| Author | Messages | |
cwhitmore
Posts:19
 | | 04/26/2008 3:06 PM |
| Darren,
You're right, that is exactly what I was expecting. I thought that if the GPO was changed from the domain it would show up when I ran gpedit.msc on the local PC. Thanks for the clarification.
Carlton.
________________________________
From: ActiveDir-owner@mail.activedir.org on behalf of Darren Mar-Elia
Sent: Fri 4/25/2008 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: AD: Re: [ActiveDir] GPO not updating?
To follow up on Neil's point, it kinda sounds like you are opening the local GPO editor and expecting to see your settings there. That won't be the case. The local GPO is an entirely separate animal from any domain-based GPOs and it does not reflect settings that were delivered by domain-based GPOs, at least within the Admin. Templates section. It will reflect security policy that is being set on the domain inasmuch as it will be disabled from being set in the local GPO editor. But otherwise, you are not going to see your "Always wait for the network..." setting by running gpedit.msc. You have to go and look in the registry to verify that the setting is being received.
Darren
Darren Mar-Elia
CTO & Founder
www.sdmsoftware.com <http://www.sdmsoftware.com/>
darren@sdmsoftware.com
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of neil.ruston@barclayswealth.com
Sent: Friday, April 25, 2008 1:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: AD: Re: [ActiveDir] GPO not updating?
I think it's time to stop and ask a few basic questions like 'what evidence do you have that these settings are/were NOT applied?'
I have seen no evidence thus far. I think you sent yourself on a wild goose chase  i.e. the settings were working all along - you just looked in the wrong place!
neil
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Carlton L. Whitmore
Sent: 24 April 2008 17:38
To: ActiveDir@mail.activedir.org
Subject: RE: AD: Re: [ActiveDir] GPO not updating?
Rocky,
My original problem (or so I thought), was that my GPO changes from the domain were not propagating down to the PCs. When I checked the GPOs on the local PC they didn't show that any were changed so I assumed they weren't getting updated. After I ran gpresult (results below), it did show that the computer was getting GPO updates from the domain. As a test I changed the GPO (from the domain), to make IE full screen w/o toolbars and it worked.
My issue is that the changes are being pushed down, but they aren't showing up on the local PCs.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rocky Habeeb
Sent: Thursday, April 24, 2008 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: AD: Re: [ActiveDir] GPO not updating?
Please, Please, Please ...
Just tell me how you knew to do this and how in Blue Blazes this had anything to do with this problem.
RH
________________________________
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]On Behalf Of Carlton L. Whitmore
Sent: 24 April, 2008 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: AD: Re: [ActiveDir] GPO not updating?
Okay, I know they are working now. I changed Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Enforce Full Screen Mode = Enabled and it worked.
At least I know the GPO's are working. If anyone comes up with a solution as to why I can't see the changes locally please let me know.
Thanks for the suggestions!
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Carlton L. Whitmore
Sent: Thursday, April 24, 2008 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: AD: Re: [ActiveDir] GPO not updating?
We have four DCs, three here and one in another office thru VPN connection. There are no errors in the event logs on either the PC or DC. I changed the GPO: Computer Configuration > Administrative Templates > Network > QoS Packet Scheduler > Limit reservable bandwidth > Enabled = 5%. Same thing, when I access the GPO locally from the XP box it doesn't show that it was changed, but if I run rsop.msc it shows both of the GPO settings I changed.
Should I just assume that these settings are working?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of mck1012
Sent: Thursday, April 24, 2008 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: AD: Re: [ActiveDir] GPO not updating?
How many DC's do you have? Are there any errors in the event log on either workstation or DC's. Are there other settings in the same GPO that are working? If not can you make a change in that GPO to see if it works for the computer.
----- Original Message ----
From: Carlton L. Whitmore <cwhitmore@Advocacyinc.org>
To: ActiveDir@mail.activedir.org
Sent: Thursday, April 24, 2008 10:44:11 AM
Subject: RE: AD: Re: [ActiveDir] GPO not updating?
Yes, it's a computer GPO. I turned off the firewall, but no help there. I checked two other workstations, but they have the same problem.
Brian - I also logged into the XP box as myself. I have Enterprise Admin and Domain admin rights, but that didn't make a difference.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of mck1012
Sent: Thursday, April 24, 2008 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: AD: Re: [ActiveDir] GPO not updating?
I dont think this is a user permission issue. This is a computer startup script correct? Is the firewall enabled on the workstation? is this working on any other workstations? Can you test another workstation that has this GPO applied?
----- Original Message ----
From: "Britt, Brian" <brian.britt@Vanderbilt.Edu>
To: ActiveDir@mail.activedir.org
Sent: Thursday, April 24, 2008 10:22:13 AM
Subject: RE: AD: Re: [ActiveDir] GPO not updating?
The user may be an Admin on that PC but do they have the ability to traverse the directories where the GPO is stored on the DC? That is where you need to allow the traverse. Essentailly this means that they may not have explicit rights to parent directories but they go bypass them to go to a subfolder where they do have rights. If they are not allowed, they may be stopped at a level far above the folder where they need to read the GPO settings if they are not allowed.
This worked in my case. It may not apply to yours but worth a try.
Brian Britt
Vanderbilt University
Directory Services Specialist
615-322-4676
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Carlton L. Whitmore
Sent: Thursday, April 24, 2008 9:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: AD: Re: [ActiveDir] GPO not updating?
Brian,
I checked and the user is an admin on that PC. I verified that the user is part of the group in that GPO.
Any other ideas?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Britt, Brian
Sent: Thursday, April 24, 2008 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: AD: Re: [ActiveDir] GPO not updating?
I ran into a similar problem once before on a secured machine. The problem was with the setting, "Bypass Traverse Checking." If the user is not allowed to bypass traverse checking, they may not be able to get to the directory where the GPO resides on the server. It may seem like the GPO is applied but the settings are not. Once I allowed the user to Bypass traverse Checking, the policy applied successfully.
Brian Britt
Vanderbilt University
Directory Services Specialist
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of mck1012
Sent: Thursday, April 24, 2008 8:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: AD: Re: [ActiveDir] GPO not updating?
How about if you run rsop.msc, do you see the script listed.
----- Original Message ----
From: Carlton L. Whitmore <cwhitmore@Advocacyinc.org>
To: ActiveDir@mail.activedir.org
Sent: Thursday, April 24, 2008 9:29:05 AM
Subject: RE: AD: Re: [ActiveDir] GPO not updating?
Okay, I ran gpresult on the XP box and it shows that the GP is being applied every time I reboot.
I even went to the server (trak), that was applying the GP and verified that the GPO was correct. I also tried to apply it from the domain level, but when I check the XP box the GPO hasn't changed.
Here are the results:
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 4/24/2008 at 8:24:45 AM
RSOP results for ADVOCACYINC\scriptuser on GENERIC-FE41A1A : Logging Mode
--------------------------------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: ADVOCACYINC
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\scriptuser
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=GENERIC-FE41A1A,OU=PCs,DC=Advocacyinc,DC=org
Last time Group Policy was applied: 4/24/2008 at 8:11:54 AM
Group Policy was applied from: trak.Advocacyinc.org <http://trak.advocacyinc.org/>
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
New Group Policy Object
Log on Locally
Default Domain Policy
Local Group Policy
The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
GENERIC-FE41A1A$
Domain Computers
CERTSVC_DCOM_ACCESS
USER SETTINGS
--------------
CN=ScriptUser,OU=Test,DC=Advocacyinc,DC=org
Last time Group Policy was applied: 4/24/2008 at 8:20:57 AM
Group Policy was applied from: intake.Advocacyinc.org <http://intake.advocacyinc.org/>
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
New Group Policy Object
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
CompAdmin
Faxserve
CERTSVC_DCOM_ACCESS
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Mark Parris (L)
Sent: Thursday, April 24, 2008 1:52 AM
To: ActiveDir
Subject: Re: AD: Re: [ActiveDir] GPO not updating?
Do you have any other policies that could override your policy?
Run RSOP, see if yours is applied - and what else?
Regards,
Mark Parris
-----Original Message-----
From: "Rick Gomez" <febrero@dlpmx.com>
Date: Thu, 24 Apr 2008 00:59:11
To:<ActiveDir@mail.activedir.org>
Subject: AD: Re: [ActiveDir] GPO not updating?
run gpresult on the client to see if that GPO its being applied.
If its not then probably you are authenticating against a DC that has not replicated the new GPO.
Check FRS Event log to see if there are any errors.
Rick
----- Original Message -----
From: Carlton L. Whitmore <mailto:cwhitmore@Advocacyinc.org>
To: ActiveDir@mail.activedir.org <mailto:ActiveDir@mail.activedir.org>
Sent: Wednesday, April 23, 2008 5:05 PM
Subject: [ActiveDir] GPO not updating?
I EUR(tm)m trying to push the follow registry using the GPO from Windows 2003 AD.
Local Computer Policy -> Administrative Templates -> System -> Logon -> Always wait for the network at computer startup and logon (enable)
I EUR(tm)ve tried it in two different OU EUR(tm)s, one for users and the other for computers. I EUR(tm)ve also changed it at the domain level.
Even if I manually run gpupdate /force it doesn EUR(tm)t update. I know it EUR(tm)s not a rights issue because I can manually change the setting from the PC.
Any ideas why this isn EUR(tm)t propagating from AD?
Carlton.
.+-Å wè EUR Ã>iÿü0Ã? §-Š÷ ?Å º+Æ'òâ ²Ã- ¬ §Ã¢ ²Ã'@Bm §Ã¿Ã°ÃfÅ" ¶+Ãzv*è ®Ã<Å Ã<E ¬ §Ã¢ ²Ã- «r ¯zm §Ã¿Ã°ÃfÅ" ¶+Ãzv*è ®Ã¦k÷^} « ¥ µ «)
.+-Swè?Ûi ü0Á§-S÷?Sº+fò ²Ö¬§ ²Ñ@Bm§ ðÃoe¶+Þv*è®ËSËE¬§ ²Ö«r¯zm§ ðÃoe¶+Þv*è®æk÷^}«¥µ«)
________________________________
Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. <http://us.rd.yahoo.com/evt=51733/*http:/mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ%20>
________________________________
Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. <http://us.rd.yahoo.com/evt=51733/*http:/mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ%20>
________________________________
Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. <http://us.rd.yahoo.com/evt=51733/*http:/mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ%20>
________________________________
Barclays Wealth is the wealth management division of Barclays Bank PLC. This email may relate to or be sent from other members of the Barclays Group.
The availability of products and services may be limited by the applicable laws and regulations in certain jurisdictions. The Barclays Group does not normally accept or offer business instructions via internet email. Any action that you might take upon this message might be at your own risk.
This email and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this email in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this email or its attachments.
Internet communications are not guaranteed to be secure or virus-free. The Barclays Group does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this email may be monitored by the Barclays Group for operational or business reasons.
Any opinion or other information in this email or its attachments that does not relate to the business of the Barclays Group is personal to the sender and is not given or endorsed by the Barclays Group.
Barclays Bank PLC. Registered in England and Wales (registered no. 1026167).
Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom.
Barclays Bank PLC is authorised and regulated by the Financial Services Authority.
| | | |
|
|