GPO doesn't apply to workstations.

Thread starter: Lei Hu

Lei Hu

Hi there,

I've just found this group, and think it's better for my question, which was
initially posted in the active_directory group. Here's my question I copied
from my initial post.

I'm new to AD, and maybe this is a silly question. Anyway, I need to fix
this problem.
Here is my simple scenario: I have a small domain with one Win2k3 server
running AD, and a couple of workstations running Win2k and WinXP. I created
an OU, under which I created some user accounts. Then, I created a GPO
linked to the OU, hoping that the GPO can control the user's desktop when
they log on. For example, I want to hide the Control Panel completely from
the users in the OU. This works fine (as I wanted) when a user logs on to the
2k3 server (through a terminal server client). However, the GPO doesn't take
effect when a user logs on at a workstation (to the domain, not to the local
machine). Running GPResult on the workstation shows that the local group
policy is used, not the GPO I designed on the server. Is there any important
step I missed, or is my thinking completely wrong? Could anyone please help?

Having read some documents and Q&As about similar problems, I found someone
mentioning loopback processing of group policy, and I tried it, but no luck.
After trying everything I could think of, I list here exactly the steps I
followed to set up the AD. Before doing so, I deleted all the AD-related stuff
from the server, keeping only Terminal Server. This is what I did step by step:

Below is how I configured Active Directory:

1. Run "Configure Your Server Wizard" in Control Panel.

2. In the "Server Role" list, select "Domain Controller (Active Directory)",
click Next, and Next...

3. In the "Active Directory Installation Wizard", select the "Domain
controller for a new domain" radio button. Click Next.

4. Select "Domain in a new forest", and next.

5. In "Full DNS name for new domain", type: testdomain.local, click Next.

6. In "Domain NetBIOS name", accept the default, which is TESTDOMAIN, click
Next.

7. In "Database and Log Folders", accept default, next.

8. In "Shared System Volume", accept the default, next.

9. In "DNS Registration Diagnostics", select "Install and configure the DNS
server on this computer, and set this computer to use this DNS server as its
preferred DNS server." Click Next.

Here, I don't know if DNS is necessary or not. Another option is: "I will
correct the problem later by configuring DNS manually. (Advanced)"

10. In "Permissions", select "Permissions compatible only with Windows 2000
or Windows Server 2003 operating systems", next.

11. In "Directory Services Restore Mode Administrator Password", enter
xxxxxx, next.

12. Following is the summary given by the wizard:

Configure this server as the first domain controller in a new forest of
domain trees.

The new domain name is testdomain.local. This is also the name of the new
forest.

The NetBIOS name of the domain is TESTDOMAIN

Database folder: C:\WINDOWS\NTDS
Log file folder: C:\WINDOWS\NTDS
SYSVOL folder: C:\WINDOWS\SYSVOL

The DNS service will be installed and configured on this computer. This
computer will be configured to use this DNS server as its preferred DNS
server.

The password of the new domain administrator will be the same as the
password of the administrator of this computer.

13. Click Next, and Finish, and "Restart Now" to restart the server.

And below is what I did for creating the OU, group, account, etc., using "Active
Directory Users and Computers":

1. Create an OU named MyOU under testdomain.local.

2. Under MyOU, create a group named MyGroup (select "Domain local" and
"Security").

3. Under MyOU, create a user named john, and add it into MyGroup.

4. Create a GPO named MyGPO in Group Policy Management Console, and link it
to MyOU.

5. Now, edit MyGPO, and enable the following:
. Prohibit access to the Control Panel;
. Remove My Documents icon on the desktop;
. User Group Policy loopback processing mode (replace mode).

6. On a Win2k workstation, join the TESTDOMAIN domain.

7. On the server, move the workstation from the Computer container to MyOU.

8. Reboot the workstation.

9. Now, on the workstation, log on as john to the TESTDOMAIN domain, hoping
that Control Panel and My Documents are hidden from john. But unfortunately,
they are still there.

The above steps are exactly what I did. Hope you guys could find something
wrong and fix my problem. It's a bit urgent.

Thanks in advance for your time and help!!

Lei
 
Try to remove your User Group Policy loopback processing mode setting. The
other 2 settings are user settings. So make sure your users are in the OU,
and have at least read and apply permission to the GPO. You can move away
your computer objects from the OU as they are not affected by the user
settings.

HTH.

BR,
Denis
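The checks Denis describes (user actually located in the OU, GPO linked there, user holding Read and Apply Group Policy) plus the DNS check a domain-joined workstation depends on, written up as an added PowerShell diagnostic. This is not code from the thread; it assumes a modern Windows host with RSAT (the GroupPolicy, ActiveDirectory and DnsClient modules) and reuses the names from the post (testdomain.local, MyOU, MyGPO, john).

```powershell
# Added diagnostic for "GPO applies on the DC but not on the workstation".
# Assumes RSAT modules are present; names below come from the thread.
Import-Module GroupPolicy, ActiveDirectory, DnsClient

$Domain  = 'testdomain.local'
$OU      = 'OU=MyOU,DC=testdomain,DC=local'
$GpoName = 'MyGPO'
$User    = 'john'

# 1. DNS: a workstation that does not use the DC as its DNS server cannot
#    locate a DC through the _ldap._tcp.dc._msdcs SRV record and silently
#    falls back to local policy, which is what gpresult reported in the thread.
#    Logging on at the server itself never hits this problem.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
    Select-Object Name, NameTarget, Port

# 2. Scope: user-side settings apply by where the *user* object lives in AD;
#    moving the computer object into the OU does not help for these settings.
$dn = (Get-ADUser -Identity $User).DistinguishedName
if ($dn -like "*,$OU") { "OK: $User is in $OU" }
else                   { "PROBLEM: $User is at $dn, not under $OU" }

# 3. Link and security filtering: the GPO must be linked and enabled on the
#    OU, and the user (or a group containing the user) needs both GpoRead and
#    GpoApply; Authenticated Users has these by default unless someone removed it.
Get-GPInheritance -Target $OU |
    Select-Object -ExpandProperty GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -in 'GpoRead', 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 4. Client-side view, run on the workstation as the affected user:
#    lists the GPOs that were applied and those filtered out, with the reason.
gpresult /r /scope:user
```

Run sections 1 and 4 on the workstation and sections 2 and 3 from any host with RSAT; a GPO that shows under "filtered out" in gpresult is reported together with the reason (denied access, empty, not linked).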
 
I didn't have loopback processing initially. Because my settings didn't work
as I expected, I read the Internet, found the loopback stuff, and added
it. I'm pretty sure it wouldn't work even if I remove it. I don't know about the
permission issue; I'll try it tonight and get back to you. But a question
is: why is it working through a terminal client?

Thanks!!

Lei
 
No, it doesn't work. Can anyone help?

Denis Wong @ Hong Kong said:
Try to remove your User Group Policy loopback processing mode setting. The
other 2 settings are user settings. So make sure your users are in the OU,
and have at least read and apply permission to the GPO. You can move away
your computer objects from the OU as they are not affected by the user
settings.

HTH.

BR,
Denis
 