GPO doesn't work for an OU
-
Friday, April 27, 2012 1:20 PM
Hi!
I know someone has already asked for the same thing but I didn't find that one very helpful... I have an OU which includes my PC. I've created a GPO for the OU, but the changes I make don't apply to my computer. Should creating new GPOs be this easy or what am I doing wrong? No errors of any kind appear, my PC just works like the GPO wouldn't exist at all. I wouldn't like to use only the Default Group Policy for the changes I want to make. Thanks!
All Replies
-
Friday, April 27, 2012 3:53 PM
I definitely agree with you about not editing the default policy. I recommend setting up separate GPOs for different purposes - for example, I have one for Office, one for IE, another one for ForeFront, etc. Aside from the obvious organizational benefits, this lets me unlink a GPO that's acting badly, so I can fix it without affecting other policies.
Several thoughts come to mind about your question. Group Policy Objects can contain computer settings, user settings, or both. If you link a GPO to an OU containing computers, no user settings will apply. And vice versa - computer settings won't process in an OU containing users. There are two options for this: create GPOs that only contain the same type of settings as the OU, or link a GPO with both computer and user settings higher up so it covers both OUs. For example, you could link a GPO with both types of settings to the MyBusiness OU, or at the domain level.
Once you've created your policy and linked it at the appropriate level, either restart the client PC or do Start -> Run -> gpupdate /force to apply the policy. Then you can do Start -> Run -> RSOP.msc to generate a console showing all the policies that got applied to that PC and user account. See if your policy shows as applied.
If you have the policy linked to the appropriate OU, and you restart and login without the policy getting applied, your next step would be to check the system and application logs for errors. You're most likely to find them on the client PC where the policy didn't apply correctly, but if you don't find anything there you could check the server as well.
And if you're still not getting anywhere, please post back with more specifics about the settings you're trying to apply.
Dave Nickason - SBS MVP
-
Saturday, April 28, 2012 4:01 PM
Hi, thank you very much for your reply!
Actually, I have two OUs for testing: one includes my PC and in the linked GPO there are only computer configurations made. The other OU includes users (=me) and in the linked GPO there are only user configurations made. Both GPOs have been linked only to these OUs. I've been trying to restart the client PC and the server also, but nothing seems to help. Only the changes I make to the default GPO take effect. I have also tried to delete the badly acting GPOs and tried to re-create them, but no, it doesn't work.
I'm a beginner with Windows servers, so I have to admit I don't know how to explore the logs :S That's also the reason why I have only one computer with Windows 7 Pro; I will upgrade my other Windows computers later this year. First I just would like to get everything working. I also didn't realize how to check the active GPOs from RSOP.
Is it possible that SBS11 Essentials doesn't allow me to create more than one GPO?
And at the end it's time to apologize for my bad English and thank you one more time for your help :)
-
Saturday, April 28, 2012 7:56 PM
SBS will let you create as many GPOs as you want, so that's not the problem.
To check the event logs on either the server or on a client PC, open Start and right-click Computer; on the resulting menu, click Manage. Accept the UAC prompt and in the resulting console, left pane, expand Event Viewer and Windows Logs. In this case, you're looking at the System and Application logs. If you note the time when you reboot, you can just look at log entries since that time. You're looking at warnings (yellow) and errors (red). Any time a group policy doesn't get applied, something should be logged, most often on the client PC.
Since changing the default GPO is working as expected, you could try linking your new GPO at the same level as the default policy. In the Group Policy Management Console, you'll see Forest: yourdomain.local. Under that, Domains, and under that, yourdomain.local. Under that last yourdomain.local you can see all the policies that are applied at the domain level, including Default Domain Policy. Right click that yourdomain.local and select "Link an existing GPO" - then from the list, choose your new GPO and see if it works when linked at that level.
Your English is fine - no problem there.
Lastly, if you're interested in group policy, you could buy the book "Group Policy Fundamentals, Security, and the Managed Desktop," by Jeremy Moskowitz. I've found it to be an easily understandable and very complete reference - definitely one of the most useful tech books in my library.
Dave Nickason - SBS MVP
- Marked As Answer by Sean Zhu -Moderator Tuesday, May 01, 2012 7:14 AM
- Unmarked As Answer by Aleksiv95 Tuesday, May 01, 2012 5:29 PM
-
Tuesday, May 01, 2012 5:29 PM
Hi!
Ok, I found the logs and some errors and warnings. Error 1058 is about group policies, but I don't know if it applies to my problem (it's a couple of days old). I would copy it here but I assume nobody speaks Finnish here. But it's something like "Windows couldn't use a group policy. Windows tried to read file \\DOMAIN1B\... from the domain controller, but couldn't manage to do it. Group policy configurations may not be used until this problem is solved. The problem may be temporary or the reason may be one of the following: a) network connection failure to the domain controller, b) replication something (not my case), c) DFS has been removed." And I don't know if it's possible to see the logs in English in Finnish Windows :)
An error 5719 is logged every single day. It says "this computer couldn't set up a secured session". Is it serious? Can you tell me what I should do about it?
I tried to create a GPO at the same level as the default policy and it works perfectly. Only the GPOs that are only linked to a specific OU don't work.
Just in case the problem is about this... My domain name is DOMAIN1B (my imagination is not very good). Is it OK to include 'domain' in the internal domain name? When Windows asked me to name the internal domain name, there was a list of words that must not be included in the name but I cannot remember if one of them is DOMAIN.
I have two books in Finnish about Windows servers and there is something about group policies in them, too. I'm just a guy who learns new things by doing them, not by reading about them :)
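The replies above point at the System and Application logs, and this post names the IDs that turned up (1058, 5719, and later 1503 and the 0x8007xxxx codes). Below is an added example, not from the thread, that pulls those events since the last boot from the System and Application logs plus the Group Policy operational log and annotates them. Event IDs are the same in every UI language, so a Finnish log can be triaged by ID even when the message text can't be posted. The Note texts are this example's own one-line summaries of what the IDs mean; run it in an elevated PowerShell on the client PC (or on the DC).

```powershell
# Added example (not from the thread): Group Policy event triage since last boot.
# Event IDs do not depend on the UI language, so the Note column works on a
# Finnish Windows too. The Note/HRESULT texts are this example's summaries.
$os       = Get-WmiObject Win32_OperatingSystem
$lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)

# IDs that appear in this thread, with what they usually mean
$known = @{
    1058 = 'GP preprocessing: could not read the GPO file (gpt.ini) from SYSVOL on the DC'
    5719 = 'NETLOGON: no DC could be reached to set up the secure channel (DNS / DC locator)'
    1500 = 'GP processed for the computer, no changes since last time'
    1501 = 'GP processed for the user, no changes since last time'
    1502 = 'GP processed for the computer, new settings applied'
    1503 = 'GP processed for the user, new settings applied'
}
# HRESULTs that show up in the per-setting failure events on the client
$codes = @{
    '0x80070005' = 'access denied: the computer or user account cannot read the GPO (delegation / security filtering / SYSVOL ACLs)'
    '0x80070002' = 'file not found: a GPO file is missing on the DC the client talks to (SYSVOL replication or wrong DNS server)'
}

# Criticals, errors and warnings since boot from the three logs...
$problems = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'System', 'Application', 'Microsoft-Windows-GroupPolicy/Operational'
    Level     = 1, 2, 3
    StartTime = $lastBoot
}
# ...plus the informational "policy processed" events, which show whether
# processing ran at all (1500-1503) even when nothing visibly changed.
$processed = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Id        = 1500, 1501, 1502, 1503
    StartTime = $lastBoot
}

$report = foreach ($e in (@($problems) + @($processed) | Sort-Object TimeCreated)) {
    if ($e -eq $null) { continue }          # a log with no hits yields $null
    $note = $known[[int]$e.Id]
    foreach ($code in $codes.Keys) {
        if ($e.Message -and $e.Message -match $code) { $note = "$note $($codes[$code])".Trim() }
    }
    New-Object PSObject -Property @{
        Time   = $e.TimeCreated
        Log    = $e.LogName
        Id     = $e.Id
        Level  = $e.LevelDisplayName
        Source = $e.ProviderName
        Note   = $note
        Text   = ($e.Message -split "`r?`n")[0]   # first line only, whatever the language
    }
}
$report | Select-Object Time, Log, Id, Level, Source, Note, Text | Format-Table -AutoSize -Wrap
```

If 1058 or 5719 appears but none of 1500-1503 does, processing never completed and the DC could not be reached or read; if 1502/1503 appears with no errors, the policy was processed and the problem is in what it contains or who it is filtered to.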
-
Tuesday, May 01, 2012 9:47 PM
Any help here?
Event ID 1058 — Group Policy Preprocessing (Networking) http://social.technet.microsoft.com/wiki/contents/articles/1456.aspx
Dave Nickason - SBS MVP
-
Wednesday, May 02, 2012 5:48 AM
Not actually... In the article it's told that everything should be OK if one of the event IDs 1500-1503 is logged; there is event ID 1503 logged in my logs (today) which tells me "new group policy object user configurations have been put to use." But I still can't see any effect. I have made multiple changes to my test GPO, changes I've considered workable in the default GPO; now these settings haven't been configured in the default GPO but in my test GPOs.
Is the next step to re-install whole windows? And I'm still wondering if my internal domain name is ok with word 'domain' in it.
-
Wednesday, May 02, 2012 6:07 PM
Am I remembering correctly that if you edit the Default Domain Policy, your policies apply as expected? If so, the issue is one of configuration - you wouldn't have a situation where some properly configured policies would apply while others would not.
"Domain" is not a problem. See http://support.microsoft.com/kb/909264 and scroll way down to the bottom to see the list of reserved words - domain is not on it.
Does RSOP.msc show any policies applying correctly?
Do you have another client PC where you can test this? There could be errors with group policy application on that one PC. If you have one where group policy works, I'd compare an ipconfig /all between the two to make sure networking is configured correctly.
My general policy is to never reinstall Windows in the absence of a diagnosed problem indicating that a reinstall is required. If nothing else, you might go to all that work, only to end up in the same place.
Dave Nickason - SBS MVP
-
Thursday, May 03, 2012 2:20 PM
Yes, that's right. When I edit the Default Domain Policy (or any other policy that is at the same level as the Default Policy), all the changes I make apply as expected. The changes I make to the policies that are only linked to OUs (and are not linked at the domain 'root' level) never apply. I agree with you - it seems not to be possible. I've tried to make dozens of different configurations in different group policies with desktop icons, control panel settings, IE settings, folder redirections, network mappings... Let's say I have a Policy A which is at the same level as the Default one, and a Policy B which is linked to an OU. All the configurations I make work perfectly with Policy A; then I set the configurations to "not configured" and make the same kind of configurations in Policy B with some differences so I will recognize which change it's about. Old icons disappear as expected but the new ones never appear. The old configurations stay in the control panel no matter what I do with the GPOs.
When I run RSOP.msc, I can't see any other GPO settings than the Default Domain Policy's. Actually, I can't even see all the Default Policy configurations that have correctly been applied.
Unfortunately I don't have another PC with Windows 7 Professional :( It's a difficult situation for me, because if I can't solve this problem there is no need to buy Professional upgrades. And I can't afford something that's unnecessary :) I've checked ipconfig /all many times and everything seems to be OK. Primary DNS points to my Domain Controller etc.
-
Thursday, May 03, 2012 10:13 PM
When you r-click the Default Domain Policy in the GP Management Console, you'll notice there's a check mark next to "Link Enabled." On the newly created policies that are linked at the OU level, you see that check on those as well, right? If not, just click that menu item to enable the link, and we'll both pretend we thought of this days ago, especially me : -) There's a difference in the icon appearance when the link isn't enabled, but the difference is so slight it's easy to overlook.
Dave Nickason - SBS MVP
-
Friday, May 04, 2012 12:37 PM
I wish the solution would have been that easy :D but no, the GPOs have been linked, that was actually the first thing I checked when I noticed this problem. I've also tried to unlink and relink the policies with windows restart in between but it doesn't help. Though, there would be no sense if it had helped. Should "Enforced" also be enabled? What does it even mean? This starts to be a little frustrating - I don't know whether to laugh or cry... :P
-
Friday, May 04, 2012 5:32 PM
I'm with you on the laugh or cry. "Enforced" shouldn't be necessary - if you have two GPOs with conflicting settings, the Enforced one will trump the other.
If you select the GPO that is not applying as expected, and click the Settings tab in the right pane, then "show all" - do you see the settings there? Then if you go to the bottom of the left pane and r-click Group Policy Results, selecting the computer and user account involved, run the GP Results Wizard. Then in Settings -> show all, do you see the expected policies?
Dave Nickason - SBS MVP
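The first reply (computer vs. user settings, link level, gpupdate and RSOP) and the last few (Link Enabled, Enforced, the Settings tab and the GP Results Wizard) are all things the GPMC shows by hand. As an added example, not from the thread, the script below runs the same checks from the GroupPolicy and ActiveDirectory modules that ship with the GPMC on SBS 2011 / Server 2008 R2: is the GPO linked to the OU with the link enabled, does the OU hold the kind of objects the GPO's settings are for, are both halves of the GPO enabled, do its AD and SYSVOL versions agree, and does the client's own gpresult list it. The GPO name and OU DN are placeholders; steps 1-3 run on the server, step 4 on the client (or on the DC itself, as tried later in the thread).

```powershell
# Added example (not from the thread): script the GPMC checks the replies describe.
# Assumes the GroupPolicy and ActiveDirectory modules; names below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Policy B'                                 # placeholder GPO display name
$ouDn    = 'OU=Test Computers,DC=DOMAIN1B,DC=local'   # placeholder, use your OU's DN

# 1. Link state lives on the OU, not on the GPO: Enabled and Enforced are per link.
$inh  = Get-GPInheritance -Target $ouDn
$inh.GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order | Format-Table -AutoSize
$link = $inh.GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $link) {
    Write-Warning "$gpoName is not linked to $ouDn"
} elseif (-not $link.Enabled) {
    Write-Warning "$gpoName is linked but the link is disabled (right-click the link, tick Link Enabled)"
}
if ($inh.GpoInheritanceBlocked) {
    Write-Warning "$ouDn blocks inheritance; only directly linked or Enforced GPOs reach it"
}

# 2. Does the OU contain the object type the GPO targets? Computer settings need
#    computer objects in scope, user settings need user objects.
$computers = @(Get-ADComputer -SearchBase $ouDn -Filter *).Count
$users     = @(Get-ADUser     -SearchBase $ouDn -Filter *).Count
"$ouDn contains $computers computer(s) and $users user(s)"

# 3. The GPO itself: a disabled half never applies, and an AD/SYSVOL version
#    mismatch means the files under SYSVOL do not match AD (typical with event 1058).
$gpo = Get-GPO -Name $gpoName
"$gpoName status: $($gpo.GpoStatus)"   # AllSettingsEnabled is what you want here
if ($gpo.GpoStatus -match 'ComputerSettingsDisabled|AllSettingsDisabled' -and $computers -gt 0) {
    Write-Warning 'Computer settings are disabled in this GPO but the OU holds computers'
}
if ($gpo.GpoStatus -match 'UserSettingsDisabled|AllSettingsDisabled' -and $users -gt 0) {
    Write-Warning 'User settings are disabled in this GPO but the OU holds users'
}
if ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion -or
    $gpo.User.DSVersion     -ne $gpo.User.SysvolVersion) {
    Write-Warning ("AD/SYSVOL version mismatch: computer {0}/{1}, user {2}/{3}" -f
        $gpo.Computer.DSVersion, $gpo.Computer.SysvolVersion, $gpo.User.DSVersion, $gpo.User.SysvolVersion)
}

# 4. On the client: refresh, then list what was actually applied. gpresult output
#    is localized, so search for the GPO's name rather than the English headings.
gpupdate /force | Out-Null
$applied = @(gpresult /r /scope:computer) + @(gpresult /r /scope:user)
if ($applied -match [regex]::Escape($gpoName)) {
    "$gpoName appears in gpresult output"
} else {
    Write-Warning "$gpoName does not appear in gpresult output; check the client's event logs"
}
```

Enforced is deliberately not set here: it only makes the link win over a Block Inheritance on a child OU or over a conflicting setting linked lower down, so it does not help a GPO that is not reaching the client at all.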
-
Friday, May 04, 2012 7:41 PM
OK, thanks for the information :)
I can see the settings in the settings tab. I can also see the settings correctly in the Group Policy Results (I ran the wizard). Why doesn't it work then? :D That's weird. I wasn't able to run the wizard for another computer (some errors again) but I ran it for the DC computer. Yes, I never realized that I can try this whole thing with my DC computer, so I made a couple configurations to the Default Domain Controller Policy > Computer Configuration. And the same result: the changes never apply to my DC computer. I can still see the settings as expected in the Group Policy Results. So it's not up to my client PC - unfortunately. It would have been an easier case I guess. There's something wrong with the DC computer.
-
Monday, May 07, 2012 12:00 PM
Have we run out of ideas? :( Does Microsoft have any kind of remote help?
One more stupid question came to me... in the list of reserved words, there is word 'server' - my server's computer name is SERVER1B. Does it make a difference?
- Edited by Aleksiv95 Monday, May 07, 2012 1:00 PM adding information
-
Monday, May 07, 2012 10:36 PM
No, I have one named "server2" without any issues.
Out of ideas is close. I think that at this point I would probably try disjoining the client PC from the network (put it back to Workgroup) and delete it from AD. Go in and add it back using the SBS wizard and see if you get any better result.
The other thing would be to run the SBS Best Practices Analyzer to see if it comes up with any issues on your SBS. Also make sure the SBS is fully patched (run Microsoft Update and see if it finds anything missing). http://www.sbslinks.com/sbsbpa.htm
It would be nice to find another PC to join to that domain to see what happens with that. Maybe install one in Virtual PC or Hyper-V temporarily just to test?
You can link policies at the domain level if that works, and use security groups to filter their application rather than linking them directly to OUs. The big problem with that idea is that something isn't working properly, and without knowing what, you don't really know what other effects the problem might be causing.
Dave Nickason - SBS MVP
-
Thursday, May 10, 2012 1:46 PM
Hi again and sorry for a late reply. Re-joining to domain doesn't help, but I found out something new...
I tried to delete a user profile and log on again (Windows creates the desktop again); most of the policies apply correctly. But after that, no changes will apply no matter what I do. So in my situation, every time I want a policy to apply, I always have to delete the user's profile and then log on.
Still some settings were missing (though there was only one policy that didn't apply). The policy includes user settings and it's in an OU which includes the right users.
So for some reason Windows updates ONLY the settings from the Default Group Policy when logging in and out. And it's the same with all PCs (I tried it by logging on to the DC computer). Is there some kind of setting that prevents Windows from applying new configurations?
I don't know (yet) how to use security groups, so it would be great if this information helped us solve this problem :)
EDIT: I ran the SBS Best Practices Analyzer and it found one error and four warnings, most of them are some kind of DNS issues. 1) DNS Client not configured, 2) Extension Mechanism for DNS (EDNS) is enabled, 3) No binding for SSL on the Default Web Site, 4) The DNS parameter MaxCacheTTL is not set, 5) The most recent Update Rollup is not installed
- Edited by Aleksiv95 Thursday, May 10, 2012 1:56 PM adding some information
-
Thursday, May 10, 2012 7:30 PM
I would address the issues found in the BPA and apply the rollup. DNS could be related to this - the BPA should tell you how to resolve the issues it found.
Is there any possibility you're logging into the client PC with a local account rather than a domain account? That seems like it would cause computer policies to apply but not user policies, and there probably aren't any user policies in the Default - hence it would appear that the Default policy is applying correctly but no user-specific policies are getting applied. (If you look under the password field on the Win7 login screen, it should indicate whether you're logging into the domain or the local PC).
Using security groups to filter policies is pretty easy. If you go into Group Policy Management and select a policy in the left pane, you'll notice that on the Scope tab in the right pane is a section called Security Filtering. By default, GPOs apply to the Authenticated Users group (which includes the domain computers). So, for example, if you just want the GPO to apply to your managers, create a security group, put them in it, and use the group to filter the policy so it doesn't apply to anyone not in the security group.
Dave Nickason - SBS MVP
-
Tuesday, May 15, 2012 5:44 AM
Thank you for telling me about the GPO filters - user settings work like a dream! But I cannot use the filters for computers, right? - I still have to point GPOs to OUs to use computer configurations? Because working with OU-level GPOs doesn't work too well...
In the last few days I've been working on the errors and warnings. The BPA now tells me that everything should be fine - I've also fixed most of the problems in Server Management > Roles > BPA. Now I found something new in the server's logs that might refer to my problem. Or I'm not sure...
Do you think this might be the problem? I don't know if you still remember, but my client PC keeps showing me errors like: the PC couldn't find a DC computer. This is a DNS error, right? I still have a lot of DNS errors and honestly I don't know how to configure DNS settings correctly. In the DNS settings, as a primary DNS server I have my ZyXEL ZyWALL's (router) local IP address (192.168.0.254 below) and as a secondary I have that loopback thing (127.0.0.1). But it's complaining at me...
EDIT: OK now we're getting somewhere... I just got some warnings in my client PC logs. Now it shows all the GPO settings that don't apply correctly. Reason: access denied, error code: 0x80070005. Another one... Reason: cannot find the file, error code: 0x80070002. For the first time it admits everything's not OK :D Maybe it shows the errors because I forced all the clients to run gpupdate every 10 minutes.
- Edited by Aleksiv95 Tuesday, May 15, 2012 5:56 AM I clicked submit too early - again...
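The DNS configuration described in this post (router first, loopback second) is the thing to check on the DC, because the "couldn't find a DC computer" errors and the 0x80070002 file-not-found failures both come from the client asking the wrong DNS server where the domain controller and its SYSVOL are. As an added example, not from the thread, the script below reads the DC's DNS client settings via WMI (PowerShell 2.0 on Server 2008 R2 has no Get-DnsClientServerAddress), flags a router entry, and then runs the same DC-locator lookup a client performs. 192.168.0.254 is the router address from the post; the domain name is a placeholder.

```powershell
# Added example (not from the thread): run on the DC. A domain controller must
# resolve through itself (its own IPv4 address, 127.0.0.1 at most as secondary),
# never through the router: PCs find "a domain controller" via SRV records that
# only the AD-integrated DNS zone holds, and a router forwarding to the ISP has
# no knowledge of them.
$domain = 'DOMAIN1B.local'   # placeholder, use your internal domain name
$router = '192.168.0.254'    # router address from the thread

$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
foreach ($nic in $nics) {
    $own = @($nic.IPAddress | Where-Object { $_ -notmatch ':' })   # IPv4 only
    $dns = @($nic.DNSServerSearchOrder)
    "{0}`n  IPv4: {1}`n  DNS : {2}" -f $nic.Description, ($own -join ', '), ($dns -join ', ')

    if ($dns -contains $router) {
        Write-Warning "DNS list points at the router $router; on a DC that is the wrong server"
    }
    $self = $dns | Where-Object { $own -contains $_ -or $_ -eq '127.0.0.1' }
    if (-not $self) {
        Write-Warning 'Neither the DC''s own IPv4 address nor 127.0.0.1 is in the DNS list'
    } elseif ($dns.Count -gt 0 -and $dns[0] -eq '127.0.0.1') {
        Write-Warning 'Put the DC''s own address first and keep 127.0.0.1 as the secondary'
    }
}

# The lookup behind "could not find a domain controller": the DC locator resolves
# _ldap._tcp.dc._msdcs.<domain> SRV records through the DNS servers listed above.
try {
    $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindDomainController()
    "DC locator found $($dc.Name) at $($dc.IPAddress)"
} catch {
    Write-Warning "DC locator failed: $($_.Exception.Message)"
}

# Same test from the command line; exit code 0 means a DC was found.
nltest "/dsgetdc:$domain" | Out-Null
"nltest exit code: $LASTEXITCODE"
```

The same script run on the client PC should show the DC's address (not the router) as the only DNS server, which is what the ipconfig /all comparison suggested earlier is looking for.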
-
Tuesday, May 15, 2012 8:28 PM
The DNS on the server should be pointing to its own IP address, not the router. If you run the Fix My Network Wizard, it should fix any DNS configuration issues, or at least suggest how to fix them yourself.
You can use security filtering for group policy for computers in the same way you do for users. I do this to limit new GPOs to just my own PC for testing purposes. The trick is that if you're trying to filter on individual PCs rather than security groups, after you click Add to add the filter, you have to click Object Types and check the Computers box. Then enter the computer name and click Check Names - it should work once you've checked that box.
Dave Nickason - SBS MVP
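Security filtering came up twice above: once for users via a security group, and here for computers via the Object Types -> Computers trick. As an added example, not from the thread, the script below does both from the GroupPolicy and ActiveDirectory modules on the server: it gives a security group Apply on a domain-linked GPO, drops Authenticated Users to Read only, and adds one test computer as an Apply trustee (the PowerShell equivalent of ticking Computers under Object Types). GPO, group and computer names are placeholders. One caveat added here that the thread predates: keep Read on Authenticated Users rather than removing the group entirely, because since MS16-072 (June 2016) the computer account reads the GPO's user settings, and without Read those user settings silently stop applying.

```powershell
# Added example (not from the thread): security filtering from PowerShell.
# Assumes the GroupPolicy and ActiveDirectory modules; all names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Managers Desktop'       # placeholder GPO, linked at the domain level
$group   = 'GPO-Managers-Desktop'   # placeholder security group
$testPc  = 'MYPC'                   # placeholder computer name

# 1. A global security group is the filter; the link decides where the GPO is
#    offered, the filter decides who in that scope actually gets it. Members can
#    be users or computer accounts.
if (-not (Get-ADGroup -Filter { Name -eq $group })) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security
}
# Add-ADGroupMember -Identity $group -Members 'alice', 'bob'   # example members

# 2. Grant the group Apply (which implies Read)...
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply

# ...and take Authenticated Users down from Apply to Read. -Replace is needed
#    because Set-GPPermission never lowers an existing level on its own. Read is
#    kept on purpose: since MS16-072 the computer account reads the user half of
#    the GPO, so removing Read stops user settings from applying at all.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace

# 3. Limiting a GPO to a single computer for testing: -TargetType Computer is the
#    equivalent of ticking Computers under Object Types in the GPMC picker.
Set-GPPermission -Name $gpoName -TargetName $testPc -TargetType Computer -PermissionLevel GpoApply

# 4. Show the resulting filter. Trustees with GpoApply are the ones the policy reaches.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, @{n='Type'; e={$_.Trustee.SidType}}, Permission |
    Format-Table -AutoSize
```

After changing the filter, run gpupdate /force on the client and check the Group Policy operational log: an 0x80070005 (access denied) on a GPO that the client should receive usually means the computer or user account lost Read on it.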
-
Thursday, May 24, 2012 12:06 PM
Everything seems to get better now. During the last week, every day some changes apply to my computer. One by one. This makes no sense at all :D but it seems that if I wait another week, everything will be OK then. Today some shortcuts appeared on my desktop and Adobe Reader X was installed correctly. Yesterday my control panel settings appeared. Waiting for tomorrow with interest...
And I have absolutely no idea what happened; I haven't made any changes to my DC computer :O
- Edited by Aleksiv95 Thursday, May 24, 2012 12:07 PM
-
Thursday, May 24, 2012 11:08 PM
I wouldn't even attempt to explain that one. Sounds like the situation calls for a supernatural explanation : -)
It's possible for policies not to get implemented exactly as you'd logically expect. For example, on one reboot the policy is detected. Something needs to be done that is now going to happen on the next reboot. But this sounds more random than logical. I'm mystified.
Dave Nickason - SBS MVP
-
Wednesday, May 30, 2012 2:39 PM
Exactly what I expected happened... now everything works perfectly :) Needless to say, it's a huge relief for me, but I still have no idea what happened :D This sounds supernatural, indeed.
I still have separate OUs for my PCs and laptops, and GPOs that are only linked to these OUs. Computer settings work as expected. For user settings, I use Security Filtering. So, problem solved, but I cannot mark any reply as answer. This whole thing supports my view that computers are individuals, and if you're nice to them, some day they will be nice to you, too :)
But thank you for your help, I really appreciate it! You helped me to understand Windows servers better and also helped me to solve my stupid DNS problems :P
- Edited by Aleksiv95 Wednesday, May 30, 2012 2:42 PM
-
Wednesday, May 30, 2012 7:04 PM
You're welcome, and I'm happy to hear that the problem is solved. Thanks for the update.
FWIW, I suspect that the Fix my Network Wizard sorted on the DNS, and something to do with that problem stopped the GPOs from applying as expected.
Dave Nickason - SBS MVP

