Need help – Group Policy Tutorial on Server 2003

Topic

New Reply

I am looking for a basic tutorial on Group Policy. I am running Active Directory and running Windows Server 2003 Standard Edition.

Here are a few requirements:

1) I need an example that I can test in my production environment, as I don’t have a dedicated testing server. So in any posting, please include instructions for how to apply the group policy test to affect just my computer name, or just my account.

2) Please look at previous posts of mine and try and write out the instuctions with lots of spacing, and clear instuctions on where to find the options to adjust.

3) If you don’t write up a solution yourself, but link to a solution, please give a short intro to the solution here.

Thanks,
Peter
(A one-man support team for a small nonprofit. This means everyone in this forum is my best option for help and system support, and that I don’t have dedicated testing boxes.)
Link to help files I have written: Techpraise.com

Reply | Quote

Replies

Before you get any other suggestions, I suggest you do this first:

1. Create a Test OU
2. Create a user in the Test OU
3. Create your group policies applied to that OU–this is the safest way to test things without a separate environment.

Reply | Quote

Group policy has 2 parts, machine policy and user policy.
Machine policy is applied as the machine is starting Windows and before the login prompt.
User policy is applied immediately after login.

Group policy is only a text file with instructions for Windows. This text file can have NFTS permissions applied to limit it’s application to particular machines/users/groups. The permissions should only be set with the group policy editor.

Group policy is always applied to an OU and from there it can be filtered for individual machines, users or groups. This allows you to set different policy for work stations, servers, robots etc.

Be vigilant when editing a group policy object as there is no undo option.

Start by installing the group policy management console. This gives a clear simple view of your GP.
Now create a new group policy object under Group Policy Objects. Always start the name with “TEST” until you have tested the policy and want to move it into production. e.g. “TEST – Run Notepad at startup”.
Now edit the GPO and navigate through User, Windows, Startup Scripts.
Add an item for “notepad.exe”.
Close the GPO.
Remove “Authorised Users” from the security section and add your name instead.
Right click on the OU that contains your user name and select apply existing GPO.
Select the GPO you just created.

Now when you logon to any PC, Notepad will run.

Note: Most of this is off the top of my head from home, so some of the names/sections may not be correct.

cheers, Paul

Reply | Quote

Hi Paul,

I tried what you said in the notebook example, but nothing happened when I logged out and logged back in. I tried it on both my Windows Vista PC, and a Windows XP machine in the office.

Please see the attached Word file with screen shots of how it set it up.

Help from anyone troubleshooting why it didn’t work is appreciated.

Thanks,
Peter

Group policy has 2 parts, machine policy and user policy.
Machine policy is applied as the machine is starting Windows and before the login prompt.
User policy is applied immediately after login.

Group policy is only a text file with instructions for Windows. This text file can have NFTS permissions applied to limit it’s application to particular machines/users/groups. The permissions should only be set with the group policy editor.

Group policy is always applied to an OU and from there it can be filtered for individual machines, users or groups. This allows you to set different policy for work stations, servers, robots etc.

Be vigilant when editing a group policy object as there is no undo option.

Start by installing the group policy management console. This gives a clear simple view of your GP.
Now create a new group policy object under Group Policy Objects. Always start the name with “TEST” until you have tested the policy and want to move it into production. e.g. “TEST – Run Notepad at startup”.
Now edit the GPO and navigate through User, Windows, Startup Scripts.
Add an item for “notepad.exe”.
Close the GPO.
Remove “Authorised Users” from the security section and add your name instead.
Right click on the OU that contains your user name and select apply existing GPO.
Select the GPO you just created.

Now when you logon to any PC, Notepad will run.

Note: Most of this is off the top of my head from home, so some of the names/sections may not be correct.

cheers, Paul

Reply | Quote

You haven’t linked the GPO to an OU. See Erics note about creating a test OU above.

cheers, Paul

Reply | Quote

Hi Paul,
I linked my Test Group Policy to a new Test OU, but notepad isn’t opening when I log out and log back in.

Can you please take a close look at my new attached screenshots?
I run my Domain Controller on Windows Server 2003 SP1, and the PC I am testing the User Policy on runs Windows Vista.

Thanks.

You haven’t linked the GPO to an OU. See Erics note about creating a test OU above.

cheers, Paul

Reply | Quote

Hi Paul,
I linked my Test Group Policy to a new Test OU, but notepad isn’t opening when I log out and log back in.

Can you please take a close look at my new attached screenshots?
I run my Domain Controller on Windows Server 2003 SP1, and the PC I am testing the User Policy on runs Windows Vista.

Thanks.

Did you check task manager? Notepad should be running under the SYSTEM user, so you won’t see it.

Reply | Quote

Thanks for that hint. First off, on my Vista machine, I saw no system tasks whatsoever running. There were a few processes running with no username. But none of the tasks were “Notepad”.

Then I used another older Windows XP computer on my network, and system tasks did show up. But not Notepad.

More importantly, if you look at my screenshots I sent in my last message, Notepad doesn’t show up in the local computers user policy.
I don’t know what I’m missing, because I ran the “gpupdate /force” command as an administrator on the local PC as well.

Ahh!

Please check out the screenshots I sent in my last emails. If there is something else you would like to me to take a screenshot of on my Domain Controller server, please tell me. Remember, I am testing and learning Group Policy for the first time, so I may be missing something strait forward.

Thanks,
Peter

Did you check task manager? Notepad should be running under the SYSTEM user, so you won’t see it.

Reply | Quote

Thanks for that hint. First off, on my Vista machine, I saw no system tasks whatsoever running. There were a few processes running with no username. But none of the tasks were “Notepad”.

Then I used another older Windows XP computer on my network, and system tasks did show up. But not Notepad.

More importantly, if you look at my screenshots I sent in my last message, Notepad doesn’t show up in the local computers user policy.
I don’t know what I’m missing, because I ran the “gpupdate /force” command as an administrator on the local PC as well.

Ahh!

Please check out the screenshots I sent in my last emails. If there is something else you would like to me to take a screenshot of on my Domain Controller server, please tell me. Remember, I am testing and learning Group Policy for the first time, so I may be missing something strait forward.

Thanks,
Peter

Did you check task manager? Notepad should be running under the SYSTEM user, so you won’t see it.

Reply | Quote

Thanks for that hint. First off, on my Vista machine, I saw no system tasks whatsoever running. There were a few processes running with no username. But none of the tasks were “Notepad”.

Then I used another older Windows XP computer on my network, and system tasks did show up. But not Notepad.

More importantly, if you look at my screenshots I sent in my last message, Notepad doesn’t show up in the local computers user policy.
I don’t know what I’m missing, because I ran the “gpupdate /force” command as an administrator on the local PC as well.

Ahh!

Please check out the screenshots I sent in my last emails. If there is something else you would like to me to take a screenshot of on my Domain Controller server, please tell me. Remember, I am testing and learning Group Policy for the first time, so I may be missing something strait forward.

Thanks,
Peter

Did you check task manager? Notepad should be running under the SYSTEM user, so you won’t see it.

Reply | Quote

Thanks for that hint. First off, on my Vista machine, I saw no system tasks whatsoever running. There were a few processes running with no username. But none of the tasks were “Notepad”.

Then I used another older Windows XP computer on my network, and system tasks did show up. But not Notepad.

More importantly, if you look at my screenshots I sent in my last message, Notepad doesn’t show up in the local computers user policy.
I don’t know what I’m missing, because I ran the “gpupdate /force” command as an administrator on the local PC as well.

Ahh!

Please check out the screenshots I sent in my last emails. If there is something else you would like to me to take a screenshot of on my Domain Controller server, please tell me. Remember, I am testing and learning Group Policy for the first time, so I may be missing something strait forward.

Thanks,
Peter

Did you check task manager? Notepad should be running under the SYSTEM user, so you won’t see it.

Reply | Quote

Thanks for that hint. First off, on my Vista machine, I saw no system tasks whatsoever running. There were a few processes running with no username. But none of the tasks were “Notepad”.

Then I used another older Windows XP computer on my network, and system tasks did show up. But not Notepad.

More importantly, if you look at my screenshots I sent in my last message, Notepad doesn’t show up in the local computers user policy.
I don’t know what I’m missing, because I ran the “gpupdate /force” command as an administrator on the local PC as well.

Ahh!

Please check out the screenshots I sent in my last emails. If there is something else you would like to me to take a screenshot of on my Domain Controller server, please tell me. Remember, I am testing and learning Group Policy for the first time, so I may be missing something strait forward.

Thanks,
Peter

Did you check task manager? Notepad should be running under the SYSTEM user, so you won’t see it.

Reply | Quote

Thanks for that hint. First off, on my Vista machine, I saw no system tasks whatsoever running. There were a few processes running with no username. But none of the tasks were “Notepad”.

Then I used another older Windows XP computer on my network, and system tasks did show up. But not Notepad.

More importantly, if you look at my screenshots I sent in my last message, Notepad doesn’t show up in the local computers user policy.
I don’t know what I’m missing, because I ran the “gpupdate /force” command as an administrator on the local PC as well.

Ahh!

Please check out the screenshots I sent in my last emails. If there is something else you would like to me to take a screenshot of on my Domain Controller server, please tell me. Remember, I am testing and learning Group Policy for the first time, so I may be missing something strait forward.

Thanks,
Peter

Did you check task manager? Notepad should be running under the SYSTEM user, so you won’t see it.

Reply | Quote

Thanks for that hint. First off, on my Vista machine, I saw no system tasks whatsoever running. There were a few processes running with no username. But none of the tasks were “Notepad”.

Then I used another older Windows XP computer on my network, and system tasks did show up. But not Notepad.

More importantly, if you look at my screenshots I sent in my last message, Notepad doesn’t show up in the local computers user policy.
I don’t know what I’m missing, because I ran the “gpupdate /force” command as an administrator on the local PC as well.

Ahh!

Please check out the screenshots I sent in my last emails. If there is something else you would like to me to take a screenshot of on my Domain Controller server, please tell me. Remember, I am testing and learning Group Policy for the first time, so I may be missing something strait forward.

Thanks,
Peter

Did you check task manager? Notepad should be running under the SYSTEM user, so you won’t see it.

Reply | Quote

Thanks for that hint. First off, on my Vista machine, I saw no system tasks whatsoever running. There were a few processes running with no username. But none of the tasks were “Notepad”.

Then I used another older Windows XP computer on my network, and system tasks did show up. But not Notepad.

More importantly, if you look at my screenshots I sent in my last message, Notepad doesn’t show up in the local computers user policy.
I don’t know what I’m missing, because I ran the “gpupdate /force” command as an administrator on the local PC as well.

Ahh!

Please check out the screenshots I sent in my last emails. If there is something else you would like to me to take a screenshot of on my Domain Controller server, please tell me. Remember, I am testing and learning Group Policy for the first time, so I may be missing something strait forward.

Thanks,
Peter

Did you check task manager? Notepad should be running under the SYSTEM user, so you won’t see it.

Reply | Quote

Hi Paul,
I linked my Test Group Policy to a new Test OU, but notepad isn’t opening when I log out and log back in.

Can you please take a close look at my new attached screenshots?
I run my Domain Controller on Windows Server 2003 SP1, and the PC I am testing the User Policy on runs Windows Vista.

Thanks.

Did you check task manager? Notepad should be running under the SYSTEM user, so you won’t see it.

Reply | Quote

Hi Paul,
I linked my Test Group Policy to a new Test OU, but notepad isn’t opening when I log out and log back in.

Can you please take a close look at my new attached screenshots?
I run my Domain Controller on Windows Server 2003 SP1, and the PC I am testing the User Policy on runs Windows Vista.

Thanks.

Did you check task manager? Notepad should be running under the SYSTEM user, so you won’t see it.

Reply | Quote

Hi Paul,
I linked my Test Group Policy to a new Test OU, but notepad isn’t opening when I log out and log back in.

Can you please take a close look at my new attached screenshots?
I run my Domain Controller on Windows Server 2003 SP1, and the PC I am testing the User Policy on runs Windows Vista.

Thanks.

Did you check task manager? Notepad should be running under the SYSTEM user, so you won’t see it.

Reply | Quote

Hi Paul,
I linked my Test Group Policy to a new Test OU, but notepad isn’t opening when I log out and log back in.

Can you please take a close look at my new attached screenshots?
I run my Domain Controller on Windows Server 2003 SP1, and the PC I am testing the User Policy on runs Windows Vista.

Thanks.

Did you check task manager? Notepad should be running under the SYSTEM user, so you won’t see it.

Reply | Quote

Hi Paul,
I linked my Test Group Policy to a new Test OU, but notepad isn’t opening when I log out and log back in.

Can you please take a close look at my new attached screenshots?
I run my Domain Controller on Windows Server 2003 SP1, and the PC I am testing the User Policy on runs Windows Vista.

Thanks.

Did you check task manager? Notepad should be running under the SYSTEM user, so you won’t see it.

Reply | Quote

Hi Paul,
I linked my Test Group Policy to a new Test OU, but notepad isn’t opening when I log out and log back in.

Can you please take a close look at my new attached screenshots?
I run my Domain Controller on Windows Server 2003 SP1, and the PC I am testing the User Policy on runs Windows Vista.

Thanks.

Did you check task manager? Notepad should be running under the SYSTEM user, so you won’t see it.

Reply | Quote

Hi Paul,
I linked my Test Group Policy to a new Test OU, but notepad isn’t opening when I log out and log back in.

Can you please take a close look at my new attached screenshots?
I run my Domain Controller on Windows Server 2003 SP1, and the PC I am testing the User Policy on runs Windows Vista.

Thanks.

Did you check task manager? Notepad should be running under the SYSTEM user, so you won’t see it.

Reply | Quote

Oops! Should have mentioned that bit 🙁

cheers, Paul

Reply | Quote

Oops! Should have mentioned that bit 🙁

cheers, Paul

Reply | Quote

Oops! Should have mentioned that bit 🙁

cheers, Paul

Reply | Quote

Oops! Should have mentioned that bit 🙁

cheers, Paul

Reply | Quote

Oops! Should have mentioned that bit 🙁

cheers, Paul

Reply | Quote

Oops! Should have mentioned that bit 🙁

cheers, Paul

Reply | Quote

Oops! Should have mentioned that bit 🙁

cheers, Paul

Reply | Quote

Oops! Should have mentioned that bit 🙁

cheers, Paul

Reply | Quote

Open a Command Prompt on the XP / Vista machine and type gpresult. This will tell you what group policies are applied.
Click Start > Run and type rsop.msc. This will show you the result of the application of those policies.

p.s. Save the screenshots as JPG and embed them in your reply. Saves us downloading Word documents.

cheers, Paul

Reply | Quote

Attached are the screenshots in jpg format.

I ran rsop and I ran gpresult /h (for html output).

-Peter

Open a Command Prompt on the XP / Vista machine and type gpresult. This will tell you what group policies are applied.
Click Start > Run and type rsop.msc. This will show you the result of the application of those policies.

p.s. Save the screenshots as JPG and embed them in your reply. Saves us downloading Word documents.

cheers, Paul

Reply | Quote

Attached are the screenshots in jpg format.

I ran rsop and I ran gpresult /h (for html output).

-Peter

Open a Command Prompt on the XP / Vista machine and type gpresult. This will tell you what group policies are applied.
Click Start > Run and type rsop.msc. This will show you the result of the application of those policies.

p.s. Save the screenshots as JPG and embed them in your reply. Saves us downloading Word documents.

cheers, Paul

Reply | Quote

Attached are the screenshots in jpg format.

I ran rsop and I ran gpresult /h (for html output).

-Peter

Open a Command Prompt on the XP / Vista machine and type gpresult. This will tell you what group policies are applied.
Click Start > Run and type rsop.msc. This will show you the result of the application of those policies.

p.s. Save the screenshots as JPG and embed them in your reply. Saves us downloading Word documents.

cheers, Paul

Reply | Quote

Attached are the screenshots in jpg format.

I ran rsop and I ran gpresult /h (for html output).

-Peter

Open a Command Prompt on the XP / Vista machine and type gpresult. This will tell you what group policies are applied.
Click Start > Run and type rsop.msc. This will show you the result of the application of those policies.

p.s. Save the screenshots as JPG and embed them in your reply. Saves us downloading Word documents.

cheers, Paul

Reply | Quote

Attached are the screenshots in jpg format.

I ran rsop and I ran gpresult /h (for html output).

-Peter

Open a Command Prompt on the XP / Vista machine and type gpresult. This will tell you what group policies are applied.
Click Start > Run and type rsop.msc. This will show you the result of the application of those policies.

p.s. Save the screenshots as JPG and embed them in your reply. Saves us downloading Word documents.

cheers, Paul

Reply | Quote

Attached are the screenshots in jpg format.

I ran rsop and I ran gpresult /h (for html output).

-Peter

Open a Command Prompt on the XP / Vista machine and type gpresult. This will tell you what group policies are applied.
Click Start > Run and type rsop.msc. This will show you the result of the application of those policies.

p.s. Save the screenshots as JPG and embed them in your reply. Saves us downloading Word documents.

cheers, Paul

Reply | Quote

Attached are the screenshots in jpg format.

I ran rsop and I ran gpresult /h (for html output).

-Peter

Open a Command Prompt on the XP / Vista machine and type gpresult. This will tell you what group policies are applied.
Click Start > Run and type rsop.msc. This will show you the result of the application of those policies.

p.s. Save the screenshots as JPG and embed them in your reply. Saves us downloading Word documents.

cheers, Paul

Reply | Quote

Attached are the screenshots in jpg format.

I ran rsop and I ran gpresult /h (for html output).

-Peter

Open a Command Prompt on the XP / Vista machine and type gpresult. This will tell you what group policies are applied.
Click Start > Run and type rsop.msc. This will show you the result of the application of those policies.

p.s. Save the screenshots as JPG and embed them in your reply. Saves us downloading Word documents.

cheers, Paul

Reply | Quote

Open a Command Prompt on the XP / Vista machine and type gpresult. This will tell you what group policies are applied.
Click Start > Run and type rsop.msc. This will show you the result of the application of those policies.

p.s. Save the screenshots as JPG and embed them in your reply. Saves us downloading Word documents.

cheers, Paul

Reply | Quote

Open a Command Prompt on the XP / Vista machine and type gpresult. This will tell you what group policies are applied.
Click Start > Run and type rsop.msc. This will show you the result of the application of those policies.

p.s. Save the screenshots as JPG and embed them in your reply. Saves us downloading Word documents.

cheers, Paul

Reply | Quote

Open a Command Prompt on the XP / Vista machine and type gpresult. This will tell you what group policies are applied.
Click Start > Run and type rsop.msc. This will show you the result of the application of those policies.

p.s. Save the screenshots as JPG and embed them in your reply. Saves us downloading Word documents.

cheers, Paul

Reply | Quote

Open a Command Prompt on the XP / Vista machine and type gpresult. This will tell you what group policies are applied.
Click Start > Run and type rsop.msc. This will show you the result of the application of those policies.

p.s. Save the screenshots as JPG and embed them in your reply. Saves us downloading Word documents.

cheers, Paul

Reply | Quote

Open a Command Prompt on the XP / Vista machine and type gpresult. This will tell you what group policies are applied.
Click Start > Run and type rsop.msc. This will show you the result of the application of those policies.

p.s. Save the screenshots as JPG and embed them in your reply. Saves us downloading Word documents.

cheers, Paul

Reply | Quote

Open a Command Prompt on the XP / Vista machine and type gpresult. This will tell you what group policies are applied.
Click Start > Run and type rsop.msc. This will show you the result of the application of those policies.

p.s. Save the screenshots as JPG and embed them in your reply. Saves us downloading Word documents.

cheers, Paul

Reply | Quote

Open a Command Prompt on the XP / Vista machine and type gpresult. This will tell you what group policies are applied.
Click Start > Run and type rsop.msc. This will show you the result of the application of those policies.

p.s. Save the screenshots as JPG and embed them in your reply. Saves us downloading Word documents.

cheers, Paul

Reply | Quote

I can’t see the any GPOs except Default Domain Policy being applied. (It would be easier to read if you used the text output and pasted the text.)

Is your user in the Test OU?
For the GPO to be applied to a user it needs to be linked the the OU or parent OU of the user. Same goes for a machine GPO.

cheers, Paul

Reply | Quote

See the post I reference below (date=’2010-01-12 16:21′)?
I explain how I liked my Group Policy to a Test OU, AND I included a screenshot.

First you ask me to stop attaching Word Documents with Screenshots, now my screen shots aren’t good enough, ugh, this problem is taking a really long time to diagnose. Group Policy is hard…I still don’t know how to use it. In the future I will try and follow your advice to upload jpg screenshots of text files output, or the text file output itself.

Did you try saving the JPG’s to you computer, so you can expand them? Note that I blocked out my user name and domain in all the screenshots for security purposes.

In this post I have uploaded screenshots of the cmd prompt output. I ran “gpresult /r /v > gpresult.txt”. Please review the whole thread before responding. Remember, I show the screenshot in an earlier post that show my Group Policy and it shows that notepad.exe is supposed to start at startup. But that policy is not flowing to my account, even though my username is linked to that OU in the Policy.

Also, don’t take anything I say as true, I may have just set up the policy wrong, as I have never done this before… Please verify all the steps that I have showed you in my posts.

Let’s get this nut cracked!!! (Nut referring the issue at hand of course.)

Thanks,
Peter

Hi Paul,
I linked my Test Group Policy to a new Test OU, but notepad isn’t opening when I log out and log back in.

Can you please take a close look at my new attached screenshots?
I run my Domain Controller on Windows Server 2003 SP1, and the PC I am testing the User Policy on runs Windows Vista.

Thanks.

I can’t see the any GPOs except Default Domain Policy being applied. (It would be easier to read if you used the text output and pasted the text.)

Is your user in the Test OU?
For the GPO to be applied to a user it needs to be linked the the OU or parent OU of the user. Same goes for a machine GPO.

cheers, Paul

Reply | Quote

Peter, excuse my dislike of pictures – I’m an old text based entity.

USER SETTINGS
————–
CN=Peter ,OU=G,OU=Accounts,DC=a,DC=org
Last time Group Policy was applied: 1/15/2010 at 3:37:36 PM
Group Policy was applied from: A.a.org
Group Policy slow link threshold: 500 kbps
Domain Name: a
Domain Type: Windows 2000

Applied Group Policy Objects
—————————–
N/A

As you can see from this section, you do not have any applied user GPO. This is why it doesn’t work.
Try removing the filter you set on the GPO?
Check your user is in the OU that you linked the GPO to?

After an update it is prudent to run gpupdate /force to update the group policy on the machine / user.

cheers, Paul

Reply | Quote

So, I figured out why the Test Group Policy for notepad.exe wasn’t running. In the “Group Policy Test OU/Container” I created, instead of moving my user object there, I created a group called “Group Policy Test Group” in that container. Then I just added myself to the “Group Policy Test Group” security group thinking that would be enough. After I moved my user object directly to that container it worked.

I also removed my user object from the “Security Filtering” section of the Group Policy. That seemed to have no effect either way. I don’t know what “Security Filtering” is for anyway.

On my PC, I ran “gpupdate /force” and got a real error! I am actually happy to get a real error.

C:Windowssystem32>gpupdate /force
Updating Policy…

User policy could not be updated successfully. The following errors were encount
ered:

The processing of Group Policy failed. Windows attempted to read the file \a.orgsysvola.orgPolicies{CA5EFA8B-BA08-49FD-85A8-0C7850D85F7F}gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer policy could not be updated successfully. The following errors were enc
ountered:

The processing of Group Policy failed. Windows attempted to read the file \a.orgsysvola.orgPolicies{CA5EFA8B-BA08-49FD-85A8-0C7850D85F7F}gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or invoke gpmc.msc to access infor
mation about Group Policy results.

After reading this article below which I found through the event viewer, I determined that I have a DFS error.
http://technet.microsoft.com/en-us/library/cc727259(WS.10).aspx

So basically I want to add a new DFS entry for “\a.orgsysvola.orgPolicies{CA5EFA8B-BA08-49FD-85A8-0C7850D85F7F}gpt”.
But I think I want to change the path a little bit for where the Group Policies are stored. Where is the setting to change where Active Directory stores group policy?

Is creating a shared folder/DFS entry the correct approach for getting Group Policy to work?

Thanks,
Peter

Reply | Quote

I found the solution to the gpt.ini read error on the network.

openletters
Welcome Newcomer

1 Posts
Status: offline

Posted – 08/19/2008 : 05:30:37 AM

Hi Guys, I have been reading this thread for a number of days now, and still nothing could help me with the 1058 and 1030 error codes.

It was mentioned earlier, Keep it simple stupid. And yep this is what fixed it for me.

The TCP/IP NetBIOS Helper service was disabled.
Please check this before you continue with any majour tasks like I did. This may or may not help.

Good luck!

That was the solution that worked for me!

Here is the link:
http://www.minasi.co…129&whichpage=3%5B/size%5D%5B/font%5D

I have now resolved my group policy testing, and have successfully run my first group policy test by starting notepad.exe automatically on any computer I log onto!
Now to start testing some useful policies!

Peter

So, I figured out why the Test Group Policy for notepad.exe wasn’t running. In the “Group Policy Test OU/Container” I created, instead of moving my user object there, I created a group called “Group Policy Test Group” in that container. Then I just added myself to the “Group Policy Test Group” security group thinking that would be enough. After I moved my user object directly to that container it worked.

I also removed my user object from the “Security Filtering” section of the Group Policy. That seemed to have no effect either way. I don’t know what “Security Filtering” is for anyway.

On my PC, I ran “gpupdate /force” and got a real error! I am actually happy to get a real error.

C:Windowssystem32>gpupdate /force
Updating Policy…

User policy could not be updated successfully. The following errors were encount
ered:

The processing of Group Policy failed. Windows attempted to read the file \a.orgsysvola.orgPolicies{CA5EFA8B-BA08-49FD-85A8-0C7850D85F7F}gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer policy could not be updated successfully. The following errors were enc
ountered:

The processing of Group Policy failed. Windows attempted to read the file \a.orgsysvola.orgPolicies{CA5EFA8B-BA08-49FD-85A8-0C7850D85F7F}gpt
.ini from a domain controller and was not successful. Group Policy settings may
not be applied until this event is resolved. This issue may be transient and cou
ld be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or invoke gpmc.msc to access infor
mation about Group Policy results.

After reading this article below which I found through the event viewer, I determined that I have a DFS error.
http://technet.micro…259(WS.10).aspx

So basically I want to add a new DFS entry for “\a.orgsysvola.orgPolicies{CA5EFA8B-BA08-49FD-85A8-0C7850D85F7F}gpt”.
But I think I want to change the path a little bit for where the Group Policies are stored. Where is the setting to change where Active Directory stores group policy?

Is creating a shared folder/DFS entry the correct approach for getting Group Policy to work?

Thanks,
Peter

Reply | Quote

I tried testing the notepad Group Policy on a Windows XP machine, and it worked!
After making the fixes in the previous post, that was the trick. (I did have to re-add my username to the security filtering).

So I know group policy now works for other computers in my network, but not my own.
Any idea how to troubleshoot the error in my previous post still?

Thanks,
Peter

Code:

S:>gpupdate
Refreshing Policy...

User Policy Refresh has completed.
Computer Policy Refresh has completed.


S:>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 1/20/2010 at 5:14:34 PM


RSOP results for Ap on F : Logging Mode
-----------------------------------------------------------

OS Type:     				Microsoft Windows XP Professional
OS Configuration:        	Member Workstation
OS Version:              	5.1.2600
Domain Name: 				A
Domain Type: 				Windows 2000
Site Name:   				Default-First-Site-Name
Roaming Profile:
Local Profile:   			C:Documents and Settingsp
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
	CN=F,CN=Computers,DC=a,DC=
	Last time Group Policy was applied: 1/20/2010 at 5:14:16 PM
	Group Policy was applied from:  	A.a.org
	Group Policy slow link threshold:   500 kbps

	Applied Group Policy Objects
	-----------------------------
    	Default Domain Policy

	The following GPOs were not applied because they were filtered out
	-------------------------------------------------------------------
    	Local Group Policy
        	Filtering:  Not Applied (Empty)

	The computer is a part of the following security groups:
	--------------------------------------------------------
    	BUILTINAdministrators
    	Everyone
    	BUILTINUsers
    	NT AUTHORITYNETWORK
    	NT AUTHORITYAuthenticated Users
    	F$
    	Domain Computers
    	CERTSVC_DCOM_ACCESS


USER SETTINGS
--------------
	CN=P,OU=Group Policy Test OU/Container,DC=a,DC=org
	Last time Group Policy was applied: 1/20/2010 at 5:14:16 PM
	Group Policy was applied from:  	A.a.org
	Group Policy slow link threshold:   500 kbps

	Applied Group Policy Objects
	-----------------------------
    	TEST - Run Notepad at Startup

	The following GPOs were not applied because they were filtered out
	-------------------------------------------------------------------
    	Default Domain Policy
        	Filtering:  Disabled (GPO)

    	Local Group Policy
        	Filtering:  Not Applied (Empty)

	The user is a part of the following security groups:
	----------------------------------------------------
    	Domain Users
    	Everyone
    	BUILTINUsers
    	BUILTINAdministrators
    	NT AUTHORITYINTERACTIVE
    	NT AUTHORITYAuthenticated Users
    	LOCAL
    	Domain Admins
    	RicohPGrp
    	ColorPgrp
    	Group Policy Test Group
    	PWDCgrp
    	TS Users Group
    	Management
    	ReceptionPgrp
    	CERTSVC_DCOM_ACCESS

S:>

Reply | Quote

Nice to see you have it working – makes sense once you get your head around the concept.

Security filtering allows you to limit the GPO application if you have more than one machine/user in the OU. Say you have applied a GPO to the users OU but you are testing it and only want it to apply to you in the short term. Add yourself to the filter and only you will have the GPO applied. You could add users or machines manually or set the filter for group membership.

cheers, Paul

Reply | Quote