Group Policy not being applied to Win2k Pro machines

  • Thread starter Thread starter Stu
  • Start date Start date
S

Stu

Using Windows 2003 and the Group Policy Management Console. I created a
policy enabled it, ran the modeling wizard successfully. When logged in
with a test account, on a windows 2k and XP workstation, the machines logged
on without errors, but the policy did not apply. Any ideas?

thanks!

Stuart
 
Stuart,

You did not provide even close to enough information ;-)

Did you link the policy to the computer configuration side or to the user
configuration side?

If linked to the computer configuration side, is the computer account object
that you are 'testing' directly located in the OU ( or whatever ) to which
you linked the GPO?

If linked to the user configuration side, is the user account object that
you are 'testing' directly located in the OU ( or whatever ) to which you
linked the GPO?

Now, let's back up a second.

Let's assume that you are trying to install software via GPO. Might not
apply. But you did not specify what you are trying to do, so I am guessing
right now....Does the computer account object or the user account object
have at least READ permissions to the shared folder? Is the computer
account object or the user account object located in an OU where 'BLOCKED
INHERITANCE' is affecting the GPO that you are testing? Did you disable the
computer configuration side ( and applied this GPO to the computer
configuration side ) or the user configuration side ( and applied the GPO to
the computer configuration side )? Does the computer have the correct DNS
information ( meaning, only your internal DNS information and NOT your
ISP's )?

I think that you are getting the picture now. There are about 20 things
that we would need to ask without more information from you.

Have you run any of the appropriate Troubleshooting tools? Doesn't the GPMC
have such a tool built-in? Have you run GPOTOOL on the WIN2000 client?

What have you done in the way of Troubleshooting?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
ssheinman said:
Using Windows 2003 and the Group Policy Management Console. I
created a
policy enabled it, ran the modeling wizard successfully. When
logged in
with a test account, on a windows 2k and XP workstation, the
machines logged
on without errors, but the policy did not apply. Any ideas?

thanks!

Stuart
Click to expand...

Hi,

Group Policy requires DNS to be setup correctly. Check here to make
sure your DNS is properly setup.
http://www.sd61.bc.ca/windows2000/dns.htm

Cheers,

Lara
 
Stu said:
Using Windows 2003 and the Group Policy Management Console. I created a
policy enabled it, ran the modeling wizard successfully. When logged in
with a test account, on a windows 2k and XP workstation, the machines logged
on without errors, but the policy did not apply. Any ideas?
Click to expand...

How do you know? Does it have obvious User or
Computer settings, both?

Most problems with skipping group policy are due
to DNS and/or Authentication with the domain (by
the computer). Authentication with the domain is
mostly a DNS issue too. (See below)

The policy must be LINKED (assigned) to a container
that contains the User or the Computer (whichever you
are trying to affect with the policy.)

To which Domain, OU, or Site container did you link
the policy? Is the User or is the Computer a member of
that container?

Permissions much allow READ and Apply Policy but
those are set by default unless you mess with them.
Authentication may be a (separate) problem if the
Computer has no account, or if that account needs to
be RESET (right-click AD User/Computers).

There are also a variety of settings for overiding,
disabling (either User/Computer or entire policy)
the policy where it is linked to a container but if you
linked it these are unlikely to be wrong unless you
changed (messed with) them.

Mostly authentication problems are a failure to find
the DC in AD, or the DC being missing from DNS.

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC and/or use:

nltest /dsregdns /server:DC-ServerNameGoesHere

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Lable domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
 
Back
Top