
GPO only partially applying, User Config Admin Templates not pushing, 2008R2



#1 Preacherpj


Posted 21 October 2013 - 08:26 AM

Hello,

I’m really hopeful that somebody might have some ideas to help me out. I have a Server 2008 R2 domain, we are running Microsoft Office 2007 and IE 10. We have a bunch of clients, and I need to configure security settings for Office 2007 and IE 10. I was very happy when I figured out that I should be able to use admx files for this purpose.

 

I set up the central store on my server, configured the settings and pushed out. The problem is, the client machines, all running Windows 7 SP1, only seem to apply a portion of the domain policy.

It seems like the issue I have is with the User Configuration. After running RSOP on the client machines – ALL of my configured settings show up correctly, but the Office 2007 settings under the User Configuration menu don’t actually apply to local policy. Only the administrative template settings under the Computer Configuration seem to actually be applied to the machine.

 

This is despite the fact the RSOP shows all the changes under both the User and Computer and it shows them being pulled from the appropriate GPO. My GPO is linked to both the Domain Users and Domain Computers and I ‘enforced’ it but that didn’t seem to make any difference.

The only error I see, is that under the User Configuration I have an IE Branding Error, but it still says the GPO applied successfully.

 

Would absolutely be thrilled with any help or advice.

 

Thanks in advance,

Ryan

 

Moderator edit: Moved from the Windows 7 Forum to a more appropriate forum

Roger


Edited by rotor123, 21 October 2013 - 09:11 AM.



 


#2 x64


Posted 22 October 2013 - 04:57 AM

"..My GPO is linked to both the Domain Users and Domain Computers"..

I'm not sure what you mean by that...

 

Your GPO needs to be linked* to the OU that contains the user accounts for the settings under 'Users' to apply (and to the OU that contains the desktop or laptop computer accounts for the 'Computer' settings to apply).

 

* or to an OU from which the users/computers will inherit the GPO settings.

 

x64



#3 Preacherpj


Posted 22 October 2013 - 09:50 AM

Sorry about the confusion, what I meant is that I linked the GPO to both the domain users and domain computers.

 

Right now, it's just the default domain policy that I'm trying to push. Originally I made a separate GPO, created separate OUs with the users/computers I wanted and linked the GPO to those OUs.

 

But after having troubles getting the User Configuration to push, I decided to just try configuring the Default Domain Policy to see if that would work, but I'm still running into the same issue.

 

The clients get the Computer Configuration changes, but not the User Configuration changes, however, RSoP shows the changes for both the User and Computer. Very frustrating!



#4 x64


Posted 23 October 2013 - 01:09 AM

I'm assuming that you've not applied any security filtering to the GPOs (I would not think so if you've added the settings to the default domain GPO).

 

You could try enabling logging on one of the affected clients and see if that unearths any useful information.

 

Go to or create the following registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics
Add or modify the dword value "GPSvcDebugLevel", set it to 0x00030002

Reboot, log on as a user

The log file should be created in c:\windows\debug\UserMode and will be gpsvc.log

 

x64
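
The logging steps from the post above, scripted as an added example (not part of the original post and not the poster's own code). It uses only the key, value and log path given in the post; the elevation check, the read-back and the `-Disable` switch are additions, and the script name in the comments is hypothetical.

```powershell
# Added example, not from the thread. Run on the affected client.
# Usage: .\Set-GpsvcDebug.ps1            (enable; script name is hypothetical)
#        .\Set-GpsvcDebug.ps1 -Disable   (remove the value when done)
param([switch]$Disable)

$key    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$name   = 'GPSvcDebugLevel'
$level  = 0x00030002                        # value given in the post
$logDir = Join-Path $env:windir 'debug\UserMode'
$log    = Join-Path $logDir 'gpsvc.log'

# HKLM writes need administrator rights; fail early with a clear message.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$me = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

if ($Disable) {
    # Turn verbose logging back off; the existing log file is left for review.
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }
    Write-Output "Removed $name; log (if any) remains at $log"
    return
}

# "Go to or create" the key, then add or modify the DWORD.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $level -Force | Out-Null

# Create the log folder if it is missing, since gpsvc.log is written there.
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

# Read the value back so a failed write is noticed now, not after the reboot.
$actual = (Get-ItemProperty -Path $key -Name $name).$name
if ($actual -ne $level) { throw "Expected $level, registry holds $actual" }
Write-Output ('{0} = 0x{1:X8}. Reboot, log on as the user, then read {2}' -f $name, $actual, $log)
```

Run it again with `-Disable` once the log has been collected, so the client does not keep writing verbose Group Policy logs.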



#5 Baltboy


Posted 01 November 2013 - 08:25 AM

This could be a problem with the way policy is applied. It goes domain, OU, local. They are applied in that order so it could be something local is overriding your settings. There is a setting in AD under the domain that is called enforce domain policy. This prevents the domain policy from being changed by the policies that come after it.
Get your facts first, then you can distort them as you please.
Mark Twain

#6 JohnnyJammer


Posted 16 December 2013 - 09:38 PM

Firstly, never do this (Right now, it's just the default domain policy that I'm trying to push), leave that policy only for domain-wide policies for things like NTP and CA.

 

Next, it might be down to permissions applying the user policies. What domain function level are you using? If it's still 2003 then raise it to 2008 R2. It will apply the policies for Windows 7 properly, similar to the "Allow print drivers" policy.

Also try setting it manually using this command

gpedit /gpcomputer: targetmachineHere

Note: Leave the space after /gpcomputer, it has to be there.

Then once you have edited the machine manually/remotely, apply this command

wmic /node:targetmachineHere process call create "gpupdate /target:user"

Edited by JohnnyJammer, 16 December 2013 - 09:38 PM.




