Re: GPO not picking up computer settings

Hi Steve and Roger,

I have opened up the Default Domain Policy this morning to find that the
settings that I had made in the test GPO were now configured for the Default
Domain Policy (literally happened over-night). So there could be some kind
of replication issue. I wonder if it is the SYSVOL? I don't see anything
in Event Viewer, but when I opened GP Management it did say something about
permissions on the SYSVOL, and that if I clicked OK it would correct them.
I clicked OK and the message didn't pop up again and so I figured that it
was all sorted. Also none of the tests I have done with the cmd-utils you
guys have suggested have made any nasty noises. I used the gpotool today
and it reports that there are two DCs and two policies, Default Domain
Policy and Default Domain Controller Policy, and both DCs and GPOs are OK.
I have done what you said and created a new GPO (called it Primary Domain
Policy), linked it to the domain container and set it to 1st in the list.
Then I configured it with all the settings that I wanted. I configured the
new GPO I created with the same settings. I then did a gpupdate on both DCs
followed by net accounts. I still have the 30 minute lockout setting, but I
don't suppose that is going to cause any problems as they can enter the
username/password incorrectly as many times as they like (well I think that
is what "0 invalid logon attempts means").

I reckon that what I should do now is read the 150 pages on GPOs I have in
my W2K3 MCSE course material and try this out again on a test network so I
don't cause this kind of havoc. That is normally what I do, but it always
goes smoothly on the test run so this time I figured that I would have the
same luck and just went for it on the production server first time. Also,
at a glance the policies seemed to be quite straight forward. Silly boy. I
have changed all the passwords back to what they were so users are now happy
cos it is quite beyond them to remember anything more cryptic than their
first names (sorry, I mustn't winge as they have all been quite patient with
this little hicough).

Thank you both for your help.

Best regards,

Jarryd

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eGR5bkSXGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
Hey Roger.

He said a few posts back that he has two DCs. Ruling out replication
problems and GPO mismatches is always a good idea. Gpotool could help him
there of course. It will be interesting to see what he finds for GPO
permissions. My understanding is such is stored in Active Directory while
most of the GP settings are stored in sysvol? --- Steve


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:OYwX1SSXGHA.4988@xxxxxxxxxxxxxxxxxxxxxxx
Hi Steve

I do not recall Jarryd mentioning how many DCs there are, so
could this be a gummed up replication issue ?

Roger
"Steven Umbach" <n9rou@xxxxxxxxxxxxxxxxxx> wrote in message
news:OsjWeLLXGHA.3864@xxxxxxxxxxxxxxxxxxxxxxx
Double check the permissions for the default domain GPO. Look in it's
properties/security and you should see both read and apply for
authenticated
users and no groups by default should have any deny permissions. If for
some
reason that does not help try creating a new GPO and link it to the
domain
container, move it to the top of the list, define the password/account
policy
settings to be what you want, run Gpupdate again, and then check the
results
with net accounts. Also make sure that block inheritance is NOT enabled
on the
domain controller container. --- Steve



"Jarryd" <j@xxx> wrote in message
news:eC6xs%23JXGHA.1476@xxxxxxxxxxxxxxxxxxxxxxx
Hi Steve and Roger,

I don't know what on earth is going on here. Now I am being told that
the
Default Domain Policy is being denied because of Security Filetering.
but I
haven't done anything to the security settings. I was going to but was
waiting for a reply on this forum before I started fiddling. This
really is
getting silly. I have run GPUpdate on both DCs. If I check the
settings of
the Default Domain Policy everything is set the way that it should be.
I
haven't changed the permissions. So why is it still picking up these
stupid
settings. It doesn't make much sense.

Please help.

TIA,

Jarryd

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:ON1MaIlWGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
Those users are domain accounts or machine local accounts ??

"Jarryd" <j@xxx> wrote in message
news:eM248rYWGHA.3848@xxxxxxxxxxxxxxxxxxxxxxx
OK, I have managed to get the GP Management tool to pick up the
settings
and it says that it is applying them in the way that I want them to
on
the machine and user against which I ran the test. I went in to the
Local Policy and it has picked up the settings. But when I try to
change
there password it lets me do it with less characters that required,
it is
not picking up the history of old passwords, and it isn't enforcing
complexity. I really don't understand this.

Please help!!

Jarryd

"Jarryd" <j@xxx> wrote in message
news:e8T1EbYWGHA.5012@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I have created a Group Policy for remote users. The only settings
I
have configured are the ones that pertain to passwords and account
lockout. I have moved those users to an OU that is linked to the
new
GP, but the settings weren't taking affect. So I generated a
report and
it came back saying the policy was empty. But that's just wrong.
If I
go in and configure user settings those are picked up, but the
computer
settings aren't. Why?

TIA,

Jarryd















.

Relevant Pages

  • Re: GPO not picking up computer settings
    ... to the domain container with the password/account settings you want. ... for password/account settings and from what GPO. ... buying any of the highly rated AD or Group Policy books you see at Amazon or ... I have changed all the passwords back to what they were so users are now ...
    (microsoft.public.windows.server.security)
  • Re: Local GPO refreshes outside of refresh interval
    ... I looked through my GPO's Windows Settings section ... > Some policies, including IE policies, have a checkbox that defines if this ... > it should apply EVEN if the value defined in GPO did not change since the ... we are talking about one particular policy: ...
    (microsoft.public.windows.group_policy)
  • Re: scripted logon
    ... Why can't you launch all the scripts from a Group Policy based Logon script. ... Here's the policy settings (I sure hope word wrap doesn't mess it up too ... Windows Components/Windows Installer ...
    (microsoft.public.windows.terminal_services)
  • Re: GPO Update Problem (SYSVOL access via UNC)
    ... Server Security and Auditing Policy ... This list only includes links in the domain of the GPO. ... The settings in this GPO can only apply to the following groups, users, ...
    (microsoft.public.win2000.group_policy)
  • Re: GPO Update Problem (SYSVOL access via UNC)
    ... > Server Security and Auditing Policy ... > This list only includes links in the domain of the GPO. ... > The settings in this GPO can only apply to the following groups, users, ...
    (microsoft.public.win2000.group_policy)