GPO Propagation problem

Sean Aitken

Hi All! I originally posted this in a Win2K group, but I think this
might be a better audience.
--

We're having a problem with our Terminal Server / Active Directory
configuration that is preventing a GPO from being applied to the
Terminal Server box. Following lots of docs and getting assistance from
the AD admin, we have confidently created an OU, placed the server in
that OU, created a GP and applied it to the OU.. on the Terminal
Server, however, the following error is showing up when we turn on logging:

USERENV(dc.270) 18:11:16:125 ProcessGPO: ==============================
USERENV(dc.270) 18:11:16:125 ProcessGPO: ==============================
USERENV(dc.270) 18:11:16:125 ProcessGPO: Searching CN={EA9F4588-ECB1-4E39-9CC1-6DAAFD91F27F},CN=Policies,CN=System,DC=tekelec,DC=com>
USERENV(dc.270) 18:11:16:125 ProcessGPO: Machine has access to this GPO.
USERENV(dc.270) 18:11:16:125 ProcessGPO: Found functionality version of: 2
USERENV(dc.270) 18:11:16:140 ProcessGPO: Found file system path of: <\\tekelec.com\SysVol\tekelec.com\Policies\{EA9F4588-ECB1-4E39-9CC1-6DAAFD91F27F}>
USERENV(dc.270) 18:11:16:140 ProcessGPO: Found common name of: <{EA9F4588-ECB1-4E39-9CC1-6DAAFD91F27F}>
USERENV(dc.270) 18:11:16:140 ProcessGPO: Found display name of: <Secure TS Policy>
USERENV(dc.270) 18:11:16:156 ProcessGPO: Found machine version of: GPC is 0, GPT is 0
USERENV(dc.270) 18:11:16:156 ProcessGPO: Found flags of: 0
USERENV(dc.270) 18:11:16:156 ProcessGPO: No client-side extensions for this object.
USERENV(dc.270) 18:11:16:156 ProcessGPO: GPO Secure TS Policy doesn't contain any data since the version number is 0. It will be skipped.
USERENV(dc.270) 18:11:16:156 ProcessGPO: ==============================
USERENV(dc.270) 18:11:16:171 GetGPOInfo: Leaving with 1
USERENV(dc.270) 18:11:16:171 GetGPOInfo: ********************************

I found one posting where a person reported a similar problem, but it
was against a local GP. Does anyone have any idea why our "Secure TS
Policy" isn't propagating???

TIA!!
-Sean
 
Simon Geary

Have you defined any settings in this GPO yet? The gpt.ini file should
increment every time you change a setting so if there are settings in there
(anything will do) then your version number should be >0.

If you have already defined some settings, try running gpotool against the
domain to see if there are any version mismatches between sysvol and AD.
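
Added example, not part of the original thread or any poster's reply: a small Python parser for the USERENV debug log quoted in the first post. It rejoins the wrapped lines and reports, per GPO, whether the version is 0 (skipped) or whether the AD (GPC) and SYSVOL (GPT) versions disagree. The function names are hypothetical, and the "user version" log form is assumed by analogy with the machine line shown in the thread.

```python
import re

# Constructed sample: excerpt of the USERENV log quoted in the thread,
# keeping the hard line wraps from the posting.
SAMPLE_LOG = """\
USERENV(dc.270) 18:11:16:140 ProcessGPO: Found display name of: <Secure
TS Policy>
USERENV(dc.270) 18:11:16:156 ProcessGPO: Found machine version of: GPC
is 0, GPT is 0
USERENV(dc.270) 18:11:16:156 ProcessGPO: GPO Secure TS Policy doesn't
contain any data since the version number is 0. It will be skipped.
USERENV(dc.270) 18:11:16:156 ProcessGPO: ==============================
"""

ENTRY = re.compile(r"^USERENV\(\S+\)\s+[\d:]+\s+(\w+):\s*(.*)$")
NAME = re.compile(r"Found display name of:\s*<(.*)>")
# Assumption: user-side processing logs the same line with "user" instead of "machine".
VERSION = re.compile(r"Found (machine|user) version of:\s*GPC is (\d+), GPT is (\d+)")

def unwrap(text):
    """Rejoin wrapped entries: a line without the USERENV prefix continues the previous one."""
    entries = []
    for line in text.splitlines():
        if ENTRY.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def gpo_findings(text):
    """Return one dict per version line, tagged with the GPO name seen just before it."""
    findings, name = [], None
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        msg = m.group(2)
        if (n := NAME.search(msg)):
            name = n.group(1)
        elif (v := VERSION.search(msg)):
            side, gpc, gpt = v.group(1), int(v.group(2)), int(v.group(3))
            if gpc != gpt:
                status = "mismatch between AD (GPC) and SYSVOL (GPT)"
            elif gpc == 0:
                status = f"no {side} settings recorded (version 0); GPO is skipped"
            else:
                status = "ok"
            findings.append({"gpo": name, "side": side, "gpc": gpc, "gpt": gpt, "status": status})
    return findings
```
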
 
Guest

My guess would be that no computer configuration settings have been made,
only user settings.
You have to keep in mind that computer settings apply to computers in the OU
and user settings will apply to the users in the OU, not users that logon to
that machine.
If you want that to occur check out info on the loopback policy.
 
Sean Aitken

> My guess would be that no computer configuration settings have been made,
> only user settings.
> You have to keep in mind that computer settings apply to computers in the OU
> and user settings will apply to the users in the OU, not users that logon to
> that machine.
> If you want that to occur check out info on the loopback policy.

Hmm... has me thinking.
The policy was created at the level in the DIT at the OU where the
computer resides. This GPO had 'Computer' policies modified. (i.e. Hide
control panel, active desktop, etc.) We then set the permissions on the
policy to apply to only a particular User Group in AD. We want to have
this policy to apply to only certain users, so we thought that the
permission change would prevent it from 'applying' to administrators and
then take effect only for users in that group.
Based on the log it seems that the machine sees the GPO.. but doesn't
contain any 'data'..
I think you're on to something.. but I don't have enough experience with
GPOs to get it..

Thanks for the tip!
-Sean
 
Cary Shultz [A.D. MVP]

Sean,

Not sure what you mean by "The policy was created at the level in the DIT at
the OU where the computer resides." I assume that you mean the GPO was
created and linked to the OU that contains the computer account objects?
Not sure what the DIT has to do with this. Yes, I understand that there
are two parts, the GPC and the GPT, to each GPO. Just wondering what you
mean by this. Please do not misunderstand my question. I am only trying to
help you to get this. It can be very difficult and confusing.

And I see part of the problem. If you created this GPO and linked it to an
OU that contains *ONLY* the computer account objects and removed the
'Authenticated Users' security group on the Security tab on the GPO and
replaced it with a Security Group of your creation that is populated with
user account objects then the GPO is going to fail!

However, I would like to commend you for taking the initiative to use Group
Filtering. This is an often misunderstood part of Group Policy. In fact,
Group Policy is often misunderstood. And our good friend Herb would tell
you that it is terribly misnamed ( the 'Group' in Group Policy is a bit
misleading ).

Let's try this: keep everything as is -BUT- populate that security group
that you created with computer account objects (I would recommend that you
remove the user account objects).

However, this is not really going to succeed as far as what you want to
accomplish. It will apply the GPO to the computer account objects that are
a member of that security group but it sounds like you want this GPO to
apply to specific user account objects.

Also, when I look at the couple of things that you mentioned as the settings
you want they appear to be settings that you would set on the user
configuration side. Display Tab is a user configuration side setting, not a
computer configuration side setting.

So, and please do not be offended by this, this is all messed up. However,
this should be easily resolved. And, again, hats off to you for diving into
the deep end of this wonderfully awesome and confusing and frustrating and
wonderful area of Group Policy. You have hit just about everything that
there is to do.

If you have any questions please please please ask.

Cary
 
