  1. Senior Member
    Join Date
    Dec 2007
    Location
    Bay Area, California
    Posts
    430

    Certifications
    A+, Network+, MCP, MCDST, MCTS; Vista
    #1

    Applying Security Template Through GPOs

    Ok here is my current setup:

    1) Domain controller
    Computer name: PDC
    Domain: TechLabs2003.local @ 172.16.0.2

    2) Member Server
    Computer name: Member1
    Joined to TechLabs2003.local
    IP: 172.16.0.3 with DNS @ 172.16.0.2

    Both are running Server 2003 Enterprise with NO SP

    I created a new OU named Member Servers on the domain controller. Moved Member1 out of the computers container into the Member Servers OU.

    Then created a new security template on the domain controller called Member Servers Template. Defined password & auditing settings.

    Then I right-clicked on the Member Servers OU and created a new group policy called GPO SECURITY POLICY FOR ALL MEMBER SERVERS.

    Finally I drilled down into Computer Settings > Security Settings. Right-clicked on that and clicked import policy. I applied my security template. Ran GPUPDATE on Member1. Then ran GPRESULT and all I see being applied is default domain policy.

    Shouldn't I see my template being applied?

    Oh and I tried running gpupdate /force. Also made sure DNS is working properly and everyone is connected. No luck. Any suggestions? I currently access both servers from my Vista machine via remote desktop.

  3. Senior Member
    Join Date
    Dec 2007
    Location
    Bay Area, California
    Posts
    430

    Certifications
    A+, Network+, MCP, MCDST, MCTS; Vista
    #2
    Well, never mind, looks like I didn't give it enough time to update group policy? How is this possible? I used the /force switch. Also, before I got it working and ran GPRESULT, I ticked block policy inheritance.

    Was it because I ticked that box or because I didn't give it enough time?

  4. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #3
    Block policy inheritance simply prevents the OU from inheriting GPOs from higher up the hierarchy (unless they have no override specified). It wouldn't affect the time in which the policy was refreshed. Member servers and clients are updated every 90 minutes with an offset of +/- 30 minutes, and DCs are every five minutes.

    Did you restart the member server? Sometimes computer settings require a reboot, so the automatic refresh or gpupdate can't make them take effect.

  5. Senior Member
    Join Date
    Dec 2007
    Location
    Bay Area, California
    Posts
    430

    Certifications
    A+, Network+, MCP, MCDST, MCTS; Vista
    #4
    Originally Posted by dynamik:
    "Block policy inheritance simply prevents the OU from inheriting GPOs from higher up the hierarchy (unless they have no override specified). It wouldn't affect the time in which the policy was refreshed. Member servers and clients are updated every 90 minutes with an offset of +/- 30 minutes, and DCs are every five minutes.

    Did you restart the member server? Sometimes computer settings require a reboot, so the automatic refresh or gpupdate can't make them take effect."

    Nope.

    I thought the GPUPDATE /force switch would update the policy immediately? The only policy settings I configured were password and auditing.

  6. New Member royal
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #5
    Yep, like dynamik said, some updated computer policies require you to reboot. Heck, some computer policies actually require you to reboot twice. Once to get the policy applied, but since asynchronous logon is enabled, the user might log on before the computer policy actually applies. If your policy is one of those, the computer policy will apply during/after user logon and you will have to reboot a second time for the policies to actually show up properly. Or you can enable synchronous logon (default in 2k) so you would only have to reboot once for these policies, since the computer will wait for all computer settings to apply before winlogon allows you to log on.
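
Added example, not part of any post in this thread and not Microsoft's code: a Python sketch that reads GPRESULT text output and reports whether the OU-linked GPO appears under the computer's applied list, which is the check the original poster was doing by eye. The sample report is constructed, the section headings are assumed to match the tool's English-language output, and `sample_report`, `gpo_lists` and `gpo_status` are hypothetical helper names.

```python
TARGET = "GPO SECURITY POLICY FOR ALL MEMBER SERVERS"  # GPO name from the thread
HEADINGS = {"Applied Group Policy Objects": "applied",
            "The following GPOs were not applied because they were filtered out": "filtered"}

def sample_report(applied):
    """Constructed gpresult-style text, not captured from a real host."""
    rows = "\n".join("        " + name for name in applied)
    return f"""COMPUTER SETTINGS
------------------
    CN=MEMBER1,OU=Member Servers,DC=TechLabs2003,DC=local

    Applied Group Policy Objects
    -----------------------------
{rows}

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Constructed User GPO
"""

def gpo_lists(report, scope="COMPUTER SETTINGS"):
    """Collect applied and filtered-out GPO names for one scope of the report."""
    lines = [line.strip() for line in report.splitlines()]
    found = {"applied": [], "filtered": []}
    in_scope, bucket = False, None
    for i, text in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt and set(nxt) == {"-"}:  # a heading is any line with a dashed underline
            if text.endswith(" SETTINGS"):
                in_scope = text == scope
            bucket = HEADINGS.get(text)  # None for any other section: stop collecting
        elif in_scope and bucket and text.strip("-") and not text.startswith("Filtering:"):
            found[bucket].append(text)
    return found

def gpo_status(report, gpo_name):
    """Return 'applied', 'filtered' or 'missing' for gpo_name in the computer scope."""
    lists = gpo_lists(report)
    for state in ("applied", "filtered"):
        if gpo_name.casefold() in (g.casefold() for g in lists[state]):
            return state
    return "missing"  # not processed yet: wait for refresh, reboot, or check the OU link
```

On a live host the input would be the saved text output of GPRESULT run on Member1; a result of "missing" corresponds to the situation in the first post, where only the default domain policy was listed.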
