GROUP POLICY not working. New domain setup


adzza

OK...hi everyone to start with. I'm new here. FIRST POST!

OK, I have set up a Windows 2003 server, and a Windows XP machine to play with group policy, etc. On the server I have AD, and have installed the GPMC. I know how to use AD, so that's not new to me, but I am new to GP, although it appeared very simple.

After reading other posts, let me clearly state,

I have installed AD

I have set up an OU called Call Centre

In that OU I have a group called Call Centre Users

In that Group is a user

In GP, I have created a GPO under Call Centre

I have set up do not allow CMD to be used

The GP is Linked

The GP is Enabled

I have added Call Centre Users to the security filter, and removed authorized users

I have done a GPUpdate on the client, no luck

I have removed the profile, and tried again, no luck.

Can anyone point me in the right direction here? Seems like I have covered everything.. Thanks.

Link to comment
Share on other sites


It sounds like you have a good start. AD (from what you typed) appears to be in good order for GP Deployments.

Is it safe to assume that you used the

User Configuration -> Administrative Templates -> System -> Prevent Access to the Command Prompt?

One thing to know about Group Policy is that you cannot apply a Group Policy to a group in an OU. Group Policies are applied to the user. If you take that same GPO and link it to the OU where the user resides then it should work.

Domain.local

-----Call Center OU <--------From what I gathered.. you applied it here.. is this correct?

-----------Call Center Group

-----Domain Users OU <-----Apply the policy here

-----------Call Center User

Link to comment
Share on other sites

Hey, thanks for the fast reply. OK, so I have an understanding of how this works, I create an OU in AD, when I go to GPMC, I create a GPO in that OU and it is applied to every user in that OU?....I'm a little confused by you saying it cannot be applied to groups but users...It can be applied to OUs, correct? I have had a look at our work setup and they have it set up as follows:

Domain.local

GPO...

GPO...

GPO...

ETC...

Then they have a couple of OUs, with specific GPOs in them. I thought it was good practice, rather than having them right under the domain.local, to use OUs to organize this. BTW, that "Domain Users" OU, is that in AD/GP by default, 'cause it's not in our work structure, have to check mine...

Link to comment
Share on other sites

No, domain users is not a default OU.. since the domain was domain.local.. the OU was domain users.. as if the domain was msfn.local the OU would have been msfn users.

I knew I didn't make myself too clear on this one.. I figured I would just wait for your response

Your AD structure is good for GP Deployment, I myself do not recommend adding GPs on the very top of the structure. Doing it the way you have it is fine..

Basically what I am trying to say is you cannot apply the Group Policy to a group within an OU.. You need to apply the GP to a user or computer in an OU... You can use Groups for security filtering but the group policy must be placed on or above the OU where the user is located and NOT the OU of the group that the user is a part of..

Example.. I will normally do something like this

danfrei.com

----- All Default Folders

-----danfrei.com

-------Users

---------Management

---------Reception

---------Tech

-------Group

---------Security Groups

---------Distribution Groups

-------Computers

---------Workstations

---------Laptops

---------Servers

-----------Domain Controllers

-----------Member Servers

This is a scaled down version.. I like to do it this way.. it removes the possibility of affecting default windows Users or Groups.

Within my structure.. ALL groups are located in my Groups OU under their specific type. Any GPOs applied to the Group OU will not apply because there are no users in the Group OU.. Just groups.. and a GPO will not apply to a group.

Now.. say I wanted to apply a No access to command prompt GP to my users.. I would create a group called NO_CMD and I would add my users I didn't want to have access to this group. I could then apply it to the users OU but use security filtering and remove authenticated users and add my NO_CMD Group.

I hope this makes a little more sense

Link to comment
Share on other sites
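
The scoping rule this thread arrives at, as an added example that is not part of any post: a GPO reaches a user only if it is linked on a container above the user object, and security filtering then narrows it by group membership. The directory names are constructed from the diagram in the second post, the function names and the "No CMD" GPO name are hypothetical, and the model ignores block inheritance, enforced links, WMI filters, loopback and nested groups.

```python
# Simplified model of user-side GPO scoping (added illustration, not a real AD API).
# Assumptions: no block inheritance, enforced links, WMI filters, loopback or nested groups.

def containers(dn):
    """Containers above an object, nearest first, up to the domain root.
    Assumes no escaped commas in the DN (true for the constructed sample)."""
    parts = dn.split(",")[1:]              # drop the object's own RDN
    out = []
    for i, rdn in enumerate(parts):
        out.append(",".join(parts[i:]))
        if rdn.upper().startswith("DC="):  # first DC= begins the domain root
            break
    return out

def applied_gpos(user_dn, user_groups, links, filters):
    """GPOs that reach the user: linked on a container above the user object
    AND filtered to a group the user is a member of."""
    groups = set(user_groups) | {"Authenticated Users"}
    result = []
    for container in reversed(containers(user_dn)):   # domain first, nearest OU last
        for gpo in links.get(container, []):
            # A GPO with no explicit filter keeps the default, Authenticated Users.
            if groups & filters.get(gpo, {"Authenticated Users"}):
                result.append(gpo)
    return result

# Constructed sample mirroring the diagram in the second post.
DOMAIN = "DC=domain,DC=local"
GROUP_OU = "OU=Call Center," + DOMAIN      # holds only the group object
USER_OU = "OU=Domain Users," + DOMAIN      # holds the user objects
MEMBER = "CN=Call Center User," + USER_OU
OTHER = "CN=Other User," + USER_OU         # hypothetical user outside the group
FILTERS = {"No CMD": {"Call Center Group"}}  # Authenticated Users removed from the filter

def scenario(link_ou, user_dn, user_groups):
    """Link the single 'No CMD' GPO on link_ou and report what the user receives."""
    return applied_gpos(user_dn, user_groups, {link_ou: ["No CMD"]}, FILTERS)

if __name__ == "__main__":
    print("linked on group's OU:", scenario(GROUP_OU, MEMBER, {"Call Center Group"}))
    print("linked on user's OU: ", scenario(USER_OU, MEMBER, {"Call Center Group"}))
    print("non-member, user OU: ", scenario(USER_OU, OTHER, set()))
```

On a live domain the same question is answered from the client with `gpresult`, which reports the user's applied and filtered-out GPOs.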
