Group Policies not pushing out to client accounts

  • Group Policies not pushing out to client accounts


    I am using win2k3 as a domain with win2k pro clients, and I am trying to apply group policies to a single OU. The problem is that even though I set the group policies for that OU, doing it via right click ---> properties --> group policy and then editing the policy file, the policies I set do not work when I log into the client computer, such as folder redirection, browser title, administrative templates etc... I have tried re-setting the group policies with the GPMC and have tried disjoining a client computer from the domain and re-joining it to the domain, and the group policies still don't wanna push out to the win2k client.

    Any ideas of why this is happening?

  • #2
    Do you have a normal fast connection to the DC?

    Are your workstations in an appropriate container/OU to apply machine specific policies? Some of the policies apply to machine accounts, not user accounts.


    • #3
      Yes, I have a normal fast connection to the DC, it's connected via a 10/100 switch.

      And in the OU for say I have named "company users", and in that OU I have all the user accounts stored in that container, and that is where I set the group policies (user configurations) like folder redirection, browser title, and IE home page to test. Computers are stored in the default container (computers), I have not touched that.

      Could there be some kind of domain naming problem as well? Cause the server's netbios name is coserver.server.local, but when I have win2k clients join a domain the "coserver" doesn't work, I have to use like a pre-win2k name that I specified during install, ie: coserver1.server.local


      • #4
        To cut a long story short, please try the following: move all machine/computer accounts into the same OU as the users and to where the group policy object exists. If it works, I'll explain later why it did and what you need to change.


        • #5
          Aha, the same thing happened with the local passwords, see my post on security, and when I try to add local admins to machines, the same thing happens.
          But I have all the machines under the same OU, so? Move all the users under this umbrella seems not reasonable, but, who knows



          • #6
            Have you tried turning on verbose GPO logging?
            Guy Teverovsky
            "Smith & Wesson - the original point and click interface"


            • #7
              I think I'm having a string of bad luck!!

              I tried going to that website to see if I can enable GPO verbose in the registry, and what do I find when I get into the registry, no diagnostic folder!!! I have tried putting in the computers and users in the same OU, still no luck, I don't get the simple things I set such as "folder redirection", and putting up a browser title. I did take a look in the event view log, and it showed this under "application"

              Failed to perform redirection of folder My Documents. The new directories for the redirected folder could not be created. The folder is configured to be redirected to <\\server\UsersDocuments\%USERNAME%\My Documents>, the final expanded path was <\\server\UsersDocuments\adminssacc\My Documents>. The following error occurred:
              Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied

              Then I tried creating a folder with the username and used filesvr.msc to share it, still no luck. I also tried uninstalling AD and DNS and reinstalling, and still no luck with the policies. Funny how it worked before, when I first started testing it. Though we are behind a Linksys router though. Should I forward port 53 to the DC?? Or does it matter?


              • #8
                2 things to check:

                1) At the client machine using "at" command schedule a cmd prompt:
                at 21:22 /interactive "cmd.exe"

                when the prompt pops up (will run under Local System Account) try to browse to the GPO policies folder in the SYSVOL:
                \\<your_dc>\SYSVOL\<your_ad_domain_name>\Policies\<GPO_GUID>

                for example, at my box, it looks like:
                (this is the GUID of Default Domain Policy)

                If you fail to, you have either permissions problem or DNS issues.

                2) when you do folder redirection, you need to make sure that the user owns the folder you are redirecting him to. There are sometimes issues even if you give the user Full Control over the folder, but he is not the owner.

                In any case, diagnostics keys are not there by default. Create them, enable verbose logging and drill down the logs to track the exact place the GPO application fails.
                Guy Teverovsky
                "Smith & Wesson - the original point and click interface"


                • #9
                  Thanks for the Help Antid0t

                  K, thanks for all your help, I will have to try that on Weds when I go in again.
                  Would be nice to get it working, I specifically followed the tutorial on this site on installing AD and DNS though, and did it 3 times over to get it down pat, so if it is the DNS I wonder what it could be


                  • #10
                    don't think it worked

                    So I did the "at" command at 21:22 /interactive "cmd.exe"
                    got the prompt and tried to type in the path, kept getting the msg, network path not found, and also tried to simplify it by \\servername\sysvol
                    and I got the same message, either "network path not found" or "file or folder not found...", but when I do it via the run prompt and type it in, I can connect and browse the sysvol. Is there a certain GPO I am supposed to set or something? For the clients to be able to use GPO? Also, I have been able to get my hands on a copy of WinXP, and I tried logging in on an account I made. It takes a LONG time to log in. Is that a sign of something?
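
The checks from post #8 can be run as one script from the Local System prompt. This is an added example, not code posted by anyone in the thread. The script name, its two arguments, and the registry value names (Microsoft's documented diagnostic values, which the thread does not quote) are assumptions, as is the availability of reg.exe, which is built into Windows XP and comes with the Support Tools on Windows 2000.

```batch
@echo off
rem Added example, not from the thread. Client-side checks for the two causes
rem named in post #8 (DNS, SYSVOL access) plus the verbose-logging values.
rem Usage: gpcheck.cmd <ad_dns_domain> <dc_name>   (both are placeholders)
rem Run it from the prompt opened with:  at HH:MM /interactive "cmd.exe"
setlocal
if "%~2"=="" (
    echo Usage: %~nx0 ^<ad_dns_domain^> ^<dc_name^>
    exit /b 2
)
set DOMAIN=%~1
set DC=%~2
set FAIL=0

echo [1] DNS: SRV records a client uses to locate a domain controller
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% 2>&1 | find /i "svr hostname" >nul
if errorlevel 1 (
    echo     FAIL: no SRV answer, check which DNS server this client queries
    set FAIL=1
) else echo     OK

echo [2] SYSVOL: can this security context list the Policies folder
dir "\\%DC%\SYSVOL\%DOMAIN%\Policies" >nul 2>&1
if errorlevel 1 (
    echo     FAIL: cannot list \\%DC%\SYSVOL\%DOMAIN%\Policies
    set FAIL=1
) else echo     OK

echo [3] Verbose logging: create the Diagnostics key and values if missing
set NTCV=HKLM\Software\Microsoft\Windows NT\CurrentVersion
rem Group Policy detail written to the Application event log
reg add "%NTCV%\Diagnostics" /v RunDiagnosticLoggingGroupPolicy /t REG_DWORD /d 1 /f >nul
rem Folder redirection trace, 15 = 0x0F, written to fdeploy.log
reg add "%NTCV%\Diagnostics" /v FdeployDebugLevel /t REG_DWORD /d 15 /f >nul
rem Userenv trace, 65538 = 0x10002, written to userenv.log
reg add "%NTCV%\Winlogon" /v UserEnvDebugLevel /t REG_DWORD /d 65538 /f >nul
echo     Trace files are written under %SystemRoot%\Debug\UserMode

rem Exit code 0 means both reachability checks passed
exit /b %FAIL%
```

A failure in step 1 or 2 under Local System while the same path opens from a logged-on user's Run prompt points at how the machine account resolves and reaches the DC, not at the GPO contents.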