" group within the "computers" group and none of those GPOs are apparently being applied.

I expect I've done or am doing something really daft but can you see what it is?
GPM-and-ADUaC.jpg
0
 
LVL 8

Assisted Solution

by:SeaSenor
SeaSenor earned 856 total points
ID: 35432709
Are you trying to apply "User settings" to the computers in this OU??   If so, that won't work.

Please double check.
0
 

Author Comment

by:sjb79
ID: 35432762
ahhh..... That's a good point, hang on I will re-arrange the groups into USERS->Types of users and COMPUTERS->LOCATION OF COMPUTERS
0
 
LVL 8

Assisted Solution

by:SeaSenor
SeaSenor earned 856 total points
ID: 35432766
Also, the Domain Type showing up as Windows 2000 is a sort of known issue:  
a search will reveal many many links and questions about it.  I wouldn't give it much more thought.

here is one on this site if you want to view:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21808403.html

0
 
LVL 9

Assisted Solution

by:binary_1001010
binary_1001010 earned 572 total points
ID: 35438054
Where did you apply your policy?  XP or Vista?  You need to download client side extensions if you are still using XP, read this link:

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=E60B5C8F-D7DC-4B27-A261-247CE3F6C4F8&displaylang=en
0
 

Author Comment

by:sjb79
ID: 35440106
Hi Guys,
Ok I've had a fiddle with the layout and the GPO's and my workstation (PC6) isn't having the "User Account Logon Picture" being applied.  I've taken a big screen shot with a RDC to the server and the command prompt from my workstation and I can't see the group policy being applied.  I must be doing something really dumb could you guys double check for me please?
screenshot---rs1.JPG
0
 
LVL 8

Assisted Solution

by:SeaSenor
SeaSenor earned 856 total points
ID: 35440458
This screen shot only shows user settings... which won't show the computer policy being applied.

Can you see it in the screen about the User settings?
0
 
LVL 8

Expert Comment

by:SeaSenor
ID: 35440666
sorry... I meant - can you see it in the screen above the user settings.

0
 

Author Comment

by:sjb79
ID: 35704835
Ok guys I think I've got it now, been doing some reading and fiddling and it's all starting to work.  I think one of the problems was I was getting my Computer and User settings mixed up.
0
 
LVL 8

Expert Comment

by:SeaSenor
ID: 35706753

glad we could help...
good luck!!
0
