Re: New GPO are failing

From: Bruce Sanderson (bsanders_at_junk.junk)
Date: 12/09/04


Date: Wed, 8 Dec 2004 21:30:29 -0800

Settings in the User Configuration part of a GPO are ONLY applied to USER
ACCOUNTS that are present in the OU to which the GPO is linked. If that OU
only has COMPUTER ACCOUNTS, the User Configuration part of the GPO will be
ignored.

If a GPO that ONLY has User Configuration settings is applied to an OU that
has Computer Accounts, RSOP will report that GPO as Empty in the Computer
Configuration part of its report.

That's what the report you posted is saying.

a. The GPO called "Lockdown GPO" is linked to the OU called "Nursing Test
GP" that has the Computer Account for the computer called "OCC38034", but
there are no settings in the Computer Configuration part of that GPO (thus
the GPO is Empty in that sense).

b. The User Account called "Administrator" is in the OU called "Users" and
the only GPO that applies to that OU is the Default Domain Policy (which
does have some User Configuration settings).

So, to get the settings in the Lockdown GPO applied, link it to the OU
containing the Administrator user account (e.g. Users).

However, exercise caution. If you apply this GPO to the Users GPO and all
of your accounts, including Administrator, are in there, you could end up
"locking down" the Administrator account so that it is useless! This is
called "shooting yourself in the foot via GPO".

Better to try out the GPO on an OU that has a less important user account in
it first!

The settings in the User Configuration part of a GPO are applied to the User
whose User Account is in an OU to which the GPO is linked (or inherited)
when that user logs on at any computer.

The settings in the Computer Configuration part of a GPO are applied to the
computer whose Computer Account is in an OU to which the GPO is linked (or
inherited) when that computer starts and periodically thereafter.

(Note that you can use the gpupdate command to get changes to Group Policies
applied immediately (use the command gpupdate /? to see the options
available)).

This is a fundamental, but not necessarily obvious, concept with Group
Policies. For this reason, to keep my life simple, I have established for
myself, these simple rules:

1. do not mix user accounts and computer accounts in the same OU.
2. do not mix User Configuration settings and Computer Configuration
settings in the same GPO
3. link GPOs with User Configuration settings only to OUs with User Accounts
and link GPOs with Computer Configuration Settings only to OUs with Computer
Accounts

Like all simple rules, there are some situations where setting them aside
makes sense, but there must be a good, rational reason for doing so. One
such reason is when "loopback processing" is used, but that's a story for
another day.

End of Lecture!

Hope this helps!

-- 
Bruce Sanderson  MVP
It is perfectly useless to know the right answer to the wrong question.

"jesusq" <jesusq.1gz0a7@mail.mcse.ms> wrote in message 
news:jesusq.1gz0a7@mail.mcse.ms...
>
> I'm having the same problem. I have basically the same settings. The
> only weird thing is that on the GPO, I have a password policy and the
> SUS ADM file configuration. I get the same as stated before. The only
> thing is that the SUS configuration doesn't work, but the password
> policy works.
>
> I only have one OU with one policy.
>
>
>
>
>
> Ted wrote:
>> *Hello,
>>
>> I am running W2K servers sp4, I created a new GPO for a machine OU on
>> a XP
>> pro box in user configuration. The new GPO shows up in AD under the
>> right OU
>> but I receive the below message, what could be causing the  Lockdown
>> GPO
>> Filtering:  Not Applied (Empty)??
>>
>> Any insight would be great!
>> Ted
>>
>> COMPUTER SETTINGS
>> ------------------
>> CN=OCC38034,OU=Nursing Test GP,OU=Labs,DC=Testnet,DC=edu
>> Last time Group Policy was applied: 11/17/2004 at 4:13:52 PM
>> Group Policy was applied from:      mastertn.Testnet.edu
>> Group Policy slow link threshold:   500 kbps
>>
>> Applied Group Policy Objects
>> -----------------------------
>> Default Domain Policy
>> Local Group Policy
>>
>> The following GPOs were not applied because they were filtered out
>> -------------------------------------------------------------------
>> Lockdown GPO
>> Filtering:  Not Applied (Empty)
>>
>> The computer is a part of the following security groups:
>> --------------------------------------------------------
>> BUILTIN\Administrators
>> Everyone
>> BUILTIN\Users
>> NT AUTHORITY\NETWORK
>> NT AUTHORITY\Authenticated Users
>> OCC38034$
>> Domain Computers
>>
>>
>> USER SETTINGS
>> --------------
>> CN=Administrator,CN=Users,DC=Testnet,DC=edu
>> Last time Group Policy was applied: 11/17/2004 at 4:13:52 PM
>> Group Policy was applied from:      mastertn.Testnet.edu
>> Group Policy slow link threshold:   500 kbps
>>
>> Applied Group Policy Objects
>> -----------------------------
>> Default Domain Policy
>> Local Group Policy
>>
>> The user is a part of the following security groups:
>> ----------------------------------------------------
>> Domain Users
>> Everyone
>> BUILTIN\Users
>> BUILTIN\Administrators
>> NT AUTHORITY\INTERACTIVE
>> NT AUTHORITY\Authenticated Users
>> LOCAL
>> Group Policy Creator Owners
>> Exchange Domain Servers
>> Domain Admins
>> Schema Admins
>> Enterprise Admins
>> Exchange Enterprise Servers *
>
>
>
> --
> jesusq
> ------------------------------------------------------------------------
> Posted via http://www.mcse.ms
> ------------------------------------------------------------------------
> View this thread: http://www.mcse.ms/message1230242.html
> 
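An added example, not part of the original post: a read-only PowerShell audit that looks for the mismatch described in the reply, i.e. a GPO whose only populated half (User or Computer Configuration) has no matching accounts under the OU it is linked to. The function name `Test-GpoLinkScope` is hypothetical; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and ignores security filtering, WMI filters, blocked inheritance and loopback processing.

```powershell
# Added example: read-only audit of GPO links versus the kind of accounts in each OU.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are available.
Import-Module ActiveDirectory, GroupPolicy

function Test-GpoLinkScope {
    param(
        # Where to start; defaults to the whole current domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        # Default search scope is Subtree, so accounts in child OUs are counted too,
        # matching the way a linked GPO is inherited downward.
        $users     = @(Get-ADUser     -Filter * -SearchBase $ou.DistinguishedName).Count
        $computers = @(Get-ADComputer -Filter * -SearchBase $ou.DistinguishedName).Count

        foreach ($link in (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks) {
            $gpo = Get-GPO -Guid $link.GpoId

            # A directory version of 0 means that half of the GPO was never edited;
            # RSoP reports such a half as "Not Applied (Empty)".
            $hasUser     = $gpo.User.DSVersion     -gt 0
            $hasComputer = $gpo.Computer.DSVersion -gt 0

            $finding = @()
            if ($hasUser -and $users -eq 0) {
                $finding += 'User settings present, no user accounts under this OU'
            }
            if ($hasComputer -and $computers -eq 0) {
                $finding += 'Computer settings present, no computer accounts under this OU'
            }
            if ($hasUser -and $hasComputer) {
                $finding += 'GPO mixes User and Computer settings'
            }

            if ($finding.Count -gt 0) {
                [pscustomobject]@{
                    OU        = $ou.DistinguishedName
                    GPO       = $gpo.DisplayName
                    Users     = $users
                    Computers = $computers
                    Finding   = $finding -join '; '
                }
            }
        }
    }
}

Test-GpoLinkScope | Format-Table -AutoSize -Wrap
```

In the situation from this thread, the link of "Lockdown GPO" on "Nursing Test GP" would be listed with the first finding, since that OU holds only the computer account.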

