Exchange OWA 2003 Trusted Root Certificate

Guest

So for this example, create 2 Global Groups, perhaps one called Mail_Users
and the other Mail_Workstations. Then assign the users and computers to each
respective group, and use those two groups in the GPO Security settings to
Apply and then what - Assign the GPO to the Domain? Am I following you
correctly?

Thanks
 
Paul Adare

microsoft.public.win2000.security news group, Steven L Umbach <n9rou@n0-spam-for-me-comcast.net> says...
That should work fine with the GPO at the domain level. --- Steve

If all the OP is trying to do here is to push the required root
certificate out however, there is no need for the Mail_Users group at
all. Since the Public Key policy settings are in the Computer
Configuration section of the GPO, that section will _never_ be processed
by user. Giving them permissions on a GPO that they will never process
doesn't accomplish anything. In fact, as a best practice, if a GPO
contains _only_ user or _only_ computer settings processing of the empty
section of the GPO should be disabled for performance reasons. No point
processing a GPO that doesn't contain settings that will be applied.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
 
Guest

Actually that was not the only thing I was trying to accomplish. There are
specific user configurations that I will be performing as well. But my whole
issue was that when I removed Authenticated Users from the default setting
for the Apply of the GPO, the computer configuration was not applied, when I
used this GPO at the domain level, since Domain Computers are a member of
Authenticated Users, other GPO's that I made computer config changes to,
worked just fine. Once I modified a group to include the specific computers
that would get this particular config, and applied it to the GPO (filter)
everything worked like a charm.

I do have another question, raised by your comment below. I notice there
are options for the GPO to Disable User or Computer Configuration Settings.
When I have a policy (not this one), that has Authenticated Users as the
default, and I have left this setting as is, but made no computer changes -
is it safe to assume that the computer configuration is skipped - or in a
domain of less than 50 users, do I care? Is performance really a concern?

Steven L Umbach

If you have a Group Policy where no computer configuration is defined it
makes sense to disable the computer part of the Group Policy. Just keep in
mind that it is disabled because we tend to forget such as time goes on and
someday if you do define a computer configuration setting it obviously will
not work until you enable the computer configuration portion of the Group
Policy. If you are using Group Policy Management console [via an XP Pro
domain computer for W2K domain] it will be easier to see such. --- Steve

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

Guest

Thanks Steve, I actually installed and started playing around with the GPMC SP1
yesterday. I posted an issue with the tool on another board, but in short I
can run the tool by browsing to it in Admin tools, but if I attempt to add
the tool as a snap-in to my custom mmc console, a Microsoft error is
generated, and the console crashes. I get the same results when I attempt to
add the Exchange 2003 snap-in for System Manager, the console crashes and I
can't add it. However, once again if I browse to it and run it, works fine.
Ever heard of that behaviour?

Thanks again.


Steven L Umbach

Hmm. I can't help with that as I have never experienced it. I don't use it
as a mmc snapin, I just run it from Administrative Tools. --- Steve


Guest

Thanks Steve, I posted the behavior in the Exchange.Misc board, I think right
next to "fat chance of anyone having the same issue"...thanks a ton for all
of your help on this one here. I posted a Group Policy post related to the
fact that not all of my machines in the Group are taking the policy, about
half of them, and several of them only after I reboot...the whole 90-120
minute thing for computers polling and getting a new machine policy is not
working...if you had any thoughts on that the post is over there in
Win2000.Group Policy...

Thanks
J

Steven L Umbach

OK. Well for that I would start with gpresult and GPMC to make sure that the
computers are showing as existing in the right OU. Gpresult will also show
what computer configuration GPO's are being applied to a computer and the
last time they were applied. RSOP in logging and planning mode can help you
track down what is going on. RSOP allows you to run scenarios based on the
OU that the computer is in, group membership, and slow link detection. If
RSOP planning mode differs from what you are experiencing then there may be
a network connectivity, dns name resolution, or domain computer account
problem and the support tool netdiag can be run on any domain computer
including domain controllers to check for such. See the link below to first
make sure your dns is 100 percent correct for the domain as improper dns
configuration is the root of most Active Directory problems. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 --- AD dns FAQ
http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --- netdiag and how to install support tools.
http://support.microsoft.com/default.aspx?scid=kb;en-us;250842 --- troubleshooting Group Policy

Guest

DNS looks to be fine. And if these machines reboot, they take the policies
and I can see this in the Group Policy Results Wizard in GPMC. When I
compare 2 XP machines (since I can't use the GPMC RSoP with Windows 2000, or
so it tells me), I notice that on this Mail Policy, I have the filter to
apply to specific computers that are part of a group. The one major thing I
am noticing, is that even though all of the computers are assigned to the
Filter group, not all reflect that their Membership has updated. Does a
computer's group membership only update after a reboot?

One thing I noticed in the DNS article is that the DNS on the network
machine could be missing, or wrong...which I think I would have had more
issues then, but I am going to double check this as well.

GPResult for 2000 machines would need to be run at the machine in question,
correct? Thanks again.

J

Paul Adare

microsoft.public.win2000.security news group, Smurfman says...
Does a computer's group membership only update after a reboot?

Not exactly, but close enough. The new group membership won't show up on
the access token granted to the computer until a reboot, just like with
a user account which needs a log off and log on.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
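
The behaviour discussed in this thread, as an added Python model that is not part of the original posts and calls no Windows API: security filtering needs Read plus Apply for a trustee on the principal's token, the token only reflects group membership as of the last boot or logon, and a disabled or empty GPO section delivers nothing. The GPO names, WS01 to WS03 and alice are constructed sample data; deny ACEs are not modelled.

```python
from dataclasses import dataclass

READ, APPLY = "Read", "Apply Group Policy"
IMPLICIT = {"Authenticated Users"}  # on every authenticated token, users and computers alike


@dataclass
class Gpo:
    name: str
    acl: dict                  # trustee -> set of allowed permissions (deny ACEs not modelled)
    computer_settings: bool    # does the Computer Configuration section hold settings?
    user_settings: bool        # does the User Configuration section hold settings?
    computer_enabled: bool = True
    user_enabled: bool = True


@dataclass
class Principal:
    name: str
    kind: str                    # "computer" or "user"
    directory_groups: frozenset  # membership stored in the directory right now
    token_groups: frozenset      # membership captured at last boot (computer) or logon (user)


def passes_filter(gpo, name, groups):
    """Security filtering: some trustee the principal holds needs Read AND Apply."""
    trustees = set(groups) | IMPLICIT | {name}
    return any({READ, APPLY} <= gpo.acl.get(t, set()) for t in trustees)


def evaluate(gpo, p):
    """Return (status, reason) for the section of `gpo` that matches p.kind."""
    is_computer = p.kind == "computer"
    enabled = gpo.computer_enabled if is_computer else gpo.user_enabled
    has_settings = gpo.computer_settings if is_computer else gpo.user_settings
    refresh = "reboot" if is_computer else "log off and log on"
    if not enabled:
        return "skipped", f"{p.kind} section is disabled on the GPO"
    if not has_settings:
        return "empty", f"{p.kind} section holds no settings; nothing to deliver"
    if passes_filter(gpo, p.name, p.token_groups):
        return "applied", "a trustee on the current token has Read + Apply"
    if passes_filter(gpo, p.name, p.directory_groups):
        return "pending", f"group is in the directory but not on the token until {refresh}"
    return "denied", "filtered out: no trustee with Read + Apply"


# --- constructed sample data ---------------------------------------------
# Authenticated Users removed from the filter; only the two thread groups apply.
MAIL_GPO = Gpo(
    "Mail root certificate",
    acl={"Mail_Workstations": {READ, APPLY}, "Mail_Users": {READ, APPLY}},
    computer_settings=True, user_settings=False,
)
# Default filter, computer settings only, unused user section disabled.
BASELINE_GPO = Gpo(
    "Domain baseline",
    acl={"Authenticated Users": {READ, APPLY}},
    computer_settings=True, user_settings=False, user_enabled=False,
)
PRINCIPALS = [
    # Added to the group and rebooted since.
    Principal("WS01", "computer", frozenset({"Mail_Workstations"}), frozenset({"Mail_Workstations"})),
    # Added to the group but not rebooted yet.
    Principal("WS02", "computer", frozenset({"Mail_Workstations"}), frozenset()),
    # Never added to the group.
    Principal("WS03", "computer", frozenset(), frozenset()),
    Principal("alice", "user", frozenset({"Mail_Users"}), frozenset({"Mail_Users"})),
]


def report(gpos, principals):
    """Map (gpo name, principal name) -> status for every combination."""
    return {(g.name, p.name): evaluate(g, p)[0] for g in gpos for p in principals}


if __name__ == "__main__":
    for g in (MAIL_GPO, BASELINE_GPO):
        for p in PRINCIPALS:
            status, reason = evaluate(g, p)
            print(f"{g.name:22} {p.name:6} {status:8} {reason}")
```
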
 
Guest

Let me ask you, is there a way to force this to take place, without a reboot,
say from a script or command line, making it transparent to the users. I
know that I could run a Shutdown command in a script to force the machines to
reboot, but is there an easier way.

Thanks for the reply, this does help explain why some have taken the policy
and why some have not. I am posting a similar thread in the group policy
board, but basically the GP Results show that a domain level policy for
authenticated users, is denied for several of my users. It shows that the
Group is denied because of an Access Filter, yet, the Authenticated Users is
set to Read and Apply for the user logon script. Would this mean that the
user was not Authenticated at the time of logon, and is using a cached logon?
Any ideas...? I will post this on the other board and give more detail.

THanks
J

Paul Adare said:
microsoft.public.win2000.security news group, Smurfman
Does a computer's group membership only update after a reboot?

Not exactly, but close enough. The new group membership won't show up on
the access token granted to the computer until a reboot, just like with
a user account which needs a log off and log on.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
 
P

Paul Adare

microsoft.public.win2000.security news group, Smurfman
Let me ask you, is there a way to force this to take place, without a reboot,
say from a script or command line, making it transparent to the users

No.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
 
S

Steven L Umbach

DNS on the local network has to be correct or all kinds of unpredictable
results will happen. The biggest problem is the inclusion of ISP dns servers
in the list of preferred dns servers. You should be able to include Windows
2000 computers in RSOP planning mode which will show if the policy will work
the way you want it to assuming all else is correct in the domain such as
name resolution, computer account integrity, and network connectivity.
Gpresult will work great on W2K and you can also use the /v switch for more
details, though you will not get the level of detail as from RSOP logging.
Gpresult will show the current group membership of a computer. You will need
to reboot to have the access token updated. --- Steve


Smurfman said:
DNS looks to be fine. And if these machines reboot, they take the policies
and I can see this in the Group Policy Results Wizard in GPMC. When I
compare 2 XP machines (since I can't use the GPMC RSoP with Windows 2000, or
so it tells me), I notice that on this Mail Policy, I have the filter to
apply to specific computers that are part of a group. The one major thing I
am noticing, is that even though all of the computers are assigned to the
Filter group, not all reflect that their Membership has updated. Does a
computer's group membership only update after a reboot?

One thing I noticed in the DNS article is that the DNS on the network
machine could be missing, or wrong...which I think I would have had more
issues then, but I am going to double check this as well.

GPResult for 2000 machines would need to be run at the machine in question,
correct? Thanks again.

J

Steven L Umbach said:
OK. Well for that I would start with gpresult and GPMC to make sure that the
computers are showing as existing in the right OU. Gpresult will also show
what computer configuration GPO's are being applied to a computer and the
last time they were applied. RSOP in logging and planning mode can help you
track down what is going on. RSOP allows you to run scenarios based on the
OU that the computer is in, group membership, and slow link detection. If
RSOP planning mode differs from what you are experiencing then there may be
a network connectivity, dns name resolution, or domain computer account
problem and the support tool netdiag can be run on any domain computer
including domain controllers to check for such. See the link below to first
make sure your dns is 100 percent correct for the domain as improper dns
configuration is the root of most Active Directory problems. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 --- AD dns FAQ
http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --- netdiag and how to install support tools.
http://support.microsoft.com/default.aspx?scid=kb;en-us;250842 --- troubleshooting Group Policy

Smurfman said:
Thanks Steve, I posted the behavior in the Exchange.Misc board, I think right
next to "fat chance of anyone having the same issue"...thanks a ton for all
of your help on this one here. I posted a Group Policy post related to the
fact that not all of my machines in the Group are taking the policy, about
half of them, and several of them only after I reboot...the whole 90-120
minute thing for computers polling and getting a new machine policy is not
working...if you had any thoughts on that the post is over there in
Win2000.Group Policy...

Thanks
J

:

Hmm. I can't help with that as I have never experienced it. I don't use it
as a mmc snapin, I just run it from Administrative Tools. --- Steve


Thanks Steve, I actually installed and started playing around with the GPMC SP1
yesterday. I posted an issue with the tool on another board, but in short I
can run the tool by browsing to it in Admin tools, but if I attempt to add
the tool as a snap-in to my custom mmc console, a Microsoft error is
generated, and the console crashes. I get the same results when I attempt to
add the Exchange 2003 snap-in for System Manager, the console crashes and I
can't add it. However, once again if I browse to it and run it, works fine.
Ever heard of that behaviour?

Thanks again.


:

If you have a Group Policy where no computer configuration is defined it
makes sense to disable the computer part of the Group Policy. Just keep in
mind that it is disabled because we tend to forget such as time goes on and
someday if you do define a computer configuration setting it obviously will
not work until you enable the computer configuration portion of the Group
Policy. If you are using Group Policy Management console [via an XP Pro
domain computer for W2K domain] it will be easier to see such. --- Steve

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

Actually that was not the only thing I was trying to accomplish. There are
specific user configurations that I will be performing as well. But my whole
issue was that when I removed Authenticated Users from the default setting
for the Apply of the GPO, the computer configuration was not applied, when I
used this GPO at the domain level, since Domain Computers are a member of
Authenticated Users, other GPO's that I made computer config changes to,
worked just fine. Once I modified a group to include the specific computers
that would get this particular config, and applied it to the GPO (filter)
everything worked like a charm.

I do have another question, raised by your comment below. I notice there
are options for the GPO to Disable User or Computer Configuration Settings.
When I have a policy (not this one), that has Authenticated Users as the
default, and I have left this setting as is, but made no computer changes -
is it safe to assume that the computer configuration is skipped - or in a
domain of less than 50 users, do I care? Is performance really a concern?

:

microsoft.public.win2000.security news group, Steven L Umbach
<n9rou@n0-spam-for-me-comcast.net> says...

That should work fine with the GPO at the domain level. --- Steve

message
So for this example, create 2 Global Groups, perhaps one called Mail_Users
and the other Mail_Workstations. Then assign the users and computers to each
respective group, and use those two groups in the GPO Security settings to
Apply and then what - Assign the GPO to the Domain?. Am I following you
correctly?


If all the OP is trying to do here is to push the required root
certificate out however, there is no need for the Mail_Users group at
all. Since the Public Key policy settings are in the Computer
Configuration section of the GPO, that section will _never_ be processed
by user. Giving them permissions on a GPO that they will never process
doesn't accomplish anything. In fact, as a best practice, if a GPO
contains _only_ user or _only_ computer settings processing of the empty
section of the GPO should be disabled for performance reasons. No point
processing a GPO that doesn't contain settings that will be applied.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
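
Added example, not part of the thread and not any poster's own script: an audit of the two points discussed above, namely GPO halves that were never edited but are still enabled (or edited but disabled), and which trustees hold "Apply Group Policy" on each GPO. It assumes the GroupPolicy PowerShell module (GPMC/RSAT) on a current domain-joined admin workstation rather than the Windows 2000-era tools used in the thread; the function name `Get-GpoSectionAdvice` is hypothetical.

```powershell
# Added example. Assumes the GroupPolicy module (installed with GPMC/RSAT).
Import-Module GroupPolicy

function Get-GpoSectionAdvice {
    param(
        [int]$UserVersion,      # AD version counter of the User Configuration half
        [int]$ComputerVersion,  # AD version counter of the Computer Configuration half
        [string]$GpoStatus      # current GpoStatus value as text
    )
    # Version 0 means that half was never edited, so it holds no settings.
    # A non-zero version does not prove settings exist (they may have been removed).
    $userEmpty     = ($UserVersion -eq 0)
    $computerEmpty = ($ComputerVersion -eq 0)
    $userOff       = $GpoStatus -in 'UserSettingsDisabled', 'AllSettingsDisabled'
    $computerOff   = $GpoStatus -in 'ComputerSettingsDisabled', 'AllSettingsDisabled'

    if ($userEmpty -and $computerEmpty) { return 'Neither half was ever edited: no settings' }
    if ($userEmpty -and -not $userOff) {
        return 'User half empty but enabled: consider UserSettingsDisabled'
    }
    if ($computerEmpty -and -not $computerOff) {
        return 'Computer half empty but enabled: consider ComputerSettingsDisabled'
    }
    # The reverse trap from the thread: a half that was edited later but is still off.
    if (-not $userEmpty -and $userOff) {
        return 'User half was edited but is disabled: its settings will not apply'
    }
    if (-not $computerEmpty -and $computerOff) {
        return 'Computer half was edited but is disabled: its settings will not apply'
    }
    return 'OK'
}

Get-GPO -All | ForEach-Object {
    $gpo = $_
    # Trustees holding "Apply Group Policy", i.e. the GPO's security filter.
    $apply = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
    [pscustomobject]@{
        Gpo       = $gpo.DisplayName
        Status    = $gpo.GpoStatus
        Advice    = Get-GpoSectionAdvice -UserVersion $gpo.User.DSVersion `
                        -ComputerVersion $gpo.Computer.DSVersion -GpoStatus "$($gpo.GpoStatus)"
        AppliesTo = ($apply -join ', ')
    }
} | Format-Table -AutoSize -Wrap
```

A GPO that carries only Computer Configuration settings, such as the root certificate policy in this thread, should list a trustee containing the target computer accounts under AppliesTo; a user-only group there has no effect on that half.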
 
