Solved

Can't get User Configuration GPO to work

Posted on 2014-10-24, last modified 2014-10-27. 21 comments, 295 views.
I am pulling my hair out and need some help. I have numerous Computer Configuration policies that all seem to work, at least they show up in gpresult with a winning GPO that makes sense. However, I have several User Configuration policies that don't show up in gpresult and don't work.

For example, I have one that is designed to stop the screen saver from running if someone in the *Administrators* group is logged onto a *Domain Server* (an OU). So - I link the Domain Server OU at the top of the Scope for this GPO, and under security filtering, I add "Administrators" which I search from the domain search box and it finds. So I think this means that if an Administrator group member is logged into a Domain Server, the GPO should apply. That does not happen.

In gpresult, the only mention of my policy is under Computer Configuration and it shows "Denied" as "Empty". Ok, I can reason that since there are no Computer Configuration items in the policy that could be empty. But why do I not see this GPO mentioned in the User Configuration part of the report? In fact the only User Configuration policies that show applied are those in the Default Domain Policy - my others are just missing. The report shows the computer name as a member of the Domain Server group, and shows the user as domain/administrator, a member of the Administrators group.

I think I am missing something fundamental in this process since I have been hacking at it off and on for a while and still don't have it right. Help me learn how to get this corrected! Thanks.
Question by: dvanaken
21 Comments
 
Expert Comment by Neil Russell (LVL 37):
User policies should be linked to an OU containing USERS not computers.

OR you need to enable loopback processing on your computer policy.
Expert Comment by Cliff Galiher (LVL 56):
Any setting under user configuration can only be applied to a user *object.* So by linking it to an OU with no user objects, you are implicitly filtering out all users, and thus ...empty.
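The two conditions Cliff describes (a link on the OU chain above the user object, and Apply permission for the user or one of its groups) are exactly what decides whether a user-side GPO turns up in the User Configuration part of gpresult. The following diagnostic is an added example, not code from this thread; it assumes the RSAT GroupPolicy and ActiveDirectory PowerShell modules and a GPO name and sAMAccountName supplied by the caller. It walks up from the user object to the nearest OU (CN= containers such as CN=Users cannot carry links, so they are skipped), asks Get-GPInheritance whether the GPO is linked anywhere on that chain, and checks the GPO's security filtering against the user's SID, its direct groups and Authenticated Users.

```powershell
# Added diagnostic, not from this thread. Assumes the RSAT GroupPolicy and ActiveDirectory
# modules are installed and that it runs as an account that can read AD and the GPO.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-UserGpoScope {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $gpo  = Get-GPO -Name $GpoName
    $user = Get-ADUser -Identity $SamAccountName

    # Walk up from the user object to the nearest OU or the domain root. CN= containers
    # (for example CN=Users) cannot carry GPO links, so they are stripped off.
    $scope = $user.DistinguishedName
    while ($scope -match '^CN=') {
        $next = $scope -replace '^CN=(?:[^,\\]|\\.)*,', ''
        if ($next -eq $scope) { break }   # malformed DN; stop rather than loop forever
        $scope = $next
    }

    # InheritedGpoLinks already reflects link order, Enforced and "Block Inheritance".
    $inheritance = Get-GPInheritance -Target $scope
    $link = $inheritance.InheritedGpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id } | Select-Object -First 1

    # Security filtering is evaluated against the USER identity for user settings.
    # Considered here: the user's own SID, its direct groups, and Authenticated Users (S-1-5-11).
    $sids = @($user.SID.Value, 'S-1-5-11') +
            @(Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object { $_.SID.Value })
    $apply = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied -and
                       $sids -contains $_.Trustee.Sid.Value }

    [pscustomobject]@{
        Gpo                 = $GpoName
        User                = $SamAccountName
        UserScopeContainer  = $scope
        LinkedAboveUser     = [bool]$link
        LinkEnabled         = if ($link) { $link.Enabled } else { $false }
        UserHasApply        = [bool]$apply
        UserSettingsEnabled = $gpo.User.Enabled
        WillApplyToUser     = ([bool]$link -and $link.Enabled -and [bool]$apply -and $gpo.User.Enabled)
    }
}

# Usage with assumed names:
# Test-UserGpoScope -GpoName 'Disable Screensaver' -SamAccountName 'administrator'
```

A GPO linked only to a computer OU gives LinkedAboveUser = False for every user outside that OU, which is the "missing from User Configuration" symptom in the question; nested group membership is not expanded here, so a user who gets Apply only through a nested group shows UserHasApply = False.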
Expert Comment by Neil Russell (LVL 37):
Almost true Cliff, except as I say, in the case of loopback processing.
Expert Comment by Cliff Galiher (LVL 56):
Which may, in fact, be applicable here if the OP only wants this screensaver policy on the servers and not all machines (as it sounds like) ...but I wanted to wait and see what they came back with before delving into that scenario. Loopback processing confuses so many people (so does inheritance, the enforced check box, delegation...)
Expert Comment by Neil Russell (LVL 37):
It does beg the question though....

" For example, i have one that  is designed to stop the screen saver from running if someone in the *Administrators* group is logged onto a *Domain Server* (an OU)."

Who else except an administrator would be allowed to log onto domain Servers?

It sounds as if you are assigning your group policies generally rather than where they are needed.

If a Domain Server only has Domain Administrators logging into it, then do not apply a policy that does things you don't want them to be affected by.

The structure of your AD and the placement of your GPOs is a fine art! Get it right and the job is simple. Do it all without understanding impact and it can lead to a nightmare.
Author Comment by dvanaken:
Thank you all. I should have mentioned that I tried to use an OU with users in it but the Administrators group is in (I think) "Builtin" and I wasn't sure if I could just move that to a new group. So if I either move the Administrators group OR I move the actual users that have admin privileges into a new OU and link it, that sounds like step one. So is it ok to just move objects into a new OU?

Neilsr - you are correct that only Admins will be logging into Domain servers.  The reason I have to use User config is that the options I want to control only exist in User policies - not in Computer (if they did I would be past this issue since my Computer configs seem to work).

So say I can get properly linked to a User OU, for security filtering I cannot select the Domain Servers OU - if I add the computers checkbox I can select individual servers - is that the only way to accomplish this?

Thanks again - I'm feeling more optimistic that I'll get this nailed down.  Waiting for your collective advice...
Expert Comment by Neil Russell (LVL 37):
BUT if your group policy is in the correct place, the one that APPLIES THE screen saver in the first place, and you apply this to the OU that contains "User Accounts" only, not server Admins, then the question of disabling that policy for admins on servers vanishes.

Like I say, it's all about the structure and layout and how you view USERS as against ADMINS.

TIP:

If you are a Domain Admin then have two Accounts. One of them is a standard USER account for logging into your PC and doing mundane work like word, emails, web browsing. The second is your ADMIN account that you ONLY use to elevate privilege WHEN NEEDED.

Do not make the common mistake of thinking that because you are an admin that you must be logged in as an admin every second you are on a computer. This is a HUGE security flaw and a common mistake.

If your normal user accounts are first.lastname then have YOUR first.lastname account as a user but also have a first.lastname.admin account for when you REALLY NEED to be a domain admin.

You can then have your ADMIN User accounts in a different OU to USERS and apply different policies easily.
Author Comment by dvanaken:
Neilsr-

I don't understand this comment - can you expand a bit?

> BUT if your group policy is in the correct place, the one that APPLIES THE screen saver in the first place and aply this to the OU that contains "User Accounts" only, not server Admins, then the question of disabling that policy for admins on servers vanishes.

Also what about the questions I asked in my last post - I would really like your thoughts. Your big-picture comments are helpful but they will require some reflection to fully understand. I don't think I can do any major restructuring in this moment - I am trying to respond to a request to get a few GPOs working.

Thanks again.
Expert Comment by VB ITS (LVL 24):
Try adding the computer objects for the domain servers into the security filtering section of the policy you are trying to apply.

I do agree with Neilsr and Cliff though, it does look like your Group Policy structure at the moment is far from optimal. You may want to look at sorting this out once we've sorted out your issue above.
Author Comment by dvanaken:
So it is not possible to add an OU to security filtering - only computer objects themselves?  Again I tried this but how do I make a new OU that has Administrators group in it? Can I drag the group from builtin to a new OU? This seems to be where I am stuck.
Accepted Solution by Neil Russell (LVL 37, earned 500 total points):
Your GPO is linked to an OU so the security filtering does not come into it. You can't filter by an OU at all, no.
OUs are where you link GPOs to in the first place.

If you want a GPO to ONLY affect a small number of users, either...

place those users in an OU of their own and link a GPO to that OU
OR
leave them in with every other user, create an AD GROUP and put JUST those few users in the group and then use security filtering so that the policy ONLY applies to members of that group.

BUILTIN/Administrators is NOT Domain Admins.

If you are talking about ALL Domain Admins on ALL Servers then just don't ever apply the policy with the screen saver in it to DOMAIN Administrators.
Author Comment by dvanaken:
Aha. Now making sense. If I create an ad group with my subset of users and use sec filtering on it, can I still add just the server computer objects into security filtering?  In other words can both users and computer objects be used in sec filters?
Expert Comment by Neil Russell (LVL 37):
Almost....

The only way a policy can affect BOTH computer AND USERS is if the policy is set for Loopback Processing. (Complex discussion if you thought this was tough going to grasp :P )

It's far simpler just to say that ADMIN Accounts are ONLY used for Admin and User accounts are used for every day use.
That way your Admin Accounts can be excluded from the policy full stop.
Author Comment by dvanaken:
Neilsr-  I will avoid loopback processing for now.  I have a scheme that is working but I have two questions (and then I'm done with this).

1. Can I move domain\administrator (currently in the AD container called "Users") into an OU without any side effects?
2. My servers are listed in an OU but I can't specify an OU in security filtering. If I put them in an AD group inside their OU can I then refer to that group in security filtering? Or can I place the OU in a group?

If you can answer these for me, I will be done with many thanks for your persistence!
Expert Comment by VB ITS (LVL 24):
> 1. Can I move domain\administrator (currently in AD group called "Users") into an OU without any side effects?

Only if the OU in question does not have any Group Policies linked to it. Let's say this picture illustrates (hypothetically) your current OU and GPO setup: http://i.technet.microsoft.com/dynimg/IC499497.jpg

If you were to move the DOMAIN\Administrator account into the Accounting OU in the above picture, the Account Security GPO - which has been LINKED to the Accounting OU - will apply to all users in this OU, including the Administrator account that we have (hypothetically) moved into this OU. Now, you can actually prevent specific group policies from applying to certain user accounts but that's a discussion for another day.

> 2. My servers are listed in an OU but I can't specify an OU in security filtering. If I put them in an AD group inside their OU can I then refer to that group in security filtering? Or can I place the OU in a group?

Going from your original post, it appears you only want to get the User Configuration policies to apply. To do this, create a separate GPO containing JUST the User Configuration settings you need, then link it to an OU containing the relevant users that you want it applying to.

Hope this makes some sense!
Author Comment by dvanaken:
Neilsr-

Thanks for replying.  I have this exactly and it works:

> Going from your original post, it appears you only want to get the User Configuration policies to apply. To do this, create a separate GPO containing JUST the User Configuration settings you need, then link it to an OU containing the relevant users that you want it applying to.

But I still want to select the computers (my servers) that it applies to so I can either list them individually in Sec Filtering, or group them somehow. Hence this question:

> 2. My servers are listed in an OU but I can't specify an OU in security filtering. If I put them in an AD group inside their OU can I then refer to that group in security filtering? Or can I place the OU in a group?
Expert Comment by VB ITS (LVL 24):
Sorry, I'm not Neilsr :)

If you only want the User Configuration settings to apply to certain computers then you will need to use what's called the Loopback policy which has been mentioned in some of the replies above.

This is where things can get complicated though. Firstly, the Loopback Policy setting can be found here:
In the Group Policy Microsoft Management Console, click Computer Configuration > Administrative Templates > System > Group Policy > User Group Policy loopback processing mode

This Group Policy setting has two options: Merge or Replace. Here's a good article by a fellow EE expert regarding the use of the Loopback policy: http://www.experts-exchange.com/Software/Server_Software/Active_Directory/A_1876-Understanding-Group-Policy-Loopback-Processing.html

Once you have fully understood the implications of using either Merge or Replace (whichever one you go with will depend on the existing policies in your environment - something which we do not have access to), you can move the computer objects into a separate OU, then create a new GPO with the User Group Policy loopback processing mode enabled along with the User Settings you want to apply.
Author Comment by dvanaken:
Sorry, my bad VB-ITS.

I currently have this working where I am applying this User policy only to certain machines by linking the GPO to a set of Users and then using Security Filtering to specify the machines.  It has not required loopback processing to work.

I am simply looking for a way to re-organize my ADUC so that I can use a group name in the Security Filtering rather than list the machines separately.

So I am trying to learn if I can put the servers in an AD group inside their OU so I can refer to that group in security filtering. The other option I had asked about was to place the entire OU in a group. The goal of both these would be to have a single name to use in Security Filtering to refer to the chosen servers.

Can you shed light on these options?  Thanks.
Assisted Solution by Neil Russell (LVL 37, earned 500 total points):
> 1. Can I move domain\administrator (currently in AD group called "Users") into an OU without any side effects?

YES. USERS is a CONTAINER and NOT an OU. You cannot link policies to a Container, ONLY to OUs, therefore it is safe to do so.
Expert Comment by VB ITS (LVL 24):
Ahh right, sorry I didn't realise you already had it working with the method above.

I'm not sure if it'll work with the Security Filtering section in Group Policy as I've never tried it, but yes you can add computer objects to a group. Here's how: http://technet.microsoft.com/en-us/library/cc780108(v=ws.10).aspx#BKMK_winui
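Pulling the thread's pieces together (the accepted solution's "AD group plus security filtering", VB ITS's loopback setting and its Merge/Replace choice, and the question of using a group of computer objects as a single name in security filtering), here is an added example of building that configuration with the GroupPolicy and ActiveDirectory PowerShell modules. It is not code from this thread or from Microsoft; the OU 'Domain Servers', the user group 'Server Admins', the computer group 'Screen Saver Servers' and the GPO name are assumed names. The "Enable screen saver" user setting is written through its registry-backed policy value, and loopback Merge is chosen so that the admins' ordinary user policies still apply on the servers; Authenticated Users deliberately keeps Read so every computer can still read the GPO, while Apply is granted to both the user group and the computer group, which is the conservative filter for a loopback GPO.

```powershell
# Added example, not from this thread. Assumed names: OU 'Domain Servers', groups
# 'Server Admins' (admin user accounts) and 'Screen Saver Servers' (computer objects),
# GPO 'Server Admin - No Screen Saver'. Requires RSAT GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$serverOu  = "OU=Domain Servers,$domainDn"
$userGroup = 'Server Admins'
$pcGroup   = 'Screen Saver Servers'
$gpoName   = 'Server Admin - No Screen Saver'

# 1. A security group of COMPUTER objects gives security filtering one name to refer to
#    instead of listing every server. Computer objects are ordinary group members.
if (-not (Get-ADGroup -Filter "Name -eq '$pcGroup'")) {
    New-ADGroup -Name $pcGroup -GroupScope Global -GroupCategory Security -Path $serverOu
}
Get-ADComputer -SearchBase $serverOu -Filter * |
    ForEach-Object { Add-ADGroupMember -Identity $pcGroup -Members $_ }

# 2. The GPO carries only the user-side setting. "Enable screen saver" (User Configuration >
#    Administrative Templates > Control Panel > Personalization) is this policy value.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -ValueName 'ScreenSaveActive' -Type String -Value '0' | Out-Null

# 3. Loopback (Computer Configuration > Administrative Templates > System > Group Policy >
#    "User Group Policy loopback processing mode"). UserPolicyMode 1 = Merge, 2 = Replace.
#    Merge keeps the user's own policies and adds these; Replace drops them for this logon.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 4. Link to the OU holding the COMPUTERS. With loopback on, the computer's OU decides
#    which user settings are processed, which a plain computer-OU link could not do.
$linked = (Get-GPInheritance -Target $serverOu).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $serverOu -LinkEnabled Yes | Out-Null
}

# 5. Security filtering. Authenticated Users is reduced to Read only (-Replace removes its
#    default Apply); Apply goes to the admin user group and to the server computer group.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $userGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName $pcGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Review the resulting filter; then gpupdate /force on a server and gpresult /r /scope:user.
Get-GPPermission -Name $gpoName -All | Format-Table Trustee, Permission, Denied
```

Neil's point earlier in the thread still holds: if admin accounts live in their own OU and the screen-saver policy is simply never linked or filtered onto them, none of the loopback machinery is needed; this example is for the case where the same accounts must behave differently on the servers than on workstations.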
Author Closing Comment by dvanaken:
Thank you both for getting my head cleared up on this - I have a much better understanding now. Best regards.