RE: GPO replication problem
- From: v-mileli@xxxxxxxxxxxxxxxxxxxx (Miles Li [MSFT])
- Date: Tue, 05 Aug 2008 10:40:39 GMT
Hello,
Thank you for posting here.
1. From the description, you want to apply group policies to computers in
different OUs. You can set the policy settings with Computer Configuration
in Group Policy. Computer Configuration typically contains Software
Settings, Windows Settings, and Administrative Templates. However, because
you can add or remove extensions in Group Policy Object Editor, what you
see might be slightly different. Once you have changed the Computer
Configuration in the group policy, you can run "gpupdate /force" to refresh
the group policies applied on the client computers. Please note that you
may need to restart the computer to apply the Computer Configuration.
|
|--desktops_OU
|
|
|--laptops_OU
You can enable "User Group Policy loopback processing mode" if you want to
configure user configuration group policy settings but apply them to an OU
that contains computer objects.
231287 Loopback Processing of Group Policy
http://support.microsoft.com/?id=231287
To narrow down the issue, please answer the following questions:
a) In which group policy object (which OU does the Group Policy object link
to?) do you have the non-applied Windows Setting? Please run "gpupdate /force"
to refresh applied group policies on the clients.
b) Do you configure the Windows Settings under the Computer Configuration
for computer account in the OU instead of the one in User configuration?
c) What are the exact policy settings you have set in the Computer
Configuration--->Windows Settings?
d) You can get the applied Group Policy results on clients through Group
Policy Management Console.
1. On the server that has GPMC installed, log in to the
domain with an administrator account.
2. In the GPMC, process the Group Policy Results Wizard to
collect the RSoP data.
a) Right click Group Policy Results---> Group Policy
Results Wizard.
b) Choose Another computer to point to a client
computer that resides in the OUs and click next.
c) Select the one user and click next.
- In the Summary tab--->User Configuration
Summary--->Group Policy Objects--->Applied GPOs, verify that the GPO that has
policy settings in Windows Settings is properly applied.
- In the Settings tab---> User Configuration, check
whether the Windows settings are listed and properly applied.
You can also export the Group Policy Results report and send it to me
(tfwst@xxxxxxxxxxxxx) for further investigation.
2. In Windows Server 2008 Active Directory, you can use fine-grained
password policies to specify multiple password policies within a single
domain. You can use fine-grained password policies to apply different
restrictions for password and account lockout policies to different sets of
users in a domain. To set the fine-grained password policies for the Domain
Admins group, you may refer to the following steps:
a) Click Start, click Run, type adsiedit.msc, and then click OK.
b) In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect
to.
c) In Name, type the fully qualified domain name (FQDN) of the domain in
which you want to create the PSO, and then click OK.
d) Double-click the domain.
e) Double-click DC=<domain_name>.
f) Double-click CN=System.
g) Click CN=Password Settings Container.
All the PSO objects that have been created in the selected domain appear.
h) Right-click CN=Password Settings Container, click New, and then click
Object.
i) In the Create Object dialog box, under Select a class, click
msDS-PasswordSettings, and then click Next.
j) In Value, type the custom name of the new PSO, and then click Next.
k) Continue with the wizard, and enter appropriate values for all mustHave
attributes (specific password policy setting for Domain Admins group).
You may refer to this tech article for understanding the specific Attribute
name.
Step 1: Create a PSO---> Attribute name chart
http://technet2.microsoft.com/windowsserver2008/en/library/67dc7808-5fb4-42f8-8a48-7452f59672411033.mspx
l) On the last screen of the wizard, click More Attributes.
m) On the Select which property to view menu, click Optional or Both.
n) In the Select a property to view drop-down list, select
msDS-PSOAppliesTo.
o) In Edit Attribute, add the distinguished names of Domain Admins global
security groups such as "CN=Domain Admins,CN=Users,DC=domain,DC=com" that
the PSO is to be applied to, and then click Add.
p) Click Finish.
After you finish setting the fine-grained password policies for the Domain
Admins group, you may verify the applied fine-grained password policies in the
Domain Admins group's property by:
Step 4: View a Resultant PSO for a User or a Global Security Group
http://technet2.microsoft.com/windowsserver2008/en/library/21a35cbb-398d-4ab4-a6f8-39b76fb0323b1033.mspx
Hope it helps. If there's anything else about this issue I can do for you,
please do not hesitate to let me know.
Best regards,
Miles Li
Microsoft Online Partner Support
Microsoft Global Technical Support Center
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
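
Added example, not part of the original post: the PSO that steps a) to p) build in ADSI Edit, written out as an LDIF file that can be imported with ldifde, with the time-based settings converted to the negative 100-nanosecond interval values those attributes store. The PSO name and all setting values are constructed for illustration; the group DN is the example DN from the post.

```python
from datetime import timedelta

def to_i8(delta):
    """PSO time attributes are negative counts of 100-nanosecond intervals."""
    return -int(delta.total_seconds()) * 10_000_000

def build_pso_ldif(name, domain_dn, applies_to, *, precedence, min_length,
                   history, min_age, max_age, lockout_threshold,
                   lockout_window, lockout_duration,
                   complexity=True, reversible=False):
    """Return LDIF text that adds one msDS-PasswordSettings object."""
    # Sanity checks on how the settings relate to each other.
    if precedence < 1:
        raise ValueError("precedence must be 1 or greater")
    if min_age >= max_age:
        raise ValueError("minimum password age must be below the maximum")
    if lockout_window > lockout_duration:
        raise ValueError("observation window cannot exceed lockout duration")
    attrs = [
        ("dn", f"CN={name},CN=Password Settings Container,CN=System,{domain_dn}"),
        ("changetype", "add"),
        ("objectClass", "msDS-PasswordSettings"),
        ("msDS-PasswordSettingsPrecedence", precedence),
        ("msDS-PasswordReversibleEncryptionEnabled", str(reversible).upper()),
        ("msDS-PasswordHistoryLength", history),
        ("msDS-PasswordComplexityEnabled", str(complexity).upper()),
        ("msDS-MinimumPasswordLength", min_length),
        ("msDS-MinimumPasswordAge", to_i8(min_age)),
        ("msDS-MaximumPasswordAge", to_i8(max_age)),
        ("msDS-LockoutThreshold", lockout_threshold),
        ("msDS-LockoutObservationWindow", to_i8(lockout_window)),
        ("msDS-LockoutDuration", to_i8(lockout_duration)),
    ]
    # Step o) of the post: the groups or users the PSO applies to.
    attrs += [("msDS-PSOAppliesTo", dn) for dn in applies_to]
    return "\n".join(f"{key}: {value}" for key, value in attrs) + "\n"

# Constructed sample values; the group DN is the example DN from the post.
SAMPLE = build_pso_ldif(
    "DomainAdminsPSO", "DC=domain,DC=com",
    ["CN=Domain Admins,CN=Users,DC=domain,DC=com"],
    precedence=10, min_length=15, history=24,
    min_age=timedelta(days=1), max_age=timedelta(days=42),
    lockout_threshold=5, lockout_window=timedelta(minutes=30),
    lockout_duration=timedelta(minutes=30))

if __name__ == "__main__":
    print(SAMPLE)  # save as pso.ldf, then import with: ldifde -i -f pso.ldf
```

The generated file assumes ASCII-only names; a PSO or group name with non-ASCII characters would need base64-encoded LDIF values.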