
GPOs only deploying to Domain, Application server...why?


xAOx

Aug 15, 2006
Hey guys this is my setup at work:
1 Domain Controller server
1 Application server
10 Client PCs
all connected through a Linksys 4port VPN + 24 port switch.
So far no client PCs have firewalls enabled because they're not in use yet. All connect through our domain though.

Here is a sample GPO I tried to implement (even enforce)!
User Configuration
--> Administrative Templates
--> Desktop
--> Active Desktop
3. under the "Active Desktop" I changed these options:
Active Desktop Wallpaper - enabled and set the UNC path of the wallpaper, bmp.
Allow Only Bitmapped Wallpaper - enabled
Enable Active Desktop - enable
Disable All Items - enable
Prohibit Changes - enable
4. then I went to the:
User Configuration
--> Administrative Templates
--> Control Panel
--> Display
Disable Changing Wallpaper - enable

When I log in with an Administrator account into the actual DS or AS, I see the changes. But if I log in to any client machine, I don't see any changes! This was even the case with special management tools that sent out GPOs but I've never seen it work on any client PC!

I tried gpupdate /force
 
Have you tried running GPResult from the client PCs? This will tell you if the policy is being applied or not.
 
Which OU have you linked this GPO to?

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
Hey guys, I was given advice before to link it to the right OU ("apply it to an OU containing user accounts not workstations.") but where do I drag the policy to? Below is what my GPM looks like:


Group Policy Management
+Forest: MyDomain.com
+Domains > MyDomain.com (with a blue exclamation point?)
>Default Domain Policy
>Desktop Change Policy (i created)
> Domain Controllers
>Default Domain Controllers Policy
> Group Policy Objects
>Default Domain Policy
>Desktop Change Policy (i created)
>Default Domain Controllers Policy
> WMI Filters
+Sites
+Group Policy Modeling
Group Policy Results

Which one of these do I drag "Desktop Change Policy" to? I linked it into MyDomain.com.
 
Well, all GPOs should fall directly under Group Policy Objects.

You should never make alterations to the defaults, except for password policies.

Any settings you want to create should be sensibly grouped into separate GPOs: either a GPO that has a group of settings for a particular scenario or function, e.g. "Set Internet\Email settings", or a GPO for a specific set of targets, e.g. for ALL ACCOUNTS MACHINES or ALL PERSONNEL USERS.

You should either create separate OUs for a structured approach, or you can apply all policies to the Domain for blanket coverage.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
Ok pardon my ignorance but I assumed when I create a policy it is located inside Group Policy Objects. Then what I do is; I drag the policy from "Group Policy Objects" into "MyDomain.com". It then asks Do you want to link this GPO to the Domain? At which point I say Yes and it is under MyDomain.com. Isn't that what you mean?

That is what I do yet no workstation machine gets the new policy applied when a user logs into the domain from their machine.
 
Sort of....if you look closely....the policy will remain under Group Policy Objects. When you "link" it, that's what you are doing....linking, not moving. If you look under the OU/Domain that you have linked it to, the policy will be there, but the icon will have the Windows arrow for shortcut.

You just confused me with the way you have listed above a folder called Desktop Change Policy and, seemingly, inside that, you have listed Default Domain Controller Policy.

Your Structure should look like this ( ^ for a linked GPO, not a physical GPO)

Code:
Domains
-mydomain.com
  | ^Default Domain Policy
  | ^CoverAllDomainpol
  -Domain Controllers
    | ^ Default Domain Controllers Policy
  -TestSubOU1
    | ^ CoverAllSubOUpol
    | ^ SubOU1pol
  -TestSubOU2
    | ^ CoverAllSubOUpol
    | ^ SubOU2pol
  -Group Policy Objects
    |Default Domain Controllers Policy
    |Default Domain Policy
    |CoverAllDomainpol
    |CoverAllSubOUpol
    |SubOU1pol
    |SubOU2pol
  -WMI Filters
Sites
Group Policy Modeling
Group Policy Results

I actually skim read your structure and didn't notice just an error in tabbing, and you had it right, but just typed all that out so it can stay.

Your actual problem, again, I missed: the Blue Exclamation Mark.

On your Default Domain Policy you have selected Block Inheritance, which means that it will not pull down policy other than that defined in the policy actually applied to that OU. Right click on the OU, and deselect "Block Inheritance".

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
NCotton, first of all, thank you very much for assisting me with this matter. If I solve this problem it will make my systems implementation a lot easier. I am attaching a picture of what my GPMC looks like.
I unchecked block inheritance yet *some* computers still do not receive a policy. I guess beyond this picture, there's nothing more you can do, but if you can verify at least the hierarchy that would be great.
 
Everything looks fine, but run this

From the GPMC
>Group Policy Modeling > right click > Group Policy Modeling Wizard
>Next
>Next
>User Information > User = a user that is experiencing the problem, in format of domain.com\username
>Computer Information > Computer > a machine that is experiencing this problem, in format of domain.com\computer
>Check "Skip to final page of wizard"
>Next
>Finish
>The report will run and give you a full set of policy settings that SHOULD (theoretically) be applied with that specific user logging on that specific machine. THIS IS NOT A RESULT, it is a prediction, to make sure there are no issues in the assignment anywhere.
>Click the settings tab in the report pane
>The format is similar to the policy settings view, but this includes all settings that should be applied, the value and the GPO that it came from. Here you can see if, under User Settings, your Desktop setting should be getting applied.

Forgot to mention, to see wallpaper changes....you need to reboot the client, after a refresh has happened. Even after reboot, depending on how the policies are processed, the size\amount of different policies etc, you may find even rebooting will (apply the policy), but will be after the wallpaper has already been applied.

On the client > start > run > gpupdate /force > ok > after refresh has been announced and cmd closed > reboot client.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
I found the Group Policy Modeling Wizard very interesting and useful for future uses. Unfortunately, even though my GPOs look to be set up correctly and the GPM Wizard shows all the users/computers as successfully configured for the Desktop policy, I am still not seeing it on 2 (out of 10). I've had similar issues with WSUS not being able to send out its stuff to these computers too, so I'm still assuming there's some kind of block in the middle. Here is an attached screenshot of the Wizard result that shows the policy *should* be applied, yet on these PCs "gpresult" shows nothing about this policy.
 
First of all you need to set up some OUs. Then make sure that the SoM is correct. You may want to try the Resultant Set of Policy by right clicking on the user within Active Directory Users and Computers, going to all tasks, then selecting Resultant Set of Policy(Logging). Once you run this on the user, it will show you the errors for both the user and the computer if you right click and go to properties on them.
 
Wow! This whole time the issue with those client PCs was an erroneous DNS setting! For some reason the router was giving out a DNS address of .2 instead of .20 (Domain Controller).

This was a problem before and I thought I had fixed it up but I guess some PCs were still getting their IPs automatically from the router instead of manually.

But anyway thanks Neil, the advice you gave helped me with another issue. And Beau, I didn't know about the logging thing, so I will use that for the future.

Thank you both.
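
The root cause found in this thread (clients using a router-supplied DNS server instead of the domain controller, so Group Policy and WSUS settings never reached them) can be checked on a client with the script below. It is an added example, not part of the original thread; the domain name and the `192.0.2.20` address are placeholders, and it assumes a Windows version that ships the DnsClient cmdlets `Get-DnsClientServerAddress` and `Resolve-DnsName`.

```powershell
# Added example: placeholders below are assumptions, not values from the thread.
param(
    [string]$Domain = 'mydomain.com',            # AD DNS domain name (placeholder)
    [string[]]$ExpectedDns = @('192.0.2.20')     # constructed address standing in for the DC
)

# SRV record a domain member must resolve to locate a domain controller.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"

# Adapters that actually have IPv4 DNS servers configured.
$adapters = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }

$report = foreach ($adapter in $adapters) {
    foreach ($server in $adapter.ServerAddresses) {
        # Query this resolver directly, DNS protocol only (no LLMNR/NetBIOS fallback).
        $srv = @()
        try {
            $srv = @(Resolve-DnsName -Name $srvName -Type SRV -Server $server `
                        -DnsOnly -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'SRV' })
        } catch {
            # NXDOMAIN, timeout or refusal: this resolver cannot locate a DC.
        }
        [pscustomobject]@{
            Interface  = $adapter.InterfaceAlias
            DnsServer  = $server
            Expected   = $server -in $ExpectedDns
            DcSrvFound = $srv.Count -gt 0
            DcTargets  = ($srv.NameTarget -join ', ')
        }
    }
}

$report | Format-Table -AutoSize

# Any resolver that is unexpected or cannot return the DC SRV record is a finding.
$bad = @($report | Where-Object { -not $_.Expected -or -not $_.DcSrvFound })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) DNS server entry(ies) can break Group Policy processing."
    exit 1
}
```

Once the DNS setting is corrected on a flagged client, run `gpupdate /force` and then `gpresult` there to confirm the GPO now shows as applied.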
 