Machine Policy not being applied


John Price

Hey all,

Well I am finally going insane. I have built a custom ADM file for testing
and it appears to work well for the USER settings but I could not get it to
work with the Machine settings.

I created a new policy off the Domain and applied it to my user account.
GPResults shows it being blocked - security

I created a new OU and moved my user account into the OU. Created a GPO and
applied it to Authenticated users. Same results as above.

I added the template to the Default Domain Policy - IT WORKED FINE. Anyone
have any ideas of what to do now?

Thanks in Advance.

John Price
(e-mail address removed)
 
Hi John

I'm not totally clear on what you're doing but for the machine settings to
apply, the computer account must be in the OU to which the policy is
applying, the computer configuration settings must not be disabled and the
computer account must have read and apply group policy permissions
(authenticated users takes care of this).

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Mark,
Thanks for the help. Here is (hopefully) a better explanation.

I open the properties at the root of the domain - Right under Active
Directory Users and Computers. In our case Firm.BEC.com. Under Group Policy
I added a new policy object. In the new policy I install my addin which
makes changes to both [USER] and [MACHINE] registry settings - these changes
are preferences. I then apply the GPO security to only the group that uses
the software that we are trying to configure registry settings for. Under
this scenario the [USER] settings are applied but the [MACHINE] settings are
blocked by security. If u edit the Default Domain Policy and add the new ADM
template here both [USER] and [MACHINE] settings work fine.

We can do this but would prefer to have the settings only apply to users
of the software not all users in the domain.

Thanks again.

John

 
The bottom line is that the computer account does not have permissions to
read/apply the policy like they do with the Default Domain Policy. If there
are a group of machines that use this software you could create a group and
add the machine accounts to that group with read and apply permissions to
the policy as well as the users that use the policy (or add the machines to
the same group with the users). Or you can put those machines in an OU and
apply the machine portion of the policy to that OU.

Beyond those 2 ways there isn't a great answer.

--
Gary Mudgett, MCSE, MCSA
Windows 2000/2003 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


 
Gary,
Well at least I know why it does not work. It is not the end of the world
to apply the settings to everyone. It just violates my sense of aesthetics.

Thanks

John Price

 
Hi John

Is this software installed everywhere or just on a few machines? As Gary
said, you could restrict the application of the policy to those machines
which are used for this purpose by putting them in a common OU or applying
security specific to the computer accounts.

If it's a case where users move from machine to machine and the software is
applied everywhere, perhaps you could create two GPOs, one for the user
settings (and have that apply only to the users) and one for the computer
settings that applies everywhere.

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
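
The checks and fixes Gary and Mark describe, as an added example that is not part of the original thread. It assumes the GroupPolicy and ActiveDirectory PowerShell modules (RSAT, which is newer than the Windows 2000/2003 tooling discussed here); every GPO, group and computer name is a hypothetical placeholder.

```powershell
# Added example: names below are hypothetical placeholders, not from the thread.
Import-Module GroupPolicy, ActiveDirectory

$GpoName      = 'Software Settings'   # GPO holding the custom ADM settings
$AppGroup     = 'Software Users'      # group used for security filtering
$ComputerName = 'WORKSTATION01'       # a machine that runs the software

# SIDs of every trustee that holds Read + Apply Group Policy on the GPO.
$applySids = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Sid.Value }

# SIDs the computer account can match: itself, Authenticated Users (S-1-5-11,
# implicit for any domain-joined machine) and its direct group memberships.
# Nested groups are not expanded here.
$computer     = Get-ADComputer -Identity $ComputerName
$computerSids = @($computer.SID.Value, 'S-1-5-11') +
    @(Get-ADPrincipalGroupMembership -Identity $computer |
        ForEach-Object { $_.SID.Value })

# The [MACHINE] half is processed as the computer account, so it applies only
# if at least one Apply trustee matches the computer.
$covered = @($applySids | Where-Object { $computerSids -contains $_ }).Count -gt 0
"Computer $ComputerName can apply '$GpoName': $covered"

if (-not $covered) {
    # Gary's first option: put the machine accounts in the same filtered group
    # as the users and make sure that group has Read + Apply on the GPO.
    Add-ADGroupMember -Identity $AppGroup -Members $computer
    Set-GPPermission -Name $GpoName -TargetName $AppGroup `
        -TargetType Group -PermissionLevel GpoApply
    # The computer picks up the new membership after a restart.
}

# Mark's option: split into two GPOs (hypothetical names). The user GPO keeps
# the group filter; the machine GPO keeps the default Authenticated Users.
(Get-GPO -Name 'Software Settings - User').GpoStatus    = 'ComputerSettingsDisabled'
(Get-GPO -Name 'Software Settings - Machine').GpoStatus = 'UserSettingsDisabled'
```

After either change, `gpresult` on the workstation should list the GPO under applied computer settings instead of reporting it as denied by security filtering.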

 