Windows 7 Vs Windows XP GPO

Posted on 2013-01-21
Last Modified: 2013-02-17
We have multiple client Domains, and one is using Interactive Logons. One of our other domains is about to use Interactive logons as well, but testing is not going well. The Windows XP PCs are getting both the User and the Computer settings within the GPO, but The Windows 7 PCs are only getting the User portion of the Policy.  The same policy contains the Machine and the User settings of the policy.

For testing, we are using the same userid.

Both PCs are in the same OU

Doug anyone have any suggestions ?

Question by:PreludeAdmin
LVL 11

Expert Comment

by:Venugopal N
ID: 38801473
Any specific setting under Computer policy is not applying or the hole Computer policy for win 7 is not applying.

For better picture , can you run the gpresult and post the result from both the System?
LVL 27

Expert Comment

by:Jason Watkins
ID: 38801667
Also, make sure the settings you are looking to apply can do so for Windows 7 and not just XP. Can you clarify what you mean by "Interactive Login"? I take that to mean someone sitting in front of the keyboard and getting in that way.
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 38801839
We have multiple client Domains, and one is using Interactive Logons

ONLY ONE! Every machine here uses an interactive logon, except the headless servers. Or have you had the settings in the local policies and they are using a local account vice a domain account to logon?  Or are we talking terminal services logon ?

It is better to split machine components from user components. It will save you a lot of work later on.
LVL 10

Expert Comment

ID: 38805364
If you have the User components and the machine components in the same GPO, that is fine - It will certainly work that way, but remember, the user GPOs are read from the OU where the user exists, and the machine GPOs are read from the OU structure where the machine exists, so unless the machine and user are in the same OU (or the GPO is linked to a parent that includes BOTH ous underneath it), you'll have to have the OU linked in 2 places..

In otherwords, if you have your OU structure like this:


In this example, if the GPO is only connected to one OU, it better be at the "Company" level, because this is the only common parent between the two nodes where the PC and user are.

This is why admins usually create GPOs that have user settings only, and connect them to the user OU, and then a separate GPO with the machine settings, and connect it to the OU where the computers are, otherwise it's easy to forget what is getting loaded from what.

Note - If you're using "Loopback processing" (set in the machine settings) then everything I said above is wrong - In the case of loopback processing, the user GPOs are read from the location of the computer, but this is not standard, so I'm assuming you're NOT doing this (and SHOULDNT, unless you understand it, and need that for some reason).  

As already mentioned, the GPRESULT output will tell a lot, and also it would be nice to know what you mean by interactive login..

Author Comment

ID: 38814437
The user and computer components of the GPO are only there for testing.  

When just the computer settings were used, GPresult showed that the GPO was being applied to both computers, but only the XP box was actually doing what the GPO was specifying.  I added the user portion to verify, and the user setting was visible on both.
LVL 10

Expert Comment

ID: 38816764
I found this article:

THis says that on Win7 machines, you need the title AND text before the message will show..  You have both of them in there though, so I'm not sure what to think..  

Just to verify - You do have the GPO attached to the OU where the machine exists, not just where the user exists in the AD, right?  Can you do the GPResult?

Author Comment

ID: 38855557
Thanks Steve, I saw that article as well.   I do have both sections completed.  We do have this GPO implemented on another 2008 R2 domain and working fine.

The GPO ID is {89D0F80A-FF70-4C31-BFBB-99C52FDC40ED}, and I have attached he gpresult output
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.


Author Comment

ID: 38856749
If i go to secpol.msc on the Win7 PC and edit the same settings that are set in the GPO, I get the expected logon behavior.   It's just like the PC is not reading the assigned GPO
LVL 10

Expert Comment

ID: 38857807
So..  I dont see a GPO listed with that GUID, so I'm assuming it's the "User Agreement Policy" that shows it's being applied?  

Are the user account AND computer account both in the /Facilities/GPOTest OU?

Author Comment

ID: 38859743
The user account has been there all along, but the computer account was not originally there. (Remember, the Win7 box was not working as expected, but the Win XP box was working)

I added the Win7 computer to the OU (before yesterday) as well, but I have not seen any difference.
LVL 10

Expert Comment

ID: 38859821
Have you booted the Win7 box since moving it?  the machine settings dont take affect until you boot..  You might want to do a GPUpdate /Force and then boot it to test..

Author Comment

ID: 38864755
I've bounced it MANY times, so just for grins, I put the PC onto the Domain where the GPO is working and lo and behold the User agreement didn't appear there either.  I'm wondering if it's not a desktop  issue instead of a Domain issue.

We're going to get a fresh built win7 PC on the Domain where the GPO works and if it does, THEN move it to the other domain.

I'll post an update after our desktop group gets me a newly imaged PC

Accepted Solution

PreludeAdmin earned 0 total points
ID: 38880155
I've got the GPO applying properly now, and I don't think it was the PC's image.

In addition to applying the GPO to the specific username and the computer name, I ended up adding "Authenticated Users" as well.

Sorry to waste everyone's time, but thanks for the input

Author Closing Comment

ID: 38898154
individual user account and computer account was not enough for the GPO to apply completely

Featured Post

Too many email signature changes to deal with?

Are you constantly being asked to update your organization's email signatures? Do they take up too much of your time? Wouldn't you love to be able to manage all signatures from one central location, easily design them and deploy them quickly to users. Well, you can!

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Windows 7 Share with XP 22 70
Sophos Enterprise migration to Cloud? 2 17
Microsoft Lync 2013 4 44
Hard drive full, but how? 13 53
If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now