Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Group policy won't apply. What's the deal?

Status
Not open for further replies.
wardog25

wardog25

Technical User
Oct 24, 2003
129
US
All I want to do is allow a certain department to be able to change their date/time on their machine.

We have a single domain on a single subnet and no OUs. Nothing fancy cause we are small.

I created a domain local group and added the users who are affected. I then created a new GPO and gave those users rights to read and apply group policy.

I then went to computer config/windows settings/security settings/local policies/user rights assignment. And added the new group in the setting "Change system time". (i assume that is what i am supposed to do. It doesn't give enable/disable options like the user config does)

So do i need to do anything else? what's the deal? they still are not allowed to change their time/date.
 
Sort by date Sort by votes
There are three obvious things that can override. First, keep in mind the order in which policies are applied: local, site, domain, ou, sub ou.

1. A previously applied policy has the no override setting checked.
2. A subsequent policy that applies after the policy you specify allowing the time change specifically specifies new settings for the time change policy.
3. The users that this policy apply to do not have read and apply policy permissions for this policy.

It appears you are most likely applying this policy at the domain level. It could be you need to change the order of the policies applied at this level. Which domain policy is applied first?
 
Upvote 0 Downvote
right now the new GPO is at the top of the GPO list. the default domain policy is right below that. Those are the only 2 GPOs on the list and the default domain policy has never had any changes done to it, so it is just like it would be right after installation.

The correct users have Read permissions as well as apply group policy permissions to the new GPO.

One question, though. Since this is a setting in computer configuration, should the group contain user objects or computer objects? I assume computer, but I put in both, just to be sure and it still didn't work.

anyway, i'm still at a complete loss. i have no idea why it isn't applying.
 
Upvote 0 Downvote
finally got it to work by going into the settings on the GPO and adding people individually instead of adding the group I made. What's up with that? Why won't the group work?

Oh, and by the way, even now it only works on Win2k machines. Anyone know if there is any chance that it will ever work on Windows NT machines?
 
Upvote 0 Downvote
A G DL P
accounts go into global groups, global groups are tied to domain local groups, domain local groups are tied to permissions.
sounds like you didnt have the groups set properly. allso check for any denied groups under the ou permissions.
as for NT, you need a policy file for that that. you set that up on the PDC emulator. usually the first DC in the domain. just check your operation master for that {FSMO}
good luck
AJ
 
Upvote 0 Downvote
ahh yes, i forgot that about the groups. thanks.

How do I create this policy file that i need? I know which DC the PDC emulator is, so that's not a problem.
 
Upvote 0 Downvote
Giving users the right to change the clock is a very bad idea. Time is critical for Kerberos authentication on Active Directory, and if the time gets off by more than +-5, users wont be able to log on, use resources, etc.
 
Upvote 0 Downvote
I have two related questions. We are migrating from nt4 to active directory. Still in mixed mode. After the upgrade I have a container called users. From testing it seems the default domain policy is applied to the upgraded users. As well we have mostly nt 4 workstations and are using policy editor to lock down those workstations. I would like to put the existing domain admins global group in a new OU with a policy with no restrictions. This would keep the admins from being locked down. It works for individual names as above, but not for the domain admin global group. I have tried different scenarios as suggested above. I would like to edit the default domain policy to lock down my new xp machines as they come on the network. That leads to my second question. When we need to make a change to a user's locked down nt 4 machine, we connect to it using policy editor to release it to make the changes. How do you release a locked down user, when a group policy is applied? I could create an OU with no defined policy and move the user temporarily to the OU to make the changes and then move the user back when done. Is there an easier way?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

mangentle
  • Locked
  • Question
What are the key advantages of using Microsoft Windows Servers for businesses?
Replies
1
Views
373
gbaughma
gbaughma
DeepuM
  • Locked
  • Question
Web Response returned Web Exception : The underlying connection was closed error | Simphony & QS
Replies
0
Views
162
DeepuM
DeepuM
mangentle
  • Locked
  • Question
What could be the potential causes if a Microsoft Windows Server is experiencing slow network!
Replies
1
Views
385
gbaughma
gbaughma
nukeinfer
  • Locked
  • Question
Internet restrictions for isolated PCs in the Network
Replies
1
Views
197
mangentle
mangentle
ADB100
  • Locked
  • Question
Single Windows 7 Ultimate workstation not applying Registry, Drive Map or Printers GPO settings
Replies
1
Views
144
technome
technome

Part and Inventory Search

Sponsor

Back
Top