1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Group policies not being applied to machines running Windows 2000 SP4

Discussion in 'Software' started by Rostros22, Jun 19, 2006.

  1. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    Group policies not being applied to machines running Windows 2000 SP4

    A group policy that removes the clock from the system tray has been created as the HR manager says people are clocking in and out from different clock times to get more than an hour for dinner, you know the really important business issues here.

    The policy has been pushed out and this worked fine for all the Windows XP machines, but not the Windows 2000 machines. So I looked this up on the Microsoft KB and found a document that explains what needs to be done.

    Run gpedit.msc and enable the allow cross-forest user policy. Then I update the computer using secedit /refreshpolicy

    The clock still appears on the Windows 2000 machines

    Has anybody come across this before?

    I am looking through the KB and using google but just wondered if anybody could shed any light on this for me. My group policy knowledge is minimal, as the Sys Admin usually deals with it all but it is holiday time.

    Thanks
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  2. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    6,199
    125
    199
    Are you running this as a local policy, or a Domain one?

    I ask because I thought Gpedit.msc was for editing of local policies? :blink
     
  3. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    The policy is a domain policy. I am running the gpedit.msc because of what I read on the KB, as I explained knowledge of policies isn't my strong point at the moment. My understanding of it is that enabling the cross-forest option then allows the domain policies to run on the local machine? I am pretty sure I am wrong but just wanted to check.
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  4. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    im not expert but have you tried placing all the 2000 workstations into a OU in active directory and linking a group policy from there?

    EDIT: simon i think has got a point now that i think of it... its for local system policies...
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  5. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  6. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    6,199
    125
    199
    The Domain based Policies should, in the default order of processing for Group Policy, override the local settings if the same value is specified.

    One the XP clients how was the ploicy created? Through ADUC?

    Also, what Functional level is the Domain Operating at?
     
  7. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    The group policy is setup for users and not physical machines. The idea being whatever machine the user logs onto they pickup the policy.

    Would this create a problem? Should the policy be set against machines and not users?
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  8. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  9. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    The policy was created by the sys admin but I presume it was done through ADUC yes.

    All the DC's are running Windows server 2000
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  10. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    810
    0
    39
    people, the removal of the clock is a user policy.
     
  11. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    6,199
    125
    199
    Stuart, can you explain exactly how the original policy was pushed out?

    I'm simply trying to determine how you are deploying policies throughout your organisation, as I see no reason why a policy would apply to one (XP) but not the other (2k)? :blink
     
  12. Nelix
    Honorary Member

    Nelix Gigabyte Poster

    1,412
    3
    82
    When you say that you are refreshing the policy by using secedit /refresh policy, I assume you are using the full syntax for this command i.e.

    secedit /refreshpolicy user_policy /enforce
     
    Certifications: A+, 70-210, 70-290, 70-291
    WIP: 70-294
  13. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    Ok Simon this is how it works (I think)

    Using ADUC

    The policy is setup in the OU ‘Users’ for example. In this OU a group policy has been setup called ‘No Clock’

    When a user log onto the domain on any machine this policy should kick in and be applied. So when user ‘A’ logs onto machine ‘B’ there should be no clock. I have tested this with several user accounts on our domain and when a user logs onto an XP machine the clock does not appear. When the same user logs onto a Windows 2000 machine the clock appears.

    Hope this clears it up
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  14. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    I have been using

    secedit /refreshpolicy machine_policy /enforce

    :oops:

    Let me try again

    Thanks Nelix

    Edit: Ran secedit /refreshpolicy user_policy /enforce and then restarted the machine but the clock still appeared.
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  15. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    810
    0
    39
    is the policy linked to a wmi filter?
     
  16. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    To the best of my knowledge no.

    Is there anyway I can check D-Faktor?
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  17. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    810
    0
    39
    i assume you have the group policy manager installed. open it, click on the policy object or link, (don't double click to edit), and you'll see a wmi filter option at the very bottom of the page.

    reason i ask is that wmi filters only work with xp.
     
  18. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    810
    0
    39
    and while you're at it, check the security filter (same page) to see if there are any limiting groups defined.
     
  19. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    I see no wmi filter

    Edit: And there are no limiting groups
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  20. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    6,199
    125
    199

Share This Page

Loading...