Windows 2000 group policy doesn't work!!!!

[TKoch]

I cannot get windows 2000 group policy to work:

·I set up DNS, DHCP, and Active Directory.
·I created an OU in active directory.
·I went to the group policy tab in the properties of the OU
and created a new policy.
·I created a global security group in the OU and put all
users and computers in the OU into that group.
·I gave that group the read and apply group policy
permissions.
·I made sure that the default domain policy was the only
ther policy, and that it did not have the settings set
that I was using the other policy for.
·But when I log on from one of the workstations, the group
policy is not applyed!!
·Even when I made changes to the default policy after I
tried other things, it did not apply the settings.

Please Help, I am so frustrated!!!

 

[SoulSe]

You cannot apply a GP to security groups in containers, only to users.

Instead of creating groups for your users, create OUs and place your users directly in there, that should do the trick! Also check your blocks and overides as you are than applying the default and your own policy on them.

 

[welshguy]

Probably a DNS problem.
Check DNS setup on server and that clients have valid DNS server address.

It's nearly always DNS to blame in these situations.

Hope this helps

Cheers

 

[welshguy]

Soulse

Sorry might have misunderstood you....
but you can apply group policies via security groups.

Our set up here is based entirely on GPOs being applied to users via security groups - in fact it would be completely unmanageable just using OUs.

Agree should check blocks and overrides though

Cheers

 

[TKoch]

How would I set up my DNS differently...It appears to work fine

 

[welshguy]

TKoch,

If DNS setup properly that's fine - it's just this is often the initial cause of GPOs not being applied initially.
If you can do an nslookup dcname on your clients - chances are it's fine.

The next step I would say is to do some diagnosis - the best tool for checking connectivity issues is the netdiag tool which I think is in the resource kit (although it might be in the support tools on the server CD). This will check all connectivity between clients and DC. This will give you some clues.

Other tools are gpresult and enabling userenv logging
- see here
thread616-104650

This will almost certainly give you some clues. Also if you have multiple DCs - the two portions of the GPO (GPC/GPT) need to be synchronised otherwise policies won't be applied. Use the replmon tool (resource kit or support tools) to check these (it's simple to use just focus on a DC and check Group policies). This will check if they are synchronised - (x means they are not) - if they are not synchronised try restarting the FRS service and check event viewer on DC for errors.

Hope this gives you a start !!
Post back with any clues.

Cheers

 

[TKoch]

Thank you for your help everyone, especially welshguy!

I found the problem...
It was DNS with DHCP that was the problem: The client computers would recieve an IP from DHCP but were not assigned a DN. So I had to configure the DHCP server to give out that name by selecting the "Domain Name Service" checkbox in the DHCP server config.

now it works...yes!!!