Computer-based group policies do not work

itreman

Does anyone know why a group policy created in the computer
configuration at the domain level will not work on any client, but
policies created in the user configuration at any level within AD work
just fine? When running gpresult on my XP workstation after applying
the GPO and running gpupdate /force, this is what I get:

Applied Group Policy Objects
-----------------------------
Custom IE Header
Synchronize and hide the script
Custom IE Header
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Disable Fast Optimization
Filtering: Disabled (GPO)

Local Group Policy
Filtering: Not Applied (Empty)

The most important policy is listed in the "were not applied" section.
But the message gives me nothing to go on (filtered out -
huh???!!!???$#@#$%#^%$^).

Any ideas???
 
Ace Fekay [MVP]

itreman said:
Does anyone know why a group policy created in the computer
configuration at the domain level will not work on any client, but
policies created in the user configuration at any level within AD work
just fine? When running gpresult on my XP workstation after applying
the GPO and running gpupdate /force, this is what I get:

Applied Group Policy Objects
-----------------------------
Custom IE Header
Synchronize and hide the script
Custom IE Header
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Disable Fast Optimization
Filtering: Disabled (GPO)

Local Group Policy
Filtering: Not Applied (Empty)

The most important policy is listed in the "were not applied" section.
But the message gives me nothing to go on (filtered out -
huh???!!!???$#@#$%#^%$^).

Any ideas???

I've found that, with any computer-based policies on XP clients, the thing
to do is to make sure the XP machines are in the same OU as the user account,
or even a child OU, of where the GPO is linked. Not sure why. I've researched
it and haven't found out why, but have found this will work. This wasn't the
case with Win2000, where we can have the Win2000 machines in a different OU
and the user account in another.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
 
Brandon McCombs

It says the GPO is disabled. Do you have the Computer configuration section of
the policy disabled? Is the link enabled to the OU?

Ace Fekay said:
I've found that any computer based policies with using XP clients, is to
make sure the XP machines are in the same OU as the user account or even a

I've not found that to be true. I have users in one OU and machines in another.
It is easier to manage that way and the group policies work fine.
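
The reading of the `Filtering:` lines discussed above, as an added example (not code from any poster in this thread): a Python parser for gpresult text that pairs each filtered-out GPO with the check to run. `parse_gpresult`, `triage` and `CHECKS` are hypothetical names, and the `COMPUTER SETTINGS` / `USER SETTINGS` scope headers are handled even though the quoted output did not include them.

```python
# gpresult text copied from the first post of this thread (no scope header was quoted).
SAMPLE = """\
Applied Group Policy Objects
-----------------------------
Custom IE Header
Synchronize and hide the script
Custom IE Header
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Disable Fast Optimization
Filtering: Disabled (GPO)

Local Group Policy
Filtering: Not Applied (Empty)
"""

# Checks per filter reason; only the two reasons that appear in the thread are covered.
CHECKS = {
    "Disabled (GPO)": "Is the Computer/User configuration half of the GPO disabled? Is the link enabled?",
    "Not Applied (Empty)": "The GPO holds no settings for this scope, so there is nothing to apply.",
}

def parse_gpresult(text):
    """Return (applied, filtered); filtered holds (scope, gpo, reason) tuples."""
    applied, filtered = [], []
    scope, section, pending = "unknown", None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if set(line) <= {"-"}:  # blank lines and dashed underlines
            continue
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope, section = line.split()[0].lower(), None
        elif line.startswith("Applied Group Policy Objects"):
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section, pending = "filtered", None
        elif section == "applied":
            applied.append((scope, line))
        elif section == "filtered" and line.startswith("Filtering:") and pending:
            filtered.append((scope, pending, line.partition(":")[2].strip()))
            pending = None
        elif section == "filtered":
            pending = line  # GPO name; its reason is on the next "Filtering:" line
    return applied, filtered

def triage(text):
    """Pair every filtered-out GPO with the check to run for its reason."""
    _, filtered = parse_gpresult(text)
    return [(gpo, reason, CHECKS.get(reason, "reason not covered here")) for _, gpo, reason in filtered]
```

Running it over the full gpresult output, rather than the excerpt, shows whether a filtered GPO was reported under the computer or the user scope.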
 
Ace Fekay [MVP]

Brandon McCombs said:
It says the GPO is disabled. Do you have the Computer configuration
section of the policy disabled? Is the link enabled to the OU?

Good eye, Brandon. I missed that.

I've not found that to be true. I have users in one OU and machines
in another. It is easier to manage that way and the group policies
work fine.


I don't know why this was the case with one of my clients. His Win2000
machines that existed in a different OU than the user accounts worked fine
and the policy applied, but not the XP machines. RSOP came up as a 'denied
access' for some reason. I just did a little test by moving the XP machine
to the OU where the user account existed and then it worked. First time I
saw that. I still don't know why.

Ace
 
itreman

What's even more interesting now is that gpresult.exe and rsop.msc give
me entirely different results. gpresult says the policy wasn't applied
because it was filtered out, while rsop shows the policy was applied to
my machine. Any idea on which one of those to believe and why they report
different things?
 
Ace Fekay [MVP]

itreman said:
what's even more interesting now is that gpresult.exe and rsop.msc
give me entirely different results. gpresult says the policy wasn't
applied because it was filtered out, while rsop shows the policy was
applied to my machine. any idea on which one those to believe and why
they report different things?

Good question. Brandon asked if there is any filtering or if you had
disabled the policy or part of it?

As I've previously mentioned, I now put my XP machines in the same OU where I
want a policy to apply. Other than that, maybe Brandon's suggestions and
questions were helpful?

Ace
 
itreman

No, there is no filtering that I know of (nothing I set up anyway) and
no part of the policy is disabled. I think the policy might be working
even though gpresult tells me it's not. I'm not sure why.
 
Ace Fekay [MVP]

itreman said:
No, there is no filtering that I know of (nothing I set up anyway) and
no part of the policy is disabled. I think the policy might be working
even though gpresult tells me it's not. I'm not sure why.

You could always try loopback.

Ace
 
Ace Fekay [MVP]

what's that?

Basically enabling loopback is telling it to re-run the computer portion of
the policy, whether it is in the same OU or a different OU.

Loopback Processing of Group Policy - explains what GPO loopback processing
is, why you might want to use it and how to enable it
http://support.microsoft.com/?kbid=231287



In the Active Directory, how do I activate GPO Loopback Processing?:
https://lspservices.iupui.edu/docs/win2k/loopback1.asp

In Active Directory, what is GPO loopback processing?
http://kb.iu.edu/data/ajgl.html

Ace
 