Computers not affected by group policy

Discussion in 'Active Directory' started by sprucio, Oct 23, 2006.

  1. sprucio

    sprucio Guest

    I have a Windows 2003 domain and am trying to implement a group policy. For
    testing purposes, I picked out an easy setting: force classic start menu.

    Assuming that I have a forest named contoso.com, I create a new OU called
    "workstations." Under here, I create a new group policy with the setting that
    I wrote above.

    Once a computer successfully joins the domain, the computer name is displayed
    under "Computers." I then move the computer and put it into the OU
    workstation.

    After running "gpupdate /force," I don't see much change. I logout and log
    back in to see if the changes take place but nothing happens.

    I presume that I am doing something wrong here. Can anyone give me some
    guidance as to how I can solve this problem?
     
    sprucio, Oct 23, 2006
    #1

  2. sprucio

    T. Uranjek Guest

    Hi!

    First, you can use gpupdate () or GPMC on domain controller command line
    tool, to find out which policies are being applied on your client computer.

    HTH

    Toni
     
    T. Uranjek, Oct 23, 2006
    #2

  3. sprucio

    sprucio Guest

    I already have gpmc on the domain controllers. Can you be a bit more
    descriptive ?

    Thanks.
     
    sprucio, Oct 23, 2006
    #3
  4. sprucio

    Paul Jensen Guest

    If it's a computer policy, you'll have to reboot, not just logout.

    If it's not working after that, logon to that box and run gpresult, it will
    list all the GPO's that are in effect. Make sure it's in that list.

    Hope that helps.
     
    Paul Jensen, Oct 23, 2006
    #4
  5. sprucio

    T. Uranjek Guest

    T. Uranjek, Oct 23, 2006
    #5
  6. sprucio

    sprucio Guest

    Nifty tool. As I don't have the computer in front of me, I can't run it now.

    Paul, the method I used above (moving the computer to the workstation OU),
    is that the correct way to do things?
     
    sprucio, Oct 23, 2006
    #6
  7. sprucio

    Paul Jensen Guest

    Yes, you should always move the computers out of the computer container into
    their designated OU's.

    One HUGE reason to do this is the fact that you can't link a GPO to the
    default "Computers" container. It's a container, not an OU.

    So, it's very common to have Computer OU's for each department because they
    likely have similar requirements as far as GPO's are concerned.

    good luck.
     
    Paul Jensen, Oct 23, 2006
    #7
  8. sprucio

    Herb Martin Guest

    I wouldn't use "GPUpdate" to "find out" if they are being
    applied but rather: GPResult.exe.

    RSoP is another (graphical but more tedious in some ways)
    tool for viewing the result. (Resultant Set of Policy)

    GPResult is quick and easy to just get a list of the policies
    that were applied to either/both the Computer or User.

    With switches /v (verbose) or /z (zuper verbose) you can get
    even more info quickly.
     
    Herb Martin, Oct 23, 2006
    #8
  9. sprucio

    Herb Martin Guest

    A Computer must either be directly in the OU where the policy
    is linked OR within a child of the place it was linked (GPOs
    inherit down the OU trees.)

    Policies do NOT affect groups (directly) due to linking, but
    permissions are required: Read and Apply Policy both.

    Group policies are actually misnamed since they have almost
    nothing to do with groups (except that permissions can be used
    to filter the policies.)
     
    Herb Martin, Oct 23, 2006
    #9
  10. sprucio

    sprucio Guest

    Guys, thanks all for the help thus far.

    I checked this last night and under "computer settings -> applied group
    policy objects", it had the group policy I had made in the following order.

    --------
    WSUS
    Default Domain Policy
    -------
    Under "user settings" there were none that were inherited.

    Other than the "workstation" OU that I made, I do have another OU called
    "user group" which has more sub OU's such as "admin" or "accounting" and
    such. On these OU's I have no group policy set. Would this affect why I'm not
    inheriting the policies?
     
    sprucio, Oct 26, 2006
    #10
  11. sprucio

    Herb Martin Guest

    No. Policies are applied if they are linked (and not filtered
    out by permissions or WMI*). When there are multiple policies
    linked to the same container they are applied in order**, last
    one overrides the others by default but all are applied.

    *Unless you "block inheritance" on a container.

    **Unless you mark an earlier policy "no override" (aka
    "enforced").

    One common mistake is to link a policy to the computer
    OU and expect it to affect users (or vice versa), or even
    link it where a group was created which has no effect if
    the user or computer is located elsewhere.
     
    Herb Martin, Oct 27, 2006
    #11
  12. sprucio

    sprucio Guest

    Herb,

    My previous gp results:

    ---------------------------
    WSUS
    Default Domain Policy
    ---------------------------

    WSUS right now has one thing set, "force classic start menu." The default
    domain policy has not been changed. With the way this is set, does WSUS apply
    first and then does the default domain policy override any settings that were
    set by WSUS?
     
    sprucio, Oct 27, 2006
    #12
  13. sprucio

    Herb Martin Guest

    Darn, I get confused by that output and seldom do it that
    way....I just look in the GP Management console and know
    that the order is first to last (1 to N) and the later override
    previous policies linked on the same container. For different
    containers the order is Site, Domain, OU (parent), ou(child),
    ou (etc.)

    Last wins unless earlier is marked Enforced (aka No Override).

    You can use GPResult with /v (verbose) or /z (zuper verbose)
    to see precisely what is applied and the result.
     
    Herb Martin, Oct 27, 2006
    #13
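
Added example, not part of the thread and not code from any poster: a small Python model of the scoping and precedence rules discussed in posts #7, #11 and #13 (a policy applies only along the object's own container path, OUs are processed parent to child, last wins unless an earlier link is Enforced). The OU layout mirrors the thread; the object names, the "Desktop Baseline" GPO, the setting key and the choice to model the start-menu setting as a user-side setting are assumptions, and security and WMI filtering are not modelled.

```python
# Constructed model of GPO scope and precedence; not a live Active Directory query.
# Links per container, listed in the order they are processed: (gpo_name, enforced).
LINKS = {
    "DC=contoso,DC=com": [("Default Domain Policy", False)],
    "OU=workstations,DC=contoso,DC=com": [("WSUS", False)],
    "OU=user group,DC=contoso,DC=com": [],
    "OU=accounting,OU=user group,DC=contoso,DC=com": [],
}
BLOCK_INHERITANCE = set()  # containers with "Block Inheritance" set

# Settings per GPO and side. The setting name and "Desktop Baseline" are hypothetical.
GPOS = {
    "Default Domain Policy": {"computer": {}, "user": {}},
    "WSUS": {"computer": {}, "user": {"ForceClassicStartMenu": 1}},
    "Desktop Baseline": {"computer": {}, "user": {"ForceClassicStartMenu": 0}},
}

def containers_for(dn):
    """Linkable containers above an object, domain first (naive comma split)."""
    parts = dn.split(",")[1:]  # drop the object's own RDN
    chain = [",".join(parts[i:]) for i in range(len(parts))]
    # CN=Computers never appears in LINKS: a GPO cannot be linked to it.
    return [c for c in reversed(chain) if c in LINKS]

def applied_gpos(dn):
    """GPO names in precedence order; the last entry wins on conflict."""
    normal, enforced = [], []
    for c in containers_for(dn):
        if c in BLOCK_INHERITANCE:
            normal = []  # drops inherited links, but never enforced ones
        normal += [n for n, e in LINKS[c] if not e]
        # Enforced links from higher containers must end up last.
        enforced = [n for n, e in LINKS[c] if e] + enforced
    return normal + enforced

def resultant(dn, side):
    """Merge one side ('computer' or 'user') of every GPO in scope of dn."""
    result = {}
    for name in applied_gpos(dn):
        result.update(GPOS[name][side])
    return result

if __name__ == "__main__":
    pc = "CN=PC01,OU=workstations,DC=contoso,DC=com"
    user = "CN=alice,OU=accounting,OU=user group,DC=contoso,DC=com"
    print(applied_gpos(pc))           # GPOs in scope of the computer
    print(resultant(pc, "computer"))  # computer side of those GPOs
    print(resultant(user, "user"))    # user side, decided by the user's OU
```

In this model the GPO linked to the workstations OU is in scope of the computer, yet its user-side setting never reaches a user whose account sits under a different OU.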
