New GPO are failing

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hello,

I am running W2K servers sp4, I created a new GPO for a machine OU on a XP
pro box in user configuration. The new GPO shows up in AD under the right OU
but I receive the below message, what could be causing the Lockdown GPO
Filtering: Not Applied (Empty)??

Any insight would be great!
Ted

COMPUTER SETTINGS
------------------
CN=OCC38034,OU=Nursing Test GP,OU=Labs,DC=Testnet,DC=edu
Last time Group Policy was applied: 11/17/2004 at 4:13:52 PM
Group Policy was applied from: mastertn.Testnet.edu
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy
Local Group Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Lockdown GPO
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
OCC38034$
Domain Computers


USER SETTINGS
--------------
CN=Administrator,CN=Users,DC=Testnet,DC=edu
Last time Group Policy was applied: 11/17/2004 at 4:13:52 PM
Group Policy was applied from: mastertn.Testnet.edu
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy
Local Group Policy

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
Group Policy Creator Owners
Exchange Domain Servers
Domain Admins
Schema Admins
Enterprise Admins
Exchange Enterprise Servers
 
Actually I don't quite understand about "created a new GPO for a machine OU
on a XP pro box in user configuration".

If you mean you set the GPO settings in the User Configuration and you apply
the GPO to an OU containing the machine account only, then this is the where
the problem is. You need to place the user account into the OU which you
apply the GPO.

BR,
Denis
 
To add to what Dennis said, the results in COMPUTER SETTINGS tell you that
the GPO called LockDown GPO applies to the computer account, but that there
are no settings in the Computer Configuration part of the GPO, so there was
nothing to apply.

Further down under "USER SETTINGS", the LockDown GPO is not listed, so that
GPO has not been linked to the OU containing the user's account.
 
I'm having the same problem. I have basically the same settings. Th
only weird thing is that on the GPO, I have a password policy and th
SUS ADM file configuration. I get the same as stated before. The onl
thing is that the SUS configuration doesn't work, but the passwor
policy works.

I only have one OU with one policy.




*Hello,

I am running W2K servers sp4, I created a new GPO for a machine OU o
a XP
pro box in user configuration. The new GPO shows up in AD under th
right OU
but I receive the below message, what could be causing the Lockdow
GPO
Filtering: Not Applied (Empty)??

Any insight would be great!
Ted

COMPUTER SETTINGS
------------------
CN=OCC38034,OU=Nursing Test GP,OU=Labs,DC=Testnet,DC=edu
Last time Group Policy was applied: 11/17/2004 at 4:13:52 PM
Group Policy was applied from: mastertn.Testnet.edu
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy
Local Group Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Lockdown GPO
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
OCC38034$
Domain Computers


USER SETTINGS
--------------
CN=Administrator,CN=Users,DC=Testnet,DC=edu
Last time Group Policy was applied: 11/17/2004 at 4:13:52 PM
Group Policy was applied from: mastertn.Testnet.edu
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy
Local Group Policy

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
Group Policy Creator Owners
Exchange Domain Servers
Domain Admins
Schema Admins
Enterprise Admins
Exchange Enterprise Servers
Click to expand...


-
jesus
 
Settings in the User Configuration part of a GPO are ONLY applied to USER
ACCOUNTS that are present in the OU to which the GPO is linked. If that OU
only has COMPUTER ACCOUNTS, the User Configuration part of the GPO will be
ignored.

If a GPO that ONLY has User Configuration settings is applied to an OU that
has Computer Accounts, RSOP will report that GPO as Empty in the Computer
Configuration part of its report.

That's what the report you posted is saying.

a. The GPO called "Lockdown GPO" is linked to the OU called "Nursing Test
GP" that has the Computer Account for the computer called "OCC38034", but
there are no settings in the Computer Configuration part of that GPO (thus
the GPO is Empty in that sense).

b. The User Account called "Administrator" is in the OU called "Users" and
the only GPO that applies to that OU is the Default Domain Policy (which
does have some User Configuration settings).

So, to get the settings in the Lockdown GPO applied, link it to the OU
containing the Administrator user account (e.g. Users).

However, exercise caution. If you apply this GPO to the Users GPO and all
of your accounts, including Administrator are in there, you could end up
"locking down" the Administrator account so that it is useless! This is
called "shooting yourself in the foot via GPO".

Better to try out the GPO on an OU that has a less important user account in
it first!

The settings in the User Configuration part of a GPO are applied to the User
whose User Account is in an OU to which the GPO is linked (or inherited)
when that user logs on at any computer.

The settings in the Computer Configuration part of a GPO are applied to the
computer whose Computer Account is in an OU to which the GPO is linked (or
inherited) when that computer starts and periodically thereafter.

(Note that you can use the gpupdate command to get changes to Group Policies
applied immediately (use the command gpupdate /? to see the options
available)).

This is a fundamental, but not necessarily obvious, concept with Group
Policies. For this reason, to keep my life simple, I have established for
myself, these simple rules:

1. do not mix user accounts and computer accounts in the same OU.
2. do not mix User Configuration settings and Computer Configuration
settings in the same GPO
3. link GPOs with User Configuration settings only to OUs with User Accounts
and link GPOs with Computer Configuration Settings only to OUs with Computer
Accounts

Link all simple rules, there are some situations where setting them aside
makes sense, but there must be a good, rational reason for doing so. One
such reason is when "loopback processing" is used, but that's a story for
another day.

End of Lecture!

Hope this helps!
 
Back
Top