Local group policy implementation erratic-why?

Guest

Created domain Group Policy with Computer Config for workstations however it is not being applied across all workstations.

For some unknown reason it applies the policy to one Authenticated User but not another. The only difference being that on the workstation, the policy is successful:

On the workstation I have a;

- desktop workstation
- user has local admin rights

On the other units on which the policy is unsuccessful;

- laptop
- standard user rights

I've checked rights for Authenticated Users and it has Read and Apply Policy. No Deny rights imposed anywhere.
 
Philip Nunn

What gpo settings are you trying to change?

Phil

Bill said:
Created domain Group Policy with Computer Config for workstations however
it is not being applied across all workstations.
For some unknown reason it applies the policy to one Authenticated User
but not another. The only difference being that on the workstation, the
policy is successful:
On the workstation I have a;

- desktop workstation
- user has local admin rights

On the other units on which the policy is unsuccessful;

-laptop
-standard user rights

I've checked rights for Authenticated Users and it has Read and Apply
Policy. No Deny rights imposed anywhere.
 
Derek Melber [MVP]

This could be a myriad of problems. Most of the time, it is a DNS issue.

--
Derek Melber
BrainCore.Net
(e-mail address removed)
Bill said:
Created domain Group Policy with Computer Config for workstations however
it is not being applied across all workstations.
For some unknown reason it applies the policy to one Authenticated User
but not another. The only difference being that on the workstation, the
policy is successful:
On the workstation I have a;

- desktop workstation
- user has local admin rights

On the other units on which the policy is unsuccessful;

-laptop
-standard user rights

I've checked rights for Authenticated Users and it has Read and Apply
Policy. No Deny rights imposed anywhere.
 
Steven L Umbach

I am a bit confused as your post states "Local Group Policy" which would be
configured on the local machine via gpedit.msc yet you discuss read and apply policy
which would indicate a domain membership policy??

Computer configuration applies to computers - not users so the read/apply for
authenticated users would only have bearing on the fact that computers are members of
the authenticated users group.

If you are using domain/OU policy then the computers themselves must be within the
scope of influence of the policy such as if this is an OU GPO, the computers must
reside in that OU structure.

Computers must be configured properly in regards to dns and having a machine account
in good standing in the domain if this is a domain issue. Most problems are due to a
domain computer not having only AD domain controllers as their preferred dns server
in tcp/ip properties. Laptops will initially need to connect to a domain controller
to have their Group Policy configured and if the user logs on later with cached
credentials the last policy configuration will remain. You can use netdiag and
gpresult to troubleshoot Group Policy problems. Run netdiag first to make sure there
are not any pertinent failed tests/fatal errors in regards to dns, domain membership,
or dclist. If netdiag looks good then try gpresult. If laptops have software firewall
enabled, be sure it is disabled when connected to the lan or configured to not block
traffic to the domain controllers. --- Steve


Bill said:
Created domain Group Policy with Computer Config for workstations however it is not
being applied across all workstations.
For some unknown reason it applies the policy to one Authenticated User but not
another. The only difference being that on the workstation, the policy is successful:
 
Guest

I'm trying to (have changed) Security settings in Computer configuration. I can see the changes in the workstation local policy but they do not appear to be applied, i.e. message text on login does not appear.
 
Guest

DNS appears to be fine. Ran netsh diag and ipconfig locally and the client laptop has a host record in DNS.
 
Aimme Lirette MSFT

How many domain controllers are in your environment?
Make sure replication is occurring between them as it should and DNS is
configured on the DCs correctly.

Aimme
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Bill said:
I'm trying to (have changed) Security settings in Computer configuration. I
can see the changes in the workstation local policy but they do not appear
to be applied, i.e. message text on login does not appear.
 
Guest

Two controllers replicating fine. DNS is fine.

What I don't understand is that the Group Policy Security config is being applied to the workstation on some items but not others. I can see the policy at the workstation and I can change a setting in the Local/Security Config through the Domain policy and it will be applied to the workstation. Yet it does not apply the Message text setting on any system but mine so far and running gpresult on any workstation but mine indicates that the GPO is denied - Local Policy (empty) where mine is applied.

We're all in the same domain and the computers are all in the same container. The domain policy covers the entire domain.

What could be different about my computer that allows the policy to be applied on it and not others and why only partially applied on others? Makes no sense whatsoever.
 
Aimme Lirette MSFT

Can you post the gpresult from your workstation and from another?

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Bill said:
Two controllers replicating fine. DNS is fine.

What I don't understand is that the Group Policy Security config is being
applied to the workstation on some items but not others. I can see the
policy at the workstation and I can change a setting in the Local/Security
Config through the Domain policy and it will be applied to the workstation.
Yet it does not apply the Message text setting on any system but mine so far
and running gpresult on any workstation but mine indicates that the GPO is
denied - Local Policy(empty) where mine is applied.
We're all in the same domain and the computers are all in the same
container. The domain policy covers the entire domain.
What could be different about my computer that allows the policy to be
applied on it and not others and why only partially applied on others? Makes
no sense whatsoever.
 
Steven Umbach

Did you run netdiag and if so did it pass all tests? Also try pasting a copy of
your gpresult from that machine in a reply. -- Steve


Bill said:
I worded that badly - you are correct. I'm new to W2K and the manner in which
MS implemented Group Policy. Both machines are in the Computers container. I
have no special delegation permissions set for groups other than the defaults
and Authenticated users.
My domain policy security config is being applied to the Local Security policy
at the workstation (I can see it) but with different results, i.e., message text
will appear on one workstation but not another and gpresults indicates GPO
Denied - Local Policy (empty) on the latter while it appears as an Applied Group
Policy Object on the former.
Other than the two machines being different there is fundamentally no
difference that I can see in AD between them.
I'm stumped!
DNS is fine, ran netsh diag, ipconfig and reviewed DNS - the workstation is
updated in DNS correctly.
 
Guest

The first (bbergman) gpresult output is obviously on the system where the policy is fully applied. The second (jyoung) does not appear to be receiving the policy.

Single domain. All computers in same container and all on the same net. DNS appears to be configured correctly.

RSOP results for HQ\bbergman on BBERGMAN-DT : Logging Mode
--------------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: HQ
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\bbergman.00
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
CN=BBERGMAN-DT,CN=Computers,DC=hq,DC=mycompany,DC=com
Last time Group Policy was applied: 5/26/2004 at 8:19:12 AM
Group Policy was applied from: wulfgar.hq.mycompany.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy
Local Group Policy

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
BBERGMAN-DT
Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------
CN=Bill Bergman,OU=Information Systems,DC=hq,DC=mycompany,DC=com
Last time Group Policy was applied: 5/26/2004 at 8:12:31 AM
Group Policy was applied from: wulfgar.hq.mycompany.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
I
LOCAL
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users

-------------------------------------------------------------------------------------------------------------------

RSOP results for HQ\jyoung on JYOUNG-LT : Logging Mode
------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: HQ
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\jyoun
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
CN=JYOUNG-LT,CN=Computers,DC=hq,DC=bader-rutter,DC=com
Last time Group Policy was applied: 5/26/2004 at 9:18:26 AM
Group Policy was applied from: wulfgar.hq.bader-rutter.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
JYOUNG-LT
Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------
CN=Jane Young,OU=Account Services,DC=hq,DC=bader-rutter,DC=com
Last time Group Policy was applied: 5/26/2004 at 9:22:41 AM
Group Policy was applied from: grendel.hq.bader-rutter.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
AcctSvcs
LOCAL
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
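
Comparing two gpresult dumps by eye, as in the post above, is error-prone. The following is an added example, not part of the original thread: a small parser that extracts the applied and filtered-out GPOs per scope and reports what the working host applies that the other does not. It assumes the text layout shown in the post; the hosts PC_A and PC_B and their contents are constructed samples.

```python
# Constructed samples in the layout of the gpresult output quoted in the
# thread (hypothetical hosts PC_A / PC_B, not the poster's machines).
PC_A = """COMPUTER SETTINGS
Applied Group Policy Objects
-----------------------------
Default Domain Policy
Local Group Policy
"""
PC_B = """COMPUTER SETTINGS
Applied Group Policy Objects
-----------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
Domain Computers
"""

def parse_gpresult(text):
    """Map scope ('computer'/'user') -> {'applied': [...], 'filtered': {gpo: reason}}."""
    out, scope, section, last = {}, None, None, "(unnamed)"
    for line in (l.strip() for l in text.splitlines()):
        if not line or set(line) == {"-"}:
            continue                       # blank lines and dashed underlines
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope, section = line.split()[0].lower(), None
            out[scope] = {"applied": [], "filtered": {}}
        elif scope is None:
            continue                       # header block before the first scope
        elif line.startswith("Applied Group Policy Objects"):
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif line.startswith("The ") and "security groups" in line:
            section = None                 # group list follows; not GPO names
        elif section == "applied":
            out[scope]["applied"].append(line)
        elif section == "filtered" and line.startswith("Filtering:"):
            out[scope]["filtered"][last] = line.split(":", 1)[1].strip()
        elif section == "filtered":
            last = line                    # GPO name; its reason is on the next line
            out[scope]["filtered"][last] = ""
    return out

def missing_on(good, bad, scope="computer"):
    """GPOs applied on the working host but not on the other, with gpresult's reason."""
    g, b = parse_gpresult(good)[scope], parse_gpresult(bad)[scope]
    return {gpo: b["filtered"].get(gpo, "not listed")
            for gpo in g["applied"] if gpo not in b["applied"]}
```
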
 
Steven L Umbach

Failure of dclist may mean the machine password has expired due to not being
connected to the domain for more than thirty days or other problems communicating
with the domain controllers/computer account. As far as message title, I remember
reading somewhere that it is required in order to use text message. --- Steve


Bill said:
Did have a DcList fail on the test system. Then I set the message title as you
suggested and now it works on all systems!!!
 
Guest

Are the users on these two systems on the same access (security) levels? I have seen policies fit coolly on systems with high rights and never applied on systems with users with only user rights.
 
Guest

Shouldn't matter. It's the Computer Configuration\Security settings that don't appear to be applied at the workstation according to gpresult output. In fact they do apply, so why does gpresult tell me my Local Policy is applied on one and not the other?
 
Steven L Umbach

I am not sure why you consistently get the dclist failure if your dns is
configured correctly and you have network communications to the domain
controller. As long as you do not get a fatal error in the trust
relationship test, you still should have a computer account in good standing
in the domain. I have never seen the GPO denied for Local Group Policy
before, particularly for computer configuration which is configured by
default. So at this point I am at a loss also but will keep thinking about
it. --- Steve


Bill said:
The machine I was getting the dclist failure on has been up and connected
nearly every day. Other than the DClist failure there is no hint that the
laptop has any trouble.
As for the message test problem - it was popping up just fine on my system
without the title bar. Another MS mystery?
I am still getting in the Computer Config gpresult the GPO Denied on the
Local Policy (empty) on the laptop but it comes up applied on my
workstation. Although it seems to be applied on both. I'm at a loss.
 
