Group Policy not applied to users.


Ian White

Greetings,

I work at a school and have a problem with users. At first they
appeared to be random, but group policy is not being applied to some
users, but not others.

I put this in the startup folder on all the lab machines:
log.bat
--
gpresult >> \\lab-pc07\a\log.txt
---

It was mildly effective at giving me results, but it clearly showed
there was a difference between some users.



The user with this gpresult has all policies applied.

##############################################################

User Group Policy results for:

CN=user name,OU=Grade 9,OU=Students,DC=starsea,DC=tas,DC=catholic,DC=edu,DC=au

Domain Name: STARSEA
Domain Type: Windows 2000
Site Name: Default-First-Site



The user with this gpresult data does not have any policies applied.


###############################################################

User Group Policy results for:



Domain Name: STARSEA
Domain Type: Windows 2000
Site Name: Default-First-Site



The "CN=a, OU=b, OU=c, DC=e, DC=f, DC=g, DC=h, DC=i" section is
missing from some users' results. These are the users that do not have
policies applied to them. What I would like to know is why these users
don't have this data, what if anything have I done wrong, and how do I
fix it?

Thank you,

Ian White
Star of the Sea College
Friend St George Town
Tasmania 7253
 

Steven L Umbach

Do all the users in a particular OU not get policy applied to them, or is it variable
among an OU? I don't know if a startup script for gpresult would be too dependable
because start up scripts run before a user logs on. I am kind of surprised it works
at all. A logon script may work however. Another thing to consider that could be more
accurate is to use the Group Policy Management Console that can be run on an XP Pro
SP1 domain computer in a W2K domain - WELL worth the investment if you do not have
one already. It is very easy to use GPMC for RSOP [Resultant Set of Policy] to see
what policies should be applied to a particular user based on current Group Policy
configuration. Details for the free GPMC are in the link below.

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx


If you do find that users are not getting the expected policy applied to them there
are a couple things to check.

-- Make sure their user account resides in the container structure where the Group
Policy is applied.

-- Verify that they have read and apply rights to the Group Policy itself.

-- Verify that the GPO is linked to the proper containers, that another policy does
not have defined settings with no override, that their container does not have block
inheritance applied to it unless it is supposed to, and that user policy is enabled
on the GPOs.

-- See if replication is working well between domain controllers. The Replmon utility
from the support tools [on install disk in the support/tools folder - run setup] is
great for that and for a quick check use gpotool.

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpotool-o.asp

-- Check computer configuration to be sure the preferred DNS servers are only domain
controllers. Check the Event Viewer on problem computers for errors and run netdiag
on them looking for any pertinent failed tests/errors/fatal warnings particularly in
regard to DNS, domain membership, and secure channel.

-- Make sure users are not logging on with local user accounts or cached credentials.
You can disable cached credential logon in appropriate security policy under security
settings/local policies/security options - number of previous logons to cache. Set it
to zero to disable.

-- If loopback processing is enabled on any computer [not a default setting], a user
could get the user configuration for the GPO that the computer resides in instead of
their normal user policy in either a merge or replace mode.

That should give you a start. --- Steve
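As an added example (not code from either poster): a Python script that reads a log in the layout shown in the question, counts the gpresult user sections whose distinguished name is blank, and tallies the resolved ones by OU. The function names, the sample log and the choice to rejoin a wrapped DN with a space are assumptions made for this example.

```python
import re
from collections import Counter

HEADER = "User Group Policy results for:"

# Constructed sample in the layout shown in the question (not real log data).
SAMPLE_LOG = """\
##############################################################
User Group Policy results for:

CN=user one,OU=Grade
9,OU=Students,DC=example,DC=edu

Domain Name: EXAMPLE
Site Name: Default-First-Site
##############################################################
User Group Policy results for:

Domain Name: EXAMPLE
Site Name: Default-First-Site
"""

def parse_records(text):
    """Return one entry per user section: the DN string, or None if it was blank."""
    records = []
    for chunk in text.split(HEADER)[1:]:
        # Everything between the header and "Domain Name:" is the DN, which may
        # be wrapped across lines; rejoin with a space (assumed wrap point).
        dn_part = chunk.split("Domain Name:", 1)[0]
        dn = " ".join(line.strip() for line in dn_part.splitlines() if line.strip())
        records.append(dn or None)
    return records

def summarize(text):
    """Count sections with no DN and tally resolved sections by their nearest OU."""
    records = parse_records(text)
    by_ou = Counter()
    for dn in filter(None, records):
        m = re.search(r"OU=([^,]+)", dn)
        by_ou[m.group(1) if m else "(no OU)"] += 1
    return {"total": len(records), "missing_dn": records.count(None), "by_ou": dict(by_ou)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A section with a blank DN carries no user name, so this count only shows how widespread the problem is, not which accounts are affected.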
 
