GPO not applied in remote sites

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have created a GPO that will be used to lock down workstations. I have
created a test OU, and linked the GPO to the test OU. I have copied the
default domain policy to make sure the permissions are right, and changed the
contents of the policy to my own specificaitons. I have added a few
workstations from my corp office and all is well. The policy is applied with
no problem. My problem is that the policy is not being applied to
workstations in remote sites. My remote sites all have their own DC. The
GPO has replicated to the remote site sysvol, as I see the object (named by
GUID), on the remote server. I have added the remote workstation objects to
the test OU, and this has replcated in AD......yet the policy is not applied.
Am I missing something. I have compared permissions on the GPO in my site
and they match the GPO in the remote site. Please help..... Thanks.
7 answers Last reply
More about applied remote sites
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    You need to look for userenv errors on the clients in the remote site.
    Run gpresult in the remote site after logging on.
    Does GPresult show the policy?

    --
    Glenn L
    CCNA, MCSE 2000, MCSE 2003 + Security


    "JesseK" <JesseK@discussions.microsoft.com> wrote in message
    news:DEB4A32A-0784-41A1-ACAC-E4CA9E95C3EA@microsoft.com...
    > I have created a GPO that will be used to lock down workstations. I have
    > created a test OU, and linked the GPO to the test OU. I have copied the
    > default domain policy to make sure the permissions are right, and changed
    the
    > contents of the policy to my own specificaitons. I have added a few
    > workstations from my corp office and all is well. The policy is applied
    with
    > no problem. My problem is that the policy is not being applied to
    > workstations in remote sites. My remote sites all have their own DC. The
    > GPO has replicated to the remote site sysvol, as I see the object (named
    by
    > GUID), on the remote server. I have added the remote workstation objects
    to
    > the test OU, and this has replcated in AD......yet the policy is not
    applied.
    > Am I missing something. I have compared permissions on the GPO in my
    site
    > and they match the GPO in the remote site. Please help..... Thanks.
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Jesse,

    What is the connection speed between the 'HQ' and the remote offices?

    Cary

    "JesseK" <JesseK@discussions.microsoft.com> wrote in message
    news:DEB4A32A-0784-41A1-ACAC-E4CA9E95C3EA@microsoft.com...
    > I have created a GPO that will be used to lock down workstations. I have
    > created a test OU, and linked the GPO to the test OU. I have copied the
    > default domain policy to make sure the permissions are right, and changed
    the
    > contents of the policy to my own specificaitons. I have added a few
    > workstations from my corp office and all is well. The policy is applied
    with
    > no problem. My problem is that the policy is not being applied to
    > workstations in remote sites. My remote sites all have their own DC. The
    > GPO has replicated to the remote site sysvol, as I see the object (named
    by
    > GUID), on the remote server. I have added the remote workstation objects
    to
    > the test OU, and this has replcated in AD......yet the policy is not
    applied.
    > Am I missing something. I have compared permissions on the GPO in my
    site
    > and they match the GPO in the remote site. Please help..... Thanks.
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Er, not necessarily a factor...Sorry for not reading the entire post.

    But, maybe it is. Which DC is being used to authenticate?

    Cary

    "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    news:us3RiOgtEHA.3292@TK2MSFTNGP12.phx.gbl...
    > Jesse,
    >
    > What is the connection speed between the 'HQ' and the remote offices?
    >
    > Cary
    >
    > "JesseK" <JesseK@discussions.microsoft.com> wrote in message
    > news:DEB4A32A-0784-41A1-ACAC-E4CA9E95C3EA@microsoft.com...
    > > I have created a GPO that will be used to lock down workstations. I
    have
    > > created a test OU, and linked the GPO to the test OU. I have copied the
    > > default domain policy to make sure the permissions are right, and
    changed
    > the
    > > contents of the policy to my own specificaitons. I have added a few
    > > workstations from my corp office and all is well. The policy is applied
    > with
    > > no problem. My problem is that the policy is not being applied to
    > > workstations in remote sites. My remote sites all have their own DC.
    The
    > > GPO has replicated to the remote site sysvol, as I see the object (named
    > by
    > > GUID), on the remote server. I have added the remote workstation
    objects
    > to
    > > the test OU, and this has replcated in AD......yet the policy is not
    > applied.
    > > Am I missing something. I have compared permissions on the GPO in my
    > site
    > > and they match the GPO in the remote site. Please help..... Thanks.
    >
    >
  4. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Cary,

    The link is 56K, but the sites are authenticating to thier site server.
    There are userenv 1000 errors, stating that the domain cannot be found, and
    the computer or user name cannot be found. I checked DNS and all looks well.
    I did nslookup set type=srv and got response from DC's. I checked for
    kerberos, ldap, and gc records in DNS and all exist for the sites. I ran
    gpresult on workstations and the policy's are applied. Remember one policy
    (computer) runs a script and is working. The user policy does not. Only
    remote sites are having trouble applying GPO and most sites have userenv
    errors??? what now?

    "Cary Shultz [A.D. MVP]" wrote:

    > Er, not necessarily a factor...Sorry for not reading the entire post.
    >
    > But, maybe it is. Which DC is being used to authenticate?
    >
    > Cary
    >
    > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    > news:us3RiOgtEHA.3292@TK2MSFTNGP12.phx.gbl...
    > > Jesse,
    > >
    > > What is the connection speed between the 'HQ' and the remote offices?
    > >
    > > Cary
    > >
    > > "JesseK" <JesseK@discussions.microsoft.com> wrote in message
    > > news:DEB4A32A-0784-41A1-ACAC-E4CA9E95C3EA@microsoft.com...
    > > > I have created a GPO that will be used to lock down workstations. I
    > have
    > > > created a test OU, and linked the GPO to the test OU. I have copied the
    > > > default domain policy to make sure the permissions are right, and
    > changed
    > > the
    > > > contents of the policy to my own specificaitons. I have added a few
    > > > workstations from my corp office and all is well. The policy is applied
    > > with
    > > > no problem. My problem is that the policy is not being applied to
    > > > workstations in remote sites. My remote sites all have their own DC.
    > The
    > > > GPO has replicated to the remote site sysvol, as I see the object (named
    > > by
    > > > GUID), on the remote server. I have added the remote workstation
    > objects
    > > to
    > > > the test OU, and this has replcated in AD......yet the policy is not
    > > applied.
    > > > Am I missing something. I have compared permissions on the GPO in my
    > > site
    > > > and they match the GPO in the remote site. Please help..... Thanks.
    > >
    > >
    >
    >
    >
  5. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    enable userenv logging per
    http://support.microsoft.com/default.aspx?scid=kb;en-us;221833
    then login as the user that fails to apply the policy and retrieve the
    userenv.log file and post it to this thread.


    --
    Glenn L
    CCNA, MCSE 2000, MCSE 2003 + Security


    "JesseK" <JesseK@discussions.microsoft.com> wrote in message
    news:B3C89FD6-13A7-4F13-BAB2-0735C8F3C304@microsoft.com...
    > Cary,
    >
    > The link is 56K, but the sites are authenticating to thier site server.
    > There are userenv 1000 errors, stating that the domain cannot be found,
    and
    > the computer or user name cannot be found. I checked DNS and all looks
    well.
    > I did nslookup set type=srv and got response from DC's. I checked for
    > kerberos, ldap, and gc records in DNS and all exist for the sites. I ran
    > gpresult on workstations and the policy's are applied. Remember one
    policy
    > (computer) runs a script and is working. The user policy does not. Only
    > remote sites are having trouble applying GPO and most sites have userenv
    > errors??? what now?
    >
    > "Cary Shultz [A.D. MVP]" wrote:
    >
    > > Er, not necessarily a factor...Sorry for not reading the entire post.
    > >
    > > But, maybe it is. Which DC is being used to authenticate?
    > >
    > > Cary
    > >
    > > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    > > news:us3RiOgtEHA.3292@TK2MSFTNGP12.phx.gbl...
    > > > Jesse,
    > > >
    > > > What is the connection speed between the 'HQ' and the remote offices?
    > > >
    > > > Cary
    > > >
    > > > "JesseK" <JesseK@discussions.microsoft.com> wrote in message
    > > > news:DEB4A32A-0784-41A1-ACAC-E4CA9E95C3EA@microsoft.com...
    > > > > I have created a GPO that will be used to lock down workstations. I
    > > have
    > > > > created a test OU, and linked the GPO to the test OU. I have copied
    the
    > > > > default domain policy to make sure the permissions are right, and
    > > changed
    > > > the
    > > > > contents of the policy to my own specificaitons. I have added a few
    > > > > workstations from my corp office and all is well. The policy is
    applied
    > > > with
    > > > > no problem. My problem is that the policy is not being applied to
    > > > > workstations in remote sites. My remote sites all have their own
    DC.
    > > The
    > > > > GPO has replicated to the remote site sysvol, as I see the object
    (named
    > > > by
    > > > > GUID), on the remote server. I have added the remote workstation
    > > objects
    > > > to
    > > > > the test OU, and this has replcated in AD......yet the policy is not
    > > > applied.
    > > > > Am I missing something. I have compared permissions on the GPO in
    my
    > > > site
    > > > > and they match the GPO in the remote site. Please help.....
    Thanks.
    > > >
    > > >
    > >
    > >
    > >
  6. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Glenn,

    I did not have the user accounts in the ou, but had user policy specified.
    I enabled grou ppolicy loopback proccesing under computer configuration and
    all is working. Although once the policy was applied it did not allow
    applciation shortcuts to the desktop and i did not select clear icons in the
    policy.... wierd. Also the active desktop that specifies a wallpaper is not
    working. At least the computers are secure now. Thanks.

    "Glenn L" wrote:

    > enable userenv logging per
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;221833
    > then login as the user that fails to apply the policy and retrieve the
    > userenv.log file and post it to this thread.
    >
    >
    > --
    > Glenn L
    > CCNA, MCSE 2000, MCSE 2003 + Security
    >
    >
    > "JesseK" <JesseK@discussions.microsoft.com> wrote in message
    > news:B3C89FD6-13A7-4F13-BAB2-0735C8F3C304@microsoft.com...
    > > Cary,
    > >
    > > The link is 56K, but the sites are authenticating to thier site server.
    > > There are userenv 1000 errors, stating that the domain cannot be found,
    > and
    > > the computer or user name cannot be found. I checked DNS and all looks
    > well.
    > > I did nslookup set type=srv and got response from DC's. I checked for
    > > kerberos, ldap, and gc records in DNS and all exist for the sites. I ran
    > > gpresult on workstations and the policy's are applied. Remember one
    > policy
    > > (computer) runs a script and is working. The user policy does not. Only
    > > remote sites are having trouble applying GPO and most sites have userenv
    > > errors??? what now?
    > >
    > > "Cary Shultz [A.D. MVP]" wrote:
    > >
    > > > Er, not necessarily a factor...Sorry for not reading the entire post.
    > > >
    > > > But, maybe it is. Which DC is being used to authenticate?
    > > >
    > > > Cary
    > > >
    > > > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    > > > news:us3RiOgtEHA.3292@TK2MSFTNGP12.phx.gbl...
    > > > > Jesse,
    > > > >
    > > > > What is the connection speed between the 'HQ' and the remote offices?
    > > > >
    > > > > Cary
    > > > >
    > > > > "JesseK" <JesseK@discussions.microsoft.com> wrote in message
    > > > > news:DEB4A32A-0784-41A1-ACAC-E4CA9E95C3EA@microsoft.com...
    > > > > > I have created a GPO that will be used to lock down workstations. I
    > > > have
    > > > > > created a test OU, and linked the GPO to the test OU. I have copied
    > the
    > > > > > default domain policy to make sure the permissions are right, and
    > > > changed
    > > > > the
    > > > > > contents of the policy to my own specificaitons. I have added a few
    > > > > > workstations from my corp office and all is well. The policy is
    > applied
    > > > > with
    > > > > > no problem. My problem is that the policy is not being applied to
    > > > > > workstations in remote sites. My remote sites all have their own
    > DC.
    > > > The
    > > > > > GPO has replicated to the remote site sysvol, as I see the object
    > (named
    > > > > by
    > > > > > GUID), on the remote server. I have added the remote workstation
    > > > objects
    > > > > to
    > > > > > the test OU, and this has replcated in AD......yet the policy is not
    > > > > applied.
    > > > > > Am I missing something. I have compared permissions on the GPO in
    > my
    > > > > site
    > > > > > and they match the GPO in the remote site. Please help.....
    > Thanks.
    > > > >
    > > > >
    > > >
    > > >
    > > >
    >
    >
    >
  7. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Try adding the setting:

    Computer Config> Administrative templates > System > Group Policy -
    Group Policy slow link detection (Enabled) Connection Speed (0 to
    disable slow link detection) if you have problems with remote users
    since your WAN link is too slow.

    Run gpupdate from a command prompt on the clients, or reboot the
    clients (the best is to boot, I have seen GPO`s not being active
    unless a reboot) after changing the GPO.

    Not sure if this applies to your config as you have a DC in the remote
    site, but it is worth a try.

    Best regards

    Stein Waalen
    Norway
    Do not reply to personal e-mail, groups only.

    JesseK <JesseK@discussions.microsoft.com> wrote in message news:<C4D1755F-AD9D-4D3A-AFAD-03B993265667@microsoft.com>...
    > Glenn,
    >
    > I did not have the user accounts in the ou, but had user policy specified.
    > I enabled grou ppolicy loopback proccesing under computer configuration and
    > all is working. Although once the policy was applied it did not allow
    > applciation shortcuts to the desktop and i did not select clear icons in the
    > policy.... wierd. Also the active desktop that specifies a wallpaper is not
    > working. At least the computers are secure now. Thanks.
    >
    > "Glenn L" wrote:
    >
    > > enable userenv logging per
    > > http://support.microsoft.com/default.aspx?scid=kb;en-us;221833
    > > then login as the user that fails to apply the policy and retrieve the
    > > userenv.log file and post it to this thread.
    > >
    > >
    > > --
    > > Glenn L
    > > CCNA, MCSE 2000, MCSE 2003 + Security
    > >
    > >
    > > "JesseK" <JesseK@discussions.microsoft.com> wrote in message
    > > news:B3C89FD6-13A7-4F13-BAB2-0735C8F3C304@microsoft.com...
    > > > Cary,
    > > >
    > > > The link is 56K, but the sites are authenticating to thier site server.
    > > > There are userenv 1000 errors, stating that the domain cannot be found,
    > and
    > > > the computer or user name cannot be found. I checked DNS and all looks
    > well.
    > > > I did nslookup set type=srv and got response from DC's. I checked for
    > > > kerberos, ldap, and gc records in DNS and all exist for the sites. I ran
    > > > gpresult on workstations and the policy's are applied. Remember one
    > policy
    > > > (computer) runs a script and is working. The user policy does not. Only
    > > > remote sites are having trouble applying GPO and most sites have userenv
    > > > errors??? what now?
    > > >
    > > > "Cary Shultz [A.D. MVP]" wrote:
    > > >
    > > > > Er, not necessarily a factor...Sorry for not reading the entire post.
    > > > >
    > > > > But, maybe it is. Which DC is being used to authenticate?
    > > > >
    > > > > Cary
    > > > >
    > > > > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    > > > > news:us3RiOgtEHA.3292@TK2MSFTNGP12.phx.gbl...
    > > > > > Jesse,
    > > > > >
    > > > > > What is the connection speed between the 'HQ' and the remote offices?
    > > > > >
    > > > > > Cary
    > > > > >
    > > > > > "JesseK" <JesseK@discussions.microsoft.com> wrote in message
    > > > > > news:DEB4A32A-0784-41A1-ACAC-E4CA9E95C3EA@microsoft.com...
    > > > > > > I have created a GPO that will be used to lock down workstations. I
    > have
    > > > > > > created a test OU, and linked the GPO to the test OU. I have copied
    > the
    > > > > > > default domain policy to make sure the permissions are right, and
    > changed
    > the
    > > > > > > contents of the policy to my own specificaitons. I have added a few
    > > > > > > workstations from my corp office and all is well. The policy is
    > applied
    > with
    > > > > > > no problem. My problem is that the policy is not being applied to
    > > > > > > workstations in remote sites. My remote sites all have their own
    > DC.
    > The
    > > > > > > GPO has replicated to the remote site sysvol, as I see the object
    > (named
    > by
    > > > > > > GUID), on the remote server. I have added the remote workstation
    > objects
    > to
    > > > > > > the test OU, and this has replcated in AD......yet the policy is not
    > applied.
    > > > > > > Am I missing something. I have compared permissions on the GPO in
    > my
    > site
    > > > > > > and they match the GPO in the remote site. Please help.....
    > Thanks.
    > > > > >
    > > > > >
    > > > >
    > > > >
    > > > >
    > >
    > >
    > >
Ask a new question

Read More

Policy Workstations Windows