GPO doesn't apply to workstations, please help

Lei Hu

Dear Experts,

I'm new to AD, and maybe this is a silly question. Anyway, I need to fix
this problem.

Here is my simple scenario: I have a small domain with one Win2k3 server
running AD, and a couple of workstations running Win2k and WinXP. I created
an OU, under which I created some user accounts. Then, I created a GPO
associated to the OU, hoping that the GPO can control the user's desktop
when they log on. For example, I want to hide the control panel completely
from the users in the OU.

This works fine (as I wanted) when a user logs on to the 2k3 server (through a
terminal server client). However, the GPO doesn't take effect when a user
logs on at a workstation (to the domain, not to the local machine). It seems that
the workstation still uses its local policy instead of the group policy I
designed on the server. Is there any important step I missed, or is my thinking
completely wrong? Please help.

Thanks in advance!!

Lei
 
Lei Hu

Hi Sergio,

Thanks for your reply. Below is the result of the gpresult tool obtained on
a win2k workstation. The user name I used to log on is rec1. It looks like
it still uses local group policy instead of the policy from the server.
What problem could it be? Thanks!!

C:\Program Files\Resource Kit>gpresult
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Monday, October 11, 2004 at 3:15:12 PM


Operating System Information:

Operating System Type: Professional
Operating System Version: 5.0.2195.Service Pack 2
Terminal Server Mode: Not supported

###############################################################

User Group Policy results for:



Domain Name: STVETDOMAIN
Domain Type: Windows 2000
Site Name: Default-First-Site-Name

Roaming profile: (None)
Local profile: C:\Documents and Settings\rec1

The user is a member of the following security groups:



###############################################################

Last time Group Policy was applied: Monday, October 11, 2004 at 3:14:21 PM



###############################################################

Computer Group Policy results for:



Domain Name: STVETDOMAIN
Domain Type: Windows 2000
Site Name: Default-First-Site-Name


The computer is a member of the following security groups:

BUILTIN\Administrators
\Everyone
NT AUTHORITY\Authenticated Users

###############################################################

Last time Group Policy was applied: Monday, October 11, 2004 at 3:14:10 PM


===============================================================


The computer received "Registry" settings from these GPOs:

Local Group Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

Local Group Policy

C:\Program Files\Resource Kit>
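
Added example (not part of the original thread): a small Python parser for the Windows 2000 Resource Kit gpresult text layout shown in the post above, listing which GPOs supplied settings for each scope and whether any non-local GPO was among them. The function names are illustrative, the sample is abridged from the quoted output, and the `The user received ...` header form is assumed by analogy with the computer lines on the page.

```python
import re

HEADER = re.compile(r'^The (computer|user) received "([^"]+)" settings from these GPOs:\s*$')
SEPARATOR = re.compile(r'^[=#]{5,}\s*$')
LOCAL_GPO = "Local Group Policy"

# Abridged from the gpresult output quoted in the post above.
PAGE_OUTPUT = """\
User Group Policy results for:
Last time Group Policy was applied: Monday, October 11, 2004 at 3:14:21 PM
###############################################################
Computer Group Policy results for:
Last time Group Policy was applied: Monday, October 11, 2004 at 3:14:10 PM
===============================================================
The computer received "Registry" settings from these GPOs:

Local Group Policy

===============================================================
The computer received "EFS recovery" settings from these GPOs:

Local Group Policy
"""

def parse_gpo_sources(text):
    """Map (scope, extension) -> list of GPO names that supplied settings."""
    sources, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            current = sources.setdefault((m.group(1), m.group(2)), [])
        elif SEPARATOR.match(line):
            current = None  # a separator line ends the current GPO list
        elif line and current is not None:
            current.append(line)
    return sources

def domain_gpos(text, scope):
    """Non-local GPOs that supplied settings for scope 'user' or 'computer'."""
    return sorted({g for (s, _), names in parse_gpo_sources(text).items()
                   if s == scope for g in names if g != LOCAL_GPO})

def report(text):
    for scope in ("user", "computer"):
        found = domain_gpos(text, scope)
        print(f"{scope}: {', '.join(found) if found else 'no domain GPO applied'}")

if __name__ == "__main__":
    report(PAGE_OUTPUT)
```

Run against the quoted output, both scopes report no domain GPO: the computer sections list only Local Group Policy, and the user section contains no "received" lines at all.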
 
Sergio Fonseca [MVP]

Hi,

Have you moved the workstations to the OU where the GPO is linked?

Any suggestion should be tested before being applied - www.gupade.org
 
Lei Hu

Hi Sergio,

Thanks once again. Yes, I have. Originally, I put the workstations in a
separate folder and linked the same GPO to the folder. It didn't work, and
then I moved the computers to the same OU where the user accounts are located.
Still, no luck. Any other suggestions?

Cheers,

Lei
 
Sergio Fonseca [MVP]

Hi,

Have you tried to apply other settings or just the one to hide control
panel?

Here is a simple article about how to hide control panel:

How To How to Hide Selected Control Panel Tools in Windows 2000

http://support.microsoft.com/default.aspx?scid=kb;en-us;261241&sd=tech

Here is an article about particular related problems:

"Hide Specified Control Panel Applets" Policy Does Not Work in Windows 2000

http://support.microsoft.com/default.aspx?kbid=322820

Here is a good article to troubleshoot GPOs:

Troubleshooting Group Policy Application Problems

http://support.microsoft.com/default.aspx?scid=kb;EN-US;250842

Any suggestion should be tested before being applied - www.gupade.org
 
Lei Hu

Yes, I have tried some others, but all failed. I'm reading the internet
regarding this problem, and found some people mention loopback processing of
gp. Maybe this is the solution, and I'll give it a try.
 
Sergio Fonseca [MVP]

Hi,

Loopback was meant to apply policies regardless of the user that is logging in.

Let us know if it worked. :)

Any suggestion should be tested before being applied - www.gupade.org
 
Lei Hu

Hi there,

No, loopback doesn't work for me either :(

Thinking that I must have done something wrong, or missed some important
steps, I did it over again from scratch, hoping you guys can point out what
was wrong. Before doing so, I deleted all the AD-related stuff and only kept
the terminal server. This is what I did step by step:

Below is how I configured Active Directory:

1. Run "Configure Your Server Wizard" in Control Panel.

2. In the "Server Role" list, select "Domain Controller (Active Directory)",
click Next, and Next...

3. In the "Active Directory Installation Wizard", select the "Domain
controller for a new domain" radio button. Click Next.

4. Select "Domain in a new forest", and next.

5. In "Full DNS name for new domain", type: testdomain.local, click Next.

6. In "Domain NetBIOS name", accept the default, which is TESTDOMAIN, click
Next.

7. In "Database and Log Folders", accept default, next.

8. In "Shared System Volume", accept the default, next.

9. In "DNS Registration Diagnostics", select "Install and configure the DNS
server on this computer, and set this computer to use this DNS server as its
preferred DNS server." Click Next.

Here, I don't know if DNS is necessary or not. Another option is: "I will
correct the problem later by configuring DNS manually. (Advanced)"

10. In "Permissions", select "Permissions compatible only with Windows 2000
or Windows Server 2003 operating systems", next.

11. In "Directory Services Restore Mode Administrator Password", enter
xxxxxx, next.

12. Following is the summary given by the wizard:

Configure this server as the first domain controller in a new forest of
domain trees.

The new domain name is testdomain.local. This is also the name of the new
forest.

The NetBIOS name of the domain is TESTDOMAIN

Database folder: C:\WINDOWS\NTDS
Log file folder: C:\WINDOWS\NTDS
SYSVOL folder: C:\WINDOWS\SYSVOL

The DNS service will be installed and configured on this computer. This
computer will be configured to use this DNS server as its preferred DNS
server.

The password of the new domain administrator will be the same as the
password of the administrator of this computer.

13. Click Next, and Finish, and "Restart Now" to restart the server.

Below is what I did for creating the OU, group, account, etc., using "Active
Directory Users and Computers":

1. Create an OU named MyOU under testdomain.local.

2. Under MyOU, create a group named MyGroup (select "Domain local" and
"Security").

3. Under MyOU, create a user named john, and add it into MyGroup.

4. Create a GPO named MyGPO in Group Policy Management Console, and link it
to MyOU.

5. Now, edit MyGPO, and enable the following:
. Prohibit access to the Control Panel;
. Remove My Documents icon on the desktop;
. User Group Policy loopback processing mode (replace mode).

6. On a Win2k workstation, join the TESTDOMAIN domain.

7. On the server, move the workstation from the Computer container to MyOU.

8. Reboot the workstation.

9. Now, on the workstation, log on as john to the TESTDOMAIN domain, hoping
that Control Panel and My Documents are hidden from John. But unfortunately,
they are still there. Ooooooooops!

The above steps are exactly what I did. Hope you guys could find something
wrong and fix my problem.

Thanks for your time!!

Lei
 
