RE: [ActiveDir] only 1 GPO not applying...
Hi,
I'm activating the logging with verbose... do you think it's
enough?
Here is a part of whats in there.
USERENV(210.214) 11:22:59:390 CUserProfile::CleanupUserProfile: Ref
Count is not 0
USERENV(210.1a0) 01:34:18:174 ProcessGPOs: GetGPOInfo failed.
USERENV(208.608) 10:15:07:406 ReadMembershipList: Group
S-1-5-21-1785794336-1158417043-4547331-2117 not in current list of token
groups
USERENV(208.144) 10:15:09:937 PolicyChangedThread: UpdateUser failed
with 0.
USERENV(208.b6c) 13:52:56:848 PolicyChangedThread: UpdateUser failed
with 6.
Here is the complete configuration of the policy that I'm testing with:
ScreenSaver_User
General
Details
Domain Domain
Owner Domain\Domain Admins
Created 15/09/2005 9:07:24 AM
Modified 19/09/2005 3:28:06 PM
User Revisions 10 (AD), 10 (sysvol)
Computer Revisions 1 (AD), 1 (sysvol)
Unique ID {356D9C9D-53A3-49CD-ABB5-}
GPO Status Enabled
Links
LocationEnforced Link Status
Technique No Enabled
Usagers_direction No Enabled
Usagers_inventorieesNo Enabled
Usagers_portables No Enabled
Usagers_portables_valides No Enabled
Usagers_valideesNo Enabled
This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users,
and computers:
NT AUTHORITY\Authenticated Users
Domain\Domain Users
WMI Filtering
WMI Filter Name None
Description Not applicable
Delegation
These groups and users have the specified permission for this GPOName
Allowed Permissions
Inherited
Everyone Read (from Security Filtering) No
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
DOMAIN\Domain Admins Edit settings, delete, modify security No
DOMAIN\Domain Users Read (from Security Filtering) No
DOMAIN\Enterprise Admins Edit settings, delete, modify security No
Computer Configuration (Enabled)
Administrative Templates
System/Logon
Policy Setting
Always wait for the network at computer startup and logon Enabled
User Configuration (Enabled)
Administrative Templates
Control Panel/Display
Policy Setting
Hide Screen Saver tab Enabled
Password protect the screen saver Enabled
Screen Saver Enabled
Screen Saver executable name Enabled
Screen Saver executable name %systemroot%\system32\ssmarque.scr
Policy Setting
Screen Saver timeout Enabled
Number of seconds to wait to enable the Screen Saver
Seconds: 600
Thanks for your help!
Darren: I can send you the result file for the userenv log. It's about
200KB.
You can contact me offlist at mbruyere at gmail dot com.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: September 19, 2005 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] only 1 GPO not applying...
Ok, so in the RSOP report, does it show the setting being applied to the
user? If not, then the next step is to enable userenv logging and see
what it shows when it enumerates the GPOs to process for the user. These
kinds of problems typically break down into:
--infrastructure problems (e.g. DNS, FRS, etc. which usually means no
GPOs apply)
--Configuration problems (e.g. GPO linked wrong, filtered wrong or
blocked by some config. error)
--Client problems (e.g. Required client services not running, issues
with client communicating with DC, etc.)
In your case it sounds like either a config. problem or a client
problem--probably the latter. One thing to double-check--sometimes a
setting gets applied but the client doesn't behave as expected. Look in
the system.adm file and determine what registry value should be set for
that screen saver policy then confirm on the client that it indeed is
not being set. That way you know that it's a problem of not processing
the GPO correctly rather than a problem of the policy not responding the
way you expect.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, September 19, 2005 1:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] only 1 GPO not applying...
Hi,
I thought that this could be a problem... I added domain users
and everyone in the permissions to test things out... still no go.
The gpresult message does not report any filtering (except for the
computers GPOs that have the users section disabled, but the reason
listed is "disabled" which is normal).
Still in the dark ...
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: September 19, 2005 4:00 PM
To:
RE: [ActiveDir] only 1 GPO not applying...
There is no errors, only this Event Type: Success Audit Event Source: Security Event Category: Policy Change Event ID: 806 Date: 19/09/2005 Time: 3:36:07 PM User: AUTORITE NT\SYSTEM Computer: Computername Description: Per User Audit Policy was refreshed. Number of elements: 0 Policy ID: (0x0,0xB72C) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan Sent: September 19, 2005 5:19 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... So setting that policy enabled the computer policy to apply, but the user policy still isn't? are you getting any errors in the event logs? Usually when a group policy does not apply you will get some. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 3:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... Hi, I found that only computer policies applies ;/ The user only policy do not apply, still searching but will appreciate any inputs. It may be permissions issue, I' looking this way. Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: September 19, 2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the " The following GPOs were not applied because they were filtered out" section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ NOTICE: The information contained in this transmission is privileged, confidential, and intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this transmission is strictly prohibited. If you have received this transmission in error, please notify Eze Castle Integration, Inc. by e-mail and destroy the original message and all copies. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
No, its only XP SP2 adm settings, there is only one object push IE config. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: September 19, 2005 5:14 PM To: ActiveDir.org Subject: Re: [ActiveDir] only 1 GPO not applying... Are you deploying any IE branding/customisation in the GPO, if so you will need a hotfix to enable the application of GPO's Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
Hi, That's the first thing I checked ;) they have the read and apply perms. I also added domain users in the perms (with read and apply) just to be sure. Still no go. Thanks for the thought! ;) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: September 19, 2005 4:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... One other thing to look at in the filtering permissions... The user account/group must actually have two rights. It must have the right to read the policy object and the right to apply the policy object. FWIW - Frank -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 4:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... Hi, I thought that this could be a problem... I added domain users and everyone in the permissions to test things out... still no go. The gpresult message does not report any filtering (except for the computers GPOs that have the users section disabled, but the reason listed is "disabled" which is normal). Still in the dark ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: September 19, 2005 4:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... The filtering message you got from RSOP indicates that either security group filtering or WMI filtering may be getting in the way of this. How have you configured security on that GPO? By default, Authenticated Users (meaning all users and computers in the domain) will process a GPO. So if you removed the Authenticated Users ACE you need to replace that with a user group that contains all the users you wish to receive that GPO. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 12:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... Hi, I found that only computer policies applies ;/ The user only policy do not apply, still searching but will appreciate any inputs. It may be permissions issue, I' looking this way. Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: September 19, 2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the " The following GPOs were not applied because they were filtered out" section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] only 1 GPO not applying...
Are you deploying any IE branding/customisation in the GPO, if so you will need a hotfix to enable the application of GPO's Mark -Original Message- From: "Bruyere, Michel" <[EMAIL PROTECTED]> Date: Mon, 19 Sep 2005 14:03:49 To: Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the " The following GPOs were not applied because they were filtered out" section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
So setting that policy enabled the computer policy to apply, but the user policy still isn't? are you getting any errors in the event logs? Usually when a group policy does not apply you will get some. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 3:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... Hi, I found that only computer policies applies ;/ The user only policy do not apply, still searching but will appreciate any inputs. It may be permissions issue, I' looking this way. Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: September 19, 2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the " The following GPOs were not applied because they were filtered out" section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ NOTICE: The information contained in this transmission is privileged, confidential, and intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this transmission is strictly prohibited. If you have received this transmission in error, please notify Eze Castle Integration, Inc. by e-mail and destroy the original message and all copies. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE : [ActiveDir] only 1 GPO not applying...
Hi, Some ideas... 1) check if the "disabled configuration user parameters" is checked on the properties of your gpo: that can avoid users GPO to be applied. 2)is security filtering with a denied ACE applied to authenticated users instead of read & apply ACEs ? 3) is WMI Filter applied with a GPO Denied ? try disable WMI filter 4) what's on the app eventlog ? do u enable userenv log file ? here is a good doc for tsoot GPO: http://www.microsoft.com/downloads/thankyou.aspx?familyId=B24BF2D5-0D7A-4FC5-A14D-E91D211C21B2&displayLang=en Hope it helps Yann De: [EMAIL PROTECTED] de la part de Bruyere, Michel Date: lun. 19/09/2005 21:46 À: ActiveDir@mail.activedir.org Objet : RE: [ActiveDir] only 1 GPO not applying... Hi, I found that only computer policies applies ;/ The user only policy do not apply, still searching but will appreciate any inputs. It may be permissions issue, I' looking this way. Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: September 19, 2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the " The following GPOs were not applied because they were filtered out" section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ <>
RE: [ActiveDir] only 1 GPO not applying...
Ok, so in the RSOP report, does it show the setting being applied to the user? If not, then the next step is to enable userenv logging and see what it shows when it enumerates the GPOs to process for the user. These kinds of problems typically break down into: --infrastructure problems (e.g. DNS, FRS, etc. which usually means no GPOs apply) --Configuration problems (e.g. GPO linked wrong, filtered wrong or blocked by some config. error) --Client problems (e.g. Required client services not running, issues with client communicating with DC, etc.) In your case it sounds like either a config. problem or a client problem--probably the latter. One thing to double-check--sometimes a setting gets applied but the client doesn't behave as expected. Look in the system.adm file and determine what registry value should be set for that screen saver policy then confirm on the client that it indeed is not being set. That way you know that it's a problem of not processing the GPO correctly rather than a problem of the policy not responding the way you expect. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 1:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... Hi, I thought that this could be a problem... I added domain users and everyone in the permissions to test things out... still no go. The gpresult message does not report any filtering (except for the computers GPOs that have the users section disabled, but the reason listed is "disabled" which is normal). Still in the dark ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: September 19, 2005 4:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... The filtering message you got from RSOP indicates that either security group filtering or WMI filtering may be getting in the way of this. How have you configured security on that GPO? By default, Authenticated Users (meaning all users and computers in the domain) will process a GPO. So if you removed the Authenticated Users ACE you need to replace that with a user group that contains all the users you wish to receive that GPO. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 12:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... Hi, I found that only computer policies applies ;/ The user only policy do not apply, still searching but will appreciate any inputs. It may be permissions issue, I' looking this way. Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: September 19, 2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the " The following GPOs were not applied because they were filtered out" section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
One other thing to look at in the filtering permissions... The user account/group must actually have two rights. It must have the right to read the policy object and the right to apply the policy object. FWIW - Frank -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 4:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... Hi, I thought that this could be a problem... I added domain users and everyone in the permissions to test things out... still no go. The gpresult message does not report any filtering (except for the computers GPOs that have the users section disabled, but the reason listed is "disabled" which is normal). Still in the dark ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: September 19, 2005 4:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... The filtering message you got from RSOP indicates that either security group filtering or WMI filtering may be getting in the way of this. How have you configured security on that GPO? By default, Authenticated Users (meaning all users and computers in the domain) will process a GPO. So if you removed the Authenticated Users ACE you need to replace that with a user group that contains all the users you wish to receive that GPO. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 12:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... Hi, I found that only computer policies applies ;/ The user only policy do not apply, still searching but will appreciate any inputs. It may be permissions issue, I' looking this way. Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: September 19, 2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the " The following GPOs were not applied because they were filtered out" section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
Hi, I thought that this could be a problem... I added domain users and everyone in the permissions to test things out... still no go. The gpresult message does not report any filtering (except for the computers GPOs that have the users section disabled, but the reason listed is "disabled" which is normal). Still in the dark ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: September 19, 2005 4:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... The filtering message you got from RSOP indicates that either security group filtering or WMI filtering may be getting in the way of this. How have you configured security on that GPO? By default, Authenticated Users (meaning all users and computers in the domain) will process a GPO. So if you removed the Authenticated Users ACE you need to replace that with a user group that contains all the users you wish to receive that GPO. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 12:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... Hi, I found that only computer policies applies ;/ The user only policy do not apply, still searching but will appreciate any inputs. It may be permissions issue, I' looking this way. Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: September 19, 2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the " The following GPOs were not applied because they were filtered out" section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
Hi, Look within quotes... >Are you applying the policy to an OU that does not have "users"? If so >that is why the GPO is not applying. You would need to do a loopback >processing option for this. Nope, there are user's accounts in the OU. The AD OUs are defined with some OUs for users and some OUs for computers (by dept.) >You need to enable "loopback Processing" This is under >Computer/administrative templates/system/group policy Used it in 1 case and it works fine. I had to apply user settings on a "per computer" basis. Thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
The filtering message you got from RSOP indicates that either security group filtering or WMI filtering may be getting in the way of this. How have you configured security on that GPO? By default, Authenticated Users (meaning all users and computers in the domain) will process a GPO. So if you removed the Authenticated Users ACE you need to replace that with a user group that contains all the users you wish to receive that GPO. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 12:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... Hi, I found that only computer policies applies ;/ The user only policy do not apply, still searching but will appreciate any inputs. It may be permissions issue, I' looking this way. Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: September 19, 2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the " The following GPOs were not applied because they were filtered out" section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
Are you applying the policy to an OU that does not have "users"? If so that is why the GPO is not applying. You would need to do a loopback processing option for this. You need to enable "loopback Processing" This is under Computer/administrative templates/system/group policy What is happening is that your GPO is in a container that contains the computers not the users. So the settings only apply to objects in that OU. Since there are no users in that OU the user settings do not apply, even though they are logging on to machines in that group. By enabling loopback processing you are telling it to apply the user settings to all users of this machine when they log on. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 12:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... Hi, I found that only computer policies applies ;/ The user only policy do not apply, still searching but will appreciate any inputs. It may be permissions issue, I' looking this way. Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: September 19, 2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the " The following GPOs were not applied because they were filtered out" section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
Hi, I found that only computer policies applies ;/ The user only policy do not apply, still searching but will appreciate any inputs. It may be permissions issue, I' looking this way. Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: September 19, 2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the " The following GPOs were not applied because they were filtered out" section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
Nope, I'll try it! Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan Sent: September 19, 2005 2:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] only 1 GPO not applying... Have you tried enabling the "Always wait for the network at computer startup and logon"? it is in computer configuration>administrative templates>system>logon. Dan DeStefano -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the " The following GPOs were not applied because they were filtered out" section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ NOTICE: The information contained in this transmission is privileged, confidential, and intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this transmission is strictly prohibited. If you have received this transmission in error, please notify Eze Castle Integration, Inc. by e-mail and destroy the original message and all copies. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] only 1 GPO not applying...
Have you tried enabling the "Always wait for the network at computer startup and logon"? it is in computer configuration>administrative templates>system>logon. Dan DeStefano -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, September 19, 2005 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] only 1 GPO not applying... Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the " The following GPOs were not applied because they were filtered out" section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ NOTICE: The information contained in this transmission is privileged, confidential, and intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this transmission is strictly prohibited. If you have received this transmission in error, please notify Eze Castle Integration, Inc. by e-mail and destroy the original message and all copies. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] only 1 GPO not applying...
Hi, I have a little problem applying a GPO. SETUP: windows 2k native domain with XPsp2 ADM files. All stations are WinXP sp2. I had a GPO the pushed a screen saver configuration and some other restrictions. I had to split the GPO in 2 because I needed to deploy the Screensaver without the other restrictions. There is a problem woth this new GPO because it just do not apply to any machine/user. I used GMPC on a winXP sp2 with 2k3 adminpak to define and link the GPOs. Note: all other Policies are applied correctly and the one that do not apply isn't listed in the " The following GPOs were not applied because they were filtered out" section... Any ideas? Thanks for your time! List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
