Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Windows 2008 GPO Denied Security Error

Posted on 2013-10-23
6
Medium Priority
?
746 Views
Last Modified: 2013-10-31
Hello,
Here are the basics:
Windows 2008 R2 Server, Windows 7 workstation, Group Policy Management, User Configuration>Policies>Internet Explorer Maintenance

-I have created 2 security groups in AD. One for Computers, One for Users
-I have created a new GPO to set a local policy on the windows 7 workstations under computer configuration (works fine) and user policy to add browser configurations (does not work). I changed the names of the actual domain to DOMAIN in the error log and blacked it out in the attached pic of the GPO Settings. Under delegation the WDS Security Group has read and AGP allowed. This is being tested on 1 workstation and one user only. I have tried recreating this. Same results. Verified everything I think I can verify. Same results. There was an older proxy policy removed and no longer in user however on the workstation when running gpresult I still see the user results as the old policy name and the old policy settings although the policy is no longer in place at all as you can see from attached picture.  Thanks in advance. I have scoured the internet and tried many different things. Any help would be appreciated.

from the error log
The following Group Policy objects were not applicable because they were filtered out :

Local Group Policy
      Not Applied (Empty)
WDS Test
      Denied (Security)
Details:
DescriptionString Local Group Policy Not Applied (Empty) WDS Test Denied (Security)  
  GPOInfoList <GPO ID="Local Group Policy"><Name>Local Group Policy</Name><Version>0</Version><SOM>Local</SOM><FSPath>C:\Windows\System32\GroupPolicy\Machine</FSPath><Reason>NOTAPPLIED-EMPTY</Reason></GPO><GPO ID="{47DE7E55-B477-45B6-8D6D-CAA3B85F4AFD}"><Name>WDS Test</Name><Version>-65535</Version><SOM>LDAP://DC=DOMAIN,DC=com</SOM><FSPath>\\DOMAIN.com\SysVol\DOMIAN.com\Policies\{47DE7E55-B477-45B6-8D6D-CAA3B85F4AFD}\Machine</FSPath><Reason>DENIED-SECURITY</Reason></GPO>
gposettings.jpg
0
Comment
Question by:jsgould
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
6 Comments
 
LVL 12

Expert Comment

by:Sommerblink
ID: 39600425
Have you tried splitting the policy into two policies? One with the computer-side policies (disable the user side of the GP) and the computer group as a security filter and another policy with the user-side policies (and disable the computer side of the GP) with the user group as the security filter?

As far as I know, if the security filter fails any of the groups, the whole GPO fails.
0
 

Author Comment

by:jsgould
ID: 39600449
ok i'll try that and see.
0
 

Author Comment

by:jsgould
ID: 39601375
that didn't do anything. Question I have 2 windows 2008 servers. both with GPO loaded. First should it be loaded on both servers and for some reason one server has Internet explorer maintenance under user windows settings and the other server does not have it? could this be causing the problem? would it matter if i removed gpo from one of the servers?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:jsgould
ID: 39603071
Well i think i have found the issue and it's ie10 related although I think there needs to be a change or addition somewhere. I need to use GPP but when I goto Internet Settings>new> I only have options for for ie8 and below Ie9 and IE 10 are not listed. I have tried downloading the templates for ie 9 and ie10 and following the instructions (  for example http://www.microsoft.com/en-us/download/details.aspx?id=8386)  I get nothing still just ie 8.
0
 

Accepted Solution

by:
jsgould earned 0 total points
ID: 39603115
I found another solution. I use a registry edit from GPP on the client station. Makes everything easier.

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

ProxyEnable, ProxyServer and ProxyOverride, AutoConfigURL
0
 

Author Closing Comment

by:jsgould
ID: 39613561
I wasn't getting answers and many people had this issue, So I found another source and it works well
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick guide on how to use Group Policy to create a custom power plan and set it active on Windows 7.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This Micro Tutorial will give you basic overview of the control panel section on Windows 7. It will depth in Network and Internet, Hardware and Sound, etc. This will be demonstrated using Windows 7 operating system.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question