GPO does not work fully

Toggle sidebar Toggle sidebar
nick

nick

Distinguished
Dec 31, 2007
994
0
18,980
Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have a gpo setup on my windows 2000 AD server. I have 3 groups,
Instructors, Students, and Administrators. I have different policies for each
group. On my local XP Pro Machine, the policies only work for administrators,
What am I doing wrong?

Thanks in advance for your help
 
nick

nick

Distinguished
Dec 31, 2007
994
0
18,980
Archived from groups: microsoft.public.win2000.group_policy (More info?)

I think I found the problem, but I don't know how to fix it.....
when i log on to the local computer using a user name in the administrator
group, gpresult works. When I log on using an instructor or student name,
gpresult gives me the following:

INFO: The policy object does not exist.


how do i fix this?

Thanks

"Nick" wrote:

> I have a gpo setup on my windows 2000 AD server. I have 3 groups,
> Instructors, Students, and Administrators. I have different policies for each
> group. On my local XP Pro Machine, the policies only work for administrators,
> What am I doing wrong?
>
> Thanks in advance for your help
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Nick,

Think about what you are doing for a moment!

GPOs are typically a domain thing. Granted, they apply to four levels:
local, Site, Domain, OU. And, they apply only to the objects that directly
reside in the level to which the GPO is linked. The key words are 'directly
reside'. It seems that you are doing something with groups! Not gonna
happen.

Please explain to us your AD environment ( do the computer account objects
reside in an OU or do they reside in the default COMPUTERS container , at
what level is the GPO linked, are the computer account objects members of
the domain or of a workgroup, etc. etc. etc. ).

We need a lot more information from you....

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Nick" <Nick@discussions.microsoft.com> wrote in message
news:9CB6DDB4-EA90-4BBE-AEF7-18CDF2C9CEF7@microsoft.com...
>I have a gpo setup on my windows 2000 AD server. I have 3 groups,
> Instructors, Students, and Administrators. I have different policies for
> each
> group. On my local XP Pro Machine, the policies only work for
> administrators,
> What am I doing wrong?
>
> Thanks in advance for your help
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

"Nick88" wrote:
> I think I found the problem, but I don't know how to fix
> it.....
> when i log on to the local computer using a user name in the
> administrator
> group, gpresult works. When I log on using an instructor or
> student name,
> gpresult gives me the following:
>
> INFO: The policy object does not exist.
>
>
> how do i fix this?
>
> Thanks
>
> "Nick" wrote:
>
> > I have a gpo setup on my windows 2000 AD server. I have 3
> groups,
> > Instructors, Students, and Administrators. I have different
> policies for each
> > group. On my local XP Pro Machine, the policies only work
> for administrators,
> > What am I doing wrong?
> >
> > Thanks in advance for your help

Hi,

DNS is usually the culprit when GP’s aren’t applying. Check my site to
see if you have the XP dns setup correctly for the workstations
http://www.sd61.bc.ca/windows2000/dns.htm .

Cheers,

Lara

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Group-Policy-GPO-work-fully-ftopict257248.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=796061
 
nick

nick

Distinguished
Dec 31, 2007
994
0
18,980
Archived from groups: microsoft.public.win2000.group_policy (More info?)

sorry about that....

all of the users are located in OUs which are inside another OU called
SBJATC Users (sbjatc is our domain)..... here is the basic set up
sbjatc.local
OU
OU
OU
Sbjatc Users
Instructors
Groupname
Username
Students
Groupname
1st year
Username
2nd year
Username
3rd year
Username
Administrators
Groupname
Username

I have the GPOs for the Instructor OU, the Student OU and the administrators
OU.

The GPO works for the Administrators OU (could this work because these are
also administrators for the local computers?)

anyways.... the instructors, and students when I logon with one of the
usernames gives me "INFO: The policy object does not exist." when i run
gpresult

when i run it on one of the administrators accounts it works fine.

The only thing that doesn't seem to work is the folder redirection on the
administrators GPO. I have that redirected to
\\server\administrator\documents\%username% but it doesn't work...
all of the scripts work, but not the redirection...

Thanks for your help so far.
"Cary Shultz [A.D. MVP]" wrote:

> Nick,
>
> Think about what you are doing for a moment!
>
> GPOs are typically a domain thing. Granted, they apply to four levels:
> local, Site, Domain, OU. And, they apply only to the objects that directly
> reside in the level to which the GPO is linked. The key words are 'directly
> reside'. It seems that you are doing something with groups! Not gonna
> happen.
>
> Please explain to us your AD environment ( do the computer account objects
> reside in an OU or do they reside in the default COMPUTERS container , at
> what level is the GPO linked, are the computer account objects members of
> the domain or of a workgroup, etc. etc. etc. ).
>
> We need a lot more information from you....
>
> --
> Cary W. Shultz
> Roanoke, VA 24014
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "Nick" <Nick@discussions.microsoft.com> wrote in message
> news:9CB6DDB4-EA90-4BBE-AEF7-18CDF2C9CEF7@microsoft.com...
> >I have a gpo setup on my windows 2000 AD server. I have 3 groups,
> > Instructors, Students, and Administrators. I have different policies for
> > each
> > group. On my local XP Pro Machine, the policies only work for
> > administrators,
> > What am I doing wrong?
> >
> > Thanks in advance for your help
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

"Nick88" wrote:
> sorry about that....
>
> all of the users are located in OUs which are inside another
> OU called
> SBJATC Users (sbjatc is our domain)..... here is the basic set
> up
> sbjatc.local
> OU
> OU
> OU
> Sbjatc Users
> Instructors
> Groupname
> Username
> Students
> Groupname
> 1st year
> Username
> 2nd year
> Username
> 3rd year
> Username
> Administrators
> Groupname
> Username
>
> I have the GPOs for the Instructor OU, the Student OU and the
> administrators
> OU.
>
> The GPO works for the Administrators OU (could this work
> because these are
> also administrators for the local computers?)
>
> anyways.... the instructors, and students when I logon with
> one of the
> usernames gives me "INFO: The policy object does not exist."
> when i run
> gpresult
>
> when i run it on one of the administrators accounts it works
> fine.
>
> The only thing that doesn't seem to work is the folder
> redirection on the
> administrators GPO. I have that redirected to
> \serveradministratordocuments%username% but it doesn't
> work...
> all of the scripts work, but not the redirection...
>
> Thanks for your help so far.
> "Cary Shultz [A.D. MVP]" wrote:
>
> > Nick,
> >
> > Think about what you are doing for a moment!
> >
> > GPOs are typically a domain thing. Granted, they apply to
> four levels:
> > local, Site, Domain, OU. And, they apply only to the
> objects that directly
> > reside in the level to which the GPO is linked. The key
> words are 'directly
> > reside'. It seems that you are doing something with groups!
> Not gonna
> > happen.
> >
> > Please explain to us your AD environment ( do the computer
> account objects
> > reside in an OU or do they reside in the default COMPUTERS
> container , at
> > what level is the GPO linked, are the computer account
> objects members of
> > the domain or of a workgroup, etc. etc. etc. ).
> >
> > We need a lot more information from you....
> >
> > --
> > Cary W. Shultz
> > Roanoke, VA 24014
> > Microsoft Active Directory MVP
> >
> > http://www.activedirectory-win2000.com
> > http://www.grouppolicy-win2000.com
> >
> >
> >
> > "Nick" <Nick@discussions.microsoft.com> wrote in message
> > news:9CB6DDB4-EA90-4BBE-AEF7-18CDF2C9CEF7@microsoft.com...
>  > >I have a gpo setup on my windows 2000 AD server. I
> have 3 groups,
>  > > Instructors, Students, and Administrators. I have
> different policies for
>  > > each
>  > > group. On my local XP Pro Machine, the policies only
> work for
>  > > administrators,
>  > > What am I doing wrong?
>  > >
>  > > Thanks in advance for your help
> >
> >
> >

Hi,

1. Have you checked that your DNS is setup correctly? Do your XP
Clients point ONLY to the DC as their DNS (not your ISP) and if you
look in DNS do you see the xp client names with the Correct IP?

2. Did you set permissions or change permissions on your Group Policy
Objects? Eg. If you set any type of permissions they could be messing
with things. Users need the ’read’ on the policy to apply it. I just
don’t change the default settings ever unless it is a specific GPO
that I need access to.

As websites don’t do spacing, it is difficult to see your structure.
Your Group Policy IS on the OU that the Users reside in? Forget the
groups. The Groups can be anywhere and have no affect on GP unless you
are using them to change permissions on the Group Policy itself.

3. Personally I will make a note of the settings, delete all the group
policies EXCEPT the Domain Policy and the Default Domain Controllers
policy (which HAVE to be the default ones created by Install or the
Domain won’t run correctly) and start again.

Cheers,

Lara

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Group-Policy-GPO-work-fully-ftopict257248.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=799747
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

"lforbes" wrote:
> Hi,
>
> 1. Have you checked that your DNS is setup correctly? Do your
> XP Clients point ONLY to the DC as their DNS (not your ISP)
> and if you look in DNS do you see the xp client names with the
> Correct IP?
>
> 2. Did you set permissions or change permissions on your Group
> Policy Objects? Eg. If you set any type of permissions they
> could be messing with things. Users need the 'read' on the
> policy to apply it. I just don't change the default settings
> ever unless it is a specific GPO that I need access to.
>
> As websites don't do spacing, it is difficult to see your
> structure. Your Group Policy IS on the OU that the Users
> reside in? Forget the groups. The Groups can be anywhere and
> have no affect on GP unless you are using them to change
> permissions on the Group Policy itself.
>
> 3. Personally I will make a note of the settings, delete all
> the group policies EXCEPT the Domain Policy and the Default
> Domain Controllers policy (which HAVE to be the default ones
> created by Install or the Domain won't run correctly) and
> start again.
>
> Cheers,
>
> Lara

i posted it from microsoft’s support group site........ the spacing
works fine there......

sbjatc users
>instructors (group policy for instructors)
>> <Username>
> Students (group policy for students)
>> 1st year
>>> <username>
>> 2nd year
>>> <username>
> Administrators (group policy for administrators)
>> <username>

1. DNS doesn’t seem to be a problem....all of the dns is set up
through the windows 2000 server

2.In the GPOs I did set it so the Instrouctor group (instructors) read
and execute as well as the Student (students) and administrators
(administrators)

3. I have done that

Thanks for the help!
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Nick,

So long as the user account objects reside directly in the OUs to which the
GPOs are linked ( or in an OU that is under - not at the same level - as the
OU to which the GPO is linked ) then there should be no problems. UNLESS
you have somewhere ticked the Block Inheritance checkbox. It is important
that the user account objects reside directly in the OU to which the GPO is
linked. Hmmm....I have stated this several times. It could be important!
;-)

So, my first question to you is: the GPO that is to affect the
Administrators - to what OU have you linked it? To the Administrators OU or
to the "username" OU? And is the "username" OU the OU in which the user
account objects directly reside? If you linked it to the "Groupname" OU
then things are not going to work! Er, unless the user account objects that
are to fall under the Scope of Management of this GPO directly reside in
that OU - which I am assuming is not the case! It would seem that you have
answered this question already in your previous post. What happens if you
link it to the "username" OU? In fact, since this one is working I might
just leave it alone!

My second question to you is: the GPO that is to affect the Instructors - to
what OU have you linked it? To the Instructors OU or to the "username" OU?
And is the "username" OU the OU in which the user account objects directly
reside? Again, if you linked it to the "Groupname" OU then things are not
going to work. Again, making the same assumption as in my first question.
It would seem that you have answered this question already in your previous
post. What happens if you link it to the "username" OU?

My third question to you is: the GPO that is to affect the Students - to
what OU have you linked it? To the Students OU or to the "username" OU for
each year? And is the "username" OU the OU in which the user account
objects directly reside? Again, if you linked it to the "Groupname" OU then
things are not going to work. Again, making the same assumption as in my
first question. And, for this GPO - do you have the same GPO for all years
or a different GPO for each year? It would seem that you have answered this
question already in your previous post. What happens if you link it to the
"username" OU?

My fourth question for you is: are you making use of Group Filtering? This
is where you go to the security tab of each GPO and remove the Authenticated
Users security group ( which has both READ and APPLY GROUP POLICY rights )
and replace it with a security group of your choosing! So, if you are doing
this......are you using the correct security group? And in the case of the
Students are you using all of the security groups ( 1st year, 2nd year, 3rd
year, etc. )

My fifth question for you is: the GPOs that you have created are *naturally*
affecting the user configuration side of things. Please correct me if I am
wrong. Are you sure that you have not somehow disabled the user
configuration side of these GPOs? There is a place where you can disable
either one half or the GPO ( either the user configuration or the computer
configuration ) or both!

My sixth question for you is: have you used any of the troubleshooting tools
available to you? GPOTOOL is one such tool that is available to you. So is
GPResult.

My final question to you is: is everything fine and dandy with DNS? I know
that you have answered this already a couple of times but with Active
Directory a lot of things go back to DNS.......

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Nick" <Nick@discussions.microsoft.com> wrote in message
news:A18A9DB6-8E82-4F78-8292-2C08D5FE0B71@microsoft.com...
> sorry about that....
>
> all of the users are located in OUs which are inside another OU called
> SBJATC Users (sbjatc is our domain)..... here is the basic set up
> sbjatc.local
> OU
> OU
> OU
> Sbjatc Users
> Instructors
> Groupname
> Username
> Students
> Groupname
> 1st year
> Username
> 2nd year
> Username
> 3rd year
> Username
> Administrators
> Groupname
> Username
>
> I have the GPOs for the Instructor OU, the Student OU and the
> administrators
> OU.
>
> The GPO works for the Administrators OU (could this work because these are
> also administrators for the local computers?)
>
> anyways.... the instructors, and students when I logon with one of the
> usernames gives me "INFO: The policy object does not exist." when i run
> gpresult
>
> when i run it on one of the administrators accounts it works fine.
>
> The only thing that doesn't seem to work is the folder redirection on the
> administrators GPO. I have that redirected to
> \\server\administrator\documents\%username% but it doesn't work...
> all of the scripts work, but not the redirection...
>
> Thanks for your help so far.
> "Cary Shultz [A.D. MVP]" wrote:
>
>> Nick,
>>
>> Think about what you are doing for a moment!
>>
>> GPOs are typically a domain thing. Granted, they apply to four levels:
>> local, Site, Domain, OU. And, they apply only to the objects that
>> directly
>> reside in the level to which the GPO is linked. The key words are
>> 'directly
>> reside'. It seems that you are doing something with groups! Not gonna
>> happen.
>>
>> Please explain to us your AD environment ( do the computer account
>> objects
>> reside in an OU or do they reside in the default COMPUTERS container , at
>> what level is the GPO linked, are the computer account objects members of
>> the domain or of a workgroup, etc. etc. etc. ).
>>
>> We need a lot more information from you....
>>
>> --
>> Cary W. Shultz
>> Roanoke, VA 24014
>> Microsoft Active Directory MVP
>>
>> http://www.activedirectory-win2000.com
>> http://www.grouppolicy-win2000.com
>>
>>
>>
>> "Nick" <Nick@discussions.microsoft.com> wrote in message
>> news:9CB6DDB4-EA90-4BBE-AEF7-18CDF2C9CEF7@microsoft.com...
>> >I have a gpo setup on my windows 2000 AD server. I have 3 groups,
>> > Instructors, Students, and Administrators. I have different policies
>> > for
>> > each
>> > group. On my local XP Pro Machine, the policies only work for
>> > administrators,
>> > What am I doing wrong?
>> >
>> > Thanks in advance for your help
>>
>>
>>
 
You must log in or register to reply here.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom