Need help with group policy

[dking3d]

Hey guys,
I configured a domain controller and i created a OU, a group policy, a computer, and a user. I modify the OU group policy to denied access to the control panel and other things for the user. I joined my windows XP pro to the domain and login with the user account and I still get the control panel and several things I removed. I run the gpupdate and it refresh the policy, but i keep getting the same thing. does anybody has any idea of whats going on?
-----------------------------------------------------------
my OU is the following.
*Home(OU)
computer
security group (is set to global, security)
user (this user is under member of my security group)
-----------------------------------------------------------

thanks guys
Dan

 

[larsjuhl]

I suppose the user is a member of the HOME ou ? and that you have made the changes in USER CONFIGURATION ? have you checked the time on your workstation ? also check the file userenv.log should give you error message regarding GP.
I have not tried it with XP only 2000 Pro.

Lars

 

[dking3d]

yes the user is a member of the home OU and have made all the changes in USER CONFIGURATION. when i checked the time of my workstation, the time was set wrong and i couldn't change it. would not allow me to make changes to the clock(user privileges). where can i find the userenv.log file?

have anyone tried it in XP?

 

[koquito]

Are the workstations using the DNS address of the Server? A+, MCP, CCNA
marbinpr@hotmail.com

"I just know that I know nothing"
Socrates (469-399 B.C.E.)

 

[utah007]

I agree with koquito. I pulled my hair out before I finally discovered that the workstations must point to the DC handing down the group policy for their primary DNS.

 

[larsjuhl]

do a search for userenv.log probably under c:\windows\debug somewhere.
DNS is impotant I assume the dns is working ? but the time difference between Workstation and Server must not be too big, so make sure the time is ok, and check userenv.log
it will work XP og Win2000 for sure!!

Lars

 

[dking3d]

DNS address? i'm confuse now. this is what the userenv.log display.
------------------------------------------------------------USERENV(dc.224) 19:44:23:718 ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x428.
USERENV(dc.224) 19:49:28:343 ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x428.
USERENV(dc.224) 19:54:32:890 ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x428.
USERENV(dc.224) 19:59:38:468 ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x428.
USERENV(dc.224) 20:04:43:000 ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x428.
USERENV(dc.224) 20:09:47:437 ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x428.
USERENV(dc.224) 20:14:52:312 ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x428.
USERENV(dc.224) 20:19:57:531 ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x428.
USERENV(dc.224) 20:25:02:062 ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x428.
USERENV(dc.224) 20:30:06:593 ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x428.
USERENV(dc.224) 20:35:11:031 ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x428.
USERENV(dc.224) 21:15:23:781 ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x428.
USERENV(dc.224) 21:20:28:937 ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x4b8.
USERENV(dc.56c) 23:53:38:093 ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x3.
------------------------------------------------------------
any idea of whats going on. how do i make sure the workstation are using the DNS address?

thanks guy

 

[larsjuhl]

1. make sure the time on workstation and server is the same, logon as administrator and change it if not.
2. do a ipconfig /all in command prompt to check what dns server its using.
3.do a nslookup in prompt and get a successfull answer from the dns server.(it answers with your default server and the name and IP addresse and leaves in > prompt)

if DNS ok.
Try make a test OU and make a simple policy change and see if it works before you start making more changes.

You can search on

http://support.microsoft.com

for the error messages you find in userenv.log just search the last characters you have e.g. 0x428

also check the eventlog for errors and search for them.

 

[utah007]

On the Domain Controller you are running Active Directory from, you will also be running DNS from.
The users that authenticate to you must use your Active Directory server as their Primary DNS entry.

Look at this technet article and do a search for "Group Policy".

http://www.microsoft.com/technet/tr...indows2000serv/reskit/tcpip/part2/tcpch06.asp

 

[dking3d]

I check my ipconfig /all and my workstation was pointing to the DLS router default IP/DNS setting 192.168.0.1. I changed it to the DNS server IP:192.168.5. I'll get back with you guys and let you know if it works.


I changed the primary DNS to:192.168.05(domain controller)
and the altenate DNS to:192.168.0.1(DLS router)
and automatically get IP address under Local Area Connection.

Note: The fact the i'm using a DLS router(4 port switch) wouldn't be a problem? right?

thanks guys

 

[dking3d]

by the way that ip address was 192.168.0.5 not 192.168.05

 

[dking3d]

Hey guys I got it to work. thanks everyone for the help.

thanks
dan