Solved

Can't get User Configuration GPO to work

Posted on 2014-10-24
Last Modified: 2014-10-27
I am pulling my hair out and need some help. I have numerous Computer Configuration policies that all seem to work, at least they show up in gpresult with a winning GPO that makes sense. However, I have several User Configuration policies that don't show up in gpresult and don't work. For example, I have one that is designed to stop the screen saver from running if someone in the *Administrators* group is logged onto a *Domain Server* (an OU). So - I link the Domain Server OU at the top of the Scope for this GPO, and under security filtering, I add "Administrators" which I search from the domain search box and it finds. So I think this means that if an Administrator group member is logged into a Domain Server, the GPO should apply. That does not happen. In gpresult, the only mention of my policy is under Computer Configuration and it shows "Denied" as "Empty". Ok, I can reason that since there are no Computer Configuration items in the policy that could be empty. But why do I not see this GPO mentioned in the User Configuration part of the report? In fact the only User Configuration policies that show applied are those in the Default Domain Policy - my others are just missing. The report shows the computer name as a member of the Domain Server group, and shows the user as domain/administrator, a member of the Administrators group. I think I am missing something fundamental in this process since I have been hacking at it off and on for a while and still don't have it right. Help me learn how to get this corrected! Thanks.
Question by:dvanaken
21 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40402918
User policies should be linked to an OU containing USERS not computers.

OR you need to enable loopback processing on your computer policy.
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 40402927
Any setting under user configuration can only be applied to a user *object.* So by linking it to an OU with no user objects, you are implicitly filtering out all users, and thus ...empty.
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40402930
Almost true Cliff, except as I say, in the case of loopback processing.

 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 40402940
Which may, in fact, be applicable here if the OP only wants this screensaver policy on the servers and not all machines (as it sounds like) ...but I wanted to wait and see what they came back with before delving into that scenario. Loopback processing confuses so many people (as does inheritance, the enforced check box, delegation...)
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40402953
It does beg the question though....

"For example, I have one that is designed to stop the screen saver from running if someone in the *Administrators* group is logged onto a *Domain Server* (an OU)."

Who else except an administrator would be allowed to log onto domain Servers?

It sounds as if you are assigning your group policies generally rather than where they are needed.

If a Domain Server only has Domain Administrators logging into it, then do not apply a policy that does things you don't want them to be affected by.

The structure of your AD and the placement of your GPOs is a fine art! Get it right and the job is simple. Do it all without understanding impact and it can lead to a nightmare.
 

Author Comment

by:dvanaken
ID: 40403217
Thank you all. I should have mentioned that I tried to use an OU with users in it but the Administrators group is in (I think) "Builtin" and I wasn't sure if I could just move that to a new group. So if I either move the Administrators group OR I move the actual users that have admin privileges into a new OU and link it, that sounds like step one. So is it ok to just move objects into a new OU?

Neilsr - you are correct that only Admins will be logging into Domain servers.  The reason I have to use User config is that the options I want to control only exist in User policies - not in Computer (if they did I would be past this issue since my Computer configs seem to work).

So say I can get properly linked to a User OU, for security filtering I cannot select the Domain Servers OU - if I add the computers checkbox I can select individual servers - is that the only way to accomplish this?

Thanks again - I'm feeling more optimistic that I'll get this nailed down.  Waiting for your collective advice...
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40403235
BUT if your group policy is in the correct place, the one that APPLIES THE screen saver in the first place, and you apply this to the OU that contains "User Accounts" only, not server Admins, then the question of disabling that policy for admins on servers vanishes.

Like I say, it's all about the structure and layout and how you view USERS as against ADMINS.

TIP:

If you are a Domain Admin then have two Accounts. One of them is a standard USER account for logging into your PC and doing mundane work like Word, emails, web browsing. The second is your ADMIN account that you ONLY use to elevate privilege WHEN NEEDED.

Do not make the common mistake of thinking that because you are an admin that you must be logged in as an admin every second you are on a computer. This is a HUGE security flaw and a common mistake.

If your normal user accounts are first.lastname then have YOUR first.lastname account as a user but also have a first.lastname.admin account for when you REALLY NEED to be a domain admin.

You can then have your ADMIN User accounts in a different OU to USERS and apply different policies easily.
 

Author Comment

by:dvanaken
ID: 40403307
Neilsr-

I don't understand this comment - can you expand a bit?

BUT if your group policy is in the correct place, the one that APPLIES THE screen saver in the first place, and you apply this to the OU that contains "User Accounts" only, not server Admins, then the question of disabling that policy for admins on servers vanishes.


Also what about the questions I asked in my last post - I would really like your thoughts.  Your big-picture comments are helpful but they will require some reflection to fully understand. I don't think I can do any major restructuring in this moment -I am trying to respond to a request to get a few GPOs working.

Thanks again.
 
LVL 24

Expert Comment

by:VB ITS
ID: 40403543
Try adding the computer objects for the domain servers into the security filtering section of the policy you are trying to apply.

I do agree with Neilsr and Cliff though, it does look like your Group Policy structure at the moment is far from optimal. You may want to look at sorting this out once we've sorted out your issue above.
 

Author Comment

by:dvanaken
ID: 40403914
So it is not possible to add an OU to security filtering - only computer objects themselves?  Again I tried this but how do I make a new OU that has Administrators group in it? Can I drag the group from builtin to a new OU? This seems to be where I am stuck.
 
LVL 37

Accepted Solution

by:Neil Russell
Neil Russell earned 500 total points
ID: 40403989
Your GPO is linked to an OU so the security filtering does not come into it. You can't filter by an OU at all, no.
OUs are where you link GPOs to in the first place.

If you want a GPO to ONLY affect a small number of users, either...

place those users in an OU of their own and link a GPO to that OU
OR
leave them in with every other user, create an AD GROUP and put JUST those few users in the group and then use security filtering so that the policy ONLY applies to members of that group.

BUILTIN/Administrators is NOT Domain Admins.

If you are talking about ALL Domain Admins on ALL Servers then just don't ever apply the policy with the screen saver in it to DOMAIN Administrators.
 

Author Comment

by:dvanaken
ID: 40404036
Aha. Now making sense. If I create an AD group with my subset of users and use sec filtering on it, can I still add just the server computer objects into security filtering? In other words can both users and computer objects be used in sec filters?
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40404058
Almost....

The only way a policy can affect BOTH computer AND USERS is if the policy is set for Loopback Processing. (Complex discussion if you thought this was tough going to grasp :P )

It's far simpler just to say that ADMIN Accounts are ONLY used for Admin and User accounts are used for every day use.
That way your Admin Accounts can be excluded from the policy full stop.
 

Author Comment

by:dvanaken
ID: 40406290
Neilsr-  I will avoid loopback processing for now.  I have a scheme that is working but I have two questions (and then I'm done with this).

1.  Can I move domain\administrator (currently in AD group called "Users") into an OU without any side effects?
2. My servers are listed in an OU but I can't specify an OU in security filtering. If I put them in an AD group inside their OU can I then refer to that group in security filtering? Or can I place the OU in a group?

If you can answer these for me, I will be done with many thanks for your persistence!
 
LVL 24

Expert Comment

by:VB ITS
ID: 40406315
1.  Can I move domain\administrator (currently in AD group called "Users") into an OU without any side effects?
Only if the OU in question does not have any Group Policies linked to it. Let's say this picture illustrates (hypothetically) your current OU and GPO setup: http://i.technet.microsoft.com/dynimg/IC499497.jpg 

If you were to move the DOMAIN\Administrator account into the Accounting OU in the above picture, the Account Security GPO - which has been LINKED to the Accounting OU - will apply to all users in this OU, including the Administrator account that we have (hypothetically) moved into this OU. Now, you can actually prevent specific group policies from applying to certain user accounts but that's a discussion for another day.
2. My servers are listed in an OU but I can't specify an OU in security filtering. If I put them in an AD group inside their OU can I then refer to that group in security filtering? Or can I place the OU in a group?
Going from your original post, it appears you only want to get the User Configuration policies to apply. To do this, create a separate GPO containing JUST the User Configuration settings you need, then link it to an OU containing the relevant users that you want it applying to.

Hope this makes some sense!
 

Author Comment

by:dvanaken
ID: 40406327
Neilsr-

Thanks for replying.  I have this exactly and it works:

Going from your original post, it appears you only want to get the User Configuration policies to apply. To do this, create a separate GPO containing JUST the User Configuration settings you need, then link it to an OU containing the relevant users that you want it applying to.


But I still want to select the computers (my servers) that it applies to so I can either list them individually in Sec Filtering, or group them somehow.  Hence this question:

2. My servers are listed in an OU but I can't specify an OU in security filtering. If I put them in an AD group inside their OU can I then refer to that group in security filtering? Or can I place the OU in a group?
 
LVL 24

Expert Comment

by:VB ITS
ID: 40406347
Sorry, I'm not Neilsr :)

If you only want the User Configuration settings to apply to certain computers then you will need to use what's called the Loopback policy which has been mentioned in some of the replies above.

This is where things can get complicated though. Firstly, the Loopback Policy setting can be found here:
In the Group Policy Microsoft Management Console, click Computer Configuration > Administrative Templates > System > Group Policy > User Group Policy loopback processing mode

This Group Policy setting has two options: Merge or Replace. Here's a good article by a fellow EE expert regarding the use of the Loopback policy: http://www.experts-exchange.com/Software/Server_Software/Active_Directory/A_1876-Understanding-Group-Policy-Loopback-Processing.html

Once you have fully understood the implications of using either Merge or Replace (whichever one you go with will depend on the existing policies in your environment - something which we do not have access to), you can move the computer objects into a separate OU, then create a new GPO with the User Group Policy loopback processing mode enabled along with the User Settings you want to apply.
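The two approaches the thread arrives at (the accepted answer's user OU plus group-based security filtering, and the loopback variant in VB ITS's reply above), as an added PowerShell example that is not code from any poster. It uses the RSAT GroupPolicy and ActiveDirectory modules; every OU path, group name and GPO name is an assumption to adjust for your domain.

```powershell
# Added example, not from the thread. All OU paths, group names and GPO names are assumed.
Import-Module GroupPolicy, ActiveDirectory

$Domain    = 'DC=example,DC=local'            # assumed domain DN
$AdminsOU  = "OU=Admin Accounts,$Domain"      # assumed OU holding the *.admin user accounts
$ServersOU = "OU=Domain Servers,$Domain"      # OU named in the question; DN assumed
$Desktop   = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$GpSystem  = 'HKLM\Software\Policies\Microsoft\Windows\System'

# Approach 1 (accepted answer): a user-settings-only GPO linked to an OU that holds
# USER objects, with security filtering narrowed to one AD group of admin accounts.
function New-AdminScreenSaverGpo {
    $gpo = New-GPO -Name 'U-Admins-NoScreenSaver' -Comment 'Disable screen saver for admin accounts'
    # User Config > Admin Templates > Control Panel > Personalization > "Enable screen saver" = Disabled
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $Desktop -ValueName 'ScreenSaveActive' `
        -Type String -Value '0' | Out-Null
    New-GPLink -Name $gpo.DisplayName -Target $AdminsOU -LinkEnabled Yes | Out-Null
    # Swap the default "Authenticated Users: Apply" for the group, but KEEP Read for Authenticated
    # Users: since MS16-072 (2016) the computer account must be able to read user GPOs.
    Set-GPPermission -Name $gpo.DisplayName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $gpo.DisplayName -TargetName 'GPO-NoScreenSaver-Admins' -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    return $gpo
}

# Approach 2 (VB ITS's reply): the same user setting applied per COMPUTER via loopback.
# Linked to the server OU, so it reaches whoever logs on to those servers.
function New-ServerLoopbackGpo {
    param([ValidateSet('Merge', 'Replace')][string]$Mode = 'Merge')
    $gpo = New-GPO -Name 'C-DomainServers-Loopback-NoScreenSaver'
    # Computer Config > Admin Templates > System > Group Policy >
    # "User Group Policy loopback processing mode": UserPolicyMode 1 = Merge, 2 = Replace
    $modeValue = if ($Mode -eq 'Replace') { 2 } else { 1 }
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $GpSystem -ValueName 'UserPolicyMode' `
        -Type DWord -Value $modeValue | Out-Null
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $Desktop -ValueName 'ScreenSaveActive' `
        -Type String -Value '0' | Out-Null
    New-GPLink -Name $gpo.DisplayName -Target $ServersOU -LinkEnabled Yes | Out-Null
    return $gpo
}

# Who is allowed to APPLY a GPO (what gpresult will honour), checked before any logon.
function Show-GpoApplyScope {
    param([string]$Name)
    Get-GPPermission -Name $Name -All | Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}
```

Run `Show-GpoApplyScope` against each new GPO to confirm only the intended group (or, for the loopback GPO, Authenticated Users) holds Apply before checking gpresult on a server.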
 

Author Comment

by:dvanaken
ID: 40406410
Sorry, my bad VB-ITS.

I currently have this working where I am applying this User policy only to certain machines by linking the GPO to a set of Users and then using Security Filtering to specify the machines.  It has not required loopback processing to work.

I am simply looking for a way to re-organize my ADUC so that I can use a group name in the Security Filtering rather than list the machines separately.    

So I am trying to learn if I can put the servers in an AD group inside their OU so I can refer to that group in security filtering. The other option I had asked about was to place the entire OU in a group. The goal of both these would be to have a single name to use in Security Filtering to refer to the chosen servers.

Can you shed light on these options?  Thanks.
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 500 total points
ID: 40406443
1.  Can I move domain\administrator (currently in AD group called "Users") into an OU without any side effects?
YES. USERS is a CONTAINER and NOT an OU. You can not link policies to a Container, ONLY to OUs, therefore it is safe to do so.
 
LVL 24

Expert Comment

by:VB ITS
ID: 40406450
Ahh right, sorry I didn't realise you already had it working with the method above.

I'm not sure if it'll work with the Security Filtering section in Group Policy as I've never tried it, but yes you can add computer objects to a group. Here's how: http://technet.microsoft.com/en-us/library/cc780108(v=ws.10).aspx#BKMK_winui
 

Author Closing Comment

by:dvanaken
ID: 40406518
Thank you both for getting my head cleared up on this - I have a much better understanding now. Best regards.

