Announcement

Collapse
No announcement yet.

Group Policy Not Applying Computer Config

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Group Policy Not Applying Computer Config

    Hi Everyone,

    My first of many postings , I am trying to drill group policy into my brain but it getting a little frustrating reading books that have got a 1000+ pages on this topic. So time to ask the professionals

    I have created a group policy and linked it to the OU that I want to test, I am using server 2003 and GPMC by the way. Now I have set a simple lockout policy (2 attempts) for the computer config and just put a random title on internet explorer for a user setting.

    I tried 3 duff passwords and then the correct password and I was still able to logon? how come?. I opened IE and the title was showing the title that I had typed so some of the GP was applied.

    Back to the gpmc, on the settings tab of the policy it is showing the lockout policy as applied, but if I run the GP results wizard on the pc and user I am using it is saying computer settings are not defined?

    Is there something simple I am overlooking here?

    Any help will be very much appreciated guys
    Mark Couch
    A+, MCTS, MCITP(SA, EDA7)
    South Wales, UK.

  • #2
    Re: Group Policy Not Applying Computer Config

    GPResult | more will tell you why a policy wasn't applied.,
    COMPUTER SETTINGS
    ------------------
    CN=XXX01,OU=Workstations,OU=Computers,OU=XXX,DC=XX X,DC=local
    Last time Group Policy was applied: 21/09/2009 at 7:14:03 AM
    Group Policy was applied from: xxx.xxx.local
    Group Policy slow link threshold: 500 kbps
    Applied Group Policy Objects
    -----------------------------
    Small Business Server Windows Firewall
    xxx_WS_EventLogs
    xxx_WSUS_Workstations
    xxx Route Script
    Small Business Server Client Computer
    Small Business Server Remote Assistance Policy
    Default Domain Policy
    xxx_Add_Trusted_CA_Root
    xxx_Password Policy
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Small Business Server Internet Connection Firewall
    Filtering: Denied (WMI Filter)
    WMI Filter: PreSP2
    xxx_Use_Proxy
    Filtering: Not Applied (Empty)
    Small Business Server - Windows Vista policy
    Filtering: Disabled (GPO)
    Local Group Policy
    Filtering: Not Applied (Empty)
    The computer is a part of the following security groups:
    --------------------------------------------------------
    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    xxx01$
    Domain Computers
    This te;lls me that the xxx_use_proxy GPO was not applied to the COMPUTER object, because it's empty.. ie, the settings aren't valid for a computer but are valid for a user.
    If I showed you more of that output, you would see Xxx_use_proxy IS applied to the user object.
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

    Comment


    • #3
      Re: Group Policy Not Applying Computer Config

      Keep in mind that with a 2003 domain, you can only have one password policy per domain.
      Gareth Howells

      BSc (Hons), MBCS, MCP, MCDST, ICCE

      Any advice is given in good faith and without warranty.

      Please give reputation points if somebody has helped you.

      "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

      "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

      Comment


      • #4
        Re: Group Policy Not Applying Computer Config

        Thanks for the replies guys.

        So my next question would be.........is it better to set the pasword lockout policy on the default domain policy? and then this will apply to all the ou's in the domain?

        It dosent really tell you about best policies etc where have read so far
        Mark Couch
        A+, MCTS, MCITP(SA, EDA7)
        South Wales, UK.

        Comment


        • #5
          Re: Group Policy Not Applying Computer Config

          Yes - modify the existing policy rather than creating a new one.

          As for "best", pick the settings which best meet your needs? You'll need to design your policy based on what sort of devices users are accessing the system from, what services they access from those devices, whether they're onsite, offsite or connected over a VPN etc... We can't tell you what the best settings are.
          Gareth Howells

          BSc (Hons), MBCS, MCP, MCDST, ICCE

          Any advice is given in good faith and without warranty.

          Please give reputation points if somebody has helped you.

          "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

          "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

          Comment


          • #6
            Re: Group Policy Not Applying Computer Config

            Originally posted by Couch View Post
            So my next question would be.........is it better to set the pasword lockout policy on the default domain policy? and then this will apply to all the ou's in the domain?
            Yes, when the password policy is configured on the Default Domain Policy it does apply (and the Default Domain Policy should apply) to all the ou's in the domain >> meaning, the pasword policy will affect also the useraccounts created locally in the SAM on all client computers! But more important is that the password policy now will be applied also to the DC - since the domain users exist in the AD the policy should be appliet to the DC. Actually, for the password policy to take affect on Domain users the one DC holding the PDC emulator role should be able to read the password policies from the Default Domain Policy.

            \Rems

            This posting is provided "AS IS" with no warranties, and confers no rights.

            __________________

            ** Remember to give credit where credit's due **
            and leave Reputation Points for meaningful posts

            Comment


            • #7
              Re: Group Policy Not Applying Computer Config

              Thank you for all your help guys. Just by asking a few questions I now have a much better understanding.

              No doubt I will come across some more grey areas that I will need answers to in the future
              Mark Couch
              A+, MCTS, MCITP(SA, EDA7)
              South Wales, UK.

              Comment


              • #8
                Re: Group Policy Not Applying Computer Config

                Train Signal have a Lab on Group Policies and it makes it a lot easier to understand when you see it being done visually rather than read 1,000+ page books.
                1 1 was a racehorse.
                2 2 was 1 2.
                1 1 1 1 race 1 day,
                2 2 1 1 2

                Comment

                Working...
                X