
Group Policies being ignored

May 2, 2012 3:46:32 PM

Hello all,

As part of my work I get sent around various sites checking up on our IT guys and helping them with governance issues.

One of our sites has lost its IT tech on long-term sick and now the other one has retired.

I'm on site now and there is a massive issue with their research lab and I sort of, kind of, have to try to fix it.

I'll try to cover as much as I know. Please bear with me, I'm not a Network Admin or Manager and I have limited experience with that side of IT.

1 x LAN with Internet access
2 x Windows 2k3 32bit servers
32 x Windows 7 64bit Clients
80 x Users with individual profiles

Cyber Patrol's siteSURV software is running on all clients but not the server. This software apparently sends each IP request off to an external server which then validates the request ("apparently").

The problem as far as I can see is that the Group Policies are not being applied. Please understand that they are in fact being shown in GP Results Wizard as being applied, it's just that they aren't!

I've gone ahead and created a new GPO that changes the desktop background and linked that at Domain and OU level and still receive the same default Windows background.

When the techs installed the first server (DC1) they used the Default Domain Policy for the Password policy. (Having done a bit of googling apparently that's not a great practice so I thought I'd put it in here in case that makes a difference to someone).

I know that the Default Domain Policy is working as intended as I have changed the password length policy and have had success with it.

Aside from that the only other thing that doesn't sit well with me is the server setups themselves. DC1 was installed and ran the entire research lab on its own. At some point the techs installed DC2 which was supposed to be a direct replication of DC1 and was supposed to kick in immediately if DC1 failed. However, DC2 does not seem to be a replication as it doesn't have the same roles installed (no DHCP, DNS). Even more strange, DC2 has the profiles stored on it but DC1 doesn't have any of that.

If you read this far then thanks and I sincerely hope you can help. I'm here for another 3 hours tonight and then probably all day tomorrow if I can't get this fixed today.

Any help at all is gratefully received.

May 2, 2012 4:22:20 PM

Are the policies enforced? If a default domain policy is enforced, for example, but then other OUs are added and other Group Policies applied, but not enforced at the OU level or default domain policy level, they won't apply to the machines.


Further clarification.


You have the Default Domain policy

>---default domain password + enforced
v OU *applied regardless of block inheritance

v OU *applied regardless of block inheritance

v OU + policy linked just for that site or policy linked at the domain level, and not enforced then they won't apply.

Another thing I would check is if the LAB OU is in the same domain to which you're trying to apply this policy at the domain level.

Remember that if you're linking the policy at the domain level all the machines will get it, unless the OU is blocking inheritance, which Enforce will override. Confusing I know but I hope this helps.

Regarding your other issues with replication, I know there are a few good TechNet articles which I'll try to find the links to. Generally the problem comes from the site links not being configured correctly in Active Directory Sites and Services. AD doesn't really care if DC2 is in the same building or across the world. It just needs to be linked.

May 2, 2012 4:27:32 PM

tha_vice said:
Are the policies enforced? If a default domain policy is enforced, for example, but then other OUs are added and other Group Policies applied, but not enforced at the OU level or default domain policy level, they won't apply to the machines.


The Default Domain Policy isn't enforced. I shall enforce my test wallpaper change GPO and see what happens.

Have just checked that the Default Domain Policy isn't enforced (it isn't) and have enforced my Wallpaper GPO and then booted from cold my test account and the changes aren't being made.
May 2, 2012 4:35:12 PM

I edited my O.G. Reply.

I think what they did is set the policies in the default domain policy to make it easy, and then added other policies in the OUs, but probably have block inheritance set at the OU level, assuming there are separate OUs for sites or groupings of computers that need different settings :sarcastic:

Best practices say you should have an OU for site-specific policies and make a new policy for each group of changes or major change to an OU, and have a separate policy for each.

That way when something breaks you can see a Group Policy object specific to what is not working instead of one GPO with 1000 settings.
*just like you're doing with the desktop background*

Finding and removing them from the default domain policy won't hurt, just as long as you reattach them in the correct OU to which they should be applying.

OUs keep things simple for groupings. Most of the things in the default domain policy should apply to security. No two sites will be the same, which is where sub-OUs for each site should exist and so on and so forth.

So as long as you treat an OU like an organizer, and not the entire freaking domain, you'll be fine :D  :lol:

Also

Gpupdate /force comes in handy. In this case, because I don't know what the refresh interval for Group Policy refresh is on the machines, probably nothing, because the policies aren't even applying xD

DHCP: typically, unless you want to divide a range of addresses between two DHCP servers, you only have one for a site.

Example 192.168.1.x 254 hosts divided by 2

128 on one DHCP server

128 on another.

DNS: Active Directory integrated is what you want and typically you will only have one per site. Setting up another won't hurt but you'll need to understand what you're doing before adding a 2nd DNS server, just in case the 1st one fails. Which, if I had it my way, I would have 3 different VMs

2 VMs for AD
2 VMs for DHCP
2 VMs for DNS, or 6 boxes; could also have it split between 2 or 3 physical servers. The idea is that you don't want a failure of a mobo shutting down all 3 critical roles.

And 2003 is not fun to perform restores on.

May 2, 2012 5:21:36 PM

Really appreciate your help.

There is no block inheritance on any of the OUs or at the Domain level.

I'm using Group Policy Management and in the Security Filters for each of the GPOs it was just listed as Authenticated Users. I understand this to be all Users minus a few special accounts (Guest etc), I have changed that to now be pointed at the specific group of AD users that I wish the GPO to affect and have updated.

Logging on my test account now to hopefully see the changes reflected.....................or am I barking up the wrong tree?

Again, I really appreciate your help and I shall pass your recommendations on to the site management when I see them next.

May 2, 2012 5:33:01 PM

The above image is the return from my GP Result Wizard. It shows that the Admin_GPO has been loaded but I did not experience the changes that it had reportedly made.

May 2, 2012 6:45:54 PM

My next thought is to look up the issues on TechNet. If you're creating and linking the GPOs to the OUs and they're enforced, you're doing it right. Are there any events in the Windows logs regarding Group Policy?

Also, the GPOs you're creating, are they user policies or computer policies?

If the GPO you're creating affects the user that's going to log in, you'll need to link that to an OU in which the user account resides etc...

If the GPO affects all users that log into the PC then you place the computers in that OU.

From my understanding, and I could be incorrect, you can only apply one or the other in a GPO, either user or computer policies.

Which is why in the domains I've created I place and divide users by dept/site, so when I run into an issue with Group Policy I know the changes I'm making only affect those users in that OU and I don't have to nest or work around policies I don't need because those computers or users are in a sub-OU of an OU. I would also check to see if this could be the case as well.

http://social.technet.microsoft.com/Forums/en-US/winser... check here and see if this applies.

Also, there's a good chance that they never did what is talked about in here.

http://social.technet.microsoft.com/Forums/en/winserver...

May 3, 2012 7:41:02 AM

Thought I'd got it sorted. Authenticated Users were labelled under the Security Filter. I changed that to the AD group which I wish the GPO to affect.

After I did that I had partial success - the old IT tech account picked up the changes but my temp admin account didn't (although it was a direct copy of the IT tech AD account).

Just having a look at those 2 links, they look promising. One specifically mentions not being able to change the wallpaper.

Bah! I really didn't want to spend more time on this today (still have the original job to do that I came here for 3 days ago) but needs must.

May 3, 2012 4:10:08 PM

It really sounds to me like they got two things mixed up: which GPOs are applying to where, and whether or not they are user or computer specific.

I hope you can get this sorted out :)  or at least bring it to the IT team's attention.
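
One way to check the points raised in this thread in a single pass (user vs. computer half of the GPO, link scope and enforcement, security filtering, consistency between the two DCs), as an added example that is not part of any poster's reply. It assumes the GroupPolicy PowerShell module that ships with GPMC/RSAT; the GPO name and OU path are placeholders, and `DC1`/`DC2` are assumed to be the host names of the two servers described in the first post.

```powershell
# Added diagnostic sketch. Placeholders: $GpoName, $TargetOU. Assumed host names: DC1, DC2.
Import-Module GroupPolicy

$GpoName  = 'Wallpaper Test'                     # placeholder GPO name
$TargetOU = 'OU=Lab Users,DC=example,DC=local'   # placeholder: OU that holds the USER accounts

# 1. Read the GPO from each domain controller and compare what they hold.
foreach ($dc in 'DC1', 'DC2') {
    $gpo = Get-GPO -Name $GpoName -Server $dc
    "[$dc] GpoStatus = $($gpo.GpoStatus)"

    # Wallpaper is a User Configuration setting. With the user half disabled the
    # GPO can still be reported as applied while the setting itself is skipped.
    if ("$($gpo.GpoStatus)" -match '^(User|All)SettingsDisabled$') {
        Write-Warning "[$dc] user settings are disabled in '$GpoName'"
    }

    # Each half has one version in AD and one in SYSVOL; a mismatch means the
    # directory and the file share on this DC are out of step.
    foreach ($side in 'User', 'Computer') {
        $v = $gpo.$side
        if ($v.DSVersion -ne $v.SysvolVersion) {
            Write-Warning "[$dc] $side half: AD=$($v.DSVersion) SYSVOL=$($v.SysvolVersion)"
        }
    }
}

# 2. Links that reach the OU, in precedence order, with Enabled/Enforced state.
#    User settings follow the OU of the user account, computer settings the OU
#    of the computer account, so point $TargetOU at the right one.
$inh = Get-GPInheritance -Target $TargetOU
"Block inheritance on target OU: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced, Target -AutoSize

if (-not ($inh.InheritedGpoLinks |
          Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled })) {
    Write-Warning "'$GpoName' has no enabled link that reaches $TargetOU"
}

# 3. Security filtering: only trustees holding Apply receive the GPO. A user
#    added to a filter group picks up the membership at the next logon.
#    (The Windows 7-era module names this cmdlet Get-GPPermissions.)
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { "Apply: $($_.Trustee.Name) ($($_.Trustee.SidType))" }
```

On an affected client, `gpresult /r /scope user` run as the test account lists the GPOs that were applied and those that were filtered out, with the reason for each.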