Can't get User Configuration GPO to work

I am pulling my hair out and need some help.  I have numerous Computer Configuration policies that all seem to work, at least they show up in gpresult with a winning GPO that makes sense.  However, I have several User Configuration policies that don't show up in gpresult and don't work.  For example, I have one that is designed to stop the screen saver from running if someone in the *Administrators* group is logged onto a *Domain Server* (an OU).  So - I link the Domain Server OU at the top of the Scope for this GPO, and under security filtering, I add "Administrators" which I search from the domain search box and it finds.  So I think this means that if an Administrator group member is logged into a Domain Server, the GPO should apply.  That does not happen.  In gpresult, the only mention of my policy is under Computer Configuration and it shows "Denied" as "Empty".  Ok, I can reason that since there are no Computer Configuration items in the policy that could be empty.  But why do I not see this GPO mentioned in the User Configuration part of the report? In fact the only User Configuration policies that show applied are those in the Default Domain Policy - my others are just missing.  The report shows the computer name as a member of the Domain Server group, and shows the user as domain/administrator, a member of the Administrators group.  I think I am missing something fundamental in this process since I have been hacking at it off and on for a while and still don't have it right.  Help me learn how to get this corrected!  Thanks.
dvanakenAsked:
Neil RussellTechnical Development LeadCommented:
User policies should be linked to an OU containing USERS not computers.

OR you need to enable loopback processing on your computer policy.
0
Cliff GaliherCommented:
Any setting under user configuration can only be applied to a user *object.* So by linking it to an OU with no user objects, you are implicitly filtering out all users, and thus ...empty.
0
Neil RussellTechnical Development LeadCommented:
Almost true Cliff, except as I say, in the case of loopback processing.
0
Cliff GaliherCommented:
Which may, in fact, be applicable here if the OP only wants this screensaver policy on the servers and not all machines (as it sounds like) ...but I wanted to wait and see what they came back with before delving into that scenario. Loopback processing confuses so many people (as does inheritance, the enforced check box, delegation...)
0
Neil RussellTechnical Development LeadCommented:
It does beg the question though....

"For example, I have one that is designed to stop the screen saver from running if someone in the *Administrators* group is logged onto a *Domain Server* (an OU)."

Who else except an administrator would be allowed to log onto domain Servers?

It sounds as if you are assigning your group policies generally rather than where they are needed.

If a Domain Server only has Domain Administrators logging into it, then do not apply a policy that does things you don't want them to be affected by.

The structure of your AD and the placement of your GPOs is a fine art! Get it right and the job is simple.  Do it all without understanding impact and it can lead to a nightmare.
0
dvanakenAuthor Commented:
Thank you all.  I should have mentioned that I tried to use an OU with users in it but the Administrators group is in (I think) "Builtin" and I wasn't sure if I could just move that to a new group.  So if I either move Administrators group OR I move the actual users that have admin privileges into a new OU and link it that sounds like step one.    So is it ok to just move objects into a new OU?

Neilsr - you are correct that only Admins will be logging into Domain servers.  The reason I have to use User config is that the options I want to control only exist in User policies - not in Computer (if they did I would be past this issue since my Computer configs seem to work).

So say I can get properly linked to a User OU, for security filtering I cannot select the Domain Servers OU - if I add the computers checkbox I can select individual servers - is that the only way to accomplish this?

Thanks again - I'm feeling more optimistic that I'll get this nailed down.  Waiting for your collective advice...
0
Neil RussellTechnical Development LeadCommented:
BUT if your group policy is in the correct place, the one that APPLIES THE screen saver in the first place, and you apply this to the OU that contains "User Accounts" only, not server Admins, then the question of disabling that policy for admins on servers vanishes.

Like I say, it's all about the structure and layout and how you view USERS as against ADMINS.

TIP:

If you are a Domain Admin then have two Accounts. One of them is a standard USER account for logging into your PC and doing mundane work like word, emails, web browsing. The second is your ADMIN account that you ONLY use to elevate privilege WHEN NEEDED.

Do not make the common mistake of thinking that because you are an admin that you must be logged in as an admin every second you are on a computer. This is a HUGE security flaw and a common mistake.

If your normal user accounts are  first.lastname  then have YOUR first.lastname account as a user but also have a first.lastname.admin account for when you REALLY NEED to be a domain admin.

You can then have your ADMIN User accounts in a different OU to USERS and apply different policies easily.
0
dvanakenAuthor Commented:
Neilsr-

I don't understand this comment - can you expand a bit?

BUT if your group policy is in the correct place, the one that APPLIES THE screen saver in the first place, and you apply this to the OU that contains "User Accounts" only, not server Admins, then the question of disabling that policy for admins on servers vanishes.


Also what about the questions I asked in my last post - I would really like your thoughts.  Your big-picture comments are helpful but they will require some reflection to fully understand. I don't think I can do any major restructuring in this moment -I am trying to respond to a request to get a few GPOs working.

Thanks again.
0
VB ITSSpecialist ConsultantCommented:
Try adding the computer objects for the domain servers into the security filtering section of the policy you are trying to apply.

I do agree with Neilsr and Cliff though, it does look like your Group Policy structure at the moment is far from optimal. You may want to look at sorting this out once we've sorted out your issue above.
0
dvanakenAuthor Commented:
So it is not possible to add an OU to security filtering - only computer objects themselves?  Again I tried this but how do I make a new OU that has Administrators group in it? Can I drag the group from builtin to a new OU? This seems to be where I am stuck.
0
Neil RussellTechnical Development LeadCommented:
Your GPO is linked to an OU so the security filtering does not come into it.  You can't filter by an OU at all, no.
OUs are where you link GPOs to in the first place.

If you want a GPO to ONLY affect a small number of users, either...

place those users in an OU of their own and link a GPO to that OU
OR
leave them in with every other user, create an AD GROUP and put JUST those few users in the group and then use security filtering so that the policy ONLY applies to members of that group.

BUILTIN/Administrators is NOT Domain admins.  

If you are talking about ALL Domain Admins on ALL Servers then just don't ever apply the policy with the screen saver in it to DOMAIN Administrators.
0
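The second option above (leave the users where they are, put the few you care about in a dedicated AD group, and security-filter the GPO to that group) can be scripted with the RSAT ActiveDirectory and GroupPolicy modules. This is an added example, not code from the thread or from Experts Exchange; the GPO name, group name, OU paths and account names are assumptions you would replace with your own.

```powershell
# Added example: link a user-settings GPO to an OU that holds user objects and
# security-filter it to one AD group. All names/paths below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName   = 'Admin - Disable Screen Saver'     # assumed GPO name
$groupName = 'GPO-NoScreenSaver-Admins'         # assumed filtering group
$groupOU   = 'OU=Groups,DC=example,DC=com'      # assumed OU for the group object
$linkOU    = 'OU=Users,DC=example,DC=com'       # assumed OU that contains the USER objects

# 1. A dedicated security group holding JUST the users the policy should reach.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupOU
}
Add-ADGroupMember -Identity $groupName -Members 'jdoe.admin', 'asmith.admin'   # assumed admin accounts

# 2. The GPO must be linked to an OU that contains user objects; linking a
#    user-settings-only GPO to a computer OU yields the "Empty" result seen in gpresult.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$alreadyLinked = (Get-GPInheritance -Target $linkOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $linkOU -LinkEnabled Yes | Out-Null
}

# 3. Security filtering: drop the default "Authenticated Users: Apply" entry and
#    grant Apply to the group only. Since MS16-072 the computer account fetches
#    user policies, so computers must keep Read or the GPO silently stops applying.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# 4. Review the resulting ACL; expect only the group with GpoApply.
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
```

After a `gpupdate /force` on a test machine, `gpresult /r /scope:user` run as a member of the group should list the GPO under "Applied Group Policy Objects"; run as a user outside the group it should appear under "Denied" with reason "Security" rather than "Empty".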
dvanakenAuthor Commented:
Aha. Now making sense. If I create an ad group with my subset of users and use sec filtering on it, can I still add just the server computer objects into security filtering?  In other words can both users and computer objects be used in sec filters?
0
Neil RussellTechnical Development LeadCommented:
Almost....

The only way a policy can affect BOTH computer AND USERS is if the policy is set for Loopback Processing. (Complex discussion if you thought this was tough going to grasp :P )

It's far simpler just to say that ADMIN Accounts are ONLY used for Admin and User accounts are used for every day use.
That way your Admin Accounts can be excluded from the policy full stop.
0
dvanakenAuthor Commented:
Neilsr-  I will avoid loopback processing for now.  I have a scheme that is working but I have two questions (and then I'm done with this).

1.  Can I move domain\administrator (currently in AD group called "Users") into an OU without any side effects?
2. My servers are listed in an OU but I can't specify an OU in security filtering.  If I put them in an AD group inside their OU can I then refer to that group in security filtering?  Or can I place the OU in a group?  

If you can answer these for me, I will be done with many thanks for your persistence!
0
VB ITSSpecialist ConsultantCommented:
1.  Can I move domain\administrator (currently in AD group called "Users") into an OU without any side effects?
Only if the OU in question does not have any Group Policies linked to it. Let's say this picture illustrates (hypothetically) your current OU and GPO setup: http://i.technet.microsoft.com/dynimg/IC499497.jpg 

If you were to move the DOMAIN\Administrator account into the Accounting OU in the above picture, the Account Security GPO - which has been LINKED to the Accounting OU - will apply to all users in this OU, including the Administrator account that we have (hypothetically) moved into this OU. Now, you can actually prevent specific group policies from applying to certain user accounts but that's a discussion for another day.
2. My servers are listed in an OU but I can't specify an OU in security filtering.  If I put them in an AD group inside their OU can I then refer to that group in security filtering?  Or can I place the OU in a group?
Going from your original post, it appears you only want to get the User Configuration policies to apply. To do this, create a separate GPO containing JUST the User Configuration settings you need, then link it to an OU containing the relevant users that you want it applying to.

Hope this makes some sense!
0
dvanakenAuthor Commented:
Neilsr-

Thanks for replying.  I have this exactly and it works:

Going from your original post, it appears you only want to get the User Configuration policies to apply. To do this, create a separate GPO containing JUST the User Configuration settings you need, then link it to an OU containing the relevant users that you want it applying to.


But I still want to select the computers (my servers) that it applies to so I can either list them individually in Sec Filtering, or group them somehow.  Hence this question:

2. My servers are listed in an OU but I can't specify an OU in security filtering.  If I put them in an AD group inside their OU can I then refer to that group in security filtering?  Or can I place the OU in a group?
0
VB ITSSpecialist ConsultantCommented:
Sorry, I'm not Neilsr :)

If you only want the User Configuration settings to apply to certain computers then you will need to use what's called the Loopback policy which has been mentioned in some of the replies above.

This is where things can get complicated though. Firstly, the Loopback Policy setting can be found here:
In the Group Policy Microsoft Management Console, click Computer Configuration > Administrative Templates > System > Group Policy > User Group Policy loopback processing mode

This Group Policy setting has two options: Merge or Replace. Here's a good article by a fellow EE expert regarding the use of the Loopback policy: http://www.experts-exchange.com/Software/Server_Software/Active_Directory/A_1876-Understanding-Group-Policy-Loopback-Processing.html

Once you have fully understood the implications of using either Merge or Replace (whichever one you go with will depend on the existing policies in your environment - something which we do not have access to), you can move the computer objects into a separate OU, then create a new GPO with the User Group Policy loopback processing mode enabled along with the User Settings you want to apply.
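The loopback setup just described (computer objects in their own OU, one GPO that both enables loopback processing and carries the user settings) as an added example, not code from the thread or from Experts Exchange. The GPO name and OU path are assumptions; the registry locations are the ones the two policies write to.

```powershell
# Added example: a loopback GPO linked to the OU holding the server computer objects.
# It enables "User Group Policy loopback processing mode" and carries the user setting
# "Enable screen saver = Disabled". GPO name and OU path are assumptions.
Import-Module GroupPolicy

$gpoName  = 'Servers - Loopback Disable Screen Saver'    # assumed GPO name
$serverOU = 'OU=Domain Servers,DC=example,DC=com'        # assumed OU containing the servers

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Computer Configuration > Administrative Templates > System > Group Policy >
# User Group Policy loopback processing mode. Stored as UserPolicyMode:
#   1 = Merge   (user's own GPOs apply first, then the user settings of GPOs in the computer's scope)
#   2 = Replace (only the user settings of GPOs in the computer's scope apply)
$loopbackMode = 1
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value $loopbackMode | Out-Null

# User Configuration > Administrative Templates > Control Panel > Personalization >
# Enable screen saver = Disabled, i.e. ScreenSaveActive = "0" under the policy key.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -ValueName 'ScreenSaveActive' -Type String -Value '0' | Out-Null

# Link it to the server OU; with loopback on, the user settings in this GPO apply
# to whoever logs on to those servers, regardless of where the user object lives.
$alreadyLinked = (Get-GPInheritance -Target $serverOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $serverOU -LinkEnabled Yes | Out-Null
}

# Show what the GPO now contains, both halves.
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System'
Get-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
```

Test on one server first: after `gpupdate /force` and a fresh logon, `gpresult /r /scope:user` should list this GPO under the user's applied policies even though it is linked to a computer OU. Merge is the safer starting point because it keeps the user's normal policies; Replace discards them on that machine, which is exactly the behaviour the caution above about understanding the existing policies refers to.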
0
dvanakenAuthor Commented:
Sorry, my bad VB-ITS.

I currently have this working where I am applying this User policy only to certain machines by linking the GPO to a set of Users and then using Security Filtering to specify the machines.  It has not required loopback processing to work.

I am simply looking for a way to re-organize my ADUC so that I can use a group name in the Security Filtering rather than list the machines separately.    

So I am trying to learn if I can put the servers in an AD group inside their OU so I can refer to that group in security filtering.   The other option I had asked about was to place the entire OU in a group.  The goal of both these would be to have a single name to use in Security Filtering to refer to the chosen servers.

Can you shed light on these options?  Thanks.
0
Neil RussellTechnical Development LeadCommented:
1.  Can I move domain\administrator (currently in AD group called "Users") into an OU without any side effects?
YES.  USERS is a CONTAINER and NOT an OU. You can not link policies to a Container, ONLY to OUs, therefore it is safe to do so.
0
VB ITSSpecialist ConsultantCommented:
Ahh right, sorry I didn't realise you already had it working with the method above.

I'm not sure if it'll work with the Security Filtering section in Group Policy as I've never tried it, but yes you can add computer objects to a group. Here's how: http://technet.microsoft.com/en-us/library/cc780108(v=ws.10).aspx#BKMK_winui
0
dvanakenAuthor Commented:
Thank you both for getting my head cleared up on this - I have a much better understanding now. Best regards.
0