[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Group Policy applies User settings but not Computer settings.

Posted on 2012-03-11
11
Medium Priority
?
344 Views
Last Modified: 2012-05-29
I am setting up a new Windows Server 2008 R2 with a test environment of a Windows 7 PC and a Windows XP PC.  I have created Users and Groups and defined several GPOs for different Groups, where generally each set of Users in a Group have been placed in their own OU, and the test PCs are in separate sub-OUs for each Operating System (Win7 and WinXP) beneath an OU for Computers.

When testing various GPOs I find that settings for both Users and Computers work for the Users on WinXP PCs, but only for Users on Win7 PCs.  I have run RSoP on the test Win7 PC when logged in as different Users, and on each occassion a message saying "access denied" for the computer settings in the GPO, and "no data collected" in the results.

I cannot see any relevant Events in the Event Logs that would help.  I have disabled UAC on the Windows 7 test PC, but no change.

What access permissions are not applied so that the GPO's Computer settings work?
0
Comment
Question by:Axiomit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
11 Comments
 
LVL 11

Expert Comment

by:Ackles
ID: 37707926
Hi,
Not seeing results in policy doesn't mean that computer policy is not applied, it just means that the current user is not having permission to see the policy applied.

A
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37707936
On Windows Vista and later, regular users can only see the user half of the
RSoP by default. They must be delegated the “Read Group Policy Result data” right over the computer they want to gather the information for.

Go on GPMC , click on GPO , go to delegation tab & then for the group of users click on Permissions Drop Down & then assign them, Read Group Policy Results Data.

Log on W7 machine, run gpupdate /force & then see gpresult.

A
0
 
LVL 1

Author Comment

by:Axiomit
ID: 37710649
Thanks  -  I think you are on the right track.  When I login as domain administrator onto Win7 PC and re-run the RSoP for the previous user on that PC I get both Computer and User settings displayed.

Then on the server I opened GPMC, selected a GPO, selected delegation tab,  right clicked on a user group and the drop down list showed:-
Read
Edit settings
Edit settings, delete, modify security
Remove

No trace of "Read Group Policy Results Data"

This is on a server 2008 R2 - is it different here?
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 1

Author Comment

by:Axiomit
ID: 37710686
I would be much happier testing my GPOs if I could see the RSoP for each user on the logged on PC.  I suppose that I could make each user a (temporary) member of Domain Admins just to run the RSoP but is really distorting the results!
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37710789
Why don't you just run RSOP from GPMC on Server?
But before you do that, enable this policy so firewall lets you go through:

Computer Configuration | Policies | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile | Windows Firewall: Allow Inbound Remote Administration Exception

One more thing, the user has to logon once on the PC of which you want the RSOP to run.

Let me know, if that works for you?

A
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37906175
Any News?
0
 
LVL 1

Author Comment

by:Axiomit
ID: 37939134
I have found that I have to disable the Windows Firewall as it applies to the Domain so that I can get GPOs to work for Computer as well as users with Windows 7 client PCs and 2008 R2 server OS.
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37939141
How did you reach to that conclusion?
0
 
LVL 1

Author Comment

by:Axiomit
ID: 37943302
I was getting "Access denied" errrors when trying to implement the Computer settings in a GPO - there seemed to be a connection between the Firewall settings and being able to browse PCs from the server 2008 R2.
0
 
LVL 11

Expert Comment

by:Ackles
ID: 37943526
As a test can you please give one of the client a Static IP with Primary DNS specified?
A
0
 
LVL 11

Accepted Solution

by:
Ackles earned 1500 total points
ID: 37943572
See, the policy I gave you up is actually poking a hole in Firewall to run RSOP from the GPMC.
However, even if the Firewall is on it should not restrict from applying GPO.
If that is happening then there is something to be resolved, as you don't want to bring the Firewall down (I guess).
But, even if you bring down the Domain Firewall, it shouldn't matter much. (that is purely your decision).

Just for bit of convenience you can configure these two GPO's also at Domain Level:
1) Computer Configuration | Policies | Administrative Templates | System | Logon Always wait for the network at computer startup and logon policy

This GPO will make sure that all the GPO's apply before the user log's on. That way you will be sure that policies are applied before user get's in.

2) Computer Configuration | Policies | Administrative Templates | System | Verbose vs Normal Status messages

This will make sure that you not only see the stupid windows circle when the user logs on, but tells you exactly what is happening as to what policies are being applied.

A
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question