Announcement

Collapse
No announcement yet.

Problem with GPresult /RSOP

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Problem with GPresult /RSOP

    Hi all,

    I'm new to this forum but I have an question about GPO and RSOP.
    Few days ago we had to block for some users the Internet access.
    We created an GPO blocked, we blocked the internet of creating an policy to set the proxy at 127.0.0.1 and it worked all fine.

    I created an OU Blocked and linked the GPO to it.
    I put the users in it and all works fine. No problems till now!

    Also I moved my own username in the in the OU for testing, after I noticed all was OK, I moved my username back to the default OU which has further no policies except the default domain policy.

    When I'm now running gpresult /v I can see that the policies are not applied anymore but in the Resultant of Policy the settings still shows up?
    How come? How can I clean this. Also the firewall client still remains even also this GPO is not used anymore....

    Hopefulyl some can help me.
    Thank you.

    Hereby my GP result. I have made red what I mean.

    RSOP data for ***\pven on IT-PAUL : Logging Mode
    ---------------------------------------------------------
    OS Configuration: Member Workstation
    OS Version: 6.1.7100
    Site Name: Default-First-Site-Name
    Roaming Profile: fileserver01\profiles$\pven.V2
    Local Profile: C:\Users\pven
    Connected over a slow link?: Yes

    COMPUTER SETTINGS
    ------------------
    CN=IT-PAUL,OU=Test,OU=BelfeldOffice,OU=***,DC=***e,DC=lo cal
    Last time Group Policy was applied: 10/1/2009 at 9:00:22 AM
    Group Policy was applied from: ***
    Group Policy slow link threshold: 500 kbps
    Domain Name: ***
    Domain Type: Windows 2000
    Applied Group Policy Objects
    -----------------------------
    WSUS
    Default Domain Policy
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Local Group Policy
    Filtering: Not Applied (Empty)
    The computer is a part of the following security groups
    -------------------------------------------------------
    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    This Organization
    IT-PAUL$
    Domain Computers
    System Mandatory Level
    Resultant Set Of Policies for Computer
    ---------------------------------------
    Software Installations
    ----------------------
    GPO: N/A
    Name: Microsoft Firewall Client
    Version: 3.0
    Deployment State: Assigned
    Source: C:\Program Files\Microsoft ISA Server\CLIENTS\
    MS_FWC.MSI
    AutoInstall: True
    Origin: Applied Application
    Startup Scripts
    ---------------
    N/A
    Shutdown Scripts
    ----------------
    N/A
    Account Policies
    ----------------
    GPO: Default Domain Policy
    Policy: MaximumPasswordAge
    Computer Setting: 42
    GPO: Default Domain Policy
    Policy: MinimumPasswordAge
    Computer Setting: 1
    GPO: Default Domain Policy
    Policy: LockoutBadCount
    Computer Setting: N/A
    GPO: Default Domain Policy
    Policy: PasswordHistorySize
    Computer Setting: 24
    GPO: Default Domain Policy
    Policy: MinimumPasswordLength
    Computer Setting: 4
    Audit Policy
    ------------
    N/A
    User Rights
    -----------
    N/A
    Security Options
    ----------------
    GPO: Default Domain Policy
    Policy: PasswordComplexity
    Computer Setting: Not Enabled
    GPO: Default Domain Policy
    Policy: ClearTextPassword
    Computer Setting: Not Enabled
    GPO: Default Domain Policy
    Policy: ForceLogoffWhenHourExpire
    Computer Setting: Not Enabled
    GPO: Default Domain Policy
    Policy: RequireLogonToChangePassword
    Computer Setting: Not Enabled
    N/A
    Event Log Settings
    ------------------
    N/A
    Restricted Groups
    -----------------
    N/A
    System Services
    ---------------
    N/A
    Registry Settings
    -----------------
    N/A
    File System Settings
    --------------------
    N/A
    Public Key Policies
    -------------------
    N/A
    Administrative Templates
    ------------------------
    GPO: WSUS
    KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\ A
    U\ScheduledInstallTime
    Value: 10, 0, 0, 0
    State: Enabled
    GPO: WSUS
    KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\ A
    U\RebootRelaunchTimeoutEnabled
    Value: 1, 0, 0, 0
    State: Enabled
    GPO: WSUS
    KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\ A
    U\NoAutoUpdate
    Value: 0, 0, 0, 0
    State: Enabled
    GPO: WSUS
    KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\ A
    U\UseWUServer
    Value: 1, 0, 0, 0
    State: Enabled
    GPO: WSUS
    KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\ W
    UStatusServer
    Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0
    , 116, 0, 101, 0, 115, 0, 116, 0, 115, 0, 101, 0, 114, 0, 118, 0, 101, 0, 114, 0
    , 0, 0
    State: Enabled
    GPO: WSUS
    KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\ A
    U\RebootRelaunchTimeout
    Value: 160, 5, 0, 0
    State: Enabled
    GPO: WSUS
    KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\ A
    U\AUOptions
    Value: 4, 0, 0, 0
    State: Enabled
    GPO: WSUS
    KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\ W
    UServer
    Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0
    , 116, 0, 101, 0, 115, 0, 116, 0, 115, 0, 101, 0, 114, 0, 118, 0, 101, 0, 114, 0
    , 0, 0
    State: Enabled
    GPO: Default Domain Policy
    KeyName: Software\Policies\Microsoft\Windows\System\AddAdmi n
    GroupToRUP
    Value: 1, 0, 0, 0
    State: Enabled
    GPO: WSUS
    KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\ A
    U\NoAutoRebootWithLoggedOnUsers
    Value: 1, 0, 0, 0
    State: Enabled
    GPO: WSUS
    KeyName: Software\Policies\Microsoft\Windows\WindowsUpdate\ A
    U\ScheduledInstallDay
    Value: 0, 0, 0, 0
    State: Enabled

    USER SETTINGS
    --------------
    CN=Paul van de Ven,OU=Recover Policy,OU=BelfeldOffice,OU=***,DC=***e,DC=local
    Last time Group Policy was applied: 10/1/2009 at 9:00:50 AM
    Group Policy was applied from: doco01.***.local
    Group Policy slow link threshold: 500 kbps
    Domain Name: ***
    Domain Type: Windows 2000
    Applied Group Policy Objects
    -----------------------------
    Default Domain Policy
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Local Group Policy
    Filtering: Not Applied (Empty)
    Restore Policy
    Filtering: Not Applied (Empty)
    The user is a part of the following security groups
    ---------------------------------------------------
    Domain Users
    Everyone
    BUILTIN\Administrators
    BUILTIN\Users
    NT AUTHORITY\INTERACTIVE
    CONSOLE LOGON
    NT AUTHORITY\Authenticated Users
    This Organization
    LOCAL
    rsAdmin
    *** Mailusers
    Domain Admins
    ICT
    DHCP Administrators
    WebProject
    High Mandatory Level
    The user has the following security privileges
    ----------------------------------------------
    Bypass traverse checking
    Manage auditing and security log
    Back up files and directories
    Restore files and directories
    Change the system time
    Shut down the system
    Force shutdown from a remote system
    Take ownership of files or other objects
    Debug programs
    Modify firmware environment values
    Profile system performance
    Profile single process
    Increase scheduling priority
    Load and unload device drivers
    Create a pagefile
    Adjust memory quotas for a process
    Remove computer from docking station
    Perform volume maintenance tasks
    Impersonate a client after authentication
    Create global objects
    Change the time zone
    Create symbolic links
    Increase a process working set
    Resultant Set Of Policies for User
    -----------------------------------
    Software Installations
    ----------------------
    N/A
    Logon Scripts
    -------------
    N/A
    Logoff Scripts
    --------------
    N/A
    Public Key Policies
    -------------------
    N/A
    Administrative Templates
    ------------------------
    N/A
    Folder Redirection
    ------------------
    N/A
    Internet Explorer Browser User Interface
    ----------------------------------------
    GPO: Blocked
    Large Animated Bitmap Name: N/A
    Large Custom Logo Bitmap Name: N/A
    Title BarText: N/A
    UserAgent Text: N/A
    Delete existing toolbar buttons: No
    Internet Explorer Connection
    ----------------------------
    HTTP Proxy Server: 127.0.0.1:80
    Secure Proxy Server: N/A
    FTP Proxy Server: N/A
    Gopher Proxy Server: N/A
    Socks Proxy Server: N/A
    Auto Config Enable: No
    Enable Proxy: Yes
    Use same Proxy: Yes
    Internet Explorer URLs
    ----------------------
    GPO: Blocked
    Home page URL: N/A
    Search page URL: N/A
    Online support page URL: N/A
    Internet Explorer Security
    --------------------------
    Always Viewable Sites: N/A
    Password Override Enabled: False
    GPO: Blocked
    Import the current Content Ratings Settings: No
    Import the current Security Zones Settings: No
    Import current Authenticode Security Information: No
    Enable trusted publisher lockdown: No
    Internet Explorer Programs
    --------------------------
    GPO: Blocked
    Import the current Program Settings: No

  • #2
    Re: Problem with GPresult /RSOP

    Your Problem is because you Global policy setings are "Not Defined" meaning that that can be changed by the user.

    so what yo have done is moved your workstation to a GPO object OU and that policy was applied, i.e. firewall and proxy, when you move out of this container the policy you have is now not defined but you still have the setting applied as you have not changed it.

    Working as intended.

    change the Proxy settings manually and Firewall or make you global policy define the settings you want globally.

    hope this helps
    MCSE 2003; MCTS Vista; Sec+; CCNA
    Attitude Makes The Difference!
    in other words you got to WANT to do it..

    Comment


    • #3
      Re: Problem with GPresult /RSOP

      Originally posted by ikon View Post
      Your Problem is because you Global policy setings are "Not Defined" meaning that that can be changed by the user.

      so what yo have done is moved your workstation to a GPO object OU and that policy was applied, i.e. firewall and proxy, when you move out of this container the policy you have is now not defined but you still have the setting applied as you have not changed it.

      Working as intended.

      change the Proxy settings manually and Firewall or make you global policy define the settings you want globally.

      hope this helps
      Hi Ikon,

      Thanks for your reply, so if I understood well I have to link the Default Domain Policy to the OU were my user account now is in?

      Please let me know.
      Thanks!

      Paul

      Comment


      • #4
        Re: Problem with GPresult /RSOP

        http://forums.petri.com/showthread.php?t=40473

        The post above should help you, see the last reply.
        MCSE 2003; MCTS Vista; Sec+; CCNA
        Attitude Makes The Difference!
        in other words you got to WANT to do it..

        Comment


        • #5
          Re: Problem with GPresult /RSOP

          Originally posted by ikon View Post
          http://forums.petri.com/showthread.php?t=40473

          The post above should help you, see the last reply.
          Hi Ikon,

          I have tested but no result.
          I have enforfed the WSUS policy for example, it is applied.
          In the WSUS policy no software installation is in or proxy setting all is emtpy. because you cannot configure these items to enable and disable.

          Still in gpresult /v the problem exists from my first post..

          Can you help me further perhaps?

          Thanks.
          Paul

          Comment


          • #6
            Re: Problem with GPresult /RSOP

            Ok

            Run "gpotool" on one of your DC's gpotool.exe is found in the windows 2003 resource kit.

            This tool will show any problems with GPO accorss your DC's

            also your log you generated was logging mode, logging mode shows you Currently applied GPO's

            Planning mode will show you what you should recieve from new GPO's like a compare.

            Please post both.

            Thanks
            MCSE 2003; MCTS Vista; Sec+; CCNA
            Attitude Makes The Difference!
            in other words you got to WANT to do it..

            Comment


            • #7
              Re: Problem with GPresult /RSOP

              Hi Ikon,

              This is all information I get..

              Searching for policies...
              Found 9 policies
              ================================================== ==========
              Policy {00D9C5F4-8C0E-43D1-8C98-AB02B9F0AE82}
              Friendly name: WSUS
              Policy OK
              ================================================== ==========
              Policy {03861CEB-7589-461A-B349-6CADF9F696EA}
              Friendly name: GFIMAIL
              Policy OK
              ================================================== ==========
              Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
              Friendly name: Default Domain Policy
              Policy OK
              ================================================== ==========
              Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
              Friendly name: Default Domain Controllers Policy
              Policy OK
              ================================================== ==========
              Policy {6E033083-48B8-49DF-A755-4769A93A8888}
              Friendly name: Blocked
              Policy OK
              ================================================== ==========
              Policy {A1AB0DFE-CFAD-4DD3-9063-1B9D5CEF941C}
              Friendly name: WSUS1
              Policy OK
              ================================================== ==========
              Policy {C469DC60-CC06-407E-A16F-E28F070CA5FD}
              Friendly name: TS Default
              Policy OK
              ================================================== ==========
              Policy {E26EA285-8051-4513-BE73-065DF69A0E75}
              Friendly name: TEST SSO
              Policy OK
              ================================================== ==========
              Policy {F81A5AC0-0758-41E4-B785-186A5377A18D}
              Friendly name: New Group Policy Object
              Policy OK
              ================================================== ==========
              Policies OK

              Can you help me?

              Regards,
              Paul

              Comment


              • #8
                Re: Problem with GPresult /RSOP

                Can you post you RSoP logs for Planning Mode and Logging mode?

                Thanks
                MCSE 2003; MCTS Vista; Sec+; CCNA
                Attitude Makes The Difference!
                in other words you got to WANT to do it..

                Comment


                • #9
                  Re: Problem with GPresult /RSOP

                  Originally posted by ikon View Post
                  Can you post you RSoP logs for Planning Mode and Logging mode?

                  Thanks

                  Hi Ikon,

                  Sorry I was delayed for some time due other problems.
                  Where can I find the logs, I run the logging and Planning mode but after this I see no logging?

                  Can you help me, because my problem still exists?

                  Best regards,

                  Paul

                  Comment

                  Working...
                  X