Windows 7 Vs Windows XP GPO

Posted on 2013-01-21
Last Modified: 2013-02-17
We have multiple client Domains, and one is using Interactive Logons. One of our other domains is about to use Interactive logons as well, but testing is not going well. The Windows XP PCs are getting both the User and the Computer settings within the GPO, but The Windows 7 PCs are only getting the User portion of the Policy.  The same policy contains the Machine and the User settings of the policy.

For testing, we are using the same userid.

Both PCs are in the same OU

Doug anyone have any suggestions ?

Question by:PreludeAdmin
LVL 11

Expert Comment

by:Venugopal N
ID: 38801473
Any specific setting under Computer policy is not applying or the hole Computer policy for win 7 is not applying.

For better picture , can you run the gpresult and post the result from both the System?
LVL 27

Expert Comment

by:Jason Watkins
ID: 38801667
Also, make sure the settings you are looking to apply can do so for Windows 7 and not just XP. Can you clarify what you mean by "Interactive Login"? I take that to mean someone sitting in front of the keyboard and getting in that way.
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 38801839
We have multiple client Domains, and one is using Interactive Logons

ONLY ONE! Every machine here uses an interactive logon, except the headless servers. Or have you had the settings in the local policies and they are using a local account vice a domain account to logon?  Or are we talking terminal services logon ?

It is better to split machine components from user components. It will save you a lot of work later on.
LVL 10

Expert Comment

ID: 38805364
If you have the User components and the machine components in the same GPO, that is fine - It will certainly work that way, but remember, the user GPOs are read from the OU where the user exists, and the machine GPOs are read from the OU structure where the machine exists, so unless the machine and user are in the same OU (or the GPO is linked to a parent that includes BOTH ous underneath it), you'll have to have the OU linked in 2 places..

In otherwords, if you have your OU structure like this:


In this example, if the GPO is only connected to one OU, it better be at the "Company" level, because this is the only common parent between the two nodes where the PC and user are.

This is why admins usually create GPOs that have user settings only, and connect them to the user OU, and then a separate GPO with the machine settings, and connect it to the OU where the computers are, otherwise it's easy to forget what is getting loaded from what.

Note - If you're using "Loopback processing" (set in the machine settings) then everything I said above is wrong - In the case of loopback processing, the user GPOs are read from the location of the computer, but this is not standard, so I'm assuming you're NOT doing this (and SHOULDNT, unless you understand it, and need that for some reason).  

As already mentioned, the GPRESULT output will tell a lot, and also it would be nice to know what you mean by interactive login..

Author Comment

ID: 38814437
The user and computer components of the GPO are only there for testing.  

When just the computer settings were used, GPresult showed that the GPO was being applied to both computers, but only the XP box was actually doing what the GPO was specifying.  I added the user portion to verify, and the user setting was visible on both.
LVL 10

Expert Comment

ID: 38816764
I found this article:

THis says that on Win7 machines, you need the title AND text before the message will show..  You have both of them in there though, so I'm not sure what to think..  

Just to verify - You do have the GPO attached to the OU where the machine exists, not just where the user exists in the AD, right?  Can you do the GPResult?

Author Comment

ID: 38855557
Thanks Steve, I saw that article as well.   I do have both sections completed.  We do have this GPO implemented on another 2008 R2 domain and working fine.

The GPO ID is {89D0F80A-FF70-4C31-BFBB-99C52FDC40ED}, and I have attached he gpresult output
Don't lose your head updating email signatures!

Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users should you!


Author Comment

ID: 38856749
If i go to secpol.msc on the Win7 PC and edit the same settings that are set in the GPO, I get the expected logon behavior.   It's just like the PC is not reading the assigned GPO
LVL 10

Expert Comment

ID: 38857807
So..  I dont see a GPO listed with that GUID, so I'm assuming it's the "User Agreement Policy" that shows it's being applied?  

Are the user account AND computer account both in the /Facilities/GPOTest OU?

Author Comment

ID: 38859743
The user account has been there all along, but the computer account was not originally there. (Remember, the Win7 box was not working as expected, but the Win XP box was working)

I added the Win7 computer to the OU (before yesterday) as well, but I have not seen any difference.
LVL 10

Expert Comment

ID: 38859821
Have you booted the Win7 box since moving it?  the machine settings dont take affect until you boot..  You might want to do a GPUpdate /Force and then boot it to test..

Author Comment

ID: 38864755
I've bounced it MANY times, so just for grins, I put the PC onto the Domain where the GPO is working and lo and behold the User agreement didn't appear there either.  I'm wondering if it's not a desktop  issue instead of a Domain issue.

We're going to get a fresh built win7 PC on the Domain where the GPO works and if it does, THEN move it to the other domain.

I'll post an update after our desktop group gets me a newly imaged PC

Accepted Solution

PreludeAdmin earned 0 total points
ID: 38880155
I've got the GPO applying properly now, and I don't think it was the PC's image.

In addition to applying the GPO to the specific username and the computer name, I ended up adding "Authenticated Users" as well.

Sorry to waste everyone's time, but thanks for the input

Author Closing Comment

ID: 38898154
individual user account and computer account was not enough for the GPO to apply completely

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
A quick guide on how to use Group Policy to create a custom power plan and set it active on Windows 7.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now