User GPO not applying unless linked to computers

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi,
I'm wondering if anyone has a solution to this problem.
Windows 2003 native domain, Win2k and XP workstations. Single domain, no
trusts, 2 DCs in the primary AD site (both running AD integrated DNS) and 1
DC in a DR site containing no workstations. All clients are pointing to the
AD integrated DNS servers.

I have an OU which contains all computer accounts for the domain. I have
another totally separate (not a child) OU which contains user accounts.

If I create a GPO containing only User settings and link it to the OU
containing the user accounts, the GPO does not take effect. GPResult does not
display the GPO at all, even if I wait for a full day to ensure replication
has taken place before rebooting.

It is not until I link the GPO to the OU containing the Computer accounts
that it begins to work. Linking computer setting GPO's to the computers OU
works fine.

DNS is working fine and everything else is healthy on the network.
The only thing I can think of is loopback policies set to Replace and being
applied to the computer accounts, but I haven't been able to find any.

Any ideas?

--

Andy.
6 answers Last reply
More about user applying linked computers
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Hi,

    Andrew Mitchell schrieb:
    > If I create a GPO containing only User settings and link it to the OU
    > containing the user accounts, the GPO does not take effect. GPResult does not
    > display the GPO at all, even if I wait for a full day to ensure replication
    > has taken place before rebooting.
    > It is not until I link the GPO to the OU containing the Computer accounts
    > that it begins to work. Linking computer setting GPO's to the computers OU
    > works fine.

    It sounds like you are trying to deploy security setting to your
    Users, but even if they are planned to be for users, the security
    settings can only be deployed to computers ...

    CU
    Mark
    --
    Mark Heitbrink - MVP Windows Server
    Homepage: www.gruppenrichtlinien.de
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    It does sound like loopback processing is enabled on the computer OU
    possibly. Try to move one of the computers into the users OU to see what
    happens when a user logs onto it as loopback processing would only be
    applying to computers in the computer OU if enabled only there. If you are
    not using it yet try using Group Policy Management Console and try RSOP in
    logging and planning mode to see what is shown. Verify that user
    configuration is enabled on the GPO and that read and apply permissions are
    correct. If not using default permissions such as authenticated users I like
    to use global groups and not domain local groups in GPO permissions.
    Gpupdate /force first on domain controller and then on user's computer can
    speed up GPO propagation quite a bit. Also when testing be sure to logon and
    logoff at least twice, particularly on XP Pro computers. -- Steve


    "Andrew Mitchell" <amitchell@removecasey.vic.gov.au> wrote in message
    news:Xns95F0A7AE382BAA12F32EDB83F@207.46.248.16...
    > Hi,
    > I'm wondering if anyone has a solution to this problem.
    > Windows 2003 native domain, Win2k and XP workstations. Single domain, no
    > trusts, 2 DCs in the primary AD site (both running AD integrated DNS) and
    > 1
    > DC in a DR site containing no workstations. All clients are pointing to
    > the
    > AD integrated DNS servers.
    >
    > I have an OU which contains all computer accounts for the domain. I have
    > another totally separate (not a child) OU which contains user accounts.
    >
    > If I create a GPO containing only User settings and link it to the OU
    > containing the user accounts, the GPO does not take effect. GPResult does
    > not
    > display the GPO at all, even if I wait for a full day to ensure
    > replication
    > has taken place before rebooting.
    >
    > It is not until I link the GPO to the OU containing the Computer accounts
    > that it begins to work. Linking computer setting GPO's to the computers OU
    > works fine.
    >
    > DNS is working fine and everything else is healthy on the network.
    > The only thing I can think of is loopback policies set to Replace and
    > being
    > applied to the computer accounts, but I haven't been able to find any.
    >
    > Any ideas?
    >
    > --
    >
    > Andy.
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    "Mark Heitbrink [MVP]" <spam-only@gruppenrichtlinien.de> said

    > Hi,
    >
    > Andrew Mitchell schrieb:
    >> If I create a GPO containing only User settings and link it to the OU
    >> containing the user accounts, the GPO does not take effect. GPResult
    >> does not display the GPO at all, even if I wait for a full day to
    >> ensure replication has taken place before rebooting.
    >> It is not until I link the GPO to the OU containing the Computer
    >> accounts that it begins to work. Linking computer setting GPO's to the
    >> computers OU works fine.
    >
    > It sounds like you are trying to deploy security setting to your
    > Users, but even if they are planned to be for users, the security
    > settings can only be deployed to computers ...
    >

    No. It happens with all user settings. The ones I am attempting to apply at
    the moment are logon scripts (not startup scripts), although this problem is
    occuring with any user setting. It won't apply unless I also apply the GPO to
    the OU containing the computers.


    --

    Andy.
  4. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    "Steven L Umbach" <n9rou@nospam-comcast.net> said

    > It does sound like loopback processing is enabled on the computer OU
    > possibly.

    That's what I thought.

    > Try to move one of the computers into the users OU to see what
    > happens when a user logs onto it as loopback processing would only be
    > applying to computers in the computer OU if enabled only there.

    I've tried that and it causes the GPO to work, though I'm not certain if
    that's because the GPO is also being applied to the computer object.

    I'll try creating a temp OU at the domain level and move the computer
    account there to see what happens.

    > If you
    > are not using it yet try using Group Policy Management Console and try
    > RSOP in logging and planning mode to see what is shown.

    Thanks. I'll give that a try.

    > Verify that user
    > configuration is enabled on the GPO and that read and apply permissions
    > are correct.

    Permissions are definitely correct.

    > If not using default permissions such as authenticated
    > users I like to use global groups and not domain local groups in GPO
    > permissions.

    I don't have any Deny permissions on the GPO and I've even set the
    permissions to read and apply for the Everyone group. Still no luck.

    > Gpupdate /force first on domain controller and then on
    > user's computer can speed up GPO propagation quite a bit. Also when
    > testing be sure to logon and logoff at least twice, particularly on XP
    > Pro computers.

    Yep. I've tried all of those an still no good.
    Thanks for the tip on GPMC though. I'll have a look and see what it shows
    up.

    --
    Andy.
  5. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Andrew Mitchell <amitchell@removecasey.vic.gov.au> said

    > "Steven L Umbach" <n9rou@nospam-comcast.net> said
    >
    >> It does sound like loopback processing is enabled on the computer OU
    >> possibly.
    >
    > That's what I thought.
    >
    >> Try to move one of the computers into the users OU to see what
    >> happens when a user logs onto it as loopback processing would only be
    >> applying to computers in the computer OU if enabled only there.
    >
    > I've tried that and it causes the GPO to work, though I'm not certain if
    > that's because the GPO is also being applied to the computer object.
    >
    > I'll try creating a temp OU at the domain level and move the computer
    > account there to see what happens.
    >
    >> If you
    >> are not using it yet try using Group Policy Management Console and try
    >> RSOP in logging and planning mode to see what is shown.
    >
    > Thanks. I'll give that a try.
    >

    Further to this:
    I have applied a GPO containing a user login script to an OU containing the
    users I want to run this script. Everyone has read and apply permissions to
    the GPO. The GPO does not work unless I also link it to the OU containing
    the computer accounts. RSOP shows that the GPO is not applied (it's not
    filtered - just doesn't show up) unless it's linked to the computers OU.
    The strange thing is that when I do this, anyone who is in the Domain
    Admins group also has the policy applied, even if they are not in an OU
    that the GPO is linked to (or a child of that OU).

    RSOP in the GPMC gives an error : "key may not be null. key name is 'key'"
    Checking each GPO in the domain using GPMC shows that they all look OK.

    This is starting to sound like a corrupted AD. Does anyone know of any
    tools to check AD integrity?

    --

    Andy.
  6. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    That is bizarre. I have never experienced such but the error message you get
    does not sound too good. It would be interesting to see what happens if you
    create a new OU that is not a child OU of the "problem" OU with it's own new
    GPO to see if the behavior is repeated. Since you are having unusual
    problems I would run netdiag, dcdiag, and gpotool on at least the pdc fsmo
    domain controller to see if anything unusual is reported. You can
    check/repair AD database with the ntdsutil.exe tool as shown in the link
    below. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;315131 -- please
    read all the fine print before proceeding.


    "Andrew Mitchell" <amitchell@removecasey.vic.gov.au> wrote in message
    news:Xns95F9D0DA2576AAA12F32EDB83F@207.46.248.16...
    > Andrew Mitchell <amitchell@removecasey.vic.gov.au> said
    >
    >> "Steven L Umbach" <n9rou@nospam-comcast.net> said
    >>
    >>> It does sound like loopback processing is enabled on the computer OU
    >>> possibly.
    >>
    >> That's what I thought.
    >>
    >>> Try to move one of the computers into the users OU to see what
    >>> happens when a user logs onto it as loopback processing would only be
    >>> applying to computers in the computer OU if enabled only there.
    >>
    >> I've tried that and it causes the GPO to work, though I'm not certain if
    >> that's because the GPO is also being applied to the computer object.
    >>
    >> I'll try creating a temp OU at the domain level and move the computer
    >> account there to see what happens.
    >>
    >>> If you
    >>> are not using it yet try using Group Policy Management Console and try
    >>> RSOP in logging and planning mode to see what is shown.
    >>
    >> Thanks. I'll give that a try.
    >>
    >
    > Further to this:
    > I have applied a GPO containing a user login script to an OU containing
    > the
    > users I want to run this script. Everyone has read and apply permissions
    > to
    > the GPO. The GPO does not work unless I also link it to the OU containing
    > the computer accounts. RSOP shows that the GPO is not applied (it's not
    > filtered - just doesn't show up) unless it's linked to the computers OU.
    > The strange thing is that when I do this, anyone who is in the Domain
    > Admins group also has the policy applied, even if they are not in an OU
    > that the GPO is linked to (or a child of that OU).
    >
    > RSOP in the GPMC gives an error : "key may not be null. key name is 'key'"
    > Checking each GPO in the domain using GPMC shows that they all look OK.
    >
    > This is starting to sound like a corrupted AD. Does anyone know of any
    > tools to check AD integrity?
    >
    > --
    >
    > Andy.
Ask a new question

Read More

Windows