Group Policy Problems

[rakem]

im hvaing some trouble getting my group polcies to apply. Im using windows Server 2003 with GPMC. I have about 5 seperate GP's which all do different things e.g. desktop, startmenu, internet explorer etc. All GP's have the same security, that is they are disable for Administrators, domain admins, eneterprise admins and enterprise domain controllers.

The problem is that not all the GP's are being applied, the logon message GP does not work, the Controll pannel GP does not work and neither does the internet explorer settings. Its so frustrating, i really cant see what else i can do.

The weird thing was they all the GP's were working fine until i did a gpupdate command and now only the disable run from startmenu is the only one working.

Anyone got any suggestions on this?

thanks

[chilifrei64]

The BEST solution is to read up on proper deployment of group policies..

For starters.. your active directory tree should be set up so that you dont have to use security filters too often.. this makes things much easier to troubleshoot and manage..

Then apply the policy to the OU where you want to apply it.. Example: Instead of setting the sales laptop policy on the domain root and applying security filtering.. apply the policy to [domain_root]\site_name\department_name\Computers\Laptops\sales and leave security filtering as authenticated users.. this way you know that this will happen on all computers in that OU.. NOW.. if you need to filter the Sales Managers laptop.. then you would use filtering to exclude him/her

Basically.. dont use security filtering to apply deny globally.. but apply it to the farthest down the tree.. then exclude the onzey toozey's from that point.. your troubleshooting will go MUUUUCH faster this way...

[cluberti]

I second the layout suggestions - if you want to do GP filtering downlevel, you should apply the LEAST restrictions (or none at all) to the top-level domain policy, and get MORE restrictive the farther down the OU and GPO tree you go. Also, remember that policies with overlapping security settings will use the LOWEST GPO to the user or machine in question, not the highest.

Also, it is better to make changes and restrictions apply in the User Configuration tree, rather than the Computer Configuration tree. Most GP settings are found both in the User and the Computer container, and making sure each user gets the right policies is easier when policies are configured for the user, rather than the machine the user uses - they may not always use the same machine, but they're likely to always use the same user account. Just some food for thought, slightly OT, but probably still relevant.

[rakem]

ok i have changed the GP's so that they apply to specific OU's only. However now it is only applying some settings. For example the disable run setting from start menu always works. But the GP to display a desktop and also the logon scripts dont work. Well actaully the logon script worked once, but thats it.

All GP's have the same settings, i havent even touched filtering this time.

[chilifrei64]

run the group policy results wizard and find out where the problem is.. this will normally tell you what policies are applied and in a conflict.. which one wins..

[rakem]

the wizard is telling me that all the policies are being applied sucsesfully

When a suer logs in there is a desktop image that should load for them. The image does loads up, stays as the wall paper for about 10 secconds then dissapears and the user is left with the plain blue wallpaper.

[chilifrei64]

are you setting a specific desktop wallpaper to apply via group policy.

since you said that the wizard is telling you that the policies are being applied successfully and that wallpapers are changing.. my guess is you have conflicting policies.

As my first suggestion was to read up on Group Policies.. I will again recommend it and suggest that you deploy them on test machines until you get them right. Group Policies are very confusing when you are new to them. I to wondered how and why they worked sometimes and not others when everything seemed to be correct.. through time.. setting them have become second nature.

As a troubleshooting step.. disable all of them and apply them one at a time.. move on to the next one when they apply how you want them to.

Also as a word of advice.. since most policies can be applied per user and per computer, actually spend some time and think about how you want to apply them that makes the most sense. This can make a world of difference when making them work with other policies.

[rakem]

yes it is set via group policy, and we are doing this in a test envorinment, i know not to try new things on the live envorinment.

But we have got most of it working now through alot of trial and error..

thanks for your suggestions

[cluberti]

Is the wallpaper a .bmp, or is it a .gif or .jpg? If it's not a .bmp, I'd strongly suggest changing your wallpaper to a .bmp and using that. Also, is it stored on a network share, or on the local machine? I know the GPO will state that you can use a UNC path, but that has never worked properly (actually, that whole portion of group policy is a mess, but I digress ).