Re: GPO testing


Also,

I am using the Group Policy Management Console and the RSoP function that allows to test the policy as a particular user. Here is the output from gpresult /USER testuser /Z:


Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 10/18/2006 at 11:25:24 AM



RSOP results for JRCAMERICA\testuser on JRC001 : Logging Mode
--------------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: JRCAMERICA
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\testuser
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=JRC001,CN=Computers,DC=jrcamerica,DC=com
Last time Group Policy was applied: 10/18/2006 at 11:23:56 AM
Group Policy was applied from: jrcnav.jrcamerica.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
JRC001$
Domain Admins
Domain Computers

Resultant Set Of Policies for Computer:
----------------------------------------

Software Installations
----------------------
N/A

Startup Scripts
---------------
N/A

Shutdown Scripts
----------------
N/A

Account Policies
----------------
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: N/A

GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 1

GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: N/A

GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: N/A

GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 42

Audit Policy
------------
N/A

User Rights
-----------
N/A

Security Options
----------------
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled

GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Not Enabled

GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled

GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled

Event Log Settings
------------------
N/A

Restricted Groups
-----------------
N/A

System Services
---------------
N/A

Registry Settings
-----------------
N/A

File System Settings
--------------------
N/A

Public Key Policies
-------------------
N/A

Administrative Templates
------------------------
N/A


USER SETTINGS
--------------
CN=Test E.. User,CN=Users,DC=jrcamerica,DC=com
Last time Group Policy was applied: 10/18/2006 at 11:23:56 AM
Group Policy was applied from: jrcnav.jrcamerica.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
roamingprofiles

Resultant Set Of Policies for User:
------------------------------------

Software Installations
----------------------
N/A

Public Key Policies
-------------------
N/A

Administrative Templates
------------------------
N/A

Folder Redirection
------------------
N/A

Internet Explorer Browser User Interface
----------------------------------------
N/A

Internet Explorer Connection
----------------------------
N/A

Internet Explorer URLs
----------------------
N/A

Internet Explorer Security
--------------------------
N/A

Internet Explorer Programs
--------------------------
N/A


The only policy that gets applied is the DDP. The name of the test GPO is called roaming.

Here's the output from

gpotool /gpo:roaming /verbose

Domain: jrcamerica.com
Validating DCs...
Available DCs:
jrcnav.jrcamerica.com
Searching for policies...
Found 1 policies
============================================================
Policy {D8C95B6E-6028-4A92-B0D6-85AC0C58F3F1}
Friendly name: roaming
Policy OK
Details:
------------------------------------------------------------
DC: jrcnav.jrcamerica.com
Friendly name: roaming
Created: 10/10/2006 8:20:39 PM
Changed: 10/18/2006 3:54:01 PM
DS version: 9(user) 0(machine)
Sysvol version: 9(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A
-00C04FB9603F}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0
000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================

Policies OK


Thanks,
Scott

Florian Frommherz wrote:
Howdie Scott!

Scott wrote:
Working on W2K server. Right now the DDP and DDCP are set to the default settings. Set up a test OU and a test GPO. Linked the GPO to the OU and refreshed the user and machine policy with secedit. The test GPO does not get applied. Only the DDP is showing up as applied. Went through a file from Microsoft on how to debug Group Policy issues and set up a bunch of extended logging but nothing seems to be failing to as to indicate why the test GPO I set up is not be applied. What is the best way to drill down into this problem? Since the DDP is applied there must be some kind of failure. How can I find out more about what is going on?

In addition to Toni's help, I'd like you to post your "extended logging" output to see if we can find you're problem there.

As you wrote you put user accounts into the OU you linked the policy to - did you define User Configuration options? If you still have no clue, try to go through the steps I posted here:

http://www.frickelsoft.net/blog/?p=9

cheers,

Florian
.

Relevant Pages

  • RE: Group Policy Connundrum - Stick with it, its confusing!!!
    ... Configuration object of the GPO (vs. ... Group Policy Connundrum - Stick with it, ... Small Business Server Internet Connection Firewall ...
    (Security-Basics)
  • Re: Move W2K3 server to its own OU seperate from SBS (MyBusiness) OU
    ... have a group policy that defines 'log on locally'. ... Small Business Server Remote Assistance Policy ... GPO: Default Domain Policy ... Computer Setting: 3 ...
    (microsoft.public.windows.server.sbs)
  • Re: GPO Question
    ... Group Policy Processing ... As described earlier in this paper, Group Policy is processed in the ... Local Group Policy Object, ... Any domain-based GPO may be enforced by using the Enforce ...
    (microsoft.public.win2000.group_policy)
  • Re: Automatic Updates on Server Turned on & greyed out - yikes!
    ... Microsoft Windows Operating System Group Policy Result tool v2.0 ... GPO: Default Domain Policy ... Computer Setting: 50 ... GPO: Default Domain Controllers Policy ...
    (microsoft.public.windows.server.sbs)
  • Re: group policy preferences
    ... Microsoft Windows XP Operating System Group Policy Result tool v2.0 ... GPO: ShockwaveTest ... GPO: Default Domain Policy ...
    (microsoft.public.windows.server.active_directory)