GPOs only deploying to Domain, Application server...why?

XiZiT

Senior member
Feb 19, 2002
254
0
0
Hey guys this is my setup at work:
1 Domain Controller server
1 Application server
10 Client PCs
all connected through a Linksys 4-port VPN + 24-port switch.
So far no client PCs have firewalls enabled because they're not in use yet.

Here is a sample GPO:
User Configuration
--> Administrative Templates
--> Desktop
--> Active Desktop
3. Under "Active Desktop" I changed these options:
Active Desktop Wallpaper - enabled and set the UNC path of the wallpaper, bmp.
Allow Only Bitmapped Wallpaper - enabled
Enable Active Desktop - enable
Disable All Items - enable
Prohibit Changes - enable
4. Then I went to:
User Configuration
--> Administrative Templates
--> Control Panel
--> Display
Disable Changing Wallpaper - enable

When I log in with an Administrator account into the actual DS or AS, I see the changes. But if I log in with any client machine, I don't see any changes!
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Since it's a user policy, you need to apply it to an OU containing the user accounts, not an OU containing workstations (unless you want to use loopback processing).
 

XiZiT

Hey guys, I was given this advice before but I'm not sure what it means to "apply it to an OU containing user accounts not workstations."

When I go to gpmc.msc (Group Policy Mgt) I see the following;

Group Policy Management
+Forest: MyDomain.com
+Domains > MyDomain.com (with a blue exclamation point?)
>Default Domain Policy
>Desktop Change Policy (I created)
> Domain Controllers
>Default Domain Controllers Policy
> Group Policy Objects
>Default Domain Policy
>Desktop Change Policy (I created)
>Default Domain Controllers Policy
> WMI Filters
+Sites
+Group Policy Modeling
Group Policy Results
 

XiZiT

This is what I currently do to implement a GPO:
I drag the policy from "Group Policy Objects" into "MyDomain.com". It then asks "Do you want to link this GPO to the Domain?" At which point I say Yes and it is under MyDomain.com.

That is what I do yet no workstation machine gets the new policy applied when a user logs into the domain from their machine.
 

stash

The blue exclamation means you have the block inheritance flag set at the domain level. This will prevent settings from GPOs at the parent level from applying. This shouldn't be causing any problems, since the parent level to the domain is the site, and there are no site policies by default.

Start with some basic troubleshooting on the clients. Check the application logs on the clients for userenv errors, netlogon errors, winlogon errors, etc. If group policy is applying successfully on a machine, you should see a 1704 informational event. Do the clients have DNS correctly configured?

Again, you are making changes in the user portion of a GPO, meaning it will only apply to user accounts. Since you are applying at the top of the domain, it doesn't really matter. But if you were applying it to an OU further down the hierarchy, that OU would need to contain the user accounts that you want to apply the changes to. Or if you were making changes in the computer section of a GPO, the OU would need to contain the workstations you want to apply it to.

Group Policy is a fundamental part of managing an Active Directory environment. Since you appear to be doing this for work, I highly suggest you get one of the easy-to-learn but informative books on AD and Server 2003 in general, such as Mastering Windows Server 2003 by Mark Minasi. It will teach you the basics of how GPOs work, how precedence works when they are applied, and how to manage them.
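
The scoping checks discussed in this thread (state of the user half of the GPO, where it is linked, block inheritance, resultant policy on a client), plus the GPO's security filtering, as an added example that is not part of the original posts. It assumes a domain-joined management host with the GroupPolicy PowerShell module (Windows Server 2008 R2 / RSAT or later) and an administrative account; `CLIENT01`, `MYDOMAIN\testuser` and the report path are placeholders, while the GPO and domain names are the ones shown in the thread.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (GPMC/RSAT).
Import-Module GroupPolicy

$GpoName  = 'Desktop Change Policy'     # GPO name as shown in the thread
$Target   = 'DC=MyDomain,DC=com'        # container the GPO was linked to (domain root)
$User     = 'MYDOMAIN\testuser'         # placeholder: a user who has logged on to the client
$Computer = 'CLIENT01'                  # placeholder: one of the client PCs
$Report   = 'C:\Temp\rsop-client01.html' # placeholder: output path for the RSoP report

# 1. User settings only take effect if the user half of the GPO is enabled.
$gpo    = Get-GPO -Name $GpoName
$status = [string]$gpo.GpoStatus
if ($status -eq 'UserSettingsDisabled' -or $status -eq 'AllSettingsDisabled') {
    Write-Warning "User settings are disabled on '$GpoName' (status: $status)."
}
# Differing AD and SYSVOL versions point to a replication problem.
"User version: AD=$($gpo.User.DSVersion)  SYSVOL=$($gpo.User.SysvolVersion)"

# 2. Where is the GPO linked, is the link enabled, and is inheritance blocked?
$som = Get-GPInheritance -Target $Target
if ($som.GpoInheritanceBlocked) {
    Write-Warning "Block inheritance is set on $Target."
}
$link = $som.GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $link) {
    Write-Warning "'$GpoName' is not linked directly at $Target."
} elseif (-not $link.Enabled) {
    Write-Warning "'$GpoName' is linked at $Target but the link is disabled."
}
# Effective processing order at this container, including inherited links.
$som.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# 3. Security filtering: only trustees with Apply permission receive the GPO.
$appliesTo = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' }
if (-not $appliesTo) {
    Write-Warning "No trustee has Apply permission on '$GpoName'."
}
$appliesTo | ForEach-Object { "Applies to: $($_.Trustee.Name) [$($_.Trustee.SidType)]" }

# 4. Resultant set of policy for one user on one client; the HTML report lists
#    applied and denied GPOs with the reason each was filtered out.
Get-GPResultantSetOfPolicy -User $User -Computer $Computer -ReportType Html -Path $Report
```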