
GPO only gets applied sometimes


acl03

MIS
Jun 13, 2005
1,077
US
I have a 2003 Native-mode domain. I also have a Windows 2008 Std. Member server.

I am trying to apply a GPO (with User settings) to only non-admin users logging into this server. I do not want this GPO to be applied to Domain Admins.

This is what I did, and when logging into the server as a non-admin, sometimes the GPO does not apply, sometimes it does (I cannot figure out which circumstances lead to the GPO applying).

1. Create new OU for this server
2. Create and link a GPO on this OU.
3. Enable Loopback processing in the GPO
4. Change some user settings in the GPO.
5. In security filtering, added "Domain Admins" and created a rule, checking DENY for "Apply Group Policy".

Does this sound correct? Could Windows 2008 be causing this?



Thanks,
Andrew

[medal] Hard work often pays off over time, but procrastination pays off right now!
 
Forgot to mention...

When logged in as a non-admin on the 2008 box, if I run these commands when the policy does not apply:

gpresult /r
Only user config comes up, not computer config

gpresult /r /scope COMPUTER
I get ERROR: Access Denied


And as an admin user:

gpresult /r
I get both computer and user, but the policy itself says Denied (Security) which is correct






Thanks,
Andrew

[medal] Hard work often pays off over time, but procrastination pays off right now!
 
Hi acl03,

In step 4 you said that you changed some user settings in the GPO. Does the OU contain only the computer account for the server2008? If yes, then a user policy setting would not work but a computer policy setting would. Just an idea, I may be misunderstanding the setup. Hope this helps..
 
jcirafic,

Yes, the computer account is the only account in the OU. User settings on the GPO should still affect user accounts because I have turned on the "Enable Loopback Processing" setting in the policy.

I want alternate user settings applied to users only when logging into this server.




Thanks,
Andrew

[medal] Hard work often pays off over time, but procrastination pays off right now!
 
Below is the canned explanation..

-- "Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.

-- "Merge" indicates that the user settings defined in the computer's Group Policy objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy objects take precedence over the user's normal settings.

If you disable this setting or do not configure it, the user's Group Policy objects determines which user settings apply.

Note: This setting is effective only when both the computer account and the user account are in Windows 2000 domains.


Did you use Replace or Merge? (Not sure if this matters.) Does this feature work in Windows 2003 on a Windows 2008 server? I just wonder whether it is reliable on a newer OS like 2008.
 
For what it's worth, the GPO seems to be applied properly all the time now. I think it may have just needed another reboot....


I used merge, as the users have settings from another GPO that I still want applied.



Thanks,
Andrew

[medal] Hard work often pays off over time, but procrastination pays off right now!
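
Added example, not part of the thread: a read-only PowerShell check that a non-admin can run on the member server to see whether the computer has actually received the loopback setting and whether the logged-on user falls under the Domain Admins deny filter. It assumes the loopback mode is stored as UserPolicyMode under HKLM\SOFTWARE\Policies\Microsoft\Windows\System (1 = Merge, 2 = Replace) and that Domain Admins is identified by the well-known RID 512.

```powershell
# Added example (not from the thread). Run in the affected user's session
# on the member server; it only reads local state and changes nothing.

# Loopback mode as delivered by the computer side of Group Policy.
# Assumption: value UserPolicyMode, 1 = Merge, 2 = Replace.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).UserPolicyMode

if     ($mode -eq 1) { $loopback = 'Merge' }
elseif ($mode -eq 2) { $loopback = 'Replace' }
else                 { $loopback = 'Not configured on this computer' }

# Group SIDs from the logon token, including deny-only entries.
# /nh drops the (localized) header row so fixed column names can be supplied.
$groups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes

# Domain Admins is RID 512 appended to a domain SID (S-1-5-21-...-512).
$isDomainAdmin = @($groups | Where-Object { $_.SID -match '^S-1-5-21-.*-512$' }).Count -gt 0

"Loopback mode on this computer : $loopback"
"User is in Domain Admins       : $isDomainAdmin"

if ($null -eq $mode) {
    # Without the computer-side setting, the user settings in the GPO linked
    # to the server's OU are not processed for users logging on here.
    "Loopback setting not present. Refresh computer policy (gpupdate /force as an administrator, or reboot), then log on again."
}
elseif ($isDomainAdmin) {
    "The Deny on 'Apply Group Policy' should list the GPO as Denied (Security) for this user."
}
else {
    "The GPO's user settings should apply. Confirm with: gpresult /r /scope user"
}
```

Because the value sits under HKLM, a non-admin can read it even though `gpresult /r /scope COMPUTER` returns Access Denied for that user.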
 