Solved

Issues with a new GPO

Posted on 2015-01-23
Last Modified: 2015-01-26
Hello,
I created a simple GPO to enforce a screen saver of type X and activate within 1800 seconds. The policy is under the Users Configuration. I then went to the Scope and made sure Auth users and Domain users are in the security filtering, and it is linked to the domain XXXXX.local.

I went to a Windows 7 end PC which is on the domain, did several gpupdate /force and ran gpresult /r but keep getting N/A under applied GPO under the User Settings... What am I missing here?

It is a new Windows 2012 R2 domain which I migrated from Windows 2003 server. The migration went pretty smoothly, but maybe I missed something.

Do I need to enable loopback maybe?
Question by:SpiderPig

Accepted Solution

by:
Cliff Galiher earned 250 total points
ID: 40567104
If you do a verbose output, or run the results wizard in the GPMC GUI, you can see every applied *AND* denied GPO. And why a GPO was denied. Start there.

Assisted Solution

by:Joseph Moody
Joseph Moody earned 250 total points
ID: 40567184
You also don't need domain user and auth users. Auth users contains domain users.

You don't need loopback if the policy is linked at the domain and contains auth users.

Author Comment

by:SpiderPig
ID: 40567375
OK so I made some progress and was able to make all the User Config GPOs work. For some reason I cannot seem to get the GPOs with the Computer Config policies to work. For example password policies... I have Auth users in the security filtering, I assume that's why and I need to add computers there, but it's a pain in the bXXX to manually add PCs. Is there a way to tell it to implement for all hardware or computers in the office? I don't want to maintain security groups for computers... Any ideas?

Expert Comment

by:Cliff Galiher
ID: 40567391
Password policies are unique in that they can normally only be implemented at the domain level. The authenticated users group includes all computers. If you want more granular policies, you have to implement Fine Grained Password Policies and that is not a trivial undertaking. TechNet thoroughly documents all of this.

Author Comment

by:SpiderPig
ID: 40567403
Oh, you are right, it is working. I tried "Do not require ALT CTRL Del" and the PC I am working on actually got the policy, even though when you type gpresult it does not show anything under computer, only user policies....

Author Closing Comment

by:SpiderPig
ID: 40568409
Thank you all. Got it sorted out. It was also something weird with MS Bing Desktop which caused the screen saver to operate outside of the GPO scope. Very strange.

Expert Comment

by:Mahesh
ID: 40568418
Whenever you create a new policy, run gpupdate /force on the domain controller first.
Then run gpupdate /force on client computers.
Also, for some computer configuration policies to get applied you must reboot the client computer; simply running gpupdate /force won't help.
All user policies will get applied after gpupdate /force on client machines, however some policies do need a logoff and logon again in order to get applied.

As stated earlier, all users and computers \ servers are members of the authenticated users group.
If you don't want to apply policy only to users or computers, then remove authenticated users from security filtering and add either the domain users or domain computers group
OR
more specifically, you can create security groups and add the required users \ computers to that group.
Example:
You might have an OU containing all computers, but you wanted to apply the GPO to specific computers only within that OU. In that case you can create a new security group, add the required computers to that group, add that group on the security filtering tab, and remove authenticated users.

You cannot disable the default password policy for any domain user unless you create a Fine Grained Password Policy.
FGPP will override the default domain password policy.

Author Comment

by:SpiderPig
ID: 40568792
By the way, if I don't enable the policy by right clicking it, will it still take effect? I noticed that some PCs got the policy even though it was not enabled.

Expert Comment

by:Mahesh
ID: 40568905
By default any group policy is enabled, even if it's not linked anywhere (domain level, OU level). You may disable all settings if you want to; this will prevent GPO settings from being pushed to workstations \ users.
Even if a GPO is enabled, it will not take effect unless you link it to an OU \ domain.
Instead of disabling the GPO, just unlink it from the respective OU \ domain.

The problem here is that once a GPO is applied on a workstation, in reality the changes get written to the computer's registry, hence even if you remove \ unlink \ disable the policy, registry changes will not get reverted automatically.
Either you need to reverse the policy setting or push another GPO with the reverse setting to revert.

Author Comment

by:SpiderPig
ID: 40571389
Awesome, thank you. Much appreciated.
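
The checks discussed in this thread (security filtering, whether the GPO and its link are enabled, and the applied/denied results) can be collected in one pass. This is an added example, not code from any poster; it assumes the GroupPolicy RSAT module, and the GPO name, domain DN and helper function name are placeholders.

```powershell
# Added example. $GpoName and $DomainDN are placeholders, not values from the thread.
param(
    [string]$GpoName  = 'Screen Saver Policy',
    [string]$DomainDN = 'DC=example,DC=local',
    [string]$Report   = "$env:TEMP\rsop.html"
)
Import-Module GroupPolicy

# Hypothetical helper: summarises why a GPO would or would not reach a target.
function Get-GpoScopeSummary {
    param([string]$Name, [string]$Target)

    $gpo = Get-GPO -Name $Name

    # Security filtering: trustees that hold the "Apply group policy" permission.
    $applyTo = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }

    # Link state at the target container (domain root or an OU).
    $link = (Get-GPInheritance -Target $Target).GpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id }

    [pscustomobject]@{
        Gpo         = $gpo.DisplayName
        # AllSettingsEnabled, UserSettingsDisabled,
        # ComputerSettingsDisabled or AllSettingsDisabled
        GpoStatus   = $gpo.GpoStatus
        AppliesTo   = $applyTo -join ', '
        Linked      = [bool]$link
        LinkEnabled = if ($link) { $link.Enabled }  else { $null }
        Enforced    = if ($link) { $link.Enforced } else { $null }
    }
}

Get-GpoScopeSummary -Name $GpoName -Target $DomainDN | Format-List

# Resultant Set of Policy for the current user on this computer. The HTML
# report lists applied and denied GPOs with the reason for each denial.
# Run from an elevated session so the computer-side data is readable.
Get-GPResultantSetOfPolicy -ReportType Html -Path $Report
Write-Output "RSoP report written to $Report"
```

A GPO that shows `Linked = False`, a disabled link, or a `GpoStatus` that disables the half holding the setting will not apply regardless of what security filtering says.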