Help me with Group policy and windows 2000!!!

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
I'm just about giving up on this GPO stuff. I initially created a GPO by doing the following.

Through AD's User/Computer I right click on the domain name (sacred-heart.org) at the top. Went to the 'Group Policy' tab and created a new GPO named 'Students.' I proceeded to make the necessary changes and all is well. Well, we added some new workstations in our computer lab and the GPO doesn't affect these computers. Well, I shouldn't say that. Changes made to the 'User Configuration' part are fine, but any new changes to the 'User Configuration' and 'Computer Configuration' aren't applied. Things were running smoothly days after we had Win2k up and running. Also, any new user that I add into AD doesn't have GPO applied to them. I copied an existing user's profile for this new user, but it still didn't work.

What am I doing wrong? There are no error messages in the Event log and yes DNS is running fine! Should I create an OU and move the students there? Also, when applying the filters, I gave the group called 'Students' READ and APPLY options. No one else has the apply box checked. If i go ahead and create an OU and move the student accounts there, would I have to play around with the Filtering? Or will the GPO affect those in the OU?

I am tempted to rebuild AD only because we have had problems with this server before and we are thinking about replacing the drives. Someone please help!
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
Well, I shouldn't say that. Changes made to the 'User Configuration' part are fine, but any new changes to the 'User Configuration' and 'Computer Configuration' aren't applied.

Lil, how long are you waiting for these changes before giving up on them?

Try this; go into your Policy, make an obvious change, immediately log in with an account that will be affected by the change, and notice that there is no change.

Now go to the command line and enter

secedit /refreshpolicy machine_policy
then
secedit /refreshpolicy user_policy

(if it's winxp, it's just gpupdate at the command line, much nicer!)

Now look for your change. It should be there.

Group policy can take some time to actually take effect. For some machine based policy to take effect, you have to restart (eg assigning software). Be patient or use secedit to speed things up....

One other thing, if the only permissions you assigned to the GPO are to the students group, then your machine policy won't work. You would need to give the machine's computer account the proper permissions as well.
In most cases, there is absolutely no reason to modify the default permissions on a GP. The only exception would be if you are specifically denying the application of the policy to a specific account/machine.

 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
I did the 'secedit....' command and things still didn't work. It doesn't make any sense to me. I even made changes before I left and the following day it still didn't work. What doesn't make sense is that new users that are added aren't even affected one bit by the GPO.

I'm wondering if making the GPO linked to the domain has anything to do with it.

Now look for your change. It should be there.

One other thing, if the only permissions you assigned to the GPO are to the students group, then your machine policy won't work. You would need to give the machine's computer account the proper permissions as well.
In most cases, there is absolutely no reason to modify the default permissions on a GP. The only exception would be if you are specifically denying the application of the policy to a specific account/machine.

Hmmm...I thought about this on my way home. I was wondering how the machines would know what to do. So, should I assign the PCs I want to this GPO? Add it in the "Security" tab and apply READ and APPLY permissions?

 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
Machine settings are only applied at boot time, and refresh time (which is usually quite long).
If the GPO is only ACLed to USER GROUPS, then machines will NEVER get the machine settings.
Unless this is a, all users, all computers, here's our default settings GPO, it's probably best not to mix machine and user settings.
We use ACLs on GPOs on a regular basis, you just have to understand exactly what type of objects are in the group, and what kind of settings you have in the GPO.

If you need to mix the two types of settings, then create a new OU (Students). Make sure that all their userIDs and machines are placed in that OU. Now, take the ACL on the GPO, and make sure that Authenticated Users gets read+apply. (NB: Authenticated Users includes both machines and users!)

We've found that it's best to create the machine account in the right OU *before* you try and add the computer to the domain...it just works better, and leaves fewer orphan computers in the \Computers OU.

Post back w/ your results.
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Rebooted, logged off, did the 'secedit...' command and it still doesn't work. I went ahead and created an OU called "Students" and created a couple of test users in there. I then proceeded to move existing PCs on the domain into the 'Students' OU. Rebooted the machine and it still didn't work.

I might add, local policies on the computer seem to be working, but I really need the 'user Configuration' settings from the GPO.

Also, if I just made a GPO for the 'Students' GPO, should I remove GPO from the domain and domain controller? There are existing GPOs linked to them, but this was from the initial setup. I didn't want to remove them until I get the new GPO set up correctly. Could that be the problem? But then again, GPOs linked to OUs are applied last.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
What is gpresult telling you about the GPOs you've received, and when you've refreshed them?
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
Also, if I just made a GPO for the 'Students' GPO, should I remove GPO from the domain and domain controller? There are existing GPOs linked to them, but this was from the initial setup. I didn't want to remove them until I get the new GPO set up correctly. Could that be the problem? But then again, GPOs linked to OUs are applied last.

Don't remove the default domain and domain controller GPOs under any circumstances. If you want to make sure only the GPO attached to the Student OU is being applied, check the "no override" box on the properties of the GPO object.
Make sure you have moved the user accounts into the Students GPO if you want User settings to apply to them.
Simplify things by using one GPO for computer and one GPO for user settings. Apply them both to the OU and ensure the student user accounts and machines are in the OU.

If it doesn't work after that, you have bigger problems.
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Don't remove the default domain and domain controller GPO's under any circumstances.

Darn it, I made some changes to the domain and DC gpo. Wonder if that screwed things up. I will try again tomorrow.

 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
Lil,

Make sure the default Domain and DC GPOs don't have "no override" selected. This too would stop your GPOs from applying.
 

BabeAtBzBoyz

Junior Member
Sep 2, 2002
20
0
0
Did you remember to give the new machines unique machine IDs??? Can really drive you crazy if you didn't!!!
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Originally posted by: BabeAtBzBoyz
Did you remember to give the new machines unique machine IDs??? Can really drive you crazy if you didn't!!!


Please explain. How would I go about doing it? I mainly use a lot of the options from the "User Configuration" area.

Well, I did a gpresult and found out it's pulling things from the local group policy. There's a line that reads

-------------------------------------------------------------------------------
"Group policy was applied from: school-house.sacred-heart.org"

The Computer received "Registry" settings from these GPOs:

Local Group Policy
Revison number: 5
Unique Name : Local Group policy
Domain name:
Linked to: Local Computer

The Computer received "Security" settings from these GPOs:

Local Group Policy
Revision Number: 5
Unique Name : Local Group policy
Domain name:
Linked to: Local Computer
------------------------------------------------------------------------------------------
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
Lil,

Paste the entire results of gpresult when you are logged in as a user that should have policy applied to it.

Also, look into the "No Override" setting. Especially on the default DC GPO. If it is set there issues will arise like the ones you are seeing.
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Originally posted by: Saltin
Lil,

Paste the entire results of gpresult when you are logged in as a user that should have policy applied to it.

Also, look into the "No Override" setting. Especially on the default DC GPO. If it is set there issues will arise like the ones you are seeing.

Is there a way to dump the output of the gpresult command? I tried cutting and pasting and it didn't work.

I applied "no override" to the GPO that i created and NOT to the default DC or default domain.

 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
At the command line

gpresult > c:\results.txt

will dump it into a file called results.txt in your root. You can do that with any command.

Spaces on both sides of the >.
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Stupid me... should've known that from using Linux all the time!

Anyway, I will do it tomorrow...
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Here is the result from gpresult (I ran it from one of the PCs I was testing).

------------------------------------------------------------------------------------------------------

Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Tuesday, October 01, 2002 at 10:34:55 AM


Operating System Information:

Operating System Type: Server
Operating System Version: 5.0.2195.Service Pack 2
Terminal Server Mode: Application Server

###############################################################

User Group Policy results for:

CN=nay dy,OU=Students,DC=sacred-heart,DC=org

Domain Name: SACRED-HEART
Domain Type: Windows 2000
Site Name: Default-First-Site-Name

Roaming profile: (None)
Local profile: C:\Documents and Settings\ndy

The user is a member of the following security groups:

SACRED-HEART\Domain Users
\Everyone
BUILTIN\Users
\LOCAL
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users


###############################################################

Last time Group Policy was applied: Tuesday, October 01, 2002 at 10:09:31 AM



###############################################################

Computer Group Policy results for:

CN=SH-TERMINAL,OU=Students,DC=sacred-heart,DC=org

Domain Name: SACRED-HEART
Domain Type: Windows 2000
Site Name: Default-First-Site-Name


The computer is a member of the following security groups:

BUILTIN\Administrators
\Everyone
BUILTIN\Users
SACRED-HEART\SH-TERMINAL$
SACRED-HEART\Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users

###############################################################

Last time Group Policy was applied: Tuesday, October 01, 2002 at 9:07:50 AM
Group Policy was applied from: school-house.sacred-heart.org


===============================================================


The computer received "Registry" settings from these GPOs:

Local Group Policy


===============================================================
The computer received "Security" settings from these GPOs:

Local Group Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

Local Group Policy
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
Comparing to my (domain w/ many GPOs, some ACLed).

User GPOs:
Looks ok. The currently logged in user doesn't appear to be a member of any "special" groups, like STUDENTS, so there's no GPOs that match that might be ACLed to such a group. Note: The Default domain policy doesn't appear in my gpresult either, so its absence is ok.

Computer GPOs:
Something is clearly wrong here: The Default Domain Policy should show up here, under the Registry, Security and EFS Recovery areas.

Are you logged in through TS or at the console? (It makes a difference).
 
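As an added example (not code from this thread, and not a Microsoft tool), here is a small script that reads a Windows 2000 gpresult dump in the format posted above and applies the same checks Woodie and Saltin do by eye: is each object in an OU rather than a default container, does its token carry Authenticated Users, and did any settings category come from something other than Local Group Policy. The embedded sample dump, the example.org names and the LAB-PC01 machine are constructed for the example.

```python
"""Added example, not code from the thread: parse Windows 2000 gpresult
text and flag the symptoms the replies above look for. The SAMPLE dump
is constructed in the format shown in the thread, not a real capture."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
User Group Policy results for:

CN=test user,OU=Students,DC=example,DC=org

The user is a member of the following security groups:

EXAMPLE\\Domain Users
NT AUTHORITY\\Authenticated Users

###############################################################

Computer Group Policy results for:

CN=LAB-PC01,CN=Computers,DC=example,DC=org

The computer is a member of the following security groups:

EXAMPLE\\Domain Computers
NT AUTHORITY\\Authenticated Users

###############################################################

Group Policy was applied from: dc01.example.org

===============================================================

The computer received "Registry" settings from these GPOs:

Local Group Policy
Revision number: 5
Linked to: Local Computer

===============================================================
The computer received "Security" settings from these GPOs:

Local Group Policy
"""

# per-GPO detail rows that follow a GPO name in verbose output
DETAIL = re.compile(r"^(Revis\w* number|Unique Name|Domain name|Linked to)\s*:", re.I)
SECTION = re.compile(r'^The (?:user|computer) received "(.+?)" settings from these GPOs:')


@dataclass
class Principal:
    dn: str = ""
    groups: list = field(default_factory=list)
    gpos: dict = field(default_factory=dict)  # settings category -> GPO names


def parse_gpresult(text):
    """Return {'user': Principal, 'computer': Principal, 'applied_from': str}."""
    out = {"user": Principal(), "computer": Principal(), "applied_from": ""}
    current, mode = None, None  # which principal; 'groups' or a settings category
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User Group Policy results for:"):
            current, mode = "user", None
            continue
        if line.startswith("Computer Group Policy results for:"):
            current, mode = "computer", None
            continue
        if line.startswith("Group Policy was applied from:"):
            out["applied_from"] = line.split(":", 1)[1].strip()
            continue
        if current is None:
            continue
        if line.startswith(("#", "=")):
            mode = None  # a separator row ends whatever list we were reading
            continue
        p = out[current]
        if line.startswith("CN=") and not p.dn:
            p.dn = line
        elif line.endswith("member of the following security groups:"):
            mode = "groups"
        elif (m := SECTION.match(line)):
            mode = m.group(1)
            p.gpos[mode] = []
        elif not line or DETAIL.match(line):
            continue  # blank line or per-GPO detail row
        elif mode == "groups":
            p.groups.append(line)
        elif mode is not None:
            p.gpos[mode].append(line)
    return out


def diagnose(parsed):
    """Findings, in the order the replies above check for them."""
    findings = []
    for who in ("user", "computer"):
        p = parsed[who]
        if p.dn and not re.search(r"(^|,)OU=", p.dn, re.I):
            findings.append(f"{who} {p.dn} is in a default container, not an OU, "
                            "so an OU-linked GPO cannot reach it")
        if p.groups and not any(g.upper().endswith("AUTHENTICATED USERS") for g in p.groups):
            findings.append(f"{who} token lacks Authenticated Users; a GPO ACLed "
                            "only to that group will be skipped")
        if not p.gpos:
            findings.append(f"{who} section lists no GPO settings at all")
        for cat, names in p.gpos.items():
            if all(n.lower() == "local group policy" for n in names):
                findings.append(f'{who} "{cat}" settings came only from Local Group '
                                "Policy: no domain GPO applied")
    if not parsed["applied_from"]:
        findings.append("no domain controller recorded as the policy source")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_gpresult(SAMPLE)):
        print("-", finding)
```

Run it against a file saved with `gpresult > c:\results.txt` by reading that file into `parse_gpresult` instead of `SAMPLE`; on the constructed dump it reports the computer sitting in the Computers container and both computer categories coming only from local policy, which is the pattern in the output posted above.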

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
User GPOs:
Looks ok. The currently logged in user doesn't appear to be a member of any "special" groups, like STUDENTS, so there's no GPOs that match that might be ACLed to such a group. Note: The Default domain policy doesn't appear in my gpresult either, so its absence is ok.

I didn't add the user to the STUDENTS group because I added her to the STUDENTS OU. Under the security tab I assigned "Authenticated Users" READ and APPLY permissions.

Are you logged in through TS or at the console? (It makes a difference).

What do you mean TS or at the console? TS meaning terminal server?

I think I can live w/o the Computer GPO because I need many of the things from the USER GPOs. Any clue as to why that's not working?

 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
TS = Terminal Server

The device you're testing is a Server, and it had TS installed on it, so I want to make sure that you're logging in at the machine, rather than using the TS Client to connect and login at the server.

I think you have a problem with all GPOs...not sure why. Hopefully Saltin will be checking in soon, too.

Ideas:
You've hosed up the Default Domain GPO, or the ACLs on it.
You've hosed up the Default Domain GPO, perhaps in the non-override area?
Somewhere (in the Domain/Forest), someone has changed the Slow-link behavior of GPOs
Somehow, this client has changed the Slow-link behavior of GPOs
Is the Student GPO double-linked? (to the Domain AND to the Students OU) Still shouldn't break it.

 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
The device you're testing is a Server, and it had TS installed on it, so I want to make sure that you're logging in at the machine, rather than using the TS Client to connect and login at the server.

Yeah, I was testing it on my terminal server. I also tested it on various workstations, but it still didn't work.

Ideas:
You've hosed up the Default Domain GPO, or the ACLs on it.
You've hosed up the Default Domain GPO, perhaps in the non-override area?
Somewhere (in the Domain/Forest), someone has changed the Slow-link behavior of GPOs
Somehow, this client has changed the Slow-link behavior of GPOs
Is the Student GPO double-linked? (to the Domain AND to the Students OU) Still shouldn't break it.

I think I did screw up the ACL on the Default Domain GPO. We will be rebuilding AD this weekend. Other problems come into play also.

Also, since we are rebuilding AD, what's the best way to handle the workstations rejoining the domain? Demote them to workgroup status and then rejoin or just rejoin them? The domain name will not change. I will have to retype all user names again. We have other problems associated with the server so I don't mind fdisking it! GRRRR

 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
I would move the wkstns to a workgroup, and then back to the domain. You'll have to create new machine accounts as well.

We found that keeping the wkstns in the right OUs was very difficult, with different areas doing workstation builds. We make the builder (or a delegate) create the machine account, in the correct OU, BEFORE the machine is joined to the domain. That way, we don't have to do OU moves of machines, since the machine finds its account, in the correct OU when the join takes place.

The TS issue is that some GPOs won't run if you are logging in via TS, rather than a console logon.
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
TS could definitely have something to do with the problem.

It appears from your GPRESULT that no GPOs save the local GP are being applied. This is cause for concern.
My guess is the ACLs on your Group Policies are borked, but who knows....

If you want to get to the root of it, I suggest Q250842, Troubleshooting Group Policy Application Problems.
It will be a little time consuming, and might be redundant b/c you are re-building anyhow, but it would be in your professional interest to try and determine what went/is going wrong.