GPO does not work fully

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I have a gpo setup on my windows 2000 AD server. I have 3 groups,
Instructors, Students, and Administrators. I have different policies for each
group. On my local XP Pro Machine, the policies only work for administrators,
What am I doing wrong?

Thanks in advance for your help
 
I think I found the problem, but I don't know how to fix it.....
when i log on to the local computer using a user name in the administrator
group, gpresult works. When I log on using an instructor or student name,
gpresult gives me the following:

INFO: The policy object does not exist.


how do i fix this?

Thanks
 
Nick,

Think about what you are doing for a moment!

GPOs are typically a domain thing. Granted, they apply to four levels:
local, Site, Domain, OU. And, they apply only to the objects that directly
reside in the level to which the GPO is linked. The key words are 'directly
reside'. It seems that you are doing something with groups! Not gonna
happen.

Please explain to us your AD environment ( do the computer account objects
reside in an OU or do they reside in the default COMPUTERS container , at
what level is the GPO linked, are the computer account objects members of
the domain or of a workgroup, etc. etc. etc. ).

We need a lot more information from you....

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Nick88 said:
I think I found the problem, but I don't know how to fix
it.....
when i log on to the local computer using a user name in the
administrator
group, gpresult works. When I log on using an instructor or
student name,
gpresult gives me the following:

INFO: The policy object does not exist.


how do i fix this?

Thanks
Click to expand...

Hi,

DNS is usually the culprit when GP’s aren’t applying. Check my site to
see if you have the XP dns setup correctly for the workstations
http://www.sd61.bc.ca/windows2000/dns.htm .

Cheers,

Lara
 
sorry about that....

all of the users are located in OUs which are inside another OU called
SBJATC Users (sbjatc is our domain)..... here is the basic set up
sbjatc.local
OU
OU
OU
Sbjatc Users
Instructors
Groupname
Username
Students
Groupname
1st year
Username
2nd year
Username
3rd year
Username
Administrators
Groupname
Username

I have the GPOs for the Instructor OU, the Student OU and the administrators
OU.

The GPO works for the Administrators OU (could this work because these are
also administrators for the local computers?)

anyways.... the instructors, and students when I logon with one of the
usernames gives me "INFO: The policy object does not exist." when i run
gpresult

when i run it on one of the administrators accounts it works fine.

The only thing that doesn't seem to work is the folder redirection on the
administrators GPO. I have that redirected to
\\server\administrator\documents\%username% but it doesn't work...
all of the scripts work, but not the redirection...

Thanks for your help so far.
 
Nick88 said:
sorry about that....

all of the users are located in OUs which are inside another
OU called
SBJATC Users (sbjatc is our domain)..... here is the basic set
up
sbjatc.local
OU
OU
OU
Sbjatc Users
Instructors
Groupname
Username
Students
Groupname
1st year
Username
2nd year
Username
3rd year
Username
Administrators
Groupname
Username

I have the GPOs for the Instructor OU, the Student OU and the
administrators
OU.

The GPO works for the Administrators OU (could this work
because these are
also administrators for the local computers?)

anyways.... the instructors, and students when I logon with
one of the
usernames gives me "INFO: The policy object does not exist."
when i run
gpresult

when i run it on one of the administrators accounts it works
fine.

The only thing that doesn't seem to work is the folder
redirection on the
administrators GPO. I have that redirected to
\serveradministratordocuments%username% but it doesn't
work...
all of the scripts work, but not the redirection...

Thanks for your help so far.

 > >I have a gpo setup on my windows 2000 AD server. I
have 3 groups,
 > > Instructors, Students, and Administrators. I have
different policies for
 > > each
 > > group. On my local XP Pro Machine, the policies only
work for
 > > administrators,
 > > What am I doing wrong?
 > >
 > > Thanks in advance for your help
Click to expand...

Hi,

1. Have you checked that your DNS is setup correctly? Do your XP
Clients point ONLY to the DC as their DNS (not your ISP) and if you
look in DNS do you see the xp client names with the Correct IP?

2. Did you set permissions or change permissions on your Group Policy
Objects? Eg. If you set any type of permissions they could be messing
with things. Users need the ’read’ on the policy to apply it. I just
don’t change the default settings ever unless it is a specific GPO
that I need access to.

As websites don’t do spacing, it is difficult to see your structure.
Your Group Policy IS on the OU that the Users reside in? Forget the
groups. The Groups can be anywhere and have no affect on GP unless you
are using them to change permissions on the Group Policy itself.

3. Personally I will make a note of the settings, delete all the group
policies EXCEPT the Domain Policy and the Default Domain Controllers
policy (which HAVE to be the default ones created by Install or the
Domain won’t run correctly) and start again.

Cheers,

Lara
 
lforbes said:
Hi,

1. Have you checked that your DNS is setup correctly? Do your
XP Clients point ONLY to the DC as their DNS (not your ISP)
and if you look in DNS do you see the xp client names with the
Correct IP?

2. Did you set permissions or change permissions on your Group
Policy Objects? Eg. If you set any type of permissions they
could be messing with things. Users need the 'read' on the
policy to apply it. I just don't change the default settings
ever unless it is a specific GPO that I need access to.

As websites don't do spacing, it is difficult to see your
structure. Your Group Policy IS on the OU that the Users
reside in? Forget the groups. The Groups can be anywhere and
have no affect on GP unless you are using them to change
permissions on the Group Policy itself.

3. Personally I will make a note of the settings, delete all
the group policies EXCEPT the Domain Policy and the Default
Domain Controllers policy (which HAVE to be the default ones
created by Install or the Domain won't run correctly) and
start again.

Cheers,

Lara
Click to expand...

i posted it from microsoft’s support group site........ the spacing
works fine there......

sbjatc users
instructors (group policy for instructors)
Students (group policy for students)
Administrators (group policy for administrators)
Click to expand...

1. DNS doesn’t seem to be a problem....all of the dns is set up
through the windows 2000 server

2.In the GPOs I did set it so the Instrouctor group (instructors) read
and execute as well as the Student (students) and administrators
(administrators)

3. I have done that

Thanks for the help!
 
Nick,

So long as the user account objects reside directly in the OUs to which the
GPOs are linked ( or in an OU that is under - not at the same level - as the
OU to which the GPO is linked ) then there should be no problems. UNLESS
you have somewhere ticked the Block Inheritance checkbox. It is important
that the user account objects reside directly in the OU to which the GPO is
linked. Hmmm....I have stated this several times. It could be important!
;-)

So, my first question to you is: the GPO that is to affect the
Administrators - to what OU have you linked it? To the Administrators OU or
to the "username" OU? And is the "username" OU the OU in which the user
account objects directly reside? If you linked it to the "Groupname" OU
then things are not going to work! Er, unless the user account objects that
are to fall under the Scope of Management of this GPO directly reside in
that OU - which I am assuming is not the case! It would seem that you have
answered this question already in your previous post. What happens if you
link it to the "username" OU? In fact, since this one is working I might
just leave it alone!

My second question to you is: the GPO that is to affect the Instructors - to
what OU have you linked it? To the Instructors OU or to the "username" OU?
And is the "username" OU the OU in which the user account objects directly
reside? Again, if you linked it to the "Groupname" OU then things are not
going to work. Again, making the same assumption as in my first question.
It would seem that you have answered this question already in your previous
post. What happens if you link it to the "username" OU?

My third question to you is: the GPO that is to affect the Students - to
what OU have you linked it? To the Students OU or to the "username" OU for
each year? And is the "username" OU the OU in which the user account
objects directly reside? Again, if you linked it to the "Groupname" OU then
things are not going to work. Again, making the same assumption as in my
first question. And, for this GPO - do you have the same GPO for all years
or a different GPO for each year? It would seem that you have answered this
question already in your previous post. What happens if you link it to the
"username" OU?

My fourth question for you is: are you making use of Group Filtering? This
is where you go to the security tab of each GPO and remove the Authenticated
Users security group ( which has both READ and APPLY GROUP POLICY rights )
and replace it with a security group of your choosing! So, if you are doing
this......are you using the correct security group? And in the case of the
Students are you using all of the security groups ( 1st year, 2nd year, 3rd
year, etc. )

My fifth question for you is: the GPOs that you have created are *naturally*
affecting the user configuration side of things. Please correct me if I am
wrong. Are you sure that you have not somehow disabled the user
configuration side of these GPOs? There is a place where you can disable
either one half or the GPO ( either the user configuration or the computer
configuration ) or both!

My sixth question for you is: have you used any of the troubleshooting tools
available to you? GPOTOOL is one such tool that is available to you. So is
GPResult.

My final question to you is: is everything fine and dandy with DNS? I know
that you have answered this already a couple of times but with Active
Directory a lot of things go back to DNS.......

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Back
Top