Group Policies. Please save my sanity!!! 2


SoulSe

Technical User
Jan 29, 2002
It's late and I'm tired.

Here's the score:

I've set up a new OU in Active Dir and created a group in the OU. I've added all the users I want to restrict to this group and set a Group Policy for the OU. I also made sure that the group had permissions to read and apply the policy.

Then I edited the policy; for example, one of the settings I enabled was to hide the display settings. The problem? When the users log in, none of the restrictions are applied, but they are applied to the admin on the server.

Please help me! I know the policy automatically refreshes when the user logs in. So what now?
 
I have been having the same problem, but I think I have solved it. Try authorising login on the server machine and then log in. Once you have done this all the settings seem to take effect. Then log out and try logging in on a remote terminal. This SHOULD work.
 
Was this setting in the user configuration or computer configuration? Depending on the policy configuration of the GPO, you may have to add the computer account to the OU. If the GPO is applied to the computer, reboot or use SECEDIT /REFRESHPOLICY MACHINE_POLICY to apply the settings.
 
I still can't get it going. The restrictions I set were under "administrative templates"; does this mean they only apply to the administrator? And if so, where can I set the same restrictions for domain users?
 
Administrative templates can be applied to anyone.
They merely refer to the area of the registry that the policy settings are applied to.

I'll ask the first question I always ask when encountering GPO problems. Is DNS set up properly?
Is the client pointing at this DNS server ?

If no you have your answer :)

Otherwise - it's time to troubleshoot - check this out.

thread616-104650

There are many other reasons why GPOs are not being applied; another cause could be replication. Specifically, the two parts of the GPO (GPC and GPT) are not synchronised. You can check this by using the replmon tool to check GPO status on a DC.

Also you should run gpresult from the client to see if it's trying to apply the policy.

Get some more details and we'll all try and help :)
Cheers
 
Soulse

Just seen your other post - move DNS problem up to top of list !!!!

Cheers
 
Thanks for your help, I think I'm on my way to solving the problem and I guess I still have a lot to learn. I saw that I still had an old forward lookup zone specified, so I deleted it, perhaps that was one of the problems.

I'm not sure how to run replmon and gpresult (doesn't work from Start > Run).

 
No problem. GP problems are nearly always related to DNS. Everything can look fine (login etc.) but without DNS no policies will be applied.

Gpresult is in the 2000 resource kit - it's not perfect but will list which policies are being applied to the client - you must have at least this tool to troubleshoot Group policies. Life will be very hard if you don't have these tools - believe me :)

Replmon is pretty easy to use also - it's in the support tools I think - mind you don't think this is your problem in this case.

Another neat tool is netdiag (I think also in the resource kit); it will check just about everything regarding connectivity on your client and give you loads of clues when things don't work.

Cheers

 
You don't say if your users are in the same OU. If I remember correctly GP inheritance doesn't apply to groups - the users have to be in the OU the GP is applied to - it isn't enough for them only to be members of a group in the OU.

HTH
 
Not strictly true but I know what you're getting at :)

A GPO is an object in the AD (i.e. the GPC, group policy container); all these objects have their own ACL. Therefore you can explicitly deny or allow access to GPOs using these ACLs. It is even possible to apply a policy to an individual computer/user using these access lists; it is irrelevant which container either object is in.

I think you are referring to the fact that the default inheritance behaviour is that users/computers in the same container will be affected by any GPO linked to that container.

To summarise, if you are using ACLs to apply GPOs via groups like Soulse, it doesn't matter which container they are in.
(There, clear as mud :-( )

Cheers
 
Thanks for all the help. I took a look at my DNS & DHCP setups before leaving work today and I reckon I'll get it right (eventually).

What is really stumping me was that the Policy was being applied to my account (administrator) and even when logging into clients, obviously this is very irritating and shouldn't happen. *sigh* ...and they say Linux is difficult. Pfff, at least it works around some form of logic.

Thanks again to Welshguy, two well earned stars!
 
I agree that it doesn't matter where the group or GPO is located. But if the GPO is not located in the same OU as the users/computers, then you must link the GPO to that OU. If I am understanding everything here, this is SoulSe's problem. He is applying the GPO to the OU with the group, when he should be applying it to the OU with the users.
 
Yeah Dankelt, you're right: if the policy is not in the same container, you must link it to the OU. Sorry, blatantly missed that point :-(

I must admit I was presuming the groups and users were in the same OU probably because it is a design nightmare if they're not !

Perhaps Soulse can confirm this - you may have solved his problem if they're not. :)
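The thread attributes GPO failures to three things: the client not using a DNS server that holds the domain's DC records, the GPO not being linked to the OU that actually contains the users, and the group lacking the Apply Group Policy ACE. The PowerShell script below, added here as an example and not posted by anyone in the thread, checks all three from a domain-joined client with the GroupPolicy module installed (modern Windows, not the W2K tools named above); the domain, GPO name, OU and group are assumed placeholders.

```powershell
# Added example (not from the thread). Checks the three GPO-application
# prerequisites discussed above. All parameter defaults are assumed values.
param(
    [string]$Domain  = 'corp.example',                      # assumed AD DNS domain
    [string]$GpoName = 'Restrict Display Settings',         # assumed GPO display name
    [string]$UsersOu = 'OU=Restricted,DC=corp,DC=example',  # assumed OU holding the users
    [string]$Group   = 'CORP\Restricted Users'              # assumed security group
)

# 1. DNS: the client must resolve the domain's DC locator SRV records, so it
#    must point at a DNS server that hosts them (normally the DC itself).
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses).ServerAddresses | Select-Object -Unique
Write-Host "Client DNS servers: $($dnsServers -join ', ')"
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    $srv | ForEach-Object { Write-Host "DC locator record -> $($_.NameTarget):$($_.Port)" }
} catch {
    Write-Warning "No DC SRV records for $Domain via $($dnsServers -join ', '); fix DNS first."
    return
}

# 2. Link: security filtering only decides WHO the GPO applies to; the GPO
#    still has to be linked to the users' OU or one of its parents.
Import-Module GroupPolicy
$inh  = Get-GPInheritance -Target $UsersOu
$link = @($inh.GpoLinks) + @($inh.InheritedGpoLinks) |
    Where-Object DisplayName -eq $GpoName | Select-Object -First 1
if (-not $link)             { Write-Warning "'$GpoName' is not linked to $UsersOu or a parent" }
elseif (-not $link.Enabled) { Write-Warning "'$GpoName' is linked to $($link.Target) but the link is disabled" }
else                        { Write-Host "'$GpoName' is linked at $($link.Target) (order $($link.Order))" }

# 3. ACL: the group needs Apply Group Policy (which implies Read) on the GPO.
$perm = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Trustee.Name -eq ($Group -split '\\')[-1] }
if ($perm.Permission -contains 'GpoApply') {
    Write-Host "$Group has Apply Group Policy on '$GpoName'"
} else {
    Write-Warning "$Group lacks Apply Group Policy on '$GpoName' (has: $($perm.Permission -join ', '))"
}

# 4. What the client actually applied for this user (the check Welshguy asks for).
gpresult /r /scope:user
```

Run it as the affected user on the client, not as the administrator on the server, since the thread's symptom is that the policy applies only to the admin.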
 
Of course they were in the same OU, I don't think this discussion would have gone on for so long if they weren't!

Welshguy was right, my problem must be DNS. I am quite new to the world of W2K server admin and I am currently trying to find out how my DNS should look. When I installed server, everything worked, of course with default settings from "configure your server" (a very dangerous wizard, I might add). I then changed the scope for my network because my router required that the IP addys of my clients fall within a certain range for Internet access and after I did this, I suspect my problems started. How should I be assigning my server an IP in relation to the scope provided to my clients?

I think this thread has turned into a valuable resource, thank you to everyone for your input!
 
Welshguy knows his stuff. DNS, DNS, DNS: it's the one thing that rules all and must be right. <Scope> I have a scope that goes from ***.***.***.010 to 254, so the server is set as ***.***.***.10 and the scope for the client machines runs from ***.***.***.11 to 254. If you have a router for internet access, then in DNS set forwarding to the router IP.
 