Trouble Applying GP

  • Thread starter Thread starter Frank Reichenbacher
  • Start date Start date
F

Frank Reichenbacher

We just switched our small office network from netware 3.12 to W2K, 14
workstations all converted to WXP. All users were created in AD and nothing
was done to alter default GP implementation. In my small network I want two
OUs, one running a more restrictive GP than the other. So I created to new
OUs, GPA (less restriction/policy) and GPB (more restriction/policy). Pretty
much all the options in the GPA GP are left "not configured". I moved the
four users I want into this new OU. Then I edited the GP in the GPB to
enable or disable some of the user options as I wanted to. Then I created a
test user and moved it into the GPB OU just to test the effects of this new
GP. I blocked inheritance on the GPs of both of the new OUs.

This is all correct, right?

Not! The test user who should not be able to open Control Panel, or use the
Run dialog, or configure the Desktop is unaffected. Nothing I seem to do to
either of the new GPs has any effect on any user. Obviously I missed
something.

Frank
 
Hi Frank-

Are these OUs at the domain level, or is one a child OU of the other? For a
defitive answer on what is processing and why (based on links), run a
GPRESULT /V at the command prompt of a user that does/doesn't get the
settings you want.

Let us know what results you see so we can help if needed.
 
Tim Springston (MSFT) said:
Hi Frank-

Are these OUs at the domain level, or is one a child OU of the other? For a
defitive answer on what is processing and why (based on links), run a
GPRESULT /V at the command prompt of a user that does/doesn't get the
settings you want.

Let us know what results you see so we can help if needed.
Click to expand...


Thanks for responding. I'm new to the terminology, so bear with me. I
believe they are domain-level. As I said, beyond creating my 14 users, plus
a test user, I had done nothing in AD. Now the left pane lists all the
default stuff that AD starts with plus my two OUs, GrpA and GrpB.

Anyhow, I just learned about gpresult.exe from one of the other messages and
will try that when I go back down to the office in a couple hours.

Frank
 
Hi Frank,

To ensure that user-specific group policies apply immediately after
configuration, make sure you log the user off and back on, or run the
"gpupdate /target:user /force" command. Also, keep in mind that due to the
network optimization feature in XP, some policies will require up to two
logins for policies to apply. However, removing the run line should not.
Also, setting block inheritance on OUs is not necessary unless you have
nested OUs or you don't want the Default Domain policy or site policies to
apply.

Running rsop.msc from the run-line will give you some graphical diagnostic
ouput of what policies are applying, and if not, will list an error message.
The gpresult.exe utility gives good output as well.

--
Eric Burke [MSFT]
Microsoft Directory Services
--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
I ran gpresult from one of the XP workstations and the results is that there
is no GPO, at least not one that is visible to workstations on the domain.
Needless to say, I do not understand this at all. I wish I could print the
output here, but gpresult doesn't seem to be able to save output to a file
and I had to leave today before I could get more into it.

If anyone has any ideas, let me know. Perhaps it is worth re-emphasizing how
simple and small this network is.

Frank
 
View an RSoP report in HTML

1.. Click Start, and then click Help and Support.
2.. Under Pick a task, click Use tools to view your computer information
and diagnose problems.
3.. Under Tools, click Advanced System Information.
4.. Under Advanced System Information, click View Group Policy settings
applied.
5.. At the bottom, click Save this report to an .htm file
Then just attach the file to your next post. You can also pipe utility
output to a file using the following example.

gpresult /v >c:\<myfilename>.txt

Also, please follow article 221833 and attach the userenv.log as well.

--
Eric Burke [MSFT]
Microsoft Directory Services
--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
Back
Top