Windows 7 Vs Windows XP GPO

Posted on 2013-01-21
Last Modified: 2013-02-17
We have multiple client Domains, and one is using Interactive Logons. One of our other domains is about to use Interactive logons as well, but testing is not going well. The Windows XP PCs are getting both the User and the Computer settings within the GPO, but the Windows 7 PCs are only getting the User portion of the Policy. The same policy contains the Machine and the User settings of the policy.

For testing, we are using the same userid.

Both PCs are in the same OU

Does anyone have any suggestions?

Question by:PreludeAdmin

Expert Comment

by:Venugopal N
ID: 38801473
Is any specific setting under Computer policy not applying, or is the whole Computer policy for Win 7 not applying?

For a better picture, can you run gpresult and post the results from both systems?

Expert Comment

by:Jason Watkins
ID: 38801667
Also, make sure the settings you are looking to apply can do so for Windows 7 and not just XP. Can you clarify what you mean by "Interactive Login"? I take that to mean someone sitting in front of the keyboard and getting in that way.

Expert Comment

by:David Johnson, CD, MVP
ID: 38801839
We have multiple client Domains, and one is using Interactive Logons

ONLY ONE! Every machine here uses an interactive logon, except the headless servers. Or have you had the settings in the local policies and they are using a local account vice a domain account to logon? Or are we talking terminal services logon?

It is better to split machine components from user components. It will save you a lot of work later on.

Expert Comment

ID: 38805364
If you have the User components and the machine components in the same GPO, that is fine - it will certainly work that way, but remember, the user GPOs are read from the OU where the user exists, and the machine GPOs are read from the OU structure where the machine exists, so unless the machine and user are in the same OU (or the GPO is linked to a parent that includes BOTH OUs underneath it), you'll have to have the OU linked in 2 places.

In other words, if you have your OU structure like this:


In this example, if the GPO is only connected to one OU, it better be at the "Company" level, because this is the only common parent between the two nodes where the PC and user are.

This is why admins usually create GPOs that have user settings only, and connect them to the user OU, and then a separate GPO with the machine settings, and connect it to the OU where the computers are, otherwise it's easy to forget what is getting loaded from what.

Note - If you're using "Loopback processing" (set in the machine settings) then everything I said above is wrong - in the case of loopback processing, the user GPOs are read from the location of the computer, but this is not standard, so I'm assuming you're NOT doing this (and SHOULDN'T, unless you understand it, and need that for some reason).

As already mentioned, the GPRESULT output will tell a lot, and also it would be nice to know what you mean by interactive login..

Author Comment

ID: 38814437
The user and computer components of the GPO are only there for testing.  

When just the computer settings were used, GPresult showed that the GPO was being applied to both computers, but only the XP box was actually doing what the GPO was specifying.  I added the user portion to verify, and the user setting was visible on both.

Expert Comment

ID: 38816764
I found this article:

This says that on Win7 machines, you need the title AND text before the message will show. You have both of them in there though, so I'm not sure what to think.

Just to verify - You do have the GPO attached to the OU where the machine exists, not just where the user exists in the AD, right?  Can you do the GPResult?

Author Comment

ID: 38855557
Thanks Steve, I saw that article as well.   I do have both sections completed.  We do have this GPO implemented on another 2008 R2 domain and working fine.

The GPO ID is {89D0F80A-FF70-4C31-BFBB-99C52FDC40ED}, and I have attached the gpresult output.

Author Comment

ID: 38856749
If I go to secpol.msc on the Win7 PC and edit the same settings that are set in the GPO, I get the expected logon behavior. It's just like the PC is not reading the assigned GPO.

Expert Comment

ID: 38857807
So, I don't see a GPO listed with that GUID, so I'm assuming it's the "User Agreement Policy" that shows it's being applied?

Are the user account AND computer account both in the /Facilities/GPOTest OU?

Author Comment

ID: 38859743
The user account has been there all along, but the computer account was not originally there. (Remember, the Win7 box was not working as expected, but the Win XP box was working)

I added the Win7 computer to the OU (before yesterday) as well, but I have not seen any difference.

Expert Comment

ID: 38859821
Have you booted the Win7 box since moving it? The machine settings don't take effect until you boot. You might want to do a GPUpdate /Force and then boot it to test.

Author Comment

ID: 38864755
I've bounced it MANY times, so just for grins, I put the PC onto the Domain where the GPO is working and lo and behold the User agreement didn't appear there either.  I'm wondering if it's not a desktop  issue instead of a Domain issue.

We're going to get a fresh built win7 PC on the Domain where the GPO works and if it does, THEN move it to the other domain.

I'll post an update after our desktop group gets me a newly imaged PC

Accepted Solution

PreludeAdmin earned 0 total points
ID: 38880155
I've got the GPO applying properly now, and I don't think it was the PC's image.

In addition to applying the GPO to the specific username and the computer name, I ended up adding "Authenticated Users" as well.

Sorry to waste everyone's time, but thanks for the input

Author Closing Comment

ID: 38898154
Individual user account and computer account were not enough for the GPO to apply completely.
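
Added example, not part of the original thread: a PowerShell check of the security filtering that the accepted solution changed. It lists the trustees holding Apply rights on the GPO and reports whether a given computer account is covered by one of them; the computer name `WIN7-TEST01` and the function names are placeholders, and the RSAT GroupPolicy and ActiveDirectory modules are assumed.

```powershell
# Added example; requires the RSAT GroupPolicy and ActiveDirectory modules.
# On 2008 R2-era RSAT the cmdlet is named Get-GPPermissions.
Import-Module GroupPolicy, ActiveDirectory

$GpoGuid      = '89D0F80A-FF70-4C31-BFBB-99C52FDC40ED'  # GPO ID quoted in the thread
$ComputerName = 'WIN7-TEST01'                            # placeholder, not from the thread

function Get-GpoApplyTrustee {
    param([Parameter(Mandatory = $true)][guid]$Guid)
    # Security filtering = trustees holding an allowed "Apply group policy" right.
    Get-GPPermission -Guid $Guid -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
        Select-Object @{n='Name'; e={ $_.Trustee.Name }},
                      @{n='Sid';  e={ $_.Trustee.Sid.Value }},
                      @{n='Type'; e={ $_.Trustee.SidType }}
}

function Test-GpoFilterCoversComputer {
    param(
        [Parameter(Mandatory = $true)][guid]$Guid,
        [Parameter(Mandatory = $true)][string]$Computer
    )
    $account = Get-ADComputer -Identity $Computer
    # SIDs the computer account presents: itself, Authenticated Users (S-1-5-11),
    # and its direct group memberships (nested groups are not expanded here).
    $sids = @($account.SID.Value, 'S-1-5-11')
    $sids += Get-ADPrincipalGroupMembership -Identity $account |
        ForEach-Object { $_.SID.Value }

    $matched = @(Get-GpoApplyTrustee -Guid $Guid | Where-Object { $sids -contains $_.Sid })
    New-Object PSObject -Property @{
        Computer = $account.Name
        Covered  = ($matched.Count -gt 0)
        Via      = ($matched | ForEach-Object { $_.Name }) -join ', '
    }
}

# List the current security filter, then test the placeholder computer against it.
Get-GpoApplyTrustee -Guid $GpoGuid | Format-Table -AutoSize
Test-GpoFilterCoversComputer -Guid $GpoGuid -Computer $ComputerName
```

Run it from a management workstation before and after changing the filter; `Covered = False` means none of the Apply trustees matches the computer account, Authenticated Users, or a group the computer belongs to directly.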
