Group Policy not being applied to Win2k Pro machines

Stu

Using Windows 2003 and the Group Policy Management Console. I created a
policy, enabled it, and ran the modeling wizard successfully. When logged in
with a test account, on a Windows 2k and XP workstation, the machines logged
on without errors, but the policy did not apply. Any ideas?

thanks!

Stuart
 
Cary Shultz [A.D. MVP]

Stuart,

You did not provide even close to enough information ;-)

Did you link the policy to the computer configuration side or to the user
configuration side?

If linked to the computer configuration side, is the computer account object
that you are 'testing' directly located in the OU ( or whatever ) to which
you linked the GPO?

If linked to the user configuration side, is the user account object that
you are 'testing' directly located in the OU ( or whatever ) to which you
linked the GPO?

Now, let's back up a second.

Let's assume that you are trying to install software via GPO. Might not
apply. But you did not specify what you are trying to do, so I am guessing
right now.... Does the computer account object or the user account object
have at least READ permissions to the shared folder? Is the computer
account object or the user account object located in an OU where 'BLOCKED
INHERITANCE' is affecting the GPO that you are testing? Did you disable the
computer configuration side ( and applied this GPO to the computer
configuration side ) or the user configuration side ( and applied the GPO to
the computer configuration side )? Does the computer have the correct DNS
information ( meaning, only your internal DNS information and NOT your
ISP's )?

I think that you are getting the picture now. There are about 20 things
that we would need to ask without more information from you.

Have you run any of the appropriate Troubleshooting tools? Doesn't the GPMC
have such a tool built-in? Have you run GPOTOOL on the WIN2000 client?

What have you done in the way of Troubleshooting?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
lforbes

ssheinman said:
Using Windows 2003 and the Group Policy Management Console. I created a
policy, enabled it, and ran the modeling wizard successfully. When logged in
with a test account, on a Windows 2k and XP workstation, the machines logged
on without errors, but the policy did not apply. Any ideas?

thanks!

Stuart

Hi,

Group Policy requires DNS to be setup correctly. Check here to make
sure your DNS is properly setup.
http://www.sd61.bc.ca/windows2000/dns.htm

Cheers,

Lara
 
Herb Martin

Stu said:
Using Windows 2003 and the Group Policy Management Console. I created a
policy, enabled it, and ran the modeling wizard successfully. When logged in
with a test account, on a Windows 2k and XP workstation, the machines logged
on without errors, but the policy did not apply. Any ideas?

How do you know? Does it have obvious User or
Computer settings, both?

Most problems with skipping group policy are due
to DNS and/or Authentication with the domain (by
the computer). Authentication with the domain is
mostly a DNS issue too. (See below)

The policy must be LINKED (assigned) to a container
that contains the User or the Computer (whichever you
are trying to affect with the policy.)

To which Domain, OU, or Site container did you link
the policy? Is the User or is the Computer a member of
that container?

Permissions must allow READ and Apply Policy but
those are set by default unless you mess with them.
Authentication may be a (separate) problem if the
Computer has no account, or if that account needs to
be RESET (right-click AD User/Computers).

There are also a variety of settings for overriding,
disabling (either User/Computer or entire policy)
the policy where it is linked to a container but if you
linked it these are unlikely to be wrong unless you
changed (messed with) them.

Mostly authentication problems are a failure to find
the DC in AD, or the DC being missing from DNS.

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC and/or use:

nltest /dsregdns /server:DC-ServerNameGoesHere

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
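
Point 2 of the DNS checklist above (every internal client, DCs included, must list solely the internal DNS server) can be checked against saved `ipconfig /all` output from the affected machines. This is an added example, not part of the original thread; the sample capture, the addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed `ipconfig /all` capture for illustration; not output from the thread.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.50
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            203.0.113.53
        Primary WINS Server . . . . . . . : 192.168.1.10

PPP adapter VPN:

        IP Address. . . . . . . . . . . . : 10.8.0.5
        DNS Servers . . . . . . . . . . . : 192.168.1.10
"""

def dns_servers_by_adapter(text):
    """Map each adapter header to the DNS servers listed under it."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":") and not line[0].isspace():
            current, in_dns = stripped[:-1], False  # unindented "... adapter X:" header
            adapters[current] = []
        elif ":" in stripped:  # "Label . . . : value" line
            label, _, value = stripped.partition(":")
            in_dns = current is not None and label.strip(" .") == "DNS Servers"
            if in_dns and value.strip():
                adapters[current].append(value.strip())
        elif in_dns and stripped:  # additional servers continue on bare indented lines
            adapters[current].append(stripped)
        else:
            in_dns = False  # a blank line ends the DNS server list
    return adapters

def non_internal_dns(text, internal_servers):
    """Return {adapter: [servers]} for every DNS server outside the internal set."""
    allowed = {ipaddress.ip_address(s) for s in internal_servers}
    findings = {}
    for adapter, servers in dns_servers_by_adapter(text).items():
        bad = [s for s in servers if ipaddress.ip_address(s) not in allowed]
        if bad:
            findings[adapter] = bad
    return findings
```

Calling `non_internal_dns(SAMPLE_IPCONFIG, ["192.168.1.10"])` flags the second server on the Ethernet adapter, which is the kind of ISP resolver entry the checklist says to remove.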
 
