
Author GPO's
Stevet

2002-01-21, 4:15 am

got a win 2k server and win 2k pro boxes. i'm setting policies on the server to be implemented by pro. i'm using the sybex study guide and following their directions but cannot get the policies to work. anyone help!!!

thanks steve t
Joe Blacke

2002-01-21, 8:32 am

Is your network set up as a domain?

Where are you applying the policies?
PotatoHead

2002-01-21, 5:47 pm

Just started playing around with GPO's and they are very neat and interesting. Make sure you are in a domain and you have to log off then back on for them to take effect.
Joe Blacke

2002-01-21, 5:52 pm

quote:
Originally posted by PotatoHead
Make sure you are in a domain and you have to log off then back on for them to take effect.


Logging off/on would only refresh any user assigned GPO's.

To refresh GPO's for machine settings, you can wait 90 minutes plus a randomized offset of up to 30 minutes (no more than 120 minutes total time).

Or you can run secedit /refreshpolicy machine_policy if it is a GPO that affects computers.
PotatoHead

2002-01-21, 5:56 pm

quote:
To refresh GPO's for machine settings, you can wait 90 minutes plus a randomized offset of up to 30 minutes (no more than 120 minutes total time).



Or you can log off and back on for a total of 28 seconds.
Joe Blacke

2002-01-21, 6:09 pm

Logging off and then back on will not refresh GPO's that are applied to the computer. GPO's that are applied to the computer are only applied when:

The machine is rebooted.
The GPO propagation period has expired. This only applies any GPO's that have changed since the last time the policy was applied.
The secedit /refreshpolicy command is run.

GPO's that are applied to USERS are refreshed when you log off and then log back on.

There are 2 levels at which you can apply GPO's. Computers and Users.
PotatoHead

2002-01-21, 6:11 pm

Ok, my fault Joe, I thought you were talking about users, like I said I'm somewhat new to the GPO's. Thanks for clearing that up for me.
Stevet

2002-01-22, 12:43 pm

i got my computers set up in a domain. i'm creating the policies on the server and trying to get them to be applied to various user \ groups but the win 2k pro system won't pick the settings up. is there somewhere that i need to activate them?

please help!
Joe Blacke

2002-01-22, 4:01 pm

Okay, if your computers are set up in a domain, and you are trying to apply the policies by using Active Directory Users and Computers, you need to do the following:

The GPO's will only be applied to users and computers if the policy is set at the domain level, or at an OU level that contains the users and computers. If you set up a policy at an OU level that doesn't hold these users or computers, then it will never apply to those you want.

If you set the policy at the domain level, but there is a policy at the OU level that blocks inheritance, then the domain level policy will not be applied unless it is set to "no override".

All user assigned policies must have the "read and apply group policy" DACLs set for the users whom you want affected.



If you provide the detail as to how you are trying to apply the settings, I can help you further.
Stevet

2002-01-23, 4:33 pm

ok here's what i'm doing. I'm just after a simple policy to block out control panel in the start menu.

on the server i'm going to the active directory users + computers and selecting the OU's properties. i then select the group policy. i add a new policy call it control panel then i click on edit.

i go down to user configuration and select administrative templates and click on control panel and enable the hide control panel. I then apply it and ok it

back on the OU properties page i go to properties and select security and add the OU i give them Read & Apply group policy and tick the no override button and close the window down.

i have no other policies in use except the default domain policy which had everything disabled.

every time i try the policy i reboot the pro computer and then when i log on to the win 2k pro computer the OU still has access to the control panel.

the OU contains just user no admins or any other type of user. what am i doing wrong?
Joe Blacke

2002-01-23, 5:51 pm

Okay, the policy you should enable is the "Disable control panel". You want to be sure that this is set to ENABLED. This will remove control panel from the user's start menu, and prevent them from running it should they go into "my computer".

Now, here is something you said that I don't understand.
"back on the OU properties page i go to properties and select security and add the OU i give them Read & Apply group policy and tick the no override button and close the window down. "

First, you can only apply a group policy to an OU where the user accounts reside. You cannot assign an OU to groups. If the user accounts are not in the OU, or beneath the OU, to which you have been assigning the group policy then the settings will never apply. Even if you go into the properties page and allow them read and assign group policy. Typically, Authenticated Users are assigned the read and apply group policy DACLs on the Group policy. If you haven't modified the security properties of the GPO, then you shouldn't have to assign anybody the read or apply group policy, again as long as their user accounts are in the OU to which you assigned the GPO.

One thing to check is to make sure that you do not have anyone set to the apply group policy to "deny". It's like NTFS permissions, deny overrides any instance where you allow.


Let me give you an example that might help:

Under your domain, you create an OU called "Test". In this OU, you create two users, Test1 and Test2.

If you right click the Test OU, and choose properties, and then click on the Group Policy Tab, Click "new". Call your new policy any name you want, then click on Edit. Go to the User configuration, Administrative Templates, Control panel, and in the details pane, double click on "Disable control panel". Change the Policy to Enabled. Close all windows (the group policy is applied without you having to "save" or "apply them"). Now, if you have multiple domain controllers, you must propagate the policy from the PDC emulator to all the other domain controllers. You can do this by using the Active Directory Sites and Services, or by waiting for propagation to occur. If you only have 1 domain controller, then it should only take a few minutes.

The client computer must be a Windows 2000 client. You must log onto the PC as either Test1 or Test2. The policy should apply without any problems, also provided that there is sufficient network connectivity between the client and domain controller.
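
The scoping rules described in the posts above (link at the domain or an OU, block inheritance, "no override", and the Read and Apply Group Policy permission with deny overriding allow), as an added example that is not part of the original thread. It is a simplified model for reasoning about why a user GPO does not apply, not Windows code; the class names, the domain name example.local and the "Other" OU are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Container:              # a domain or an OU
    name: str
    parent: Optional["Container"] = None
    links: dict = field(default_factory=dict)   # GPO name -> "No Override" flag
    block_inheritance: bool = False

@dataclass
class Gpo:
    name: str
    # Default described in the thread: Authenticated Users get Read + Apply.
    allow_apply: set = field(default_factory=lambda: {"Authenticated Users"})
    deny_apply: set = field(default_factory=set)

def in_scope(gpo, container):
    """True if the GPO is linked at the account's container or inherited from above."""
    blocked, node = False, container
    while node is not None:
        if gpo.name in node.links and (not blocked or node.links[gpo.name]):
            return True           # a blocked link still counts if it is No Override
        blocked = blocked or node.block_inheritance
        node = node.parent
    return False

def explain(gpo, container, groups):
    """Return (applies, reason) for a user in `container` with these group memberships."""
    if not in_scope(gpo, container):
        return False, "not linked at or above the account's OU, or inheritance is blocked"
    if gpo.deny_apply & groups:
        return False, "Apply Group Policy is set to Deny (deny overrides allow)"
    if not gpo.allow_apply & groups:
        return False, "no Read and Apply Group Policy permission"
    return True, "applies"

# Constructed sample directory: domain root plus the "Test" OU from the post.
domain = Container("example.local")                       # hypothetical domain name
test_ou = Container("Test", parent=domain, block_inheritance=True)
other_ou = Container("Other", parent=domain)              # hypothetical second OU
hide_cp = Gpo("Disable control panel")
test_ou.links[hide_cp.name] = False                       # linked at Test, no "No Override"
test1 = {"Authenticated Users"}                           # Test1's group memberships

if __name__ == "__main__":
    for ou in (test_ou, other_ou):
        print(ou.name, explain(hide_cp, ou, test1))
```
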
Stevet

2002-01-23, 11:00 pm

thanks for all your help joe but i still can't get the policy to apply. i did like you said and set up the test group. on my network all i got is the two computers one running server the other running pro. i've got the server set up for dhcp, got no dns and no wins does this affect the policies?

are there any settings i need to apply on the win 2k pro computer?

what the hell am i doing wrong?
PotatoHead

2002-01-23, 11:10 pm

Hmm.. If you're not running DNS then your server is not a domain controller is it?
Stevet

2002-01-23, 11:27 pm

just checked i do have wins and dns running but the policy still won't apply.

are there any settings i need to change on the pro computer?
Joe Blacke

2002-01-24, 2:35 pm

I think what Potatohead and I are asking by "Is your network set up in a domain", is do you have a server set up as a domain controller? Did you run Dcpromo.exe to set up your domain? If you haven't done so, and also made your workstations join the domain, then your policies will not apply.

If your network is set up as a workgroup, then you can only apply your policies locally. Meaning you will have to do so on each individual workstation.


So, before we go any further we need to clarify if your network is running as a domain or as a workgroup. Have you run DCPromo.exe on the server? If so, have your computers joined the domain?

If your network is set up as a domain, the policies should have been applied, just as I described earlier. I did a quick test on a small test network, and it worked perfectly.
Stevet

2002-01-25, 2:41 pm

i'd not run the dcpromo before but when i ran it it said the server was a global catalog server for the domain asked if i wanted to uninstall active directory and change the server to a member server. so i take it that i'm running a domain.

the only other thing i can think of is that i upgraded the win 2k pro system from win 95.
could this have any effect on the system?

i tried implementing a policy domain wide. it worked on the server but not on the pro machine.

thanks again steve
PotatoHead

2002-01-25, 3:41 pm

Are your workstation(s) logging in to the domain or to the local computer?
Stevet

2002-01-26, 4:57 am

yep the server is authenticating log in.
bluhen99

2002-01-28, 11:59 pm

I also find myself having the same problem as you stevet. I have a domain (ran dcpromo) and attempt to apply a GP to an OU with a couple of Test users. I "enabled" the policy to disable change temp internet settings. however the policy doesn't apply when i log on to domain with the user. Hmmmmmmmmm.
wbafrank

2002-01-29, 12:49 am

Instead of confusing anyone even further on this subject go to www.microsoft.com/Windows2000/techi...nt/gptshoot.asp and download gptshoot document.

If it still doesn't work let us know!!
mrfixit

2002-01-29, 9:27 am

quote:
Originally posted by wbafrank
Instead of confusing anyone even further on this subject go to www.microsoft.com/Windows2000/techi...nt/gptshoot.asp and download gptshoot document.

If it still doesn't work let us know!!



Good resource wbafrank! Can really use this, as we are just getting ready to start testing on this. Finally moving off our NT Servers to W2K.
cm2gj

2002-01-31, 12:52 am

I spend almost three weeks with similar problems with GPOs.

I make several tests and i never see the GPO applied to domain users.

I make all simple:

dcpromo
OU
test users
New GPO to OU

i test several times without result.
i test in several locations
with several MCP's / MCSEs, anybody can apply GPO to users in the domain.

Server is win2k adv server
Workstations are win2k pro

best regards
alex
Copyright 2003 - 2008 examnotes.net