group policy "User Settings" ignored

  • Thread starter Thread starter Doesitmatter !
  • Start date Start date
D

Doesitmatter !

I have a problem with my W2K workstations not processing group policy
past the "Default Domain Policy". I have set up organizational units as
follows.

ourdomain.local --> Contains the "Default Domain Policy"
Accounts
- Accounting
- Admins
- General Purpose
- Managers
- Production
- Purchasing
- Sales --> Contains "Sales Group Policy" (Let
salespersons be local admins to their W2k workstations using restricted
groups)
Builtin
Computers
Domain Controllers --> Contains "Default Domain Controllers Policy"
ForeignSecurityPrinciples
Resources
- Admin Consoles
- Exempt
- Printers
- Servers
- Workstations --> Contains the "Workstation Group
Policy" (Under Computer Configuration, set DNS server via VBS script, Use
internal Software Updates server) (Under User Configuration, disable access
to a: & b: Drives.)
Users


The problem I'm having is only the "Default Domain Policy" settings are
applied (both Computer Settings and User Settings). The "Workstation Group
Policy" processes only the "Computer settings" section of the group policy.
Why is the "User Settings" Section of the "Workstation Group Policy" not
being applied? How could I troubleshoot this issue.

Thank you in advance,

Mike...
 
That's behavior by design. The computer half of a policy will apply only to
the computer, and the user half only to the user, unless you turn on
Loopback processing. The way I set mine up is that I have a few policies
for the users, where I configure only in the user half of the gpo, and do
the same for the computer half.

One way I do see that you could get it to work without turning on loopback
processing is to put all of your OU's under one OU where the policy(ies) are
linked. But to me, that's a messy way of managing gpo.

Also, remember that the computer objects must be in the OU that the policy
is applied to--security groups don't work for that.

HTH

Ken
 
It was my understanding that the lowest organizational unit group policy
takes precedence over the site, domain policies. Is this incorrect?
 
It will process in the order Local, Site, Domain, OU in that order. Any
conflicting policies should win "later" in the order, unless a "No Override"
or "Enforced" checkbox is checked.

You do have the computer objects themselves in the Workstations OU, correct?

Ken
 
Yes, In the workstations OU I have about 20 W2K Pro clients. I have
successfully configured this policy to configure workstation updates via the
Computer Settings section of the policy. I don't understand why the "User
Settings" of this policy (Specifically - remove the connection tab from
Internet Explorer, we use a proxy that I don't want disabled). I'm going to
activate the loopback processing mode on the "workstation group policy" and
set it to merge to see if this helps.
 
Back
Top