Re: GPO not picking up computer settings



Permissions on sysvol could have been a problem but I am not sure if you
mean changes took effect before or after you implemented the new GPO linked
to the domain container with the password/account settings you want. You
should run rsop for logging for both domain controllers to see what it shows
for password/account settings and from what GPO. I don't see any reason why
the lockout time setting is not being applied and would make sure that both
the default domain GPO and new GPO have it configured the way you want. You
should also try running the support tools netdiag and dcdiag on both domain
controllers to see if anything is found that could indicate a problem for
the health of either. Of course DNS must be configured correctly for the
domain or strange things will happen. The PDC fsmo should point to itself by
its static IP address as its preferred DNS server and the other dc should
point to the PDC fsmo and then itself. In the future make it a habit to
back up the System State of at least the PDC fsmo before you reconfigure any
changes so that you can always resort to an authoritative restore of AD if
things go bad that cannot seem to be resolved otherwise.

While the MCSE training stuff is a good start you will find better
information by searching Microsoft for Group Policy or Active Directory or
buying any of the highly rated AD or Group Policy books you see at Amazon or
Bookpool. Also train your users to think "pass phrases" instead of passwords
and they can leave a space in the phrase. "I forget my password" or "A
spoonful of sugar" would be considered a complex password. I hope they can
deal with that! --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- AD DNS FAQ
http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx --- Windows 2003 Server Deployment Kit
http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx --- Active Directory
http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx --- Group Policy
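
As an added example (not part of the original posts), the "gpupdate, then net accounts" check suggested in this thread can be scripted so that the output from both domain controllers is compared against one baseline. The baseline values, the labels DC1/DC2 and the sample output below are constructed for illustration.

```powershell
# Baseline to check against. Constructed values; substitute your own policy.
$Desired = @{
    'Minimum password length'               = '8'
    'Length of password history maintained' = '12'
    'Lockout threshold'                     = '5'
    'Lockout duration (minutes)'            = '30'
}

function ConvertFrom-NetAccounts {
    # Turns the "Label:   value" lines printed by `net accounts` into a hashtable.
    param([string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<name>.+?):\s+(?<value>\S.*)$') {
            $result[$Matches['name'].Trim()] = $Matches['value'].Trim()
        }
    }
    return $result
}

function Compare-AccountPolicy {
    # Emits one object per setting whose effective value differs from the baseline.
    param([hashtable]$Actual, [hashtable]$Desired, [string]$Source)
    foreach ($key in ($Desired.Keys | Sort-Object)) {
        if ($Actual[$key] -ne $Desired[$key]) {
            [pscustomobject]@{
                Source = $Source; Setting = $key
                Expected = $Desired[$key]; Actual = $Actual[$key]
            }
        }
    }
}

# Constructed sample of `net accounts` output, as if captured on a DC (DC1).
# "Never" for the threshold means accounts are never locked out, so the
# lockout duration has no effect until a threshold is set.
$dc1 = @'
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
The command completed successfully.
'@ -split "\r?\n"

Compare-AccountPolicy -Actual (ConvertFrom-NetAccounts $dc1) -Desired $Desired -Source 'DC1'
```

On a live domain controller, run `gpupdate` first and pass the real output instead of the sample: `ConvertFrom-NetAccounts (net accounts)`. Repeat on the second DC with its own `-Source` label and compare the two result sets.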

"Jarryd" <j@xxx> wrote in message
news:edayUxUXGHA.3560@xxxxxxxxxxxxxxxxxxxxxxx
Hi Steve and Roger,

I have opened up the Default Domain Policy this morning to find that the
settings that I had made in the test GPO were now configured for the
Default Domain Policy (literally happened over-night). So there could be
some kind of replication issue. I wonder if it is the SYSVOL? I don't
see anything in Event Viewer, but when I opened GP Management it did say
something about permissions on the SYSVOL, and that if I clicked OK it
would correct them. I clicked OK and the message didn't pop up again and
so I figured that it was all sorted. Also none of the tests I have done
with the cmd-utils you guys have suggested have made any nasty noises. I
used the gpotool today and it reports that there are two DCs and two
policies, Default Domain Policy and Default Domain Controller Policy, and
both DCs and GPOs are OK. I have done what you said and created a new GPO
(called it Primary Domain Policy), linked it to the domain container and
set it to 1st in the list. Then I configured it with all the settings that
I wanted. I configured the new GPO I created with the same settings. I
then did a gpupdate on both DCs followed by net accounts. I still have
the 30 minute lockout setting, but I don't suppose that is going to cause
any problems as they can enter the username/password incorrectly as many
times as they like (well I think that is what "0 invalid logon attempts"
means).

I reckon that what I should do now is read the 150 pages on GPOs I have in
my W2K3 MCSE course material and try this out again on a test network so I
don't cause this kind of havoc. That is normally what I do, but it always
goes smoothly on the test run so this time I figured that I would have the
same luck and just went for it on the production server first time. Also,
at a glance the policies seemed to be quite straightforward. Silly boy.
I have changed all the passwords back to what they were so users are now
happy cos it is quite beyond them to remember anything more cryptic than
their first names (sorry, I mustn't whinge as they have all been quite
patient with this little hiccough).

Thank you both for your help.

Best regards,

Jarryd

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eGR5bkSXGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
Hey Roger.

He said a few posts back that he has two DCs. Ruling out replication
problems and GPO mismatches is always a good idea. Gpotool could help him
there of course. It will be interesting to see what he finds for GPO
permissions. My understanding is such is stored in Active Directory while
most of the GP settings are stored in sysvol? --- Steve


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:OYwX1SSXGHA.4988@xxxxxxxxxxxxxxxxxxxxxxx
Hi Steve

I do not recall Jarryd mentioning how many DCs there are, so
could this be a gummed up replication issue?

Roger
"Steven Umbach" <n9rou@xxxxxxxxxxxxxxxxxx> wrote in message
news:OsjWeLLXGHA.3864@xxxxxxxxxxxxxxxxxxxxxxx
Double check the permissions for the default domain GPO. Look in its
properties/security and you should see both read and apply for
authenticated users and no groups by default should have any deny
permissions. If for some reason that does not help try creating a new GPO
and link it to the domain container, move it to the top of the list, define
the password/account policy settings to be what you want, run Gpupdate
again, and then check the results with net accounts. Also make sure that
block inheritance is NOT enabled on the domain controller container. --- Steve



"Jarryd" <j@xxx> wrote in message
news:eC6xs%23JXGHA.1476@xxxxxxxxxxxxxxxxxxxxxxx
Hi Steve and Roger,

I don't know what on earth is going on here. Now I am being told that the
Default Domain Policy is being denied because of Security Filtering, but I
haven't done anything to the security settings. I was going to but was
waiting for a reply on this forum before I started fiddling. This really is
getting silly. I have run GPUpdate on both DCs. If I check the settings of
the Default Domain Policy everything is set the way that it should be. I
haven't changed the permissions. So why is it still picking up these stupid
settings? It doesn't make much sense.

Please help.

TIA,

Jarryd

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:ON1MaIlWGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
Those users are domain accounts or machine local accounts??

"Jarryd" <j@xxx> wrote in message
news:eM248rYWGHA.3848@xxxxxxxxxxxxxxxxxxxxxxx
OK, I have managed to get the GP Management tool to pick up the settings
and it says that it is applying them in the way that I want them to on
the machine and user against which I ran the test. I went in to the
Local Policy and it has picked up the settings. But when I try to change
their password it lets me do it with fewer characters than required, it is
not picking up the history of old passwords, and it isn't enforcing
complexity. I really don't understand this.

Please help!!

Jarryd

"Jarryd" <j@xxx> wrote in message
news:e8T1EbYWGHA.5012@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I have created a Group Policy for remote users. The only settings I
have configured are the ones that pertain to passwords and account
lockout. I have moved those users to an OU that is linked to the new
GP, but the settings weren't taking effect. So I generated a report and
it came back saying the policy was empty. But that's just wrong. If I
go in and configure user settings those are picked up, but the computer
settings aren't. Why?

TIA,

Jarryd
















