Solved

Windows 7 Vs Windows XP GPO

Posted on 2013-01-21
14
300 Views
Last Modified: 2013-02-17
We have multiple client Domains, and one is using Interactive Logons. One of our other domains is about to use Interactive logons as well, but testing is not going well. The Windows XP PCs are getting both the User and the Computer settings within the GPO, but The Windows 7 PCs are only getting the User portion of the Policy.  The same policy contains the Machine and the User settings of the policy.

For testing, we are using the same userid.

Both PCs are in the same OU

Doug anyone have any suggestions ?


Thanks.
0
Comment
Question by:PreludeAdmin
14 Comments
 
LVL 11

Expert Comment

by:Venugopal N
ID: 38801473
Any specific setting under Computer policy is not applying or the hole Computer policy for win 7 is not applying.

For better picture , can you run the gpresult and post the result from both the System?
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 38801667
Also, make sure the settings you are looking to apply can do so for Windows 7 and not just XP. Can you clarify what you mean by "Interactive Login"? I take that to mean someone sitting in front of the keyboard and getting in that way.
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 38801839
We have multiple client Domains, and one is using Interactive Logons

ONLY ONE! Every machine here uses an interactive logon, except the headless servers. Or have you had the settings in the local policies and they are using a local account vice a domain account to logon?  Or are we talking terminal services logon ?

It is better to split machine components from user components. It will save you a lot of work later on.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 10

Expert Comment

by:172pilotSteve
ID: 38805364
If you have the User components and the machine components in the same GPO, that is fine - It will certainly work that way, but remember, the user GPOs are read from the OU where the user exists, and the machine GPOs are read from the OU structure where the machine exists, so unless the machine and user are in the same OU (or the GPO is linked to a parent that includes BOTH ous underneath it), you'll have to have the OU linked in 2 places..

In otherwords, if you have your OU structure like this:

\Company
     \Users
        \Department1
             JohnDoe
     \Computers
         \WinXP
             WindowsXP-PC
         \Windows7
              JohnDoesPC

In this example, if the GPO is only connected to one OU, it better be at the "Company" level, because this is the only common parent between the two nodes where the PC and user are.

This is why admins usually create GPOs that have user settings only, and connect them to the user OU, and then a separate GPO with the machine settings, and connect it to the OU where the computers are, otherwise it's easy to forget what is getting loaded from what.

Note - If you're using "Loopback processing" (set in the machine settings) then everything I said above is wrong - In the case of loopback processing, the user GPOs are read from the location of the computer, but this is not standard, so I'm assuming you're NOT doing this (and SHOULDNT, unless you understand it, and need that for some reason).  

As already mentioned, the GPRESULT output will tell a lot, and also it would be nice to know what you mean by interactive login..
0
 

Author Comment

by:PreludeAdmin
ID: 38814437
The user and computer components of the GPO are only there for testing.  

When just the computer settings were used, GPresult showed that the GPO was being applied to both computers, but only the XP box was actually doing what the GPO was specifying.  I added the user portion to verify, and the user setting was visible on both.
GPO.PNG
0
 
LVL 10

Expert Comment

by:172pilotSteve
ID: 38816764
I found this article:
http://social.technet.microsoft.com/Forums/en/w7itproinstall/thread/d0cfd709-d5f6-415a-8b27-0a78890d9933

THis says that on Win7 machines, you need the title AND text before the message will show..  You have both of them in there though, so I'm not sure what to think..  

Just to verify - You do have the GPO attached to the OU where the machine exists, not just where the user exists in the AD, right?  Can you do the GPResult?
0
 

Author Comment

by:PreludeAdmin
ID: 38855557
Thanks Steve, I saw that article as well.   I do have both sections completed.  We do have this GPO implemented on another 2008 R2 domain and working fine.

The GPO ID is {89D0F80A-FF70-4C31-BFBB-99C52FDC40ED}, and I have attached he gpresult output
result.html
0
 

Author Comment

by:PreludeAdmin
ID: 38856749
If i go to secpol.msc on the Win7 PC and edit the same settings that are set in the GPO, I get the expected logon behavior.   It's just like the PC is not reading the assigned GPO
0
 
LVL 10

Expert Comment

by:172pilotSteve
ID: 38857807
So..  I dont see a GPO listed with that GUID, so I'm assuming it's the "User Agreement Policy" that shows it's being applied?  

Are the user account AND computer account both in the /Facilities/GPOTest OU?
0
 

Author Comment

by:PreludeAdmin
ID: 38859743
The user account has been there all along, but the computer account was not originally there. (Remember, the Win7 box was not working as expected, but the Win XP box was working)

I added the Win7 computer to the OU (before yesterday) as well, but I have not seen any difference.
0
 
LVL 10

Expert Comment

by:172pilotSteve
ID: 38859821
Have you booted the Win7 box since moving it?  the machine settings dont take affect until you boot..  You might want to do a GPUpdate /Force and then boot it to test..
0
 

Author Comment

by:PreludeAdmin
ID: 38864755
I've bounced it MANY times, so just for grins, I put the PC onto the Domain where the GPO is working and lo and behold the User agreement didn't appear there either.  I'm wondering if it's not a desktop  issue instead of a Domain issue.

We're going to get a fresh built win7 PC on the Domain where the GPO works and if it does, THEN move it to the other domain.

I'll post an update after our desktop group gets me a newly imaged PC
0
 

Accepted Solution

by:
PreludeAdmin earned 0 total points
ID: 38880155
I've got the GPO applying properly now, and I don't think it was the PC's image.

In addition to applying the GPO to the specific username and the computer name, I ended up adding "Authenticated Users" as well.

Sorry to waste everyone's time, but thanks for the input
0
 

Author Closing Comment

by:PreludeAdmin
ID: 38898154
individual user account and computer account was not enough for the GPO to apply completely
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You may have a outside contractor who comes in once a week or seasonal to do some work in your office but you only want to give him access to the programs and files he needs and keep privet all other documents and programs, can you do this on a loca…
While working, an annoying popup showing below will come and we cannot cancel or close it form the screen. The error message will come again and again.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum editing capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question