Group Policy Problem
Hi all,
Having some troubles getting a GPO to take effect (Windows 2000 sp4).
Have a GPO at the domain level that is working fine. I have created a new OU under that for our users with laptops. After moving the appropriate computers into that group, the new policy seettings are not being applied. The domain level GPO does not have the no override setting enabled. Other OU's (citrix ou, etc) have their own GPO's that are working, just the new one i created is not working. Permissions look fine, and I'm not seeing any errors in the event viewer on the domain controllers. Any ideas on what I'm doing wrong? Caffeine hasn't helped today.
Thanks,
-Shawn
Software/Hardware used:
Software/Hardware used:
ASKED:
November 29, 2005 10:17 AM
UPDATED:
December 16, 2005 8:30 AM
Answer Wiki:
Is the security filtering set to apply to this new OU?
To see all answers submitted to the Answer Wiki: View Answer History.
Are all of the laptops XP? Have you tried looking at the RSOP on the laptops to see which policies they are getting? You might also take a look at implementing a WMI filter if all the laptops are the same.
Remember that the computers need “apply group policy” and “Read” permissions on the GPO. Track down what is happening with GPResult command(I think it’s in the Reskit for Win2k). Also be aware that slow network detection might be an issue. I don’t really remember, but I think that below 512 k speed is considered slow default and then the clients won’t process parts of GPO.
Thanks for the replies. gpresult reports that the laptop policy IS being applied to the computer settings, but not to the user settings:
COMPUTER SETTINGS
——————
CN=WISEGUY,OU=Laptop OU,DC=dkl,DC=com
Last time Group Policy was applied: 11/30/2005 at 9:53:00 AM
Group Policy was applied from: gandalf.dkl.com
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
—————————–
Laptop Users Policy
Default Domain Policy
The following GPOs were not applied because they were filtered out
——————————————————————-
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
——————————————————–
BUILTINAdministrators
Everyone
Debugger Users
BUILTINUsers
WISEGUY$
Domain Computers
NT AUTHORITYNETWORK
NT AUTHORITYAuthenticated Users
USER SETTINGS
————–
CN=Shawn Beairsto,CN=Users,DC=dkl,DC=com
Last time Group Policy was applied: 11/30/2005 at 9:53:00 AM
Group Policy was applied from: gandalf.dkl.com
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
—————————–
Default Domain Policy
The following GPOs were not applied because they were filtered out
——————————————————————-
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
—————————————————-
Domain Users
Everyone
mqm
BUILTINAdministrators
BUILTINUsers
NT AUTHORITYINTERACTIVE
NT AUTHORITYAuthenticated Users
LOCAL
domain mqm
DnsAdmins
DKLStaff
Any reason why it would apply to the computer settings, but not the user settings?
Has that portion of the GPO been disabled?
No, both settings are enabled in the policy.
Thanks.
Hi,
If your OU only contains the laptop computers, and not the users who are logging on to them, then only the computer settings will apply by default – the user isn’t in that OU, so it doesn’t get the policy.
You can get round it by using loopback policy processing (under computer configurationadministrative templatesystemgroup policy). Set it to “merge” and it should add the user settings. Don’t use “replace” unless you want to blast away all other user settings.