• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 307
  • Last Modified:

Windows 7 Vs Windows XP GPO

We have multiple client Domains, and one is using Interactive Logons. One of our other domains is about to use Interactive logons as well, but testing is not going well. The Windows XP PCs are getting both the User and the Computer settings within the GPO, but The Windows 7 PCs are only getting the User portion of the Policy.  The same policy contains the Machine and the User settings of the policy.

For testing, we are using the same userid.

Both PCs are in the same OU

Doug anyone have any suggestions ?


Thanks.
0
PreludeAdmin
Asked:
PreludeAdmin
1 Solution
 
Venugopal NCommented:
Any specific setting under Computer policy is not applying or the hole Computer policy for win 7 is not applying.

For better picture , can you run the gpresult and post the result from both the System?
0
 
Jason WatkinsIT Project LeaderCommented:
Also, make sure the settings you are looking to apply can do so for Windows 7 and not just XP. Can you clarify what you mean by "Interactive Login"? I take that to mean someone sitting in front of the keyboard and getting in that way.
0
 
David Johnson, CD, MVPOwnerCommented:
We have multiple client Domains, and one is using Interactive Logons

ONLY ONE! Every machine here uses an interactive logon, except the headless servers. Or have you had the settings in the local policies and they are using a local account vice a domain account to logon?  Or are we talking terminal services logon ?

It is better to split machine components from user components. It will save you a lot of work later on.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
172pilotSteveCommented:
If you have the User components and the machine components in the same GPO, that is fine - It will certainly work that way, but remember, the user GPOs are read from the OU where the user exists, and the machine GPOs are read from the OU structure where the machine exists, so unless the machine and user are in the same OU (or the GPO is linked to a parent that includes BOTH ous underneath it), you'll have to have the OU linked in 2 places..

In otherwords, if you have your OU structure like this:

\Company
     \Users
        \Department1
             JohnDoe
     \Computers
         \WinXP
             WindowsXP-PC
         \Windows7
              JohnDoesPC

In this example, if the GPO is only connected to one OU, it better be at the "Company" level, because this is the only common parent between the two nodes where the PC and user are.

This is why admins usually create GPOs that have user settings only, and connect them to the user OU, and then a separate GPO with the machine settings, and connect it to the OU where the computers are, otherwise it's easy to forget what is getting loaded from what.

Note - If you're using "Loopback processing" (set in the machine settings) then everything I said above is wrong - In the case of loopback processing, the user GPOs are read from the location of the computer, but this is not standard, so I'm assuming you're NOT doing this (and SHOULDNT, unless you understand it, and need that for some reason).  

As already mentioned, the GPRESULT output will tell a lot, and also it would be nice to know what you mean by interactive login..
0
 
PreludeAdminAuthor Commented:
The user and computer components of the GPO are only there for testing.  

When just the computer settings were used, GPresult showed that the GPO was being applied to both computers, but only the XP box was actually doing what the GPO was specifying.  I added the user portion to verify, and the user setting was visible on both.
GPO.PNG
0
 
172pilotSteveCommented:
I found this article:
http://social.technet.microsoft.com/Forums/en/w7itproinstall/thread/d0cfd709-d5f6-415a-8b27-0a78890d9933

THis says that on Win7 machines, you need the title AND text before the message will show..  You have both of them in there though, so I'm not sure what to think..  

Just to verify - You do have the GPO attached to the OU where the machine exists, not just where the user exists in the AD, right?  Can you do the GPResult?
0
 
PreludeAdminAuthor Commented:
Thanks Steve, I saw that article as well.   I do have both sections completed.  We do have this GPO implemented on another 2008 R2 domain and working fine.

The GPO ID is {89D0F80A-FF70-4C31-BFBB-99C52FDC40ED}, and I have attached he gpresult output
result.html
0
 
PreludeAdminAuthor Commented:
If i go to secpol.msc on the Win7 PC and edit the same settings that are set in the GPO, I get the expected logon behavior.   It's just like the PC is not reading the assigned GPO
0
 
172pilotSteveCommented:
So..  I dont see a GPO listed with that GUID, so I'm assuming it's the "User Agreement Policy" that shows it's being applied?  

Are the user account AND computer account both in the /Facilities/GPOTest OU?
0
 
PreludeAdminAuthor Commented:
The user account has been there all along, but the computer account was not originally there. (Remember, the Win7 box was not working as expected, but the Win XP box was working)

I added the Win7 computer to the OU (before yesterday) as well, but I have not seen any difference.
0
 
172pilotSteveCommented:
Have you booted the Win7 box since moving it?  the machine settings dont take affect until you boot..  You might want to do a GPUpdate /Force and then boot it to test..
0
 
PreludeAdminAuthor Commented:
I've bounced it MANY times, so just for grins, I put the PC onto the Domain where the GPO is working and lo and behold the User agreement didn't appear there either.  I'm wondering if it's not a desktop  issue instead of a Domain issue.

We're going to get a fresh built win7 PC on the Domain where the GPO works and if it does, THEN move it to the other domain.

I'll post an update after our desktop group gets me a newly imaged PC
0
 
PreludeAdminAuthor Commented:
I've got the GPO applying properly now, and I don't think it was the PC's image.

In addition to applying the GPO to the specific username and the computer name, I ended up adding "Authenticated Users" as well.

Sorry to waste everyone's time, but thanks for the input
0
 
PreludeAdminAuthor Commented:
individual user account and computer account was not enough for the GPO to apply completely
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now