Anthony Whitby asked:

Group Policy applies User settings but not Computer settings.

I am setting up a new Windows Server 2008 R2 with a test environment of a Windows 7 PC and a Windows XP PC. I have created Users and Groups and defined several GPOs for different Groups, where generally each set of Users in a Group has been placed in its own OU, and the test PCs are in separate sub-OUs for each Operating System (Win7 and WinXP) beneath an OU for Computers.

When testing various GPOs I find that settings for both Users and Computers work for the Users on WinXP PCs, but only for Users on Win7 PCs. I have run RSoP on the test Win7 PC when logged in as different Users, and on each occasion I get a message saying "access denied" for the computer settings in the GPO, and "no data collected" in the results.

I cannot see any relevant Events in the Event Logs that would help.  I have disabled UAC on the Windows 7 test PC, but no change.

What access permissions are not applied so that the GPO's Computer settings work?
Ackles

Hi,
Not seeing results in policy doesn't mean that computer policy is not applied; it just means that the current user does not have permission to see the policy applied.

A
On Windows Vista and later, regular users can only see the user half of the RSoP by default. They must be delegated the “Read Group Policy Result data” right over the computer they want to gather the information for.

Go to GPMC, click on the GPO, go to the Delegation tab, then for the group of users click on the Permissions drop-down and assign them Read Group Policy Results Data.

Log on to the W7 machine, run gpupdate /force and then check gpresult.

A
Anthony Whitby (ASKER)

Thanks  -  I think you are on the right track.  When I login as domain administrator onto Win7 PC and re-run the RSoP for the previous user on that PC I get both Computer and User settings displayed.

Then on the server I opened GPMC, selected a GPO, selected delegation tab,  right clicked on a user group and the drop down list showed:-
Read
Edit settings
Edit settings, delete, modify security
Remove

No trace of "Read Group Policy Results Data"

This is on a server 2008 R2 - is it different here?
I would be much happier testing my GPOs if I could see the RSoP for each user on the logged-on PC. I suppose that I could make each user a (temporary) member of Domain Admins just to run the RSoP, but that is really distorting the results!

Why don't you just run RSOP from GPMC on Server?
But before you do that, enable this policy so firewall lets you go through:

Computer Configuration | Policies | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile | Windows Firewall: Allow Inbound Remote Administration Exception

One more thing: the user has to log on once to the PC for which you want the RSoP to run.

Let me know, if that works for you?

A
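
The server-side RSoP run suggested above can also be scripted, shown here as an added example that is not part of the original thread. It assumes the GroupPolicy PowerShell module that ships with GPMC on Server 2008 R2; the computer name, user name, file path and the sample XML are constructed placeholders, and the element names (`ComputerResults`, `GPO`, `Enabled`, `FilterAllowed`, `AccessDenied`) are assumed to match the XML report format.

```powershell
# Added example: list the computer-side GPOs from an RSoP XML report and show
# whether each one was enabled, passed its filter, or was denied to the computer.
function Get-ComputerGpoStatus {
    param([Parameter(Mandatory = $true)][xml]$Rsop)

    # The report mixes several XML namespaces, so match on local-name().
    $xpath = "//*[local-name()='ComputerResults']/*[local-name()='GPO']"
    foreach ($gpo in $Rsop.SelectNodes($xpath)) {
        $field = @{}
        # Direct children only, so a Link's own <Enabled> is not picked up.
        foreach ($child in $gpo.ChildNodes) { $field[$child.LocalName] = $child.InnerText }
        New-Object PSObject -Property @{
            Name          = $field['Name']
            Enabled       = $field['Enabled']
            FilterAllowed = $field['FilterAllowed']
            AccessDenied  = $field['AccessDenied']   # true: computer account could not read/apply the GPO
        }
    }
}

# Constructed sample in the shape of an RSoP XML report (trimmed, names made up).
$sample = [xml]@'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <ComputerResults>
    <GPO>
      <Name xmlns="http://www.microsoft.com/GroupPolicy/Types">Win7 Computer Settings</Name>
      <Enabled>true</Enabled>
      <FilterAllowed>true</FilterAllowed>
      <AccessDenied>false</AccessDenied>
    </GPO>
    <GPO>
      <Name xmlns="http://www.microsoft.com/GroupPolicy/Types">WinXP Computer Settings</Name>
      <Enabled>true</Enabled>
      <FilterAllowed>true</FilterAllowed>
      <AccessDenied>true</AccessDenied>
    </GPO>
  </ComputerResults>
</Rsop>
'@
Get-ComputerGpoStatus -Rsop $sample |
    Format-Table Name, Enabled, FilterAllowed, AccessDenied -AutoSize

# Against a live client, run from the server with an account that has RSoP
# rights over it (the remote administration firewall exception must be allowed):
#   Import-Module GroupPolicy
#   Get-GPResultantSetOfPolicy -Computer 'WIN7TEST' -User 'EXAMPLE\testuser' -ReportType Xml -Path C:\Temp\rsop.xml
#   Get-ComputerGpoStatus -Rsop ([xml](Get-Content C:\Temp\rsop.xml))
```

A GPO that shows `AccessDenied` as true for the computer points at security filtering or permissions on that GPO rather than at the viewing user's RSoP rights.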
Any News?
I have found that I have to disable the Windows Firewall as it applies to the Domain so that I can get GPOs to work for Computer as well as users with Windows 7 client PCs and 2008 R2 server OS.
How did you reach that conclusion?
I was getting "Access denied" errors when trying to implement the Computer settings in a GPO - there seemed to be a connection between the Firewall settings and being able to browse PCs from the server 2008 R2.
As a test, can you please give one of the clients a static IP with Primary DNS specified?
A