Sign in with
Sign up | Sign in
Your question

GPO not applied in remote sites

Last response: in Windows 2000/NT
Share
Anonymous
October 18, 2004 5:03:09 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have created a GPO that will be used to lock down workstations. I have
created a test OU, and linked the GPO to the test OU. I have copied the
default domain policy to make sure the permissions are right, and changed the
contents of the policy to my own specificaitons. I have added a few
workstations from my corp office and all is well. The policy is applied with
no problem. My problem is that the policy is not being applied to
workstations in remote sites. My remote sites all have their own DC. The
GPO has replicated to the remote site sysvol, as I see the object (named by
GUID), on the remote server. I have added the remote workstation objects to
the test OU, and this has replcated in AD......yet the policy is not applied.
Am I missing something. I have compared permissions on the GPO in my site
and they match the GPO in the remote site. Please help..... Thanks.
Anonymous
October 18, 2004 7:16:12 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

You need to look for userenv errors on the clients in the remote site.
Run gpresult in the remote site after logging on.
Does GPresult show the policy?

--
Glenn L
CCNA, MCSE 2000, MCSE 2003 + Security


"JesseK" <JesseK@discussions.microsoft.com> wrote in message
news:D EB4A32A-0784-41A1-ACAC-E4CA9E95C3EA@microsoft.com...
> I have created a GPO that will be used to lock down workstations. I have
> created a test OU, and linked the GPO to the test OU. I have copied the
> default domain policy to make sure the permissions are right, and changed
the
> contents of the policy to my own specificaitons. I have added a few
> workstations from my corp office and all is well. The policy is applied
with
> no problem. My problem is that the policy is not being applied to
> workstations in remote sites. My remote sites all have their own DC. The
> GPO has replicated to the remote site sysvol, as I see the object (named
by
> GUID), on the remote server. I have added the remote workstation objects
to
> the test OU, and this has replcated in AD......yet the policy is not
applied.
> Am I missing something. I have compared permissions on the GPO in my
site
> and they match the GPO in the remote site. Please help..... Thanks.
Anonymous
October 19, 2004 5:46:57 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Jesse,

What is the connection speed between the 'HQ' and the remote offices?

Cary

"JesseK" <JesseK@discussions.microsoft.com> wrote in message
news:D EB4A32A-0784-41A1-ACAC-E4CA9E95C3EA@microsoft.com...
> I have created a GPO that will be used to lock down workstations. I have
> created a test OU, and linked the GPO to the test OU. I have copied the
> default domain policy to make sure the permissions are right, and changed
the
> contents of the policy to my own specificaitons. I have added a few
> workstations from my corp office and all is well. The policy is applied
with
> no problem. My problem is that the policy is not being applied to
> workstations in remote sites. My remote sites all have their own DC. The
> GPO has replicated to the remote site sysvol, as I see the object (named
by
> GUID), on the remote server. I have added the remote workstation objects
to
> the test OU, and this has replcated in AD......yet the policy is not
applied.
> Am I missing something. I have compared permissions on the GPO in my
site
> and they match the GPO in the remote site. Please help..... Thanks.
Related resources
Anonymous
October 19, 2004 5:53:09 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Er, not necessarily a factor...Sorry for not reading the entire post.

But, maybe it is. Which DC is being used to authenticate?

Cary

"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:us3RiOgtEHA.3292@TK2MSFTNGP12.phx.gbl...
> Jesse,
>
> What is the connection speed between the 'HQ' and the remote offices?
>
> Cary
>
> "JesseK" <JesseK@discussions.microsoft.com> wrote in message
> news:D EB4A32A-0784-41A1-ACAC-E4CA9E95C3EA@microsoft.com...
> > I have created a GPO that will be used to lock down workstations. I
have
> > created a test OU, and linked the GPO to the test OU. I have copied the
> > default domain policy to make sure the permissions are right, and
changed
> the
> > contents of the policy to my own specificaitons. I have added a few
> > workstations from my corp office and all is well. The policy is applied
> with
> > no problem. My problem is that the policy is not being applied to
> > workstations in remote sites. My remote sites all have their own DC.
The
> > GPO has replicated to the remote site sysvol, as I see the object (named
> by
> > GUID), on the remote server. I have added the remote workstation
objects
> to
> > the test OU, and this has replcated in AD......yet the policy is not
> applied.
> > Am I missing something. I have compared permissions on the GPO in my
> site
> > and they match the GPO in the remote site. Please help..... Thanks.
>
>
Anonymous
October 19, 2004 11:05:02 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Cary,

The link is 56K, but the sites are authenticating to thier site server.
There are userenv 1000 errors, stating that the domain cannot be found, and
the computer or user name cannot be found. I checked DNS and all looks well.
I did nslookup set type=srv and got response from DC's. I checked for
kerberos, ldap, and gc records in DNS and all exist for the sites. I ran
gpresult on workstations and the policy's are applied. Remember one policy
(computer) runs a script and is working. The user policy does not. Only
remote sites are having trouble applying GPO and most sites have userenv
errors??? what now?

"Cary Shultz [A.D. MVP]" wrote:

> Er, not necessarily a factor...Sorry for not reading the entire post.
>
> But, maybe it is. Which DC is being used to authenticate?
>
> Cary
>
> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> news:us3RiOgtEHA.3292@TK2MSFTNGP12.phx.gbl...
> > Jesse,
> >
> > What is the connection speed between the 'HQ' and the remote offices?
> >
> > Cary
> >
> > "JesseK" <JesseK@discussions.microsoft.com> wrote in message
> > news:D EB4A32A-0784-41A1-ACAC-E4CA9E95C3EA@microsoft.com...
> > > I have created a GPO that will be used to lock down workstations. I
> have
> > > created a test OU, and linked the GPO to the test OU. I have copied the
> > > default domain policy to make sure the permissions are right, and
> changed
> > the
> > > contents of the policy to my own specificaitons. I have added a few
> > > workstations from my corp office and all is well. The policy is applied
> > with
> > > no problem. My problem is that the policy is not being applied to
> > > workstations in remote sites. My remote sites all have their own DC.
> The
> > > GPO has replicated to the remote site sysvol, as I see the object (named
> > by
> > > GUID), on the remote server. I have added the remote workstation
> objects
> > to
> > > the test OU, and this has replcated in AD......yet the policy is not
> > applied.
> > > Am I missing something. I have compared permissions on the GPO in my
> > site
> > > and they match the GPO in the remote site. Please help..... Thanks.
> >
> >
>
>
>
Anonymous
October 20, 2004 6:58:42 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

enable userenv logging per
http://support.microsoft.com/default.aspx?scid=kb;en-us;221833
then login as the user that fails to apply the policy and retrieve the
userenv.log file and post it to this thread.


--
Glenn L
CCNA, MCSE 2000, MCSE 2003 + Security


"JesseK" <JesseK@discussions.microsoft.com> wrote in message
news:B3C89FD6-13A7-4F13-BAB2-0735C8F3C304@microsoft.com...
> Cary,
>
> The link is 56K, but the sites are authenticating to thier site server.
> There are userenv 1000 errors, stating that the domain cannot be found,
and
> the computer or user name cannot be found. I checked DNS and all looks
well.
> I did nslookup set type=srv and got response from DC's. I checked for
> kerberos, ldap, and gc records in DNS and all exist for the sites. I ran
> gpresult on workstations and the policy's are applied. Remember one
policy
> (computer) runs a script and is working. The user policy does not. Only
> remote sites are having trouble applying GPO and most sites have userenv
> errors??? what now?
>
> "Cary Shultz [A.D. MVP]" wrote:
>
> > Er, not necessarily a factor...Sorry for not reading the entire post.
> >
> > But, maybe it is. Which DC is being used to authenticate?
> >
> > Cary
> >
> > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> > news:us3RiOgtEHA.3292@TK2MSFTNGP12.phx.gbl...
> > > Jesse,
> > >
> > > What is the connection speed between the 'HQ' and the remote offices?
> > >
> > > Cary
> > >
> > > "JesseK" <JesseK@discussions.microsoft.com> wrote in message
> > > news:D EB4A32A-0784-41A1-ACAC-E4CA9E95C3EA@microsoft.com...
> > > > I have created a GPO that will be used to lock down workstations. I
> > have
> > > > created a test OU, and linked the GPO to the test OU. I have copied
the
> > > > default domain policy to make sure the permissions are right, and
> > changed
> > > the
> > > > contents of the policy to my own specificaitons. I have added a few
> > > > workstations from my corp office and all is well. The policy is
applied
> > > with
> > > > no problem. My problem is that the policy is not being applied to
> > > > workstations in remote sites. My remote sites all have their own
DC.
> > The
> > > > GPO has replicated to the remote site sysvol, as I see the object
(named
> > > by
> > > > GUID), on the remote server. I have added the remote workstation
> > objects
> > > to
> > > > the test OU, and this has replcated in AD......yet the policy is not
> > > applied.
> > > > Am I missing something. I have compared permissions on the GPO in
my
> > > site
> > > > and they match the GPO in the remote site. Please help.....
Thanks.
> > >
> > >
> >
> >
> >
Anonymous
October 22, 2004 12:25:04 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Glenn,

I did not have the user accounts in the ou, but had user policy specified.
I enabled grou ppolicy loopback proccesing under computer configuration and
all is working. Although once the policy was applied it did not allow
applciation shortcuts to the desktop and i did not select clear icons in the
policy.... wierd. Also the active desktop that specifies a wallpaper is not
working. At least the computers are secure now. Thanks.

"Glenn L" wrote:

> enable userenv logging per
> http://support.microsoft.com/default.aspx?scid=kb;en-us;221833
> then login as the user that fails to apply the policy and retrieve the
> userenv.log file and post it to this thread.
>
>
> --
> Glenn L
> CCNA, MCSE 2000, MCSE 2003 + Security
>
>
> "JesseK" <JesseK@discussions.microsoft.com> wrote in message
> news:B3C89FD6-13A7-4F13-BAB2-0735C8F3C304@microsoft.com...
> > Cary,
> >
> > The link is 56K, but the sites are authenticating to thier site server.
> > There are userenv 1000 errors, stating that the domain cannot be found,
> and
> > the computer or user name cannot be found. I checked DNS and all looks
> well.
> > I did nslookup set type=srv and got response from DC's. I checked for
> > kerberos, ldap, and gc records in DNS and all exist for the sites. I ran
> > gpresult on workstations and the policy's are applied. Remember one
> policy
> > (computer) runs a script and is working. The user policy does not. Only
> > remote sites are having trouble applying GPO and most sites have userenv
> > errors??? what now?
> >
> > "Cary Shultz [A.D. MVP]" wrote:
> >
> > > Er, not necessarily a factor...Sorry for not reading the entire post.
> > >
> > > But, maybe it is. Which DC is being used to authenticate?
> > >
> > > Cary
> > >
> > > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> > > news:us3RiOgtEHA.3292@TK2MSFTNGP12.phx.gbl...
> > > > Jesse,
> > > >
> > > > What is the connection speed between the 'HQ' and the remote offices?
> > > >
> > > > Cary
> > > >
> > > > "JesseK" <JesseK@discussions.microsoft.com> wrote in message
> > > > news:D EB4A32A-0784-41A1-ACAC-E4CA9E95C3EA@microsoft.com...
> > > > > I have created a GPO that will be used to lock down workstations. I
> > > have
> > > > > created a test OU, and linked the GPO to the test OU. I have copied
> the
> > > > > default domain policy to make sure the permissions are right, and
> > > changed
> > > > the
> > > > > contents of the policy to my own specificaitons. I have added a few
> > > > > workstations from my corp office and all is well. The policy is
> applied
> > > > with
> > > > > no problem. My problem is that the policy is not being applied to
> > > > > workstations in remote sites. My remote sites all have their own
> DC.
> > > The
> > > > > GPO has replicated to the remote site sysvol, as I see the object
> (named
> > > > by
> > > > > GUID), on the remote server. I have added the remote workstation
> > > objects
> > > > to
> > > > > the test OU, and this has replcated in AD......yet the policy is not
> > > > applied.
> > > > > Am I missing something. I have compared permissions on the GPO in
> my
> > > > site
> > > > > and they match the GPO in the remote site. Please help.....
> Thanks.
> > > >
> > > >
> > >
> > >
> > >
>
>
>
Anonymous
October 26, 2004 2:59:20 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Try adding the setting:

Computer Config> Administrative templates > System > Group Policy -
Group Policy slow link detection (Enabled) Connection Speed (0 to
disable slow link detection) if you have problems with remote users
since your WAN link is too slow.

Run gpupdate from a command prompt on the clients, or reboot the
clients (the best is to boot, I have seen GPO`s not being active
unless a reboot) after changing the GPO.

Not sure if this applies to your config as you have a DC in the remote
site, but it is worth a try.

Best regards

Stein Waalen
Norway
Do not reply to personal e-mail, groups only.

JesseK <JesseK@discussions.microsoft.com> wrote in message news:<C4D1755F-AD9D-4D3A-AFAD-03B993265667@microsoft.com>...
> Glenn,
>
> I did not have the user accounts in the ou, but had user policy specified.
> I enabled grou ppolicy loopback proccesing under computer configuration and
> all is working. Although once the policy was applied it did not allow
> applciation shortcuts to the desktop and i did not select clear icons in the
> policy.... wierd. Also the active desktop that specifies a wallpaper is not
> working. At least the computers are secure now. Thanks.
>
> "Glenn L" wrote:
>
> > enable userenv logging per
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;221833
> > then login as the user that fails to apply the policy and retrieve the
> > userenv.log file and post it to this thread.
> >
> >
> > --
> > Glenn L
> > CCNA, MCSE 2000, MCSE 2003 + Security
> >
> >
> > "JesseK" <JesseK@discussions.microsoft.com> wrote in message
> > news:B3C89FD6-13A7-4F13-BAB2-0735C8F3C304@microsoft.com...
> > > Cary,
> > >
> > > The link is 56K, but the sites are authenticating to thier site server.
> > > There are userenv 1000 errors, stating that the domain cannot be found,
> and
> > > the computer or user name cannot be found. I checked DNS and all looks
> well.
> > > I did nslookup set type=srv and got response from DC's. I checked for
> > > kerberos, ldap, and gc records in DNS and all exist for the sites. I ran
> > > gpresult on workstations and the policy's are applied. Remember one
> policy
> > > (computer) runs a script and is working. The user policy does not. Only
> > > remote sites are having trouble applying GPO and most sites have userenv
> > > errors??? what now?
> > >
> > > "Cary Shultz [A.D. MVP]" wrote:
> > >
> > > > Er, not necessarily a factor...Sorry for not reading the entire post.
> > > >
> > > > But, maybe it is. Which DC is being used to authenticate?
> > > >
> > > > Cary
> > > >
> > > > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> > > > news:us3RiOgtEHA.3292@TK2MSFTNGP12.phx.gbl...
> > > > > Jesse,
> > > > >
> > > > > What is the connection speed between the 'HQ' and the remote offices?
> > > > >
> > > > > Cary
> > > > >
> > > > > "JesseK" <JesseK@discussions.microsoft.com> wrote in message
> > > > > news:D EB4A32A-0784-41A1-ACAC-E4CA9E95C3EA@microsoft.com...
> > > > > > I have created a GPO that will be used to lock down workstations. I
> have
> > > > > > created a test OU, and linked the GPO to the test OU. I have copied
> the
> > > > > > default domain policy to make sure the permissions are right, and
> changed
> the
> > > > > > contents of the policy to my own specificaitons. I have added a few
> > > > > > workstations from my corp office and all is well. The policy is
> applied
> with
> > > > > > no problem. My problem is that the policy is not being applied to
> > > > > > workstations in remote sites. My remote sites all have their own
> DC.
> The
> > > > > > GPO has replicated to the remote site sysvol, as I see the object
> (named
> by
> > > > > > GUID), on the remote server. I have added the remote workstation
> objects
> to
> > > > > > the test OU, and this has replcated in AD......yet the policy is not
> applied.
> > > > > > Am I missing something. I have compared permissions on the GPO in
> my
> site
> > > > > > and they match the GPO in the remote site. Please help.....
> Thanks.
> > > > >
> > > > >
> > > >
> > > >
> > > >
> >
> >
> >
!