Policy Problem

Hello,

On a W2K domain, our machines were running Winlock Professional. This stopped users from accessing parts of the system. We have decided, however, that we don't need this program anymore as we could simply use Windows 2000 Server policies.

How simple.


I remove Winlock Professional, and all restrictions we set from the server policies on the clients' start menus are not in effect.
'Run appears', etc, when we asked it not to. It wasnt there BEFORE Winlock installed, it wasn't there WHILE Winlock was installed, but it is there now Winlock has been uninstalled.

It appears that many policies are not taking effect once Winlock has been removed, and it is really starting to irritate me!
If anyone can help me out, I would REALLY appreciate it!!!!!!!!!!!

Thanks in advance!

 

Your best bet would be to run gpresults and find out which policies are in effect and set them how you want them.

How to Use the Group Policy Results (GPResult.exe) Command Line Tool

 

Hello!

I'm still not quite sure how to fix the problem! Sorry, this is quite a new thing for me!

 

How far along before you get stuck? Did you run gpresult? If so, the the results make sense to you? If so, are you comfortable setting domain policies?

 

I am comfortable setting domain policies. I'm not sure where the Winlock policies are coming from.

They only activate 20 seconds or so AFTER logon when the Winlock program runs! Is it a local policy or just registry changing?
If I go 'gpedit.msc' I see nothing set, so I assume it is not a local policy setting.

Once Winlock is removed, no policies set by the domain work, and I fail to understand why.

 

Whoa!

Whoa! Even in the registry on a machine that no longer has Winlock installed... the "NoRun" in reg is set to '1' but run is "STILL" showing on the Start Menu! How is it doing this?? Why arent the policies taking effect? This is really urgent now! :S

 

Did you try the gpresult command Bursley suggested? Very informative stuff for AD & local policies.

 

Yes, and it tells me that the domain policy is in effect (it doesn't appear to be) and that the local security policy is in effect. How do I see the local security policy? Nothing is being 'enforced' in gpedit.msc (which I thought brought up the local policy)...

 

More Network Policy Problems!

(edit note: I merged the other policy post with this one. Easier to keep all the background/history and current situation in one place. - Newt)

Hello,

Got a stage further from my last post. I have a brand new 2000 Server; and I set policies for the domain.

They apply to the server, but not to ANY of the new workstations we have. Why is this? The workstations are freshly installed, but no workstation received policies. This is really buggin' me 'gpresult' reveals that no policies are coming from the server.

WHY? Why is this? The frustration!

 

Any hints (for things you maybe need to do but haven't or need to do differently) from This one pager?

 

Hello,

Thank you for your help - However, I don't feel I've missed anything. I set the whole domain (excluding administrator users) as the OU, and it has worked in the past, but is not doing so now.

 

Well, I pass to Bursley on this one. I have only a passing knowledge of things AD & OU.

 

Wondier if the server may need another reinstall.. Something is obviously wrong, but I wish I knew what it was.

 

[UPDATE]

Interesting.. According to gpresult, any normal logged in user is not a member of any group, yet they are on the server.

Roaming profile: \\2kserver\profiles\jonathan
Local profile: C:\Documents and Settings\jtaunton

The user is a member of the following security groups:



###############################################################

This is rather odd. I have them set as a domain user on the server, but this is not getting through to the client??

Another note is that an administrator receives the policies, but users don't.


This is odd... and I'm truely desperate for help!

 

PM sent. Not with a fix though or I would have posted details here.

 

I'm around, just very busy. I'll be glad to review the gpresults output. Please email me the results. or post them here.

 

ok

Ok, thank you.

Here are the results:
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on 04 March 2004 at 16:33:12


Operating System Information:

Operating System Type: Professional
Operating System Version: 5.0.2195.Service Pack 4
Terminal Server Mode: Not supported

###############################################################

User Group Policy results for:



Domain Name: DOMAIN
Domain Type: Windows 2000
Site Name: Default-First-Site-Name

Roaming profile: \\2kserver\profiles\benc
Local profile: C:\Documents and Settings\bcarr.DOMAIN

The user is a member of the following security groups:



###############################################################

Last time Group Policy was applied: 04 March 2004 at 16:31:53



###############################################################

Computer Group Policy results for:



Domain Name: DOMAIN
Domain Type: Windows 2000
Site Name: Default-First-Site-Name


The computer is a member of the following security groups:


###############################################################

Last time Group Policy was applied: 04 March 2004 at 16:28:14


Why is the user not in any group? I am fairly new to this, but I've been able to do it before... just not now!

Help is appreciated

 

Gpresults doesn't display security information is a problem described in kb article 258595. You may want to check it out.
When you decided to disable a policy you must tell AD to deactivate the policy first. Basically undo what you did before removing any software.
One thing to check if this is the case is to create a new user account and see if the resultant policy is in place there.

 

Not quite with you.
The problem is simply that policies are NOT applying to any non-administrator on remote computers. They DO apply to non-administrators if they logon to the server, however. I'm quite dependant upon policies, although I'm not the most experienced user you'll ever find as I'm sure you can see.
Still not sure what to do to get the ******* policies to apply!

 

Maybe it's not a policy problem but a network issue regarding your client systems. Are they properly registered in DNS? If you apply a new policy to the domain and type secedit /refreshpolicy /userpolicy or reboot the system do those new policies apply? Such as disable the screensaver tab, etc.
If not, it's possible your problem is with AD itself if the users are able to authenicate and map shares properly.
If it is AD, the only resolution that I can think of is to restore from a known good copy of the directory schema, or remove reinstall AD itself. Another option is to engage Microsoft.