GPO will not work on OU

Brian Heilmann

Hi,

I have a W2K environment. My problem is that when I apply a GPO to an OU it
does not take effect. But when I apply a GPO to the domain it is working. I
have checked permissions and the following:

I have run GPRESULT /v on the client - the Group Policy is NOT received by
the user.

I have run netdiag and dcdiag - they show no problems.
I have checked security policy on the OU - it's the same as in the domain.
I have run repadmin /showreps - no replication issues.
I have run GPOTOOL to verify policies synchronization - no problems

I don't know what to do next - can anyone help me??

Regards

Brian Heilmann / Sysadmin
 
Robert Cohen

Do you have the security settings set to apply the setting to the users in
question?
 
Brian Heilmann

Yes, the security settings are set to read and apply for all authenticated
users.

-Brian
 
Steven Umbach

The users or computers that you want the GPO to apply to must reside in that OU
or possibly a sub OU - in other words within the scope of influence of that GPO.
Also keep in mind that domain account policies such as password policy for
domain users can only be configured at the domain level and will be ignored at
other levels except that they can apply to "local" user accounts. --- Steve
 
Brian Heilmann

It is a top-level OU in which all my users reside. And it is a simple
screensaver GPO I am trying to apply!

-Brian
 
Steven Umbach

Hi Brian.

Try applying another couple settings to see if they work ruling out a
misconfiguration of a particular setting. The other things I would check are
that the GPO is linked to the OU, that the user configuration part of it is
enabled, and that a higher GPO with that setting defined does not have "do not
override" selected, and that they are not logging onto a computer where loopback
processing policy [not a default setting] is being applied which may override a
user's policy to be what is configured in the container where the computer
resides. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;EN-US;q250842&
 
Brian Heilmann

I have now tried to move my test machine to Computers OU (in that way no
policies are applied to it). I have then created a new top-level OU in which
I have put my users. I have then checked that there are no policies on the
domain level and added a policy to the new top-level OU where my users
reside. When I then run secedit.... /enforce - the policy is NOT applied :-(

-Brian

 
Steven Umbach

Hmm. Sounds like you are doing everything right. You posted earlier that netdiag
and dcdiag looked good. Just be sure that there are never any ISP dns servers
ever configured as a preferred dns server for a domain computer, even down the
list. The only other thing I can think of is that the policies have not
propagated yet. I assume you refreshed for user policy also. I would also try
rebooting your test computer and make sure you are logging onto it with a domain
user account and not a local account to which domain user policy will not apply
and verify that it has proper network connectivity. Also check the Event Viewer
on your domain controller looking for anything that may indicate a problem with
policy propagating --- Steve


 
Brian Heilmann

I have solved the problem now. It was because of a loopback policy applied
to the computers. When I disabled this all the GPOs applied to the users
started to work again. I thought that I already checked this, but this
policy must have slipped my sight :-(

But now it is working.

Thank you all.

Regards

Brian
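
The checks from Steven's list (GPO linked, user configuration enabled, "No Override", loopback) and the loopback cause found above, as an added example that is not part of the original thread: a simplified Python model of how the GPO list for user settings is built. GPO names, containers and setting values are constructed sample data; local and site GPOs, Block Inheritance and security filtering are left out, and "No Override" is modelled as a flag on the GPO rather than on the link.

```python
# Simplified model of how Windows builds the list of GPOs for *user* settings.
# GPO names, containers and settings are constructed sample data (assumptions).

GPOS = {
    "Screensaver": {"user": {"ScreenSaveTimeOut": "600", "ScreenSaverIsSecure": "0"}},
    "Kiosk": {"user": {"ScreenSaverIsSecure": "1", "NoRun": "1"}},
}
# Container -> GPOs linked there. A GPO that is not linked anywhere never applies.
LINKS = {"OU=Staff": ["Screensaver"], "OU=Workstations": ["Kiosk"]}
USER_PATH = ["DC=example,DC=test", "OU=Staff"]            # domain first, leaf OU last
COMPUTER_PATH = ["DC=example,DC=test", "OU=Workstations"]


def gpos_in_scope(links, path):
    """GPOs linked along a container path, in processing order."""
    return [gpo for container in path for gpo in links.get(container, [])]


def user_gpo_order(links, user_path, computer_path, loopback=None):
    """loopback is None (default), "merge" or "replace", as set on the computer."""
    user_list = gpos_in_scope(links, user_path)
    computer_list = gpos_in_scope(links, computer_path)
    if loopback == "replace":
        return computer_list              # the user's own OU is ignored entirely
    if loopback == "merge":
        return user_list + computer_list  # computer's list is processed last, so it wins
    return user_list


def resolve_user_policy(gpos, links, user_path, computer_path, loopback=None):
    """Return {setting: (value, winning_gpo)} for the logged-on user."""
    settings, locked = {}, set()
    for name in user_gpo_order(links, user_path, computer_path, loopback):
        gpo = gpos[name]
        if not gpo.get("user_enabled", True):
            continue                      # user configuration part of the GPO is disabled
        for key, value in gpo["user"].items():
            if key in locked:
                continue                  # an earlier "No Override" GPO already set this
            settings[key] = (value, name)
            if gpo.get("no_override"):
                locked.add(key)
    return settings


if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, resolve_user_policy(GPOS, LINKS, USER_PATH, COMPUTER_PATH, mode))
```

In replace mode the GPO linked to the users' OU contributes nothing, which matches the symptom in this thread: GPRESULT on the client shows the user not receiving a policy that is correctly linked and permissioned.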
 
