Applying Security Template Through GPOs
Mmartin_47
Member Posts: 430
Ok here is my current setup:
1) Domain controller
Computer name: PDC
Domain: TechLabs2003.local @ 172.16.0.2
2) Member Server
Computer name: Member1
Joined to TechLabs2003.local
IP: 172.16.0.3 with DNS @ 172.16.0.2
Both are running Server 2003 Enterprise with NO SP
I created a new OU named Member Servers on the domain controller. Moved Member1 out of the computers container into the Member Servers OU.
Then created a new security template on the domain controller called Member Servers Template. Defined password & auditing settings.
Then I right-click on the Member Servers OU and created a new group policy called GPO SECURITY POLICY FOR ALL MEMBER SERVERS.
Finally I drilled down into Computer Settings > Security Settings. Right-click on that and click import policy. I applied my security template. Ran GPUPDATE on Member1. Then ran GPRESULT and all I see being applied is default domain policy.
Shouldn't I see my template being applied?
Oh and I tried running gpupdate /force. Also made sure DNS is working properly and everyone is connected. No luck. Any suggestions? I currently access both servers from my Vista machine via remote desktop.
Comments
-
Mmartin_47 Member Posts: 430
Well never mind, looks like I didn't give it enough time to update group policy? How is this possible? I used the /force switch. Also before I got it working and ran GPRESULT I ticked block policy inheritance.
Was it because I ticked that box or because I didn't give it enough time?
-
dynamik Banned Posts: 12,312
Block policy inheritance simply prevents the OU from inheriting GPOs from higher up the hierarchy (unless they have no override specified). It wouldn't affect the time in which the policy was refreshed. Member servers and clients are updated every 90 minutes with an offset of +/- 30 minutes, and DCs are every five minutes.
Did you restart the member server? Sometimes computer settings require a reboot, so the automatic refresh or gpupdate can't make them take effect.
-
Mmartin_47 Member Posts: 430
dynamik wrote:
Block policy inheritance simply prevents the OU from inheriting GPOs from higher up the hierarchy (unless they have no override specified). It wouldn't affect the time in which the policy was refreshed. Member servers and clients are updated every 90 minutes with an offset of +/- 30 minutes, and DCs are every five minutes.
Did you restart the member server? Sometimes computer settings require a reboot, so the automatic refresh or gpupdate can't make them take effect.
Nope.
I thought the GPUPDATE /force switch would update the policy immediately? The only policy settings I configured were password and auditing.
-
royal Member Posts: 3,352
Yep, like dynamik said, some updated computer policies require you to reboot. Heck, some computer policies actually require you to reboot twice. Once to get the policy applied, but since asynchronous logon is enabled, the user might log on before the computer policy actually applies. If your policy is one of those, the computer policy will apply during/after user logon and you will have to reboot a second time for the policies to actually show up properly. Or you can enable synchronous logon (default in 2k) so you would only have to reboot once for these policies, since the computer will wait for all computer settings to apply before winlogon allows you to log on.
“For success, attitude is equally as important as ability.” - Harry F. Banks
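The interaction between Block Policy inheritance and No Override that dynamik describes above, as an added Python model that is not part of any post in this thread. The `Link`, `Container`, `processing_order` and `lab` names are hypothetical, the lab layout is reconstructed from the first post, and local and site-level policy are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    no_override: bool = False          # "No Override" set on this GPO link

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # already in processing order
    block_inheritance: bool = False    # "Block Policy inheritance" on this container

def processing_order(path):
    """path: containers from the domain down to the computer's OU.

    Returns GPO names in the order they are processed. When two GPOs set
    the same value, the one processed last wins.
    """
    normal, forced = [], []
    for depth, container in enumerate(path):
        # A block on any container below this one stops its ordinary links;
        # links on the blocking container itself are not affected.
        blocked = any(c.block_inheritance for c in path[depth + 1:])
        here_forced = [l.gpo for l in container.links if l.no_override]
        if not blocked:
            normal += [l.gpo for l in container.links if not l.no_override]
        # No Override links ignore blocks. Deeper containers are placed
        # earlier, so the link highest in the hierarchy has the final say.
        forced = here_forced + forced
    return normal + forced

def lab(block=False, no_override=False):
    """Constructed model of the lab described in the first post."""
    domain = Container("TechLabs2003.local",
                       [Link("Default Domain Policy", no_override)])
    ou = Container("Member Servers",
                   [Link("GPO SECURITY POLICY FOR ALL MEMBER SERVERS")],
                   block_inheritance=block)
    return processing_order([domain, ou])

if __name__ == "__main__":
    for block, no_override in [(False, False), (True, False), (True, True)]:
        print(f"block={block} no_override={no_override}: "
              f"{lab(block, no_override)}")
```

The middle case shows why a baseline that must reach every member server is usually linked with No Override: one ticked Block Policy inheritance box on an OU otherwise removes it from the result.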