    Greetings all. Quick summary - ran my own smallish domain for a while, but now I'm decommissioning that to join my teaching lab machines to the overall university domain.

    During the initial config, we found Computer Config policy isn't being applied (User is, when, to simplify, we moved both user and computer into the OU in question). Quick version: myself and faculty in an OU, lab machines in a few others (one OU per lab), but students will NOT be in those OUs. Sooo, to control certain things like login scripts (that utilize the user name in them to map to different drives) we're going to use loopback to apply the login script among other things - testing that sort of worked so far, but we are paused there, because...

    Many other computer config settings are simply not applying - namely firewall exception config, computer startup scripts (that write to a folder, just to test) and software restriction policy (to test, a path rule on c:\windows\system32\calc.exe). Simple, right? (WOULD those be good tests? Another simpler easy to test one to pick?)

    That computer config is never getting applied. Now, the nitty gritty - there are some campus-wide (3) GPOs on higher OUs whose settings apply. Locals show. LSDOU seems to be working fine, with the exception of my computer config in the specific OU with the GPO. Enforce on the higher OUs is off, and block policy inheritance, when we turned it on, did indeed prevent the higher ones - when enabled, no higher-up computer config. With or without block inheritance, my GPO settings are never the winning GPO, whether the setting is one that conflicts with/overrides a higher-up, or one specifically not in any of the other three (picked to see if it was an override situation).

    (ASIDE - my new overlords use NetIQ and have assigned me very specific perms to my OUs, so I can't see the full settings on the higher-ups. However, my next-higher-up can, and he's verified these things with me.)

    gpresult shows, if I can paraphrase because I'm out of the office, "no data available" for the computer config if we're blocking and mine is the only one. rsop basically ditto.

    My account is not a domain admin, but through GPO, added to local administrators.

    FL is 2008. OS is MDT deployed Win7Sp1.

    Any ideas where to look here? Event log indicates the GPO was processed, just the settings never appear. Turned off loopback in case I was getting myself too loopy... can't get any computer config in MY OU's GPO to apply (although some from higher up are). Going batty figuring out what to check next. Again, enforce is off in the higher-ups, but even with block inheritance on as well, NADA from computer config.

    Is there some permission setting that would allow my user config settings to apply but not the computer config? I suspect the NetIQ tool somehow, but can't say why.

    Where should I look? Try next?

    Thanks for reading my story, just wondering if I'm overlooking something truly stupid. Lost a week on this already.
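    A diagnostic script for the situation described above, added here as an example and not something posted in the thread: it walks the OU chain above the computer object, lists every linked GPO with its Enabled/Enforced state and whether inheritance is blocked at each level, then checks the GPO's status (user/computer half enabled), delegation (Read + Apply) and WMI filter before pulling an RSoP report. It assumes the RSAT GroupPolicy and ActiveDirectory modules and an account that can read the OUs and GPO; the GPO and computer names are placeholders.

```powershell
# Added example (not from the thread). Placeholders: adjust for your environment.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName      = 'Lab345-Policy'    # placeholder: the GPO linked to the lab OU
$ComputerName = 'Desk1Computer'    # placeholder: a lab machine in the child OU

# 1. Where the computer object actually lives (assumes no escaped commas in the DN).
$computerDn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
"Computer DN : $computerDn"

# 2. Walk up every OU above the computer: linked GPOs, Enforced flag, Block Inheritance.
$dn = ($computerDn -split ',', 2)[1]
while ($dn -like 'OU=*') {
    $inh = Get-GPInheritance -Target $dn
    "`n$dn  (BlockInheritance = $($inh.GpoInheritanceBlocked))"
    foreach ($link in $inh.GpoLinks) {
        "   link: {0,-30} Enabled={1} Enforced={2}" -f $link.DisplayName, $link.Enabled, $link.Enforced
    }
    $dn = ($dn -split ',', 2)[1]
}

# 3. GPO status: ComputerSettingsDisabled would leave user settings working and
#    computer settings silent, which is worth ruling out before anything else.
$gpo = Get-GPO -Name $GpoName
"`nGPO '$GpoName' status: $($gpo.GpoStatus)"
if ($gpo.WmiFilter) { "WMI filter: $($gpo.WmiFilter.Name)" } else { "WMI filter: none" }

# 4. Delegation: the computer account (usually via Authenticated Users or Domain
#    Computers) needs both GpoRead and GpoApply for the computer half to process.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission, Inherited, Denied |
    Format-Table -AutoSize

# 5. Resultant Set of Policy for the machine. This needs RPC/WMI reachability to the
#    client; "RPC server unavailable" here points at a firewall between you and it.
$report = Join-Path $env:TEMP "$ComputerName-rsop.html"
Get-GPResultantSetOfPolicy -Computer $ComputerName -ReportType Html -Path $report
"RSoP report written to $report"
```

Run it from an admin PowerShell on a management host; compare the GPO links shown against the GPOs gpresult reports as applied or denied.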

  • #2
    Re: AD Not applying MY computer config

    1. to confirm, the computer account is in the OU where the GPO in question is linked?

    2. Are you using any GPO filtering in the GPO in question?

    3. Block Inheritance does not block settings from parent containers that are Enforced.

    4. Block inheritance only matters if you have settings in a parent GPO that are also set in the child GPO. Block Inheritance prevents the parent GPO settings from applying, unless the parent GPO is Enforced. If no settings are set in the parent GPO then Block Inheritance doesn't do anything. It has no inherited settings to block.

    5. Loopback policy processing affects User Configuration settings. It has no relation to Computer Configuration settings.


    • #3
      Re: AD Not applying MY computer config

      Heya! Thanks for the quick reply. Yeah, I may have babbled a bit there, so let me try to restate the relevant parts...

      1. Yes, well, the OU in question (whose computer config settings aren't being applied) contains the computer account. Well, actually, it's one level deep INSIDE there - roughly:
      --Campus OU -- Parent GPO here
      -----CampusLabs OU -- another GPO here
      ----------Lab345 OU -- My troublesome GPO linked here
      -----------------Lab345Computers OU
      ------------------------Desk1Computer <- this is the computer
      -----------------Lab345Users OU
      -----------------Lab345Printers OU

      So the GPO in question is attached to Lab345. It contains a child OU called Lab345Computers, which actually contains the computer object. There is no GPO linked to Lab345Computers.

      2. Nope - no filtering, WMI filter box be bare.

      3. I agree, block inheritance is ignored by Enforced parents. This was my original suspicion - there was some weird parent GPO that was enforced and cancelling me out somehow.

      4. Guess I was trying to relay that with block inheritance on, the parent Computer config settings are indeed blocked - indeed, NO computer config shows at this point (including that of the GPO in question). Blocking the parents works as expected - with it on, no parent settings; with it off, parent settings, demonstrating enforced is off. Either way though, no computer config from the current OU.

      4a. Unless a blocked but enforced setting wouldn't show in gpresult? When I get to the lab tomorrow, I'll attach the output.

      4b. I went through gpresult, found a setting I saw wasn't set in any of the three parents, and set it for the OU in question. Still a no-show - even though the event log showed the GPO had been processed.

      5. I agree on loopback as well - no relation to computer settings, rather, allowing you to apply user settings from the GPO of an OU that contains only the (relevant) computer object. I mentioned it only to relay that I was taking it out to simplify...

      5a. Although, since enabling loopback is a computer config setting itself, you might say it has SOME relation to computer settings - as in, if computer settings can't be applied, you can't turn loopback on! Loopback was just a goal here - a setting that can't be turned on, among others (firewall, software restriction policy, etc.)

      I think I've covered all the basic basics but I'm expecting I've missed something stupid. It's so weird - I ended up stripping it down to the simplest computer setting, turned on block inheritance just to double check there wasn't some weird thing above me screwing me up... Just not applying. Move the user into that OU? User settings of the GPO apply just fine.

      Thanks for your time... got any ideas, I'll try 'em!



      • #4
        Re: AD Not applying MY computer config

        My bad. I misstated Block Inheritance. It does block any and all settings from the parent GPO from applying, not just those settings that may be set in both the parent and child GPO. - So if you have a setting in the parent GPO and no setting in the child GPO the parent GPO settings are applied unless you use Block Inheritance (unless the parent GPO is Enforced). If you have parent GPO settings that are also configured in the child GPO then the application of those settings is dependent on the state of Block Inheritance and Enforced.

        I'll look for your update tomorrow to see if you've made progress. In the meantime, if I think of anything I'll post it here.


        • #5
          Re: AD Not applying MY computer config

          Forgiven. Honestly, I think it's either a GPO permissions thing (which, with my previous experience, I didn't have to explore much because I was the big dog) or that tool whose name I forget - but I have no clue, obviously. I was told by other techs to expect a "watch out... you're inheriting 10 years of adding a setting at a time, but nobody knows what they all do together" kind of environment. Long story. If I figure it out, I promise to post the answer.

          Maybe I'll post some logs or screenshots tomorrow so y'all can tell me what stupid little thing I missed. I'm still convinced it's me.



          • #6
            Re: AD Not applying MY computer config

            Quick update - getting some occasional "RPC server unavailable" issues running gpresult et al.... using the same DNS servers that the rest of the campus uses, and I seem to have no issues with it. RPC service is running on the client.

            Using the correct time provider, although it reminds me of a story 4 years ago: my server machines were in the datacenter, and my client clocks were drifting with the expected oddities. I say "um, trying to diagnose time, can't connect - is it open in the firewall?" Yes, it is, I'm told...

            I chase it for 4 months... one day, they're like "hey, there's another firewall! It was closed there." Gaaaaaaaaaaa....

            They're starting to think it's a firewall issue somewhere. I'll post back the solution if it helps others - they opened a Microsoft support ticket and I ran a diagnostic and sent it to MS.



            • #7
              Re: AD Not applying MY computer config

              Just a quick update for you... Seems to have been a combination of outdated tools and/or misunderstood permissions. My higher-up guy can push my policies fine with the native tools under his account, but not with the add-on tools (they basically just provide GPO versioning and change tracking). So, a pain, but not insurmountable.

              Thanks for thoughts though!