General discussion

Locked

Active Directory GPO aplication

By Rackin ·
I am having a problem with the internet settings on the user portion of the GPO. the Home page and proxy settings will apply the first time, but if changed will only re-apply sporatically. I know I can lock these settings down so that they can notbe touched by the user and plan to do so, but am trying to understand how and when the settings get applied. Any one have any idea on this?
Thanks
Rod

This conversation is currently closed to new comments.

11 total posts (Page 1 of 2)   01 | 02   Next
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Active Directory GPO aplication

by Jeremy The IT Guy In reply to Active Directory GPO apli ...

By default, the GPO is "refreshed" every 90 minutes, with a random offset of 0-30 minutes. This can be changed to a lower amount of time but remember, that will increase network bandwidth consumed. If you need more information, let me know. HTH, Jeremy

Collapse -

Active Directory GPO aplication

by Rackin In reply to Active Directory GPO apli ...

I think you misunderstood the question. The GPO should also refresh everytime the user boots the computer. What is happening is that the Home page set in the GPO and the proxy settings in the GPO will apply the first time you log in, but if you change them on the system manually the GPO does not refresh them consistantly. sometimes it will change them back, but most of the time it will not. If I go and change the settings in the GPO the it tipically will reaply them to the computer.

Collapse -

Active Directory GPO aplication

by dshuang5858 In reply to Active Directory GPO apli ...

If you need the policy to refresh right away on the client side, you may force update it by using either syntax for win2k "secedit /refreshpolicy {machine_policy | user_policy} /enforce" or winxp "gpupdate [/target:{computer | user}] [/force] [/wait:Value] [/logoff] [/boot]". Hopefully this help.

Collapse -

Active Directory GPO aplication

by Rackin In reply to Active Directory GPO apli ...

No the point is that when a refrsh happens by reboot or by using secedit it does not reaply the settings. It is like it thinks it has the right settings so it does not change them, but the settings are different then the policy.

Collapse -

Active Directory GPO aplication

by Jeremy The IT Guy In reply to Active Directory GPO apli ...

You ask how and when and I gave you the answer, atleast to when. The how is a bit more difficult to explain. Since the policy is refreshed on a random interval (90 + (0 to 30)), it's easy to think that they aren't being refreshed. The policy is initially set when the user logs onto the machine and refreshes in the interval set by you. With something like this, where it's not locked down and can be modified, it's easy to bypass the GPO settings all together. By the way...is this a domain GPO, a GPO linked to an Organizational Unit or a Local GPO for the system? All these are factors in why this isn't working. I've come to realize that the GPO isn't fool-proof as alot of the stuff locked down by GPO can be bypassed by a good user. What you see is only achievable by the method you spoke of by locking down the settings. If they aren't locked down, they can be changed. Later, Jeremy

Collapse -

Active Directory GPO aplication

by Rackin In reply to Active Directory GPO apli ...

You are right that I asked the original question poorly. I am trying to find out what is causing the policy not to be applied to the system after it has been applied the first time. It is a Domain policy and the only reason that I do not have it locked down right now is to try and troubleshoot problems with it applying. We are still only applying it to our test group. My understanding is just as you said that a policy should be applied at the system startup (for machine policies) and at login (for user policies). The policy usually applied the first time a user or system is added to the group of test users, but it does not appear to apply it to the system again unless you go change the policy setting. It seems to think that the policy is applied right and leaves the system alone. Since policies are not suppose to be permanent in win2k, but applied only if the user and computer have the policy assigned to them, I am confused why it is not applying the settings at each log in putting the system back to a state of being in compliance with the policy. My question is is this normal behavior for group policy, or do I have something wrong, and if so any ideas what.

Hope that is a better question.

Thanks

Rod

Collapse -

Active Directory GPO aplication

by Jeremy The IT Guy In reply to Active Directory GPO apli ...

I'm doing more digging. There is no reason it shouldn't update/refresh. I went to MS and looked at a White Paper they had on troubleshooting GPO and nothing seems to stick out as reasons it's not updating. I'll be back later with a better answer.

Collapse -

Active Directory GPO aplication

by Rackin In reply to Active Directory GPO apli ...

Thanks,

I am doing some testing in the test lab. I am thinking that it I may have a screwed up GPO, maybe remaking it will fix it.

Thanks

Rod

Collapse -

Active Directory GPO aplication

by Spanky In reply to Active Directory GPO apli ...

It is possible that this is a leftover behavior of the Pre-Windows 2000 settings. Prior to Group Policy settings for Internet Explorer, any customization or restriction had to be created with an Internet Explorer Administration Kit (IEAK) package, which incremented a counter in it's setting file every time it was updated so that the client machine could determine if there was a newer version to apply. Trying to put together a test system for this scenario, will follow up when/if I'm able to verify.

Collapse -

Active Directory GPO aplication

by Rackin In reply to Active Directory GPO apli ...

We just figured this out, but you are on the right track so you can have the points. We had created a custom browser for the company with the IEAK. Those settings are per computer not per login, and were interfering with the GPO settings. We removed the custom browser and it works just fine now. I had forgotten that we had used the IEAK so it did not think of it until today when we were playing with it. Anyway thanks for all of the feedback.

Rod

Back to Windows Forum
11 total posts (Page 1 of 2)   01 | 02   Next

Related Discussions

Related Forums