Sign in with
Sign up | Sign in
Your question

Local group policy filtering problem

Last response: in Windows 2000/NT
Share
May 19, 2004 3:51:02 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I don't quite understand what's hapenning with Local Group Policy.

I have a domain GPO linked at the top of the domain. I have a number of OU's beneath it. If I go into Computer Configuration/Windows Settings/Local Policies/Security Options under the domain GPO and change a setting it is not reflected at the workstation. Why and where is it filtered out?

Gpresults are:

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 5/19/2004 at 1:27:45 PM



RSOP results for HQ\testuser on TESTUSER-LT : Logging Mode
-------------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: HQ
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\testuser
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=TESTUSER-LT,OU=Account Services,DC=hq,DC=MY-COMPANY,DC=com
Last time Group Policy was applied: 5/19/2004 at 12:42:07 PM
Group Policy was applied from: wulfgar.hq.mycompany.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
N/A

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
TESTUSER-LT$
Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users

Resultant Set Of Policies for Computer:
----------------------------------------

Software Installations
----------------------
N/A

Startup Scripts
---------------
N/A

Shutdown Scripts
----------------
N/A

Account Policies
----------------
N/A

Audit Policy
------------
N/A

User Rights
-----------
N/A

Security Options
----------------
N/A

Event Log Settings
------------------
N/A

Restricted Groups
-----------------
N/A

System Services
---------------
N/A

Registry Settings
-----------------
N/A

File System Settings
--------------------
N/A

Public Key Policies
-------------------
N/A

Administrative Templates
------------------------
N/A
Anonymous
May 19, 2004 5:37:42 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Very possible the ACL of the GPO is not applying this to the computer. Was
the ACL changed?

--
Derek Melber
BrainCore.Net
derekm@braincore.net
"Bill" <anonymous@discussions.microsoft.com> wrote in message
news:58CAB7FB-0D2B-400D-9300-2F2098206A1F@microsoft.com...
> I don't quite understand what's hapenning with Local Group Policy.
>
> I have a domain GPO linked at the top of the domain. I have a number of
OU's beneath it. If I go into Computer Configuration/Windows Settings/Local
Policies/Security Options under the domain GPO and change a setting it is
not reflected at the workstation. Why and where is it filtered out?
>
> Gpresults are:
>
> Microsoft (R) Windows (R) XP Operating System Group Policy Result tool
v2.0
> Copyright (C) Microsoft Corp. 1981-2001
>
> Created On 5/19/2004 at 1:27:45 PM
>
>
>
> RSOP results for HQ\testuser on TESTUSER-LT : Logging Mode
> -------------------------------------------------------------
>
> OS Type: Microsoft Windows XP Professional
> OS Configuration: Member Workstation
> OS Version: 5.1.2600
> Domain Name: HQ
> Domain Type: Windows 2000
> Site Name: Default-First-Site-Name
> Roaming Profile:
> Local Profile: C:\Documents and Settings\testuser
> Connected over a slow link?: No
>
>
> COMPUTER SETTINGS
> ------------------
> CN=TESTUSER-LT,OU=Account Services,DC=hq,DC=MY-COMPANY,DC=com
> Last time Group Policy was applied: 5/19/2004 at 12:42:07 PM
> Group Policy was applied from: wulfgar.hq.mycompany.com
> Group Policy slow link threshold: 500 kbps
>
> Applied Group Policy Objects
> -----------------------------
> N/A
>
> The following GPOs were not applied because they were filtered out
> -------------------------------------------------------------------
> Local Group Policy
> Filtering: Not Applied (Empty)
>
> The computer is a part of the following security groups:
> --------------------------------------------------------
> BUILTIN\Administrators
> Everyone
> BUILTIN\Users
> TESTUSER-LT$
> Domain Computers
> NT AUTHORITY\NETWORK
> NT AUTHORITY\Authenticated Users
>
> Resultant Set Of Policies for Computer:
> ----------------------------------------
>
> Software Installations
> ----------------------
> N/A
>
> Startup Scripts
> ---------------
> N/A
>
> Shutdown Scripts
> ----------------
> N/A
>
> Account Policies
> ----------------
> N/A
>
> Audit Policy
> ------------
> N/A
>
> User Rights
> -----------
> N/A
>
> Security Options
> ----------------
> N/A
>
> Event Log Settings
> ------------------
> N/A
>
> Restricted Groups
> -----------------
> N/A
>
> System Services
> ---------------
> N/A
>
> Registry Settings
> -----------------
> N/A
>
> File System Settings
> --------------------
> N/A
>
> Public Key Policies
> -------------------
> N/A
>
> Administrative Templates
> ------------------------
> N/A
>
>
>
May 19, 2004 6:06:10 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Nope, at least not on purpose. What would be a good test to see if it has been changed? I've looked at properties for the GPO and can't really determine what might be wrong.

Any suggestions?
Related resources
May 19, 2004 6:16:01 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Here's a little more data on the same user/workstation.

Denied GPOs
Name Link Location Reason Denied
Local Group Policy Local Empty
{31B2F340-016D-11D2-945F-00C04FB984F9} hq.mycompany.com Inaccessible
Anonymous
May 19, 2004 6:39:25 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I am 99% sure your ACL is wrong.

Make sure that the Authenticated Users group has both Read and Apply Group
Policy permission allowed. There should be NO denied entries on the GPO ACL.

--
Derek Melber
BrainCore.Net
derekm@braincore.net
"Bill" <anonymous@discussions.microsoft.com> wrote in message
news:6E2D9023-18A9-4DBA-B5BD-DB011F3B95FB@microsoft.com...
> Here's a little more data on the same user/workstation.
>
> Denied GPOs
> Name Link
Location Reason Denied
> Local Group Policy Local
Empty
> {31B2F340-016D-11D2-945F-00C04FB984F9} hq.mycompany.com
Inaccessible
>
May 20, 2004 11:06:08 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

That appears to have been it - although I can't remember ever removing those privileges from the Auth User account.

Thanks.
!