Group policies not being applied to machines running Windows 2000 SP4

Discussion in 'Software' started by Rostros22, Jun 19, 2006.

  1. Rostros22

    Rostros22 Kilobyte Poster


    A group policy that removes the clock from the system tray has been created, as the HR manager says people are clocking in and out from different clock times to get more than an hour for dinner. You know, the really important business issues here.

    The policy has been pushed out and this worked fine for all the Windows XP machines, but not the Windows 2000 machines. So I looked this up on the Microsoft KB and found a document that explains what needs to be done.

    Run gpedit.msc and enable the allow cross-forest user policy. Then I update the computer using secedit /refreshpolicy.

    The clock still appears on the Windows 2000 machines.

    Has anybody come across this before?

    I am looking through the KB and using Google but just wondered if anybody could shed any light on this for me. My group policy knowledge is minimal, as the Sys Admin usually deals with it all, but it is holiday time.

    Thanks
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  2. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    Are you running this as a local policy, or a Domain one?

    I ask because I thought Gpedit.msc was for editing of local policies? :blink
     
  3. Rostros22

    Rostros22 Kilobyte Poster

    The policy is a domain policy. I am running gpedit.msc because of what I read on the KB; as I explained, knowledge of policies isn't my strong point at the moment. My understanding of it is that enabling the cross-forest option then allows the domain policies to run on the local machine? I am pretty sure I am wrong but just wanted to check.
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  4. zimbo
    Honorary Member

    zimbo Petabyte Poster

    I'm not an expert, but have you tried placing all the 2000 workstations into an OU in Active Directory and linking a group policy from there?

    EDIT: Simon, I think, has got a point now that I think of it... it's for local system policies...
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  5. Rostros22

    Rostros22 Kilobyte Poster

    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  6. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    The Domain based Policies should, in the default order of processing for Group Policy, override the local settings if the same value is specified.

    On the XP clients, how was the policy created? Through ADUC?

    Also, what Functional level is the Domain Operating at?
     
  7. Rostros22

    Rostros22 Kilobyte Poster

    The group policy is set up for users and not physical machines. The idea being whatever machine the user logs onto, they pick up the policy.

    Would this create a problem? Should the policy be set against machines and not users?
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  8. zimbo
    Honorary Member

    zimbo Petabyte Poster

     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  9. Rostros22

    Rostros22 Kilobyte Poster

    The policy was created by the sys admin, but I presume it was done through ADUC, yes.

    All the DCs are running Windows server 2000.
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  10. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    people, the removal of the clock is a user policy.
     
  11. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    Stuart, can you explain exactly how the original policy was pushed out?

    I'm simply trying to determine how you are deploying policies throughout your organisation, as I see no reason why a policy would apply to one (XP) but not the other (2k)? :blink
     
  12. Nelix
    Honorary Member

    Nelix Gigabyte Poster

    When you say that you are refreshing the policy by using secedit /refreshpolicy, I assume you are using the full syntax for this command, i.e.

    secedit /refreshpolicy user_policy /enforce
     
    Certifications: A+, 70-210, 70-290, 70-291, 74-409, 70-410, 70-411, 70-337, 70-347
    WIP: 70-346
  13. Rostros22

    Rostros22 Kilobyte Poster

    OK Simon, this is how it works (I think).

    Using ADUC:

    The policy is set up in the OU ‘Users’, for example. In this OU a group policy has been set up called ‘No Clock’.

    When a user logs onto the domain on any machine this policy should kick in and be applied. So when user ‘A’ logs onto machine ‘B’ there should be no clock. I have tested this with several user accounts on our domain, and when a user logs onto an XP machine the clock does not appear. When the same user logs onto a Windows 2000 machine the clock appears.

    Hope this clears it up
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  14. Rostros22

    Rostros22 Kilobyte Poster

    I have been using

    secedit /refreshpolicy machine_policy /enforce

    :oops:

    Let me try again

    Thanks Nelix

    Edit: Ran secedit /refreshpolicy user_policy /enforce and then restarted the machine but the clock still appeared.
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  15. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    is the policy linked to a wmi filter?
     
  16. Rostros22

    Rostros22 Kilobyte Poster

    To the best of my knowledge no.

    Is there any way I can check, D-Faktor?
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  17. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    i assume you have the group policy manager installed. open it, click on the policy object or link, (don't double click to edit), and you'll see a wmi filter option at the very bottom of the page.

    reason i ask is that wmi filters only work with xp.
     
  18. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    and while you're at it, check the security filter (same page) to see if there are any limiting groups defined.
     
  19. Rostros22

    Rostros22 Kilobyte Poster

    I see no WMI filter.

    Edit: And there are no limiting groups.
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  20. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?
