Local group policy filtering problem

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I don't quite understand what's hapenning with Local Group Policy.

I have a domain GPO linked at the top of the domain. I have a number of OU's beneath it. If I go into Computer Configuration/Windows Settings/Local Policies/Security Options under the domain GPO and change a setting it is not reflected at the workstation. Why and where is it filtered out?

Gpresults are:

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 5/19/2004 at 1:27:45 PM


RSOP results for HQ\testuser on TESTUSER-LT : Logging Mode
-------------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: HQ
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\testuser
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=TESTUSER-LT,OU=Account Services,DC=hq,DC=MY-COMPANY,DC=com
Last time Group Policy was applied: 5/19/2004 at 12:42:07 PM
Group Policy was applied from: wulfgar.hq.mycompany.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
N/A

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
TESTUSER-LT$
Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users

Resultant Set Of Policies for Computer:
----------------------------------------

Software Installations
----------------------
N/A

Startup Scripts
---------------
N/A

Shutdown Scripts
----------------
N/A

Account Policies
----------------
N/A

Audit Policy
------------
N/A

User Rights
-----------
N/A

Security Options
----------------
N/A

Event Log Settings
------------------
N/A

Restricted Groups
-----------------
N/A

System Services
---------------
N/A

Registry Settings
-----------------
N/A

File System Settings
--------------------
N/A

Public Key Policies
-------------------
N/A

Administrative Templates
------------------------
N/A
5 answers Last reply
More about local group policy filtering problem
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Very possible the ACL of the GPO is not applying this to the computer. Was
    the ACL changed?

    --
    Derek Melber
    BrainCore.Net
    derekm@braincore.net
    "Bill" <anonymous@discussions.microsoft.com> wrote in message
    news:58CAB7FB-0D2B-400D-9300-2F2098206A1F@microsoft.com...
    > I don't quite understand what's hapenning with Local Group Policy.
    >
    > I have a domain GPO linked at the top of the domain. I have a number of
    OU's beneath it. If I go into Computer Configuration/Windows Settings/Local
    Policies/Security Options under the domain GPO and change a setting it is
    not reflected at the workstation. Why and where is it filtered out?
    >
    > Gpresults are:
    >
    > Microsoft (R) Windows (R) XP Operating System Group Policy Result tool
    v2.0
    > Copyright (C) Microsoft Corp. 1981-2001
    >
    > Created On 5/19/2004 at 1:27:45 PM
    >
    >
    >
    > RSOP results for HQ\testuser on TESTUSER-LT : Logging Mode
    > -------------------------------------------------------------
    >
    > OS Type: Microsoft Windows XP Professional
    > OS Configuration: Member Workstation
    > OS Version: 5.1.2600
    > Domain Name: HQ
    > Domain Type: Windows 2000
    > Site Name: Default-First-Site-Name
    > Roaming Profile:
    > Local Profile: C:\Documents and Settings\testuser
    > Connected over a slow link?: No
    >
    >
    > COMPUTER SETTINGS
    > ------------------
    > CN=TESTUSER-LT,OU=Account Services,DC=hq,DC=MY-COMPANY,DC=com
    > Last time Group Policy was applied: 5/19/2004 at 12:42:07 PM
    > Group Policy was applied from: wulfgar.hq.mycompany.com
    > Group Policy slow link threshold: 500 kbps
    >
    > Applied Group Policy Objects
    > -----------------------------
    > N/A
    >
    > The following GPOs were not applied because they were filtered out
    > -------------------------------------------------------------------
    > Local Group Policy
    > Filtering: Not Applied (Empty)
    >
    > The computer is a part of the following security groups:
    > --------------------------------------------------------
    > BUILTIN\Administrators
    > Everyone
    > BUILTIN\Users
    > TESTUSER-LT$
    > Domain Computers
    > NT AUTHORITY\NETWORK
    > NT AUTHORITY\Authenticated Users
    >
    > Resultant Set Of Policies for Computer:
    > ----------------------------------------
    >
    > Software Installations
    > ----------------------
    > N/A
    >
    > Startup Scripts
    > ---------------
    > N/A
    >
    > Shutdown Scripts
    > ----------------
    > N/A
    >
    > Account Policies
    > ----------------
    > N/A
    >
    > Audit Policy
    > ------------
    > N/A
    >
    > User Rights
    > -----------
    > N/A
    >
    > Security Options
    > ----------------
    > N/A
    >
    > Event Log Settings
    > ------------------
    > N/A
    >
    > Restricted Groups
    > -----------------
    > N/A
    >
    > System Services
    > ---------------
    > N/A
    >
    > Registry Settings
    > -----------------
    > N/A
    >
    > File System Settings
    > --------------------
    > N/A
    >
    > Public Key Policies
    > -------------------
    > N/A
    >
    > Administrative Templates
    > ------------------------
    > N/A
    >
    >
    >
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Nope, at least not on purpose. What would be a good test to see if it has been changed? I've looked at properties for the GPO and can't really determine what might be wrong.

    Any suggestions?
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Here's a little more data on the same user/workstation.

    Denied GPOs
    Name Link Location Reason Denied
    Local Group Policy Local Empty
    {31B2F340-016D-11D2-945F-00C04FB984F9} hq.mycompany.com Inaccessible
  4. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    I am 99% sure your ACL is wrong.

    Make sure that the Authenticated Users group has both Read and Apply Group
    Policy permission allowed. There should be NO denied entries on the GPO ACL.

    --
    Derek Melber
    BrainCore.Net
    derekm@braincore.net
    "Bill" <anonymous@discussions.microsoft.com> wrote in message
    news:6E2D9023-18A9-4DBA-B5BD-DB011F3B95FB@microsoft.com...
    > Here's a little more data on the same user/workstation.
    >
    > Denied GPOs
    > Name Link
    Location Reason Denied
    > Local Group Policy Local
    Empty
    > {31B2F340-016D-11D2-945F-00C04FB984F9} hq.mycompany.com
    Inaccessible
    >
  5. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    That appears to have been it - although I can't remember ever removing those privileges from the Auth User account.

    Thanks.
Ask a new question

Read More

Policy Domain Microsoft Windows