GP Policy setup


Guest

I am a newbie to GP. I have created an OU containing 13 computers and created
a GPO with GPMC. I have linked the GPO to my OU. It does not seem to be being
applied. Does anyone have a link to a site that can explain it to me in basic
newbie speak? Microsoft's site is much too informative at this time for me. Any
help is appreciated. Thanks
 

Cary Shultz [A.D. MVP]

Howdy!

First of all, what exactly is not working? What settings did you configure?
Did you reboot the computers? Did you give it time ( the GPO ) to replicate
should you have multiple Domain Controllers and / or multiple Sites?

Here is how things are supposed to work. I will use 'normal GPO language'
with some 'newbie translations'.

First of all, you need to know that there are two sides to each Group Policy
Object. There is the Group Policy Template ( GPT ) and there is the Group
Policy Container ( GPC ). The GPT resides in the shared SYSVOL directory
structure and the GPC lives within Active Directory in the Domain NC (
partition ). So, what does this all mean? It means that a section of the
settings are stored in one place and the other settings are stored in
another place. Make sense so far? Through the various replication
structures [ the GPC is subject to Active Directory replication while the
GPT is subject to File Replication Services ( FRS ) replication ].

There are also two parts: the User Configuration and the Computer
Configuration. You configure the User Configuration side of things to
affect user account objects and you configure the Computer Configuration
side of things to affect computer account objects. Although this seems
clear, it is important to know.

Now, a GPO can be linked to four levels: the Local-level, the Site-level,
the Domain-level and the OU-level. This is also the 'pecking order'. So,
if you have a setting within a GPO that is linked at the Domain-level and it
is conflicted with a setting within a GPO that is linked to the OU-level
then the setting at the OU-level wins. It is usually the last setting that
wins. Now, you can also have multiple GPOs linked at the same level ( at
the OU-level, for example ). Again, it is the last setting that wins. So,
whatever appears at the bottom of the list is processed first. Whatever is
listed above that is processed second. Whatever is listed at the top is
processed last.

Now, when do these GPOs come into effect? Well, first the settings
configured in the Computer Configuration side of things are processed when
the computer is rebooted. Well, just any computer? No. In order for a
computer account object to fall under the Scope of Management ( SOM ) of a
GPO the computer account object must directly reside in the OU to which the
GPO is linked. Granted, there are other levels ( the Domain- and the
Site-levels: I am going to only talk about the OU-level here ). Let's just
talk about the OU-level for now. If the computer account object does not
directly reside in the OU to which the GPO is linked then it does not fall
under the SOM of that GPO. Still making sense? There are a couple of ways
to massage this. But we will keep it simple for the moment. So, the
settings that are configured in the Computer Configuration side of things
for this GPO are processed by the computer. You are then asked to log on by
providing your user name and password. At this point the User Configuration
side of things settings are processed based on which GPOs are linked to the
OU in which the user account object directly resides. The same pecking
order applies ( local, Site, Domain, OU ).

So, in a nutshell, the computer configuration settings of the GPOs that are
linked to the OU in which the computer account object directly resides are
processed at the time that the computer reboots and then the user
configuration settings of the GPOs that are linked to the OU in which the
user account object directly resides are processed at the time that the user
logs on.

Was this basic enough or too informative?

If it is too informative then consider this:

The computer stuff is processed when the computer boots up and the user
stuff is processed when the user logs on. The computer needs to be in the
OU where the GPO is created ( when you create the GPO you are really doing
three things - even if it is blank at that time ) and the user needs to be in
the OU where the GPO is created.

Now, for troubleshooting. Let's start with the most basic of all: DNS. The
client workstation gets its IP Address from DHCP I assume. I further assume
that DHCP provides additional information to its clients, such as Default
Gateway and DNS/WINS Server information. Do your clients have the correct
DNS Server information? Meaning, do they point to your internal DNS
Server(s) and not to your ISP's DNS Server information?

HTH,

Cary
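
The checks described in the post above, gathered into one script as an added example (not part of the original thread or anything the posters ran). It assumes the RSAT ActiveDirectory and GroupPolicy modules are available; `WS-EXAMPLE01` and `adam.example` are constructed placeholder names, and the helper function names are hypothetical.

```powershell
# Added example. Assumes the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

function Get-ParentContainer([string]$DistinguishedName) {
    # Drop the first RDN; the lookbehind skips commas escaped inside a name.
    ($DistinguishedName -split '(?<!\\),', 2)[1]
}

function Get-LinkedGpoReport([string]$Kind, [string]$DistinguishedName) {
    $parent = Get-ParentContainer $DistinguishedName
    if ($parent -match '^CN=') {
        # Default containers (CN=Computers, CN=Users) are not OUs and take no GPO links.
        Write-Warning "$Kind object sits in '$parent', a container and not an OU."
        return
    }
    # InheritedGpoLinks is ordered by precedence, highest first; the first entry
    # is processed last and wins. Site-linked and local policy are not listed here.
    $rank = 0
    foreach ($link in (Get-GPInheritance -Target $parent).InheritedGpoLinks) {
        $rank++
        $half = (Get-GPO -Guid $link.GpoId).$Kind   # Computer or User half of the GPO
        [pscustomobject]@{
            AppliesTo   = $Kind
            Precedence  = $rank
            Gpo         = $link.DisplayName
            LinkedAt    = $link.Target
            LinkEnabled = $link.Enabled
            HalfEnabled = $half.Enabled
            # GPC (Active Directory) and GPT (SYSVOL) versions differ until both replicate.
            InSync      = $half.DSVersion -eq $half.SysvolVersion
        }
    }
}

# DNS first: the client should use internal DNS servers and find a domain controller.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses
Resolve-DnsName -Type SRV "_ldap._tcp.dc._msdcs.$((Get-ADDomain).DNSRoot)" |
    Where-Object NameTarget | Select-Object NameTarget, Port

# The computer half follows the computer's location, the user half the user's.
$computer = Get-ADComputer -Identity 'WS-EXAMPLE01'   # placeholder name
$user     = Get-ADUser -Identity 'adam.example'       # placeholder name
@(Get-LinkedGpoReport 'Computer' $computer.DistinguishedName) +
@(Get-LinkedGpoReport 'User' $user.DistinguishedName) |
    Sort-Object AppliesTo, Precedence | Format-Table -AutoSize
```

A GPO that shows up under `Computer` but not under `User` means its User Configuration settings will not reach that user, whatever the GPO contains.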
 

Guest

Cary,

Thanks for all the info. I figured out that there were two settings. User
and computer, yes it was obvious once I looked at it. Then, I added my user
to the OU and "what do you know", it worked. The user settings were the
settings that were not being applied. Thanks for helping me understand GP in
a more clear light.

Adam

 

Cary Shultz [A.D. MVP]

Adam,

Glad that you understand this a bit better now and that things are working.
This is a very involved technology but is really quite simple ( er, did I
just jinx myself? ) once you get the hang of it. Deploying software via GPO
is a really great thing!

Cary

 
