none
Window 7 RSAT, 2003 server/2008, GPO's not applying to Win7 clients

    Question

  • Hello Guys,

    I have a problem with the GPO is not applying to Win7 Clients as you know my Primary domain controller is windows 2008 and my secondary domain is windows 2003 server Sp2 R2 and the domain level is windows server 2003

    I have installed the RSAT for windows 7 in one machine to control the GPO but my problem is some of the policy is not applying like if i create a policy for computer management which is contain the security like " Account lockout ,password policy,audit..etc is not applying anymore so could you please help me to solve this issue

    Appreciate your fast response .

    Regards ,

    Ali
    Thursday, September 15, 2016 7:40 AM

Answers

All replies

  • Hi,

    Do you have any WMI filters?

    Add the WIN7 computer accounts to the security filtering and try a gpupdate /force.

    FrenchITGuy.com

    Thursday, September 15, 2016 7:49 AM
  • Hi

    I don't Have so could you please explain me to how to create the WMI Filters

    Thursday, September 15, 2016 7:58 AM
  • If you don’t have that’s fine. Add the WIN7 computer account to the security filter of the GPO in question and try a gpupdate /force on the computer client.

    FrenchITGuy.com

    Thursday, September 15, 2016 8:05 AM
  •  will try then I will get to you.
    Thursday, September 15, 2016 8:28 AM
  • Hi ,


    I have tried some security policy is applied  Like :

    interactive logon: Do not display last user name Enabled
    Interactive logon: Do not require CTRL+ALT+DEL Enabled

    other policy like account policy /lockout is not applied why ?? is there any missing !?



    Thursday, September 15, 2016 8:46 AM
  • Run rsop.msc to check the applied policies on the client computer:

    http://www.howtogeek.com/116184/how-to-see-which-group-policies-are-applied-to-your-pc-and-user-account/

    https://support.microsoft.com/en-us/kb/312321

    And have a look on the event log for any gpo related errors.

    FrenchITGuy.com

    Thursday, September 15, 2016 9:09 AM
  • Hi ,

    I just found the solution in the below link

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/cd51876d-8636-49ac-b584-1176c538def6/account-lockout-policies-are-not-working?forum=winserverGP

    so could you explain me i have create a new GPO only for password to apply in some of OU but in above link say it must create in the domain default policy to applied. so my question is if i create another policy and i link in whole domain it will effect also ? means if i remove the " default domain policy" and create another one and link it it should be work ?

    Thursday, September 15, 2016 9:26 AM
  • The default domain policy cannot be deleted but can be unlinked. But my advice is, don’t unlink the default domain policy. There are some default security settings that you’ll need for the good functionality of the domain.

    You could create another GPO on the root of the domain and configure the account lockout policy if you want.

    FrenchITGuy.com

    Thursday, September 15, 2016 9:46 AM
  • OK Thank you very Much Dear ,

    I have last questions if you can help me on that if i prevent the control panel from the users why the domain administrator is effected also  ?

    Regards ,

    Ali

    Thursday, September 15, 2016 9:58 AM
  • The default setting is yes.

    But you could override it as follow:

    How to prevent domain Group Policies from applying to certain user or computer accounts

    https://support.microsoft.com/en-us/kb/816100

    FrenchITGuy.com

    Thursday, September 15, 2016 10:08 AM