User Policy set but no effect

Anonymous
April 20, 2005 10:22:01 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

What am I doing wrong? I tried to set a simple user policy at the domain
level and even after refreshing on the server with secedit and forcing
gpupdate on a client I don't see a change. Here's more details:

I enforced a screen saver in the \\ default domain policy\user
configuration\administrative templates\\control panel\display folder with
->Hide Screen Saver tab policy, Screen saver executable name policy
(logon.scr), Password protect the screen saver policy, Activate screen saver
policy, and Saver time-out policy.

Went to command line and ran secedit /refreshpolicy user_policy. Nothing
changed when I tested client machines by logging in. Client machines are XP
or Win2000 Pro. Then I ran gpupdate /force on client machines. Still no
changes after testing with new logins.

I don't understand what I'm doing wrong. Thanks for any help.

Sol Rodriguez

--
Computers and music geek. Too bad I'm good at music and it doesn't pay, but
I'm lost with computers and it still pays.
http://www.greenleafave.com

April 22, 2005 3:46:05 PM

First, check to make sure that the permissions of the policy are not
preventing the client machines from applying it. Default permissions for the
policy usually allow Read and Apply Policy to Authenticated Users, which
includes the machines.

Or else, try this...
On the computers that are not applying the policy, look in the
(hidden) folder C:\WINNT\security\templates\policies. There are several
files with extensions -
.dom
.inf

Check the attributes of each file. If the Read-only attribute is set,
delete all the files in that folder and refresh policy with secedit (or a
reboot). That should recreate the files without the Read-only attribute and
the policy should then be applied.

Anonymous
April 25, 2005 1:19:06 PM

Thanks for your help. I'm definitely going to remember those tips for
another time, but I figured out what my problem was. After downloading the
Group Policy Management Console (gpmc.msi) I could see that I accidentally set
the GP for the domain controller instead of the domain. I guess I needed to
take a step back and not be in such a hurry!

"Maggie" wrote:

> First, check to make sure that the permissions of the policy are not
> preventing the client machines from applying it. Default permissions for the
> policy usually allow Read and Apply Policy to Authenticated Users, which
> includes the machines.
>
> Or else, try this...
> On the computers that are not applying the policy, look in the
> (hidden) folder C:\WINNT\security\templates\policies. There are several
> files with extensions -
> .dom
> .inf
>
> Check the attributes of each file. If the Read-only attribute is set,
> delete all the files in that folder and refresh policy with secedit (or a
> reboot). That should recreate the files without the Read-only attribute and
> the policy should then be applied.
June 1, 2009 2:12:39 AM

I have a Win 2000 client that refuses to have its Local Security updated, as defined by my Win 2000 DC's Group Policies. As it turns out, the files in C:\WINNT\security\templates\policies\*.inf & *.dom were indeed set to READ ONLY. Who knows why?! This client computer was created from an image ... but I don't believe that was the cause. I renamed the .DOM and .INF files, then forced a GPUPDATE (in Win 2000, that entails: secedit /refreshpolicy user_policy /enforce *and* secedit /refreshpolicy machine_policy /enforce). Once that completed, my renamed files were actually deleted by the system and replaced with now up-to-date settings from my DC / domain controller.

What led me to the resolve was looking at the C:\WINNT\security\logs\winlogon.log file and seeing the correct GPO names (eg: gpt00001.inf, gpt00002.doc, etc) and then finding the aforementioned files in the POLICIES folder as read-only ... and, of course, with a very old timestamp meaning they weren't being updated.

You would think that Microsoft would create a clearly-worded event log for this situation, stating that the local policy templates could not be deleted / replaced due to the READ-ONLY attribute! But that would make things too easy, I assume. Instead, the only related entry I found was in the Security Log > Category: Object Access > Event ID: 560 > Type: Failure which stated that C:\SYSTEM VOLUME INFORMATION was failing to synchronize.

Once I figured out the issue, I Googled the resolve and found your related post. A little too late but appreciated nonetheless!
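
The check described in the replies above (Read-only attribute and old timestamps on the cached .inf/.dom templates), as an added example that is not part of the original posts. The function names and the 7-day staleness threshold are assumptions; the script only reports and deletes nothing.

```python
import stat
import time
from pathlib import Path

# Folder named in the thread; pass another path for a different system root
# or for an admin-share path to a remote client (assumption).
DEFAULT_DIR = r"C:\WINNT\security\templates\policies"
TEMPLATE_EXTS = {".inf", ".dom"}


def is_read_only(st):
    """True if the Windows Read-only attribute is set (off Windows: no write bit)."""
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_READONLY)
    return not st.st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)


def audit_policy_cache(folder=DEFAULT_DIR, max_age_days=7, now=None):
    """Return [(name, read_only, age_days)] for cached templates that look stuck.

    A file is reported when it is read-only or has not been rewritten for more
    than max_age_days (assumed threshold; policy refresh normally rewrites them).
    """
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file() or path.suffix.lower() not in TEMPLATE_EXTS:
            continue
        st = path.stat()
        age_days = (now - st.st_mtime) / 86400
        read_only = is_read_only(st)
        if read_only or age_days > max_age_days:
            findings.append((path.name, read_only, round(age_days)))
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR
    for name, read_only, age in audit_policy_cache(target):
        flag = "READ-ONLY" if read_only else "writable"
        print(f"{name}: {flag}, last modified {age} days ago")
```

Any file it lists is a candidate for the delete-or-rename step followed by a policy refresh, as described in the replies.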