Not all GPO settings not applied to client

From: Michael Feld (mfeld_at_t-online.de)
Date: 11/27/04 

Date: Sat, 27 Nov 2004 16:42:57 +0100

Hello everyone,

I have a problem with Group policies. I'm running a Win2K3 server in a test
environment with an XP client. I have set up a policy on the server that
should disable the "To log on, press CTRL+ALT+DEL" dialog on the client, but
it doesn't work (the dialog is still displayed). I have searched through the
internet and read several KB articles, but wasn't able to find the cause of
this problem.

I have not created any OUs yet and modified the Default Domain Policy
directly. It appears that the settings under "Windows Settings\Security
settings\Account policies" are successfully applied, while those under
"Windows Settings\Security settings\Local settings" are not.

Using "GPResult.exe" on the client gave me something like this (I had to
translate it):

Applied GPOs:
- Default Domain Policy

The following group policies were not applied because they have been
filtered out:
- Policies for local group
     Filtering: Not applied (empty)

Using the MMC Resultset viewer snap-in on the client, I have verified that
the setting is "enabled". In the local security policy for the client, the
setting is "not defined". I think that's how it should be.

I have found one event log error entry on the client from "SceCli", stating
the the group policy could not be applied due to an "extended error".
Following a KB article I enabled logging, but I really didn't get any clues
from what it says in "$sysroot%\SECURITY\LOGS\winlogon.log":

Processing group policy template gpt00000.dom.
-------------------------------------------
<Date>
 Use with administrator privileges has logged on.
 Parsing template C:\WINDOWS\security\templates\policies\gpt00000.dom.
Error 1208: An extended error has occured.
  Error creating database.
----Config module has been initialized with one or more errors.----
----Config module is being deinitialized...

Another KB article mentioned possible conflicts with admin accounts names,
so I have renamed all local admin accounts to something that certainly isn't
in use in the domain, but still no success.

And for completeness: DNS is also correctly configured.

Does anyone have an idea what else might be the problem here?

Thanks in advance!

Michael

Relevant Pages

  • Re: Machine policy when user logged onto local machine
    ... you log into the domain or local machine. ... then it sounds like domain policy has never propagated to the ... > Interesting point about effective settings. ... > had just been rebooting the client to force it to take the new policy. ...
    (microsoft.public.win2000.security)
  • Re: GPO causing client security logs to fill?
    ... Possibly delete the Default Domoan Controller Policy (As it did not ... settings as applied by the wizard cannot be trusted or that is why ... with client logon failures. ... So basically, the Account lockout threshold, account lockout ...
    (microsoft.public.windows.server.sbs)
  • Re: A small Gp issue
    ... The settings that are not undoing themselves when they move out ... of scope of the GPO are probably preferences that are applied by your ADM. ... A policy will be applied in the registry under ... These are 'proper' group policies and the settings ...
    (microsoft.public.win2000.group_policy)
  • Re: Can a GPO apply after a cached login?
    ... The group policies which are missing/not applying are user policies. ... notable is the omission of the Folder redirection / proxy settings and our ... They are all part of our 'standard user policy'. ... I have tried the ICMP test and the client passed without any issues. ...
    (microsoft.public.windows.group_policy)
  • Re: NTP question
    ... If you have configured some policy settings, set them to "Not defined" and check on the client with gpresult /v that it is removed correctly. ... For PEERS choose an external time server, either with the name or ip ...
    (microsoft.public.windows.server.general)