Re: GPO testing




Florian,

Here are the steps I used to create and link the GPO:
- In Active Directory Users and Computers created an OU under the domain
called Test OU
- In Active Directory Users and Computers created a security group under
Test OU called Test Group.
- Placed two users in the security group Test Group.
- In GPMC snap-in went to Group Policy Objects, right clicked and
selected New.
- Right clicked on the new policy called "test" and selected edit.
- Went into the User Configuration -> Administrative Templates ->
Control Panel and set "Prohibit access to the Control Panel" to enabled.
- In GPMC right clicked on Test OU and selected "Link an existing GPO.."
and selected "test".
- test now shows up as linked to Test OU in the GPMC.
- Went to the server and ran secedit /refreshpolicy [machine &&
policy]_policy /enforce (two separate commands written in compact form)
- Went to the XP workstation and ran gpupdate /force
- Went to GPMC and right clicked on Group Policy Results and selected
Group Policy Result Wizard and set it to give an RSoP for both users in
Test Group on my XP workstation.
- Now under User configuration -> Group Policy Objects -> Applied GPOs
the only policy listed is "Default Domain Policy" and under User
configuration -> Group Policy Objects -> Denied GPOs the only policy
listed is Local Group Policy which has a Link Location = Local and
Reason Denied = Empty
- Under "Security Group Membership when Group Policy was applied" there
is a list of security groups but my Test Group is not in the list.
Moreover one of the security groups is old and the user has not been a
member of that group for at least a couple of days.

Also, took Toni's advice and downloaded FAZAM 2000. Ran the analysis.
In FAZAM 2000:
Right clicked on the domain and selected Perform analysis
Set the user to testuser (one of my users in Test Group)
Set the machine to my XP workstation
Performed What-if analysis with the scenario where testuser is moved to
the OU called Test OU (which my test GPO is linked to) and the result is
a success!?! When I click on the User Hierarchy -> Test OU the test
GPO comes up and the Order of Precedence = 1. Under Machine Hierarchy
the Test OU is not present probably because there are no machines in
the security group.

Looked at your website and went through the list and I cannot figure
out where I am going wrong.

Cheers,
Scott


Florian Frommherz wrote:
Howdie Scott!

Scott wrote:
Installed the Microsoft User Profile Hive Cleanup Service as you suggested and restarted the XP workstation. Did a secedit /REFRESHPOLICY [machine && user]_policy /ENFORCE on the server. Did a gpupdate /FORCE on the workstation. Then used the RSoP snap-in for the mmc to test to see if the GPO was applied. It wasn't applied and even worse I removed one of my users from a different security group and that was not updated. Under "Security Group Membership when Group Policy was applied." the user is still a member of the security group I removed it from a couple days ago. This is why I have no idea what is going on with this processing of the GPOs and the updating of the policy.

The more I read about your issue, the more complex it might get and the more confused I get. I don't get the thing you write about your security group? Have you changed anything with the NTFS permissions of the Group Policy? Or put a security group into the OU? Group Policies will not work on groups as only users and machines can be a target for Group Policies.

If you have the time, it'd be nice if you could write down the steps you take to create a policy. Do these errors exist with every policy you create or just a particular one?

cheers,

Florian
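
The scoping rule discussed in this thread, as an added example that is not part of the original posts: a small Python model of how user-side GPO links are resolved from the location of the user object, with security-group membership acting only as a filter. The domain name example.com and the user's starting location in CN=Users are assumptions; site and local policy, Block Inheritance, Enforced links and loopback are left out of the model.

```python
# Constructed data mirroring the thread. The domain name example.com and the
# user's starting location in CN=Users are assumptions, not from the posts.
GPO_LINKS = {  # container DN -> GPOs linked there, in link order
    "DC=example,DC=com": ["Default Domain Policy"],
    "OU=Test OU,DC=example,DC=com": ["test"],
}
# Security filtering: principals with Read + Apply Group Policy on each GPO.
SECURITY_FILTER = {
    "Default Domain Policy": {"Authenticated Users"},
    "test": {"Authenticated Users"},
}

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        escaped = (ch == "\\" and not escaped)
    parts.append(cur.strip())
    return parts

def parent_containers(object_dn):
    """Containers holding the object, domain root first, direct parent last."""
    rdns = split_dn(object_dn)[1:]  # drop the object's own RDN
    return [",".join(rdns[i:]) for i in range(len(rdns) - 1, -1, -1)]

def applied_gpos(user_dn, groups, links=GPO_LINKS, filters=SECURITY_FILTER):
    """User-side GPOs in scope: links come from the containers above the
    user object; group membership only filters those links, it adds none."""
    principals = set(groups) | {"Authenticated Users"}
    return [gpo
            for container in parent_containers(user_dn)
            for gpo in links.get(container, [])
            if filters[gpo] & principals]

if __name__ == "__main__":
    groups = ["Test Group"]  # the group object lives in Test OU; the user does not
    # User object outside Test OU: matches the RSoP result in the post.
    print(applied_gpos("CN=testuser,CN=Users,DC=example,DC=com", groups))
    # User object moved into Test OU: matches the FAZAM what-if result.
    print(applied_gpos("CN=testuser,OU=Test OU,DC=example,DC=com", groups))
```

Passing a `filters` mapping in which "test" lists only Test Group shows the second half of the rule: the group then narrows who receives the GPO among users already inside Test OU.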