Local group policy implementation erratic-why?

Archived from groups: microsoft.public.win2000.group_policy

Created domain Group Policy with Computer Config for workstations; however, it is not being applied across all workstations.

For some unknown reason it applies the policy to one Authenticated User but not another. The only difference being that on the workstation, the policy is successful:

On the workstation I have a:

- desktop workstation
- user has local admin rights

On the other units on which the policy is unsuccessful:

- laptop
- standard user rights

I've checked rights for Authenticated Users and it has Read and Apply Policy. No Deny rights imposed anywhere.
  1. Archived from groups: microsoft.public.win2000.group_policy

    What gpo settings are you trying to change?

    Phil

    "Bill" <anonymous@discussions.microsoft.com> wrote in message
    news:B93200A3-98AE-4D90-B00A-A6ED7C602A50@microsoft.com...
    > Created domain Group Policy with Computer Config for workstations; however,
    > it is not being applied across all workstations.
    >
    > For some unknown reason it applies the policy to one Authenticated User
    > but not another. The only difference being that on the workstation, the
    > policy is successful:
    >
    > On the workstation I have a:
    >
    > - desktop workstation
    > - user has local admin rights
    >
    > On the other units on which the policy is unsuccessful:
    >
    > - laptop
    > - standard user rights
    >
    > I've checked rights for Authenticated Users and it has Read and Apply
    > Policy. No Deny rights imposed anywhere.
  2. Archived from groups: microsoft.public.win2000.group_policy

    This could be a myriad of problems. Most of the time, it is a DNS issue.

    --
    Derek Melber
    BrainCore.Net
    derekm@braincore.net
    "Bill" <anonymous@discussions.microsoft.com> wrote in message
    news:B93200A3-98AE-4D90-B00A-A6ED7C602A50@microsoft.com...
    > Created domain Group Policy with Computer Config for workstations; however,
    > it is not being applied across all workstations.
    >
    > For some unknown reason it applies the policy to one Authenticated User
    > but not another. The only difference being that on the workstation, the
    > policy is successful:
    >
    > On the workstation I have a:
    >
    > - desktop workstation
    > - user has local admin rights
    >
    > On the other units on which the policy is unsuccessful:
    >
    > - laptop
    > - standard user rights
    >
    > I've checked rights for Authenticated Users and it has Read and Apply
    > Policy. No Deny rights imposed anywhere.
  3. Archived from groups: microsoft.public.win2000.group_policy

    I am a bit confused as your post states "Local Group Policy" which would be
    configured on the local machine via gpedit.msc yet you discuss read and apply policy
    which would indicate a domain membership policy??

    Computer configuration applies to computers - not users so the read/apply for
    authenticated users would only have bearing on the fact that computers are members of
    the authenticated users group.

    If you are using domain/OU policy then the computers themselves must be within the
    scope of influence of the policy such as if this is an OU GPO, the computers must
    reside in that OU structure.

    Computers must be configured properly in regards to dns and having a machine account
    in good standing in the domain if this is a domain issue. Most problems are due to a
    domain computer not having only AD domain controllers as their preferred dns server
    in tcp/ip properties. Laptops will initially need to connect to a domain controller
    to have their Group Policy configured and if the user logs on later with cached
    credentials the last policy configuration will remain. You can use netdiag and
    gpresult to troubleshoot Group Policy problems. Run netdiag first to make sure there
    are not any pertinent failed tests/fatal errors in regards to dns, domain membership,
    or dclist. If netdiag looks good then try gpresult. If laptops have software firewall
    enabled, be sure it is disabled when connected to the lan or configured to not block
    traffic to the domain controllers. --- Steve


    "Bill" <anonymous@discussions.microsoft.com> wrote in message
    news:B93200A3-98AE-4D90-B00A-A6ED7C602A50@microsoft.com...
    > Created domain Group Policy with Computer Config for workstations; however, it is not
    > being applied across all workstations.
    >
    > For some unknown reason it applies the policy to one Authenticated User but not
    > another. The only difference being that on the workstation, the policy is successful:
    >
    > On the workstation I have a:
    >
    > - desktop workstation
    > - user has local admin rights
    >
    > On the other units on which the policy is unsuccessful:
    >
    > - laptop
    > - standard user rights
    >
    > I've checked rights for Authenticated Users and it has Read and Apply Policy. No
    > Deny rights imposed anywhere.
  4. Archived from groups: microsoft.public.win2000.group_policy

    I'm trying to (have changed) Security settings in Computer configuration. I can see the changes in the workstation local policy but they do not appear to be applied, i.e. message text on login does not appear.
  5. Archived from groups: microsoft.public.win2000.group_policy

    DNS appears to be fine. Ran netsh diag and ipconfig locally and the client laptop has a host record in DNS.
  6. Archived from groups: microsoft.public.win2000.group_policy

    I worded that badly - you are correct. I'm new to W2K and the manner in which MS implemented Group Policy. Both machines are in the Computers container. I have no special delegation permissions set for groups other than the defaults and Authenticated users.

    My domain policy security config is being applied to the Local Security policy at the workstation (I can see it) but with different results, i.e., message text will appear on one workstation but not another and gpresult indicates GPO Denied - Local Policy (empty) on the latter while it appears as an Applied Group Policy Object on the former.

    Other than the two machines being different there is fundamentally no difference that I can see in AD between them.

    I'm stumped!
    DNS is fine, ran netsh diag, ipconfig and reviewed DNS - the workstation is updated in DNS correctly.
  7. Archived from groups: microsoft.public.win2000.group_policy

    How many domain controllers are in your environment?
    Make sure replication is occurring between them as it should and DNS is
    configured on the DCs correctly.

    Aimme
    --
    This posting is provided "AS IS" with no warranties, and confers no rights.
    "Bill" <anonymous@discussions.microsoft.com> wrote in message
    news:6C873F03-CECC-4BE5-B864-780CA0817451@microsoft.com...
    > I'm trying to (have changed) Security settings in Computer configuration. I
    > can see the changes in the workstation local policy but they do not appear
    > to be applied, i.e. message text on login does not appear.
  8. Archived from groups: microsoft.public.win2000.group_policy

    Two controllers replicating fine. DNS is fine.

    What I don't understand is that the Group Policy Security config is being applied to the workstation on some items but not others. I can see the policy at the workstation and I can change a setting in the Local/Security Config through the Domain policy and it will be applied to the workstation. Yet it does not apply the Message text setting on any system but mine so far and running gpresult on any workstation but mine indicates that the GPO is denied - Local Policy (empty) where mine is applied.

    We're all in the same domain and the computers are all in the same container. The domain policy covers the entire domain.

    What could be different about my computer that allows the policy to be applied on it and not others and why only partially applied on others? Makes no sense whatsoever.
  9. Archived from groups: microsoft.public.win2000.group_policy

    Can you post the gpresult from your workstation and from another?

    --
    This posting is provided "AS IS" with no warranties, and confers no rights.
    "Bill" <anonymous@discussions.microsoft.com> wrote in message
    news:B95AC42F-6A87-4FE8-B4F0-1B3E4DA54E2F@microsoft.com...
    > Two controllers replicating fine. DNS is fine.
    >
    > What I don't understand is that the Group Policy Security config is being
    > applied to the workstation on some items but not others. I can see the
    > policy at the workstation and I can change a setting in the Local/Security
    > Config through the Domain policy and it will be applied to the workstation.
    > Yet it does not apply the Message text setting on any system but mine so far
    > and running gpresult on any workstation but mine indicates that the GPO is
    > denied - Local Policy (empty) where mine is applied.
    >
    > We're all in the same domain and the computers are all in the same
    > container. The domain policy covers the entire domain.
    >
    > What could be different about my computer that allows the policy to be
    > applied on it and not others and why only partially applied on others? Makes
    > no sense whatsoever.
  10. Archived from groups: microsoft.public.win2000.group_policy

    Did you run netdiag and if so did it pass all tests? Also try pasting a copy of
    your gpresult from that machine in a reply. -- Steve


    "Bill" <anonymous@discussions.microsoft.com> wrote in message
    news:72BE463B-BD8A-4BB4-A6E5-2A338FE692BC@microsoft.com...
    > I worded that badly - you are correct. I'm new to W2K and the manner in which
    > MS implemented Group Policy. Both machines are in the Computers container. I
    > have no special delegation permissions set for groups other than the defaults
    > and Authenticated users.
    >
    > My domain policy security config is being applied to the Local Security policy
    > at the workstation (I can see it) but with different results, i.e., message text
    > will appear on one workstation but not another and gpresult indicates GPO
    > Denied - Local Policy (empty) on the latter while it appears as an Applied Group
    > Policy Object on the former.
    >
    > Other than the two machines being different there is fundamentally no
    > difference that I can see in AD between them.
    >
    > I'm stumped!
    > DNS is fine, ran netsh diag, ipconfig and reviewed DNS - the workstation is
    > updated in DNS correctly.
  11. Archived from groups: microsoft.public.win2000.group_policy

    The first (bbergman) gpresult output is obviously on the system where the policy is fully applied. The second (jyoung) does not appear to be receiving the policy.

    Single domain. All computers in same container and all on the same net. DNS appears to be configured correctly.


    RSOP results for HQ\bbergman on BBERGMAN-DT : Logging Mode
    ---------------------------------------------------------------

    OS Type: Microsoft Windows XP Professional
    OS Configuration: Member Workstation
    OS Version: 5.1.2600
    Domain Name: HQ
    Domain Type: Windows 2000
    Site Name: Default-First-Site-Name
    Roaming Profile:
    Local Profile: C:\Documents and Settings\bbergman.001
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
    CN=BBERGMAN-DT,CN=Computers,DC=hq,DC=mycompany,DC=com
    Last time Group Policy was applied: 5/26/2004 at 8:19:12 AM
    Group Policy was applied from: wulfgar.hq.mycompany.com
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
    Default Domain Policy
    Local Group Policy

    The computer is a part of the following security groups:
    --------------------------------------------------------
    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    BBERGMAN-DT$
    Domain Computers
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users


    USER SETTINGS
    --------------
    CN=Bill Bergman,OU=Information Systems,DC=hq,DC=mycompany,DC=com
    Last time Group Policy was applied: 5/26/2004 at 8:12:31 AM
    Group Policy was applied from: wulfgar.hq.mycompany.com
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
    Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Local Group Policy
    Filtering: Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
    Domain Users
    Everyone
    BUILTIN\Administrators
    BUILTIN\Users
    IT
    LOCAL
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users

    --------------------------------------------------------------------------------------------------------------------

    RSOP results for HQ\jyoung on JYOUNG-LT : Logging Mode
    -------------------------------------------------------

    OS Type: Microsoft Windows XP Professional
    OS Configuration: Member Workstation
    OS Version: 5.1.2600
    Domain Name: HQ
    Domain Type: Windows 2000
    Site Name: Default-First-Site-Name
    Roaming Profile:
    Local Profile: C:\Documents and Settings\jyoung
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
    CN=JYOUNG-LT,CN=Computers,DC=hq,DC=bader-rutter,DC=com
    Last time Group Policy was applied: 5/26/2004 at 9:18:26 AM
    Group Policy was applied from: wulfgar.hq.bader-rutter.com
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
    Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Local Group Policy
    Filtering: Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    JYOUNG-LT$
    Domain Computers
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users


    USER SETTINGS
    --------------
    CN=Jane Young,OU=Account Services,DC=hq,DC=bader-rutter,DC=com
    Last time Group Policy was applied: 5/26/2004 at 9:22:41 AM
    Group Policy was applied from: grendel.hq.bader-rutter.com
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
    Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Local Group Policy
    Filtering: Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
    Domain Users
    Everyone
    BUILTIN\Users
    AcctSvcs
    LOCAL
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users
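
Added example (not part of the thread and not any poster's code): a small Python parser for gpresult text like the two reports above, which records per scope the domain controller that served policy and the applied and filtered GPOs, then lists where two machines differ. The function names are hypothetical and the embedded sample is abridged from the posted output.

```python
import re

# Abridged from the two reports posted above: account, timestamp and group-member
# lines and the (identical) user-scope filtered lists are trimmed for length.
REPORTS = r"""RSOP results for HQ\bbergman on BBERGMAN-DT : Logging Mode
COMPUTER SETTINGS
------------------
Group Policy was applied from: wulfgar.hq.mycompany.com
Applied Group Policy Objects
Default Domain Policy
Local Group Policy
The computer is a part of the following security groups:
Domain Computers
USER SETTINGS
Group Policy was applied from: wulfgar.hq.mycompany.com
Applied Group Policy Objects
Default Domain Policy
-------------------------------------------------------
RSOP results for HQ\jyoung on JYOUNG-LT : Logging Mode
COMPUTER SETTINGS
Group Policy was applied from: wulfgar.hq.bader-rutter.com
Applied Group Policy Objects
Default Domain Policy
The following GPOs were not applied because they were filtered out
Local Group Policy
Filtering: Not Applied (Empty)
USER SETTINGS
Group Policy was applied from: grendel.hq.bader-rutter.com
Applied Group Policy Objects
Default Domain Policy
"""

HEAD = re.compile(r"^RSOP results for (\S+) on (\S+)")

def parse_gpresult(text):
    """Return {host: {"computer"|"user": {"dc", "applied", "filtered"}}}."""
    reports, host, scope, section, last = {}, None, None, None, None
    for line in map(str.strip, text.splitlines()):
        m = HEAD.match(line)
        if m:                                   # start of a new report
            host, scope, section = m.group(2), None, None
            reports[host] = {}
        elif host and line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope = {"dc": None, "applied": [], "filtered": {}}
            reports[host][line.split()[0].lower()] = scope
            section = None
        elif scope is None or not line or set(line) == {"-"}:
            continue                            # preamble, blanks, underline rows
        elif line.startswith("Group Policy was applied from:"):
            # Host label only: the posted reports show two different DNS suffixes.
            scope["dc"] = line.split(":", 1)[1].strip().split(".")[0]
        elif line == "Applied Group Policy Objects":
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif line.startswith("The ") and line.endswith("security groups:"):
            section = None                      # group membership is not compared
        elif section == "applied":
            scope["applied"].append(line)
        elif section == "filtered" and line.startswith("Filtering:"):
            scope["filtered"][last] = line.split(":", 1)[1].strip()
        elif section == "filtered":
            last = line                         # GPO name; its reason follows
            scope["filtered"][last] = None
    return reports

def diff_hosts(reports, a, b):
    """List (scope, field, value_on_a, value_on_b) wherever the hosts differ."""
    return [(s, f, reports[a][s][f], reports[b][s][f])
            for s in ("computer", "user") for f in ("dc", "applied", "filtered")
            if reports[a][s][f] != reports[b][s][f]]

if __name__ == "__main__":
    print(*diff_hosts(parse_gpresult(REPORTS), "BBERGMAN-DT", "JYOUNG-LT"), sep="\n")
```

On the posted data the differences are the computer-scope Local Group Policy entry (applied on the desktop, filtered as "Not Applied (Empty)" on the laptop) and the domain controller that served user policy (wulfgar versus grendel).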
  13. Archived from groups: microsoft.public.win2000.group_policy

    Ran netdiag and noticed that on the system I tested it did fail the DCList test.
  14. Archived from groups: microsoft.public.win2000.group_policy

    Did have a DcList fail on the test system. Then I set the message title as you suggested and now it works on all systems!!!

    What the hell is that about?
  15. Archived from groups: microsoft.public.win2000.group_policy

    Failure of dclist may mean the machine password has expired due to not being
    connected to the domain for more than thirty days or other problems communicating
    with the domain controllers/computer account. As far as message title, I remember
    reading somewhere that it is required in order to use text message. --- Steve


    "Bill" <anonymous@discussions.microsoft.com> wrote in message
    news:24AF8A58-92E4-4896-B507-4D6AA90693EE@microsoft.com...
    > Did have a DcList fail on the test system. Then I set the message title as you
    > suggested and now it works on all systems!!!
    >
    > What the hell is that about?
  16. Archived from groups: microsoft.public.win2000.group_policy

    The machine I was getting the dclist failure on has been up and connected nearly every day. Other than the DClist failure there is no hint that the laptop has any trouble.

    As for the message text problem - it was popping up just fine on my system without the title bar. Another MS mystery?

    I am still getting in the Computer Config gpresult the GPO Denied on the Local Policy (empty) on the laptop but it comes up applied on my workstation. Although it seems to be applied on both. I'm at a loss.
  17. Archived from groups: microsoft.public.win2000.group_policy

    Are the users on these two systems on the same access (security) levels? I have seen policies fit coolly on systems with high rights and never applied on systems with users with only user rights.
  18. Archived from groups: microsoft.public.win2000.group_policy

    Shouldn't matter. It's the Computer Configuration\Security settings that don't appear to be applied at the workstation according to gpresult output. In fact they do apply, so why does gpresult tell me my Local Policy is applied on one and not the other?
  19. Archived from groups: microsoft.public.win2000.group_policy

    I am not sure why you consistently get the dclist failure if your dns is
    configured correctly and you have network communications to the domain
    controller. As long as you do not get a fatal error in the trust
    relationship test, you still should have a computer account in good standing
    in the domain. I have never seen the GPO denied for Local Group Policy
    before, particularly for computer configuration which is configured by
    default. So at this point I am at a loss also but will keep thinking about
    it. --- Steve


    "Bill" <anonymous@discussions.microsoft.com> wrote in message
    news:93E552D0-D83A-4EBB-8617-E6E6C10ADD94@microsoft.com...
    > The machine I was getting the dclist failure on has been up and connected
    > nearly every day. Other than the DClist failure there is no hint that the
    > laptop has any trouble.
    >
    > As for the message text problem - it was popping up just fine on my system
    > without the title bar. Another MS mystery?
    >
    > I am still getting in the Computer Config gpresult the GPO Denied on the
    > Local Policy (empty) on the laptop but it comes up applied on my
    > workstation. Although it seems to be applied on both. I'm at a loss.
  20. Archived from groups: microsoft.public.win2000.group_policy

    This particular issue is driving me batty, since it does seem to be applying the Computer Config security setting to the box's Local Policy. The DCList failures are corrected so that avenue is a dead-end. Since I'm new to this flavor of MS Server I've gotta think I'm missing something but don't know enough yet to ID it.

    I have taken the machines out of the default Computers container and moved them to their respective OUs and I'm going to do some troubleshooting. Because I used the Default Domain policy rather than creating a new default I'm going to restore the original with Dcgpofix (just the domain not the domain controller policy) and create a new one from scratch and see if I can't at least get it to work and report properly at the OU level before I apply it to the domain.

    Can't think of anything else to do at this point.

    Thanks for your help. If you have an epiphany let me know.