Problems with Group Policies being applied

Harrison Midkiff

Hello:

I am having problems with a Group Policy being applied. My domain is Active
Directory 2000 and I have 2 Windows 2003 Terminal Servers online. I created
an OU and placed my terminal servers in it. I created a GPO on the OU to
restrict users on the terminal server to basically lock it down. The user
accounts are located in different OU's. The GPO did not appear to be
applying to the computer. I ran "gpresult" on the terminal server and found
that the GPO does not even show up. I also noticed one of my domain
policies called "NoXPSP2Update" is not applying either. It looks like this:

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
NoXPSP2Update
Filtering: Not Applied (Empty)

Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------

I ran "netdiag" on the computer thinking perhaps I could have a problem with
DNS. Everything on it seems fine with the exception of the "Kerberos test".
I think I can disregard this.

Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for
host/SERVERNAME.YOURDOMAIN.LOCAL.

Does anyone have any idea what might be going on?

Harrison Midkiff
 
Thanks for your reply:

I have that setting applied but it is like it is not even seeing the GPO.
When I run gpresult I should at least see the GPO. I have tried sync'ing
the domain and logging into the server under a domain admin account and
running "gpupdate /force". This should make sure the GPO makes it onto the
computer. At this point I am puzzled. The only thing I can think of is
there is some kind of a problem with AD 2000 applying its GPO to a Win2003 TS
server.

Any suggestions you have would be greatly appreciated.

Harrison Midkiff



jjhols said:
If these are user settings you are trying to apply you will need to add the
user to the OU also, unless you look into a feature called loopback
processing which means no matter where or who the user is they will always
get the GPO assigned to that OU.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;231287
Hope this helps!

 
Are GPOs being applied to other OUs or is this your only one? From the
Terminal Servers are you able to browse to \\domainname\sysvol? If this
fails it might be something with DNS? Check the security on the GPO, make
sure the correct permissions are set up and make sure the group assigned has
the read permission.

This sounds like a strange one and sorry I can't be more help.

 
I suggest you run GPOTOOL to get a picture of the current replicated state
of all GPOs.
If this looks good, and it is only these two terminal servers that don't
apply policy, then investigate the userenv errors these servers return.
There should be something there. 1000, 1030, 1054, 1093. You should see one
of these.
Also, turn up userenv debug logging to log everything the GPO processing is
doing under the hood.
http://support.microsoft.com/default.aspx?scid=kb;en-us;221833

If the terminal servers simply don't see the policies to apply them, then it
is a permissions prob on the policy.
Remember... authenticated users needs read and apply permissions for
computers to apply GPO.
If you removed this, then you must compensate by creating a security group
for the computers, adding them to the group, and granting the group
appropriate permissions on the GPO.

Also, the netdiag error you mentioned is a bug in NETDIAG. Ignore it.
See:
http://support.microsoft.com/default.aspx?scid=kb;en-us;870692


--
Glenn L
CCNA, MCSE 2000, MCSE 2003 + Security
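
A triage example for the symptom discussed in this thread, added here and not code from any poster: it parses gpresult text and reports whether an expected GPO was applied, filtered (with the reason gpresult prints), or listed nowhere. The sample output is constructed from the excerpt in the first post; its "Applied" section, the "Domain Users" entry and the GPO name "TS Lockdown" are assumptions, and the parser expects one settings section (user or computer) at a time.

```python
import re

# Constructed sample modelled on the gpresult excerpt in the first post.
SAMPLE = """\
USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        NoXPSP2Update
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
"""
APPLIED = "Applied Group Policy Objects"
FILTERED = "The following GPOs were not applied because they were filtered out"

def parse_gpresult(text):
    """Return (applied_names, {filtered_name: reason}) from gpresult text."""
    lines = [l.strip() for l in text.splitlines()]
    applied, filtered, section, last = [], {}, None, None
    for i, line in enumerate(lines):
        if not line or set(line) == {"-"}:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt and set(nxt) == {"-"}:  # a dashed underline marks a heading
            section = {APPLIED: "applied", FILTERED: "filtered"}.get(line)
        elif section == "applied":
            applied.append(line)
        elif section == "filtered":
            m = re.match(r"Filtering:\s*(.+)", line)
            if m and last:
                filtered[last] = m.group(1)  # reason belongs to the name above
            elif not m:
                last = line
    return applied, filtered

def status(text, gpo):
    """Classify one expected GPO by where gpresult lists it."""
    applied, filtered = parse_gpresult(text)
    if gpo in applied:
        return "applied"
    if gpo in filtered:
        return "filtered: " + filtered[gpo]  # e.g. empty GPO or security denial
    # Listed nowhere: check where the GPO is linked relative to the evaluated
    # account (loopback for user settings) and that the account can read it.
    return "not listed"
```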

