GPO not applying
Hi all,
I have a standalone 2003 server which is a DC & I have joined 15 PCs to its Domain successfully.
I have implemented a GPO to lockdown those PCs, but the GPO isnt applying to any of the PCs.
The Link is Enabled & Enforced.
I have ran gpresult on the PCs which states that the gpo is not found.
I have made sure the securities are right i.e. Authenticated Users = Read priveleges.
I have it on the right OU, which contains accounts, Computers are in another OU.
I have only used User settings.
I dont have loopback processing enabled.
I have ran Windows Server 2003 Resource Kit Tools using gpotools cmd which says the GPO is ok.
Has anyone else got any other suggestions?
I have a standalone 2003 server which is a DC & I have joined 15 PCs to its Domain successfully.
I have implemented a GPO to lockdown those PCs, but the GPO isnt applying to any of the PCs.
The Link is Enabled & Enforced.
I have ran gpresult on the PCs which states that the gpo is not found.
I have made sure the securities are right i.e. Authenticated Users = Read priveleges.
I have it on the right OU, which contains accounts, Computers are in another OU.
I have only used User settings.
I dont have loopback processing enabled.
I have ran Windows Server 2003 Resource Kit Tools using gpotools cmd which says the GPO is ok.
Has anyone else got any other suggestions?
I've had issues like this before, and came back a day later to find it working. Computer settings sometimes take a day or two to kick in, no idea why.
What is the operating system of the workstations? Are the users logging on with domain user accounts(not local user accounts)? Check in the event logs on some of the workstations and see if there are any GPO-related errors. The source of the errors would be Userenv or SceCli.
What are you trying to lock down? Does the GPO apply to computer or user objects? If user objects, have you tried applying the GPO as a domain administrator?
Have you checked the event logs on an affected machine to see if there are any events relating to group policies (specifically failures)?
Have you checked the event logs on an affected machine to see if there are any events relating to group policies (specifically failures)?
ASKER
GPO applies to User settings.
It has been a few days since I set it and still nothing.
Operating system = XP
It has been a few days since I set it and still nothing.
Operating system = XP
1.Is the OU contains Users to which the GPO is linked ( user setting GPO)?
2.Login as the user and run the gpupdate /force and check if the GPO applies to the client.
3.Is the GPO not applying to any client?
4.Make sure that the user ( Authenticated) have Read and Apply Group policy permission for the GPO.
2.Login as the user and run the gpupdate /force and check if the GPO applies to the client.
3.Is the GPO not applying to any client?
4.Make sure that the user ( Authenticated) have Read and Apply Group policy permission for the GPO.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I have not had a chance to do the checks from above, I will complete these tomorrow. I will post the results here then.
My DNS is primarily pointed at the DC server, then secondarily pointed at the router gateway. i.e 192.168.1.5
192.168.1.1
Is that correct?
My DNS is primarily pointed at the DC server, then secondarily pointed at the router gateway. i.e 192.168.1.5
192.168.1.1
Is that correct?
ASKER
Yes the Users are in the right OU that has the GPO applied.
The Users are logging in with Domain Accounts.
There are no entries in the Event Log of Userenv or SceCli type or of any logon nature.
I'm just trying to lockdown basic things like no Run command etc... & I'm trying to repoint the Docs & Desktop folders to the server & I have a logon script in the gpo to map a shared drive, so nothing out of the ordinary.
I have ran gpupdate /force on the clients & server & it still hasn't made a difference.
The GPO is not applying to any client.
Authenticated User has Read & Apply group policy set to allow.
Gpresult states that 'INFO: The policy object does not exist'
The Users are logging in with Domain Accounts.
There are no entries in the Event Log of Userenv or SceCli type or of any logon nature.
I'm just trying to lockdown basic things like no Run command etc... & I'm trying to repoint the Docs & Desktop folders to the server & I have a logon script in the gpo to map a shared drive, so nothing out of the ordinary.
I have ran gpupdate /force on the clients & server & it still hasn't made a difference.
The GPO is not applying to any client.
Authenticated User has Read & Apply group policy set to allow.
Gpresult states that 'INFO: The policy object does not exist'
What OU are the users in? Where did you create and link the GPO (i.e., at the domain level or at the OU level)? Please describe how this is configured. I know that you said it was in the right OU, but by your description of the GPResult message, it sounds as though the group policy is not being applied to the OU that contains your user accounts. In the group policy management console, click on your GPO and then do a screen capture of the Scope information. Then click on the Settings tab. When the report appears, right-click and print it to a file and post that screen capture and file here for analysis.
You should remove the secondary DNS server (your router IP address) from the server and all workstations. It's not doing anything useful.
You should remove the secondary DNS server (your router IP address) from the server and all workstations. It's not doing anything useful.
Check if any GPO has been set to Nooveride ( which is applied on parent level or at the same level).To get the list of GPo applied to the user, Run gpresult and check the Nooverride setting of each GPO.
http://technet.microsoft.com/en-us/library/cc978255.aspx
http://technet.microsoft.com/en-us/library/cc978255.aspx
ASKER
All sorted. Thanks for the help
ASKER
Thanks