Group Policy question
Hi All,
Set up a domain today, I'll limit this to the relevant portion.... I have a DC and a client computer; server is 2008 R2, client is W7.
I am attempting to deploy group policies, but they do not seem to be getting applied.
The policy is the default domain policy and is applied to a created computers OU, (not the default computers OU), and is linked and enabled.
The client does not appear to be getting any policies. I ran gpresult /h and the report shows no applied GPOs and 2 denied GPOs, the default domain policy, and another policy that I believe is created by default. Now the denied policy says the reason is "empty". I have no idea what that means, or how to fix it. Ideas?
Comments
-
Slowhand Mod Posts: 5,161
I'd say go into your Group Policy Objects container in Group Policy Management and see what you have. There should only be two policies, as far as I know, that appear in a fresh domain: the Default Domain Policy and the Default Domain Controllers Policy. Neither of those should have anything that would deny a policy from being applied to an OU with your computer in it. If there are any other policies in there, make sure you disable them before trying to apply your own policy. You could also double-check to make sure you haven't accidentally blocked policy inheritance on the OU that contains your Windows 7 computer.
Other than that, I don't know what to tell you. There are only so many ways to filter out GPO settings before they're applied, hopefully we can help you figure it out before you have to scrap what you've got and start over. Try to grab some screen shots of the messages you're getting, maybe someone here on the forum will shake the ol' cobwebs loose and remember how they dealt with it in the past.
Free Microsoft Training: Microsoft Learn
Free PowerShell Resources: Top PowerShell Blogs
Free DevOps/Azure Resources: Visual Studio Dev Essentials
Let it never be said that I didn't do the very least I could do. -
ptilsen Member Posts: 2,835
What policies have you configured? Are they on a user or computer basis? How is the security filtering on the GPO set (e.g., authenticated users)? If it is reporting "empty", it would indicate to me that none of the policies are applicable for the object in question (e.g., user policies applied to a computer object).
-
Slowhand Mod Posts: 5,161
That's actually a good point. If I remember correctly, a GPO won't be applied at all if none of the policies have any effect on the objects in the OU. So, if you've only configured user policies for the OU with computers in it, it might just get kicked back as being empty and won't be applied.
-
KenC Member Posts: 131
IIRC, you should not make any changes to the default policies. Create a new one and apply it to the OU that you created.
Also, are you at least running gpupdate or restarting the client machines?
-
ptilsen Member Posts: 2,835
There can be legitimate reasons to adjust the default domain policy, but I would advise against it unless you have significant AD experience and are aware of the ramifications. If you want to apply "other" policies domain wide, it is highly preferable to make different GPOs in virtually any given scenario.
-
higherho Member Posts: 882
You stated they're linked and enabled. When you open up GPMC do you see if it says "Enforced"?
-
Slowhand Mod Posts: 5,161
Honestly, I can't think of a time when tinkering with the default domain policy, outside of perhaps modifying the required password length or something like that, would be more beneficial than simply creating a new policy with a more narrow scope, or even simply attaching it to the domain. There's never a reason to add any new items to the Default Domain Policy since you can have as many GPOs as you want in your domain. Heck, James Conrad over at CBT Nuggets tells his students that he will most often use a separate GPO for each change he wants to make so he can more easily keep track of what GPO does what. (That may be a tad extreme/tedious, but there's nothing stopping you from doing it.)
-
Essendon Member Posts: 4,546
I'd also make sure you changed customized settings in the Computer Configuration node of the GPO. It's quite easy to change settings in the other node and scratch your head as to why the policies weren't being applied.
And finally have you restarted the client? Computer policies usually take a restart to kick in. A gpupdate /force may not be enough.
Apart from this, what ptilsen said should be where you'd begin.
-
SephStorm Member Posts: 1,731
Originally the policy was a created one, but when it didn't work I saw some articles referencing the default domain policy, so I modified that. I've reverted those changes now. When I click on the OU, it gives me the option to block inheritance, so I assume it is currently unblocked. Essendon, I'm not sure what you are talking about with customized settings. Below are images of the setup.
GPReport from client
http://i2.photobucket.com/albums/y35/LordSephiroth/report.png
Scope of policy
http://i2.photobucket.com/albums/y35/LordSephiroth/gpmc.png
Settings tab
http://i2.photobucket.com/albums/y35/LordSephiroth/settings.png -
pumbaa_g Member Posts: 353
Have you checked the RSOP?
“An expert is one who knows more and more about less and less until he knows absolutely everything about nothing.”
-
SephStorm Member Posts: 1,731
Yep, gpresult /h and /v show that the DDP and DDCP are denied, no policies applied.
EDIT: I had forgotten about rsop.msc, it actually shows the created policies... And I tested one of them, the media center policy (prevented from running) and it appears to work... so why doesn't the report show the policy being in effect?
-
KeithC Member Posts: 147
Is the Windows 7 computer placed inside the IC - Computers OU? I would also suggest adding the computer to the security filter for the GPO.
-
4_lom Member Posts: 485
Have you tried updating GP on the client? If not, it could take around 90 minutes for changes to take effect.
Goals for 2018: MCSA: Cloud Platform, AWS Solutions Architect, MCSA : Server 2016, MCSE: Messaging
-
SephStorm Member Posts: 1,731
It is inside the IC/Computers OU, and I had previously added it to the security filter. At some point the computer did take the policy (excluding the background policy, which is an issue of its own...), but it's not showing up as applied on any reports...
So the question, why isn't it showing on the gpresult results?
-
pumbaa_g Member Posts: 353
Interesting, will have a think through and get back
-
Essendon Member Posts: 4,546
There could be some kind of deny permission set somewhere. Check the ACL of the Group Policy and see if there are any denies. Or it may just be a bug.
-
ptilsen Member Posts: 2,835
Show us the fully expanded settings (redacted as needed).
Is the computer in question directly within the "Computers" OU pictured, or in a sub-OU?
-
undomiel Member Posts: 2,818
Of course the report in the screenshot is going to show that the policy is denied due to being empty. That report is under the User Configuration. According to your settings screenshot you have Computer policies configured, so they will only show up as applied in a report run on a computer object. Computer policy settings apply to computer objects and User policy settings apply to user account objects. Run the report on the computer object placed in the root/IC/Computer OU.
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
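
The user-versus-computer distinction from the last reply, as an added example that is not part of the original thread: it checks which half of each GPO actually holds settings, then pulls the computer section of the client's RSoP. The function names and the 'Media Center Policy' GPO name are placeholders, and reading a directory version of 0 as "this half is empty" is an assumption.

```powershell
# Added example, not code from the thread. GPO names below are placeholders.
Import-Module GroupPolicy   # installed with GPMC / RSAT

function Get-SideVerdict($side) {
    # Assumption: a directory version of 0 means this half was never edited,
    # which is what gpresult reports as "Empty" for that section.
    if ($side.DSVersion -eq 0) { return 'Empty: expect Denied in this section' }
    if (-not $side.Enabled)    { return 'Disabled: settings in this half are ignored' }
    return 'Has settings: applies if link, security filter and ACL allow'
}

function Get-GpoSideSummary {
    param([Parameter(Mandatory = $true)][string[]]$Name)

    foreach ($n in $Name) {
        $gpo = Get-GPO -Name $n
        $row = New-Object PSObject -Property @{
            Gpo             = $gpo.DisplayName
            GpoStatus       = $gpo.GpoStatus
            ComputerVersion = $gpo.Computer.DSVersion
            ComputerSection = Get-SideVerdict $gpo.Computer
            UserVersion     = $gpo.User.DSVersion
            UserSection     = Get-SideVerdict $gpo.User
        }
        # Fix the column order (hashtable order is not preserved on PowerShell 2.0).
        $row | Select-Object Gpo, GpoStatus, ComputerVersion, ComputerSection,
                             UserVersion, UserSection
    }
}

# Run where GPMC is installed (for example the DC).
Get-GpoSideSummary -Name 'Default Domain Policy', 'Media Center Policy' | Format-List

# Run on the Windows 7 client from an elevated prompt, so the computer
# section is included in the result.
gpresult /scope computer /v
gpresult /scope computer /h "$env:TEMP\computer-rsop.html" /f
```

A GPO whose UserSection comes back as empty but whose ComputerSection has settings matches what the thread describes: denied as empty in the user part of the report while the computer settings still take effect.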