Group policy NOT working

Status
Not open for further replies.

str8edg

Instructor
Sep 11, 2008
First let me apologize if this is the stupidest question of all time.

Next let me introduce myself, my name is Craig and I teach in a school in Resolute Bay, Nunavut, Canada... 600 miles above the Arctic Circle. There are no techs up here to help me with my problem! I have the task of setting up our new server running Windows 2003. I have NEVER set up nor worked on a server before! I have to learn everything as I go.

That being said my problem may be something that I don't see, maybe I created my users, groups or OU wrong. But the problem that I am having now is group policies.

I have installed the Group Policy Management Console snap-on (or is that snap-in). And here is what I have done.

I created an OU called school; this was created right under my domain. Then I created another OU called students and another one, grade 9-12.

-domain
--school
---students
----grade 9-12

Then in the "Active Directory Users and Computers" I created a user in the grade 9-12 OU called test_t. This user uses a profile set to \\server\profiles$\%USERNAME%; this roaming profile works fine.

SO, I want to create a group policy that controls my users, so I can set proxy, home pages... you know group policy stuff!

So in the GPMC I right click "Group Policy Objects" and go to "new". Give my new policy a name "test".

Next I right click my OU students and "Link an existing GPO", and select "test" from the list.

Then I right click the GPO "test" and edit. From there I go -user -windows -internet -connection -proxy settings and enable proxy settings.

So just to summarize. I have a user created in an OU. That OU has a GPO linked to it. The GPO has a proxy setting set in it... sooooo I would think that when my user test_t logs in, if I were to go to -internet options -connections -lan settings I should see the proxy server that I set.... right?

Well that does not happen. Nothing happens. This all started from me wanting to set up folder redirection (which is a group policy thing) so my students can stop moaning about login times!!

Please, please help a guy from the arctic!!
 
First thing I want to know is are you really teaching kids or has the cold perhaps affected your mental state and those "kids" are really Santa's elves? Anyway, when you log on as that test user, open a command prompt and enter the command gpresult. What you want to look for is your GP being applied; look under User Settings and Applied Group Policy Objects. If you don't see it then try the command gpupdate /force and then gpresult again. See if that does anything for you.



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
You have to enable 'Internet Explorer Maintenance policy processing' in the (or another?) GPO:

Computer Configuration
-Administrative Templates
--System
---Group Policy
----Explorer Maintenance policy processing

I spent ages looking into this and only came across this by accident.

As Roadki11 says use the CLI tool 'gpresult' to see what is being processed, or use the GUI... Start, Run, RSOP.MSC

HTH

Andy
 
I thank both of you for your responses and help BUT this is still not working! :(

I mean to say nothing is working, not IE Maintenance (proxies, home page), folder redirection, password requirements... nothing!

Is it possible that something has gone wrong with the whole server?? I am thinking about a clean install (I hate the thoughts of this); the server is not doing what we need it to do like this. Or do you think that just removing the Domain controller and adding it back could work??

A little more help please
 
Did GPRESULT indicate the policy was being applied or not?

--------------------------------------
"Insert funny comment in here!"
--------------------------------------
 
Sorry I forgot to mention that. I ran gpresult on a computer logged in with test_t and it said:

info: the policy object does not exist

So this means to me that either the GPO is not linking to the OU OR the user(s) are not created right OR the user(s) are not being put in the OU right.

 
Did you set up DNS correctly on the server, on the XP client? What errors are you getting on the server in the event log? Do you have the admin tools installed on the server, and if so can you run dcdiag and netdiag from a command line on the server and report any errors back?



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
I do believe that we have found one of my MAIN problems... I do not know if I set up the DNS correctly on the server... and I know I did not set up anything on the client! (Would I be able to log in and see the server if DNS was not set up right?)

As far as errors in my event log... to be honest I do not know where to look nor what to look for.

So now I am sure there will be a few people at a crossroads with me. I guess I need LOTS of help!! :)

So if you guys can suggest some places to read about event logs I would like that very much.

What are your thoughts on a clean install.... does this sound like a software problem or a mistake on my part!!
 
Well if you don't have the server configured correctly a clean install isn't going to fix that, if you know what I mean. Click on Start and Run, then enter the command compmgmt.msc; this will open the Computer Management MMC. On the left edge you will see Event Viewer; expand it and start going through all the logs and let us know what errors you are getting and what log each came out of. If you have DNS installed you will see a log for that as well.



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
I have 2 warnings in applications

MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9351, Pid: 1156
No Callstack,
CmdLine: C:\WINDOWS\system32\msdtc.exe

MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1

1 warning in File Replication Service

File Replication Service is scanning the data in the system volume. Computer NUNA cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

To check for the SYSVOL share, at the command prompt, type:
net share

When File Replication Service completes the scanning process, the SYSVOL share will appear.

The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume.

DNS Server has some errors, but none from today... I am still trying to read up on everything... I feel like I have bitten off more than I can chew!!!

The DNS server was unable to complete directory service enumeration of zone qarmartalik.com. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.
The DNS server was unable to complete directory service enumeration of zone _msdcs.qarmartalik.com. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.
The DNS server was unable to complete directory service enumeration of zone .. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

I am still reading thru the errors and looking for clues as to what the heck I am doing wrong.

Thank you VERY much for your help so far!





 
OK so I removed the DNS and the Active Directory roles.

I am adding the Active Directory now and may have found a problem... the domain name that I am using is qarmartalik.com (which is our website). We are not hosting it, nor will we ever; our internet is WAY too slow!!

So during the adding of the Active Directory I get an error

Diagnostic Failed
Warning: Domain Controller functions like joining a domain, logging onto a domain, and Active Directory replication will not be available until the DNS infrastructure for Active Directory is correctly configured.
The wizard encountered an error while trying to determine if the DNS server with which this domain controller will register supports dynamic updates.

Before I have selected Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server

Is this the right thing to do??
 
OK so I found one problem. I removed both DNS and Active Directory roles again. And this time added DNS first and setup "DNS forwarding" (I think that is what it was called)

Anyway now I have NO errors in DNS... and still my GPO is not working... AGHHHHHHH

I am going home.

I am in need of some serious help, RoadKi11 you got any more ideas... anyone else??
 
OK so some updates. I have learned quite a lot since starting down this road!

I had installed the DNS wrong, I am also getting help from another forum (well in fact I have gotten NO help from here yet... I am sure that will change :) ) So when I checked my event viewer I had errors everywhere! My DNS was messed up. So I removed the AD and DNS, reinstalled the services, fixed my issue (I forgot to forward the DNS) and now after two days I have no errors!! :) I do have some warnings in the system, I will try to figure them out now.

SO where we stand is this. I have created a test user that does not have a roaming profile. This user is in an OU named "test"

-domain
--school
---students
----test

I have created a GPO named "gpo test" in the GPMC and linked it to the OU "test"

The only thing I have enabled in this GPO is

-user
--admin templates
---start menu and taskbar
I have removed the user name from the start menu

SOOO

I log onto the computer using my test account. I can still see my user name on my start menu! I run gpresult and the result is

info: the policy object does not exist

When I look at my event viewer for security I see what may be a problem!

At the time that I logon instead of seeing "tester test" logon I see an "Anonymous logon"

Could this have something to do with it??

I am still in GREAT need of help here. I am not looking for someone to do it for me... just some guidance
 
PLEASE forgive my last post!!!

As you can read from it I am trying to get help on many different forums so the comment

well in fact I have gotten NO help from here yet... I am sure that will change

Was not meant for this thread at all... I humbly apologize. I just wanted to update people on my progress and did the copy/paste thing and forgot about that line... I have had 0 responses on other forums... but so far I have had help from you guys/girls... I am sorry
 
DNS is critical to a W2K3 domain, so let's make sure your DNS is set up and working correctly. Read through the following links and see if that's how you configured your DNS server. Also note it's important for that server to look at itself for DNS first and not your ISP DNS servers; they should be put in as forwarders. Your clients should look to your DNS server only, not the ISP DNS server. All the links basically say the same thing.






RoadKi11
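
The DNS layout described in the post above (clients use only the domain's DNS server, the server uses itself, ISP resolvers appear only as forwarders) can be checked from a saved `ipconfig /all` capture; a client that resolves through an ISP server cannot find the domain controller's records, so no Group Policy, password requirements included, reaches it. This is an added example, not code from the thread: the IP addresses, the host name LAB-PC01 and the function names are constructed for illustration.

```python
import re

DOMAIN_DNS = {"192.168.1.10"}   # assumption: address of the DC that hosts DNS

# Constructed `ipconfig /all` capture from a client (not taken from the thread).
SAMPLE_CLIENT = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : LAB-PC01
        Primary Dns Suffix  . . . . . . . : qarmartalik.com

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.50
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            192.168.1.10
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}$")

def dns_servers(ipconfig_text):
    """Return {adapter: [DNS servers in preference order]} from `ipconfig /all` text."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        text = line.strip()
        if text.endswith(":") and not line[0].isspace():
            current, in_dns = text[:-1], False      # adapter header line
            adapters[current] = []
        elif current and text.startswith("DNS Servers"):
            in_dns = True
            value = text.split(":", 1)[1].strip()
            if value:
                adapters[current].append(value)
        elif in_dns and IPV4.match(text):
            adapters[current].append(text)          # continuation line: one more server
        else:
            in_dns = False
    return adapters

def audit(ipconfig_text, domain_dns=DOMAIN_DNS, is_dc=False):
    """Return (adapter, server) pairs that bypass the domain's DNS server."""
    # The DC itself may also point at loopback, since it "looks at itself" for DNS.
    allowed = set(domain_dns) | ({"127.0.0.1"} if is_dc else set())
    return [(adapter, server)
            for adapter, servers in dns_servers(ipconfig_text).items()
            for server in servers if server not in allowed]

if __name__ == "__main__":
    for adapter, server in audit(SAMPLE_CLIENT):
        print(f"{adapter}: {server} is not the domain DNS server; keep it as a forwarder on the DC only")
```

Run it against captures collected from each workstation; an empty result means every adapter resolves only through the domain's DNS server.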

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 