Group Policy in Domain - 1 DC HELP

[CrusherG]

All right - I am sure I am missing something simple. I have 3 GPs one linked to the Domain and it is disable. Another linked to a OU called Domain controllers with the server in that container and a third to an OU called test. In test is a user test1. That GP has only 2 settings: 1. to disable editing of wallpaper and to eliminate the advanced tab in IE. If test1 logs into the server all works, if test1 logs into any other computer which is part of the domain it is as if the GP does not exist. I also ran secedit to push the changes - no help. What am I missing?

 

[Dyadmin]

check to see if the test computer has your dc as your main dns server.

 

[markdmac]

Run gpresult ot see if the policy is even being recognized at the other machines. If you have more than one DC then you should verify that replication is taking place and that the GPO has replicated.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[CrusherG]

Dyadmin-
Is it required that the DC also be running DNS for the GP to work?

Markdmac-
We only have one server/dc. Where do I run the gpresult from? the DC or the station where it is not replicating to?

Thanks

 

[CrusherG]

Markdmac-

I ran gpresult on the DC and it came back that it ran for the admin account but not the test user I created in the OU called TEST. There is a GP attached to that OU and the user is able to log in but the GP is not applied. There are not any blocking or overiding forced and the security does not block out the user from the GP. I am lost here.

Dyadmin-

I added the DNS service to the server and changed the worksation to look to the server for DNS as primary - still no luck.

Seth

 

[markdmac]

Hi Seth,

AD is dependant on DNS, but it does not have to be running on the DC, in fact you can even have AD use a Unix box for its DNS.

It sounds like you ran the GPRESULT while logged on as Admin. You need to run that as the user accoun you are trying to troubleshoot.

You can have it dump the results to a text file by execuing it from a command line like this:

GPRESULT >Results.Txt

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[CrusherG]

Mark,

Thanks for the reply. At the DC it shows that the user received the GP and tests agree. At the user's work station XP, it says that it cannot find any GP when I run the GPresult and the restrictions are not present.

What could it be? Quite confused here

Aaron

 

[markdmac]

At the workstation have you done a policy refresh?

at a command prompt type

gpupdate /force /boot

Reboot the machine and see if the policy is applied.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[CrusherG]

No Luck

After doing gpupdate I tried the gpresult and came back that it cannot find the object. The resrictions did not work.

 

[markdmac]

cannot find what object?

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[CrusherG]

That PC does not receive the GP object and therefore the restrictions are not applying. The only place the restrictions work is at the DC. It is not replicating anywhere.

Aaron

 

[CrusherG]

For all those who might be interested..

SOLUTION:

It was a DNS issue. The server was never setup properly. In TCPIP properties on the card in the server the DNS server was defined as the DSL DNS servers instead of itself. As soon as we made the change GP started working properly.

Aaron

Thanks to all who responded