Hello,



I am running W2K servers sp4, I created a new GPO for a machine OU on a XP

pro box in user configuration. The new GPO shows up in AD under the right OU

but I receive the below message, what could be causing the  Lockdown GPO

Filtering:  Not Applied (Empty)??



Any insight would be great!

Ted



COMPUTER SETTINGS

------------------

CN=OCC38034,OU=Nursing Test GP,OU=Labs,DC=Testnet,DC=edu

Last time Group Policy was applied: 11/17/2004 at 4:13:52 PM

Group Policy was applied from:      mastertn.Testnet.edu

Group Policy slow link threshold:   500 kbps



Applied Group Policy Objects

-----------------------------

Default Domain Policy

Local Group Policy



The following GPOs were not applied because they were filtered out

-------------------------------------------------------------------

Lockdown GPO

Filtering:  Not Applied (Empty)



The computer is a part of the following security groups:

--------------------------------------------------------

BUILTIN\Administrators

Everyone

BUILTIN\Users

NT AUTHORITY\NETWORK

NT AUTHORITY\Authenticated Users

OCC38034$

Domain Computers





USER SETTINGS

--------------

CN=Administrator,CN=Users,DC=Testnet,DC=edu

Last time Group Policy was applied: 11/17/2004 at 4:13:52 PM

Group Policy was applied from:      mastertn.Testnet.edu

Group Policy slow link threshold:   500 kbps



Applied Group Policy Objects

-----------------------------

Default Domain Policy

Local Group Policy



The user is a part of the following security groups:

----------------------------------------------------

Domain Users

Everyone

BUILTIN\Users

BUILTIN\Administrators

NT AUTHORITY\INTERACTIVE

NT AUTHORITY\Authenticated Users

LOCAL

Group Policy Creator Owners

Exchange Domain Servers

Domain Admins

Schema Admins

Enterprise Admins

Exchange Enterprise Servers

Actually I don't quite understand about "created a new GPO for a machine OU

on a XP pro box in user configuration".



If you mean you set the GPO settings in the User Configuration and you apply

the GPO to an OU containing the machine account only, then this is the where

the problem is. You need to place the user account into the OU which you

apply the GPO.



BR,

Denis



"Ted" wrote:



> Hello,

>

> I am running W2K servers sp4, I created a new GPO for a machine OU on a XP

> pro box in user configuration. The new GPO shows up in AD under the right OU

> but I receive the below message, what could be causing the  Lockdown GPO

>      Filtering:  Not Applied (Empty)??

>

> Any insight would be great!

> Ted

>

> COMPUTER SETTINGS

> ------------------

>     CN=OCC38034,OU=Nursing Test GP,OU=Labs,DC=Testnet,DC=edu

>     Last time Group Policy was applied: 11/17/2004 at 4:13:52 PM

>     Group Policy was applied from:      mastertn.Testnet.edu

>     Group Policy slow link threshold:   500 kbps

>

>     Applied Group Policy Objects

>     -----------------------------

>         Default Domain Policy

>         Local Group Policy

>

>     The following GPOs were not applied because they were filtered out

>     -------------------------------------------------------------------

>         Lockdown GPO

>             Filtering:  Not Applied (Empty)

>

>     The computer is a part of the following security groups:

>     --------------------------------------------------------

>         BUILTIN\Administrators

>         Everyone

>         BUILTIN\Users

>         NT AUTHORITY\NETWORK

>         NT AUTHORITY\Authenticated Users

>         OCC38034$

>         Domain Computers

>

>

> USER SETTINGS

> --------------

>     CN=Administrator,CN=Users,DC=Testnet,DC=edu

>     Last time Group Policy was applied: 11/17/2004 at 4:13:52 PM

>     Group Policy was applied from:      mastertn.Testnet.edu

>     Group Policy slow link threshold:   500 kbps

>

>     Applied Group Policy Objects

>     -----------------------------

>         Default Domain Policy

>         Local Group Policy

>

>     The user is a part of the following security groups:

>     ----------------------------------------------------

>         Domain Users

>         Everyone

>         BUILTIN\Users

>         BUILTIN\Administrators

>         NT AUTHORITY\INTERACTIVE

>         NT AUTHORITY\Authenticated Users

>         LOCAL

>         Group Policy Creator Owners

>         Exchange Domain Servers

>         Domain Admins

>         Schema Admins

>         Enterprise Admins

>         Exchange Enterprise Servers

To add to what Dennis said, the results in COMPUTER SETTINGS tell you that

the GPO called LockDown GPO applies to the computer account, but that there

are no settings in the Computer Configuration part of the GPO, so there was

nothing to apply.



Further down under "USER SETTINGS", the LockDown GPO is not listed, so that

GPO has not been linked to the OU containing the user's account.



--

Bruce Sanderson MVP Printing



It is perfectly useless to know the right answer to the wrong question.







"Ted" <Ted@discussions.microsoft.com> wrote in message

news:0865FA1A-87DD-42A2-B4AA-BB9274F40135@microsoft.com...

> Hello,

>

> I am running W2K servers sp4, I created a new GPO for a machine OU on a XP

> pro box in user configuration. The new GPO shows up in AD under the right

> OU

> but I receive the below message, what could be causing the  Lockdown GPO

>     Filtering:  Not Applied (Empty)??

>

> Any insight would be great!

> Ted

>

> COMPUTER SETTINGS

> ------------------

>    CN=OCC38034,OU=Nursing Test GP,OU=Labs,DC=Testnet,DC=edu

>    Last time Group Policy was applied: 11/17/2004 at 4:13:52 PM

>    Group Policy was applied from:      mastertn.Testnet.edu

>    Group Policy slow link threshold:   500 kbps

>

>    Applied Group Policy Objects

>    -----------------------------

>        Default Domain Policy

>        Local Group Policy

>

>    The following GPOs were not applied because they were filtered out

>    -------------------------------------------------------------------

>        Lockdown GPO

>            Filtering:  Not Applied (Empty)

>

>    The computer is a part of the following security groups:

>    --------------------------------------------------------

>        BUILTIN\Administrators

>        Everyone

>        BUILTIN\Users

>        NT AUTHORITY\NETWORK

>        NT AUTHORITY\Authenticated Users

>        OCC38034$

>        Domain Computers

>

>

> USER SETTINGS

> --------------

>    CN=Administrator,CN=Users,DC=Testnet,DC=edu

>    Last time Group Policy was applied: 11/17/2004 at 4:13:52 PM

>    Group Policy was applied from:      mastertn.Testnet.edu

>    Group Policy slow link threshold:   500 kbps

>

>    Applied Group Policy Objects

>    -----------------------------

>        Default Domain Policy

>        Local Group Policy

>

>    The user is a part of the following security groups:

>    ----------------------------------------------------

>        Domain Users

>        Everyone

>        BUILTIN\Users

>        BUILTIN\Administrators

>        NT AUTHORITY\INTERACTIVE

>        NT AUTHORITY\Authenticated Users

>        LOCAL

>        Group Policy Creator Owners

>        Exchange Domain Servers

>        Domain Admins

>        Schema Admins

>        Enterprise Admins

>        Exchange Enterprise Servers

I'm having the same problem. I have basically the same settings. The only weird thing is that on the GPO, I have a password policy and the SUS ADM file configuration. I get the same as stated before. The only thing is that the SUS configuration doesn't work, but the password policy works. 



I only have one OU with one policy.












	
Quote:
	

	

		

			
				Originally posted by Ted 

Hello,



I am running W2K servers sp4, I created a new GPO for a machine OU on a XP

pro box in user configuration. The new GPO shows up in AD under the right OU

but I receive the below message, what could be causing the  Lockdown GPO

Filtering:  Not Applied (Empty)??



Any insight would be great!

Ted



COMPUTER SETTINGS

------------------

CN=OCC38034,OU=Nursing Test GP,OU=Labs,DC=Testnet,DC=edu

Last time Group Policy was applied: 11/17/2004 at 4:13:52 PM

Group Policy was applied from:      mastertn.Testnet.edu

Group Policy slow link threshold:   500 kbps



Applied Group Policy Objects

-----------------------------

Default Domain Policy

Local Group Policy



The following GPOs were not applied because they were filtered out

-------------------------------------------------------------------

Lockdown GPO

Filtering:  Not Applied (Empty)



The computer is a part of the following security groups:

--------------------------------------------------------

BUILTIN\Administrators

Everyone

BUILTIN\Users

NT AUTHORITY\NETWORK

NT AUTHORITY\Authenticated Users

OCC38034$

Domain Computers





USER SETTINGS

--------------

CN=Administrator,CN=Users,DC=Testnet,DC=edu

Last time Group Policy was applied: 11/17/2004 at 4:13:52 PM

Group Policy was applied from:      mastertn.Testnet.edu

Group Policy slow link threshold:   500 kbps



Applied Group Policy Objects

-----------------------------

Default Domain Policy

Local Group Policy



The user is a part of the following security groups:

----------------------------------------------------

Domain Users

Everyone

BUILTIN\Users

BUILTIN\Administrators

NT AUTHORITY\INTERACTIVE

NT AUTHORITY\Authenticated Users

LOCAL

Group Policy Creator Owners

Exchange Domain Servers

Domain Admins

Schema Admins

Enterprise Admins

Exchange Enterprise Servers 
			
		
	
	

Settings in the User Configuration part of a GPO are ONLY applied to USER

ACCOUNTS that are present in the OU to which the GPO is linked.  If that OU

only has COMPUTER ACCOUNTS, the User Configuration part of the GPO will be

ignored.



If a GPO that ONLY has User Configuration settings is applied to an OU that

has Computer Accounts, RSOP will report that GPO as Empty in the Computer

Configuration part of its report.



That's what the report you posted is saying.



a. The GPO called  "Lockdown GPO" is linked to the OU called "Nursing Test

GP" that has the Computer Account for the computer called "OCC38034", but

there are no settings in the Computer Configuration part of that GPO (thus

the GPO is Empty in that sense).



b. The User Account called "Administrator" is in the OU called "Users" and

the only GPO that applies to that OU is the Default Domain Policy (which

does have some User Configuration settings).



So, to get the settings in the Lockdown GPO applied, link it to the OU

containing the Administrator user account (e.g. Users).



However, exercise caution.  If you apply this GPO to the Users GPO and all

of your accounts, including Administrator are in there, you could end up

"locking down" the Administrator account so that it is useless!  This is

called "shooting yourself in the foot via GPO".



Better to try out the GPO on an OU that has a less important user account in

it first!



The settings in the User Configuration part of a GPO are applied to the User

whose User Account is in an OU to which the GPO is linked (or inherited)

when that user logs on at any computer.



The settings in the Computer Configuration part of a GPO are applied to the

computer whose Computer Account is in an OU to which the GPO is linked (or

inherited) when that computer starts and periodically thereafter.



(Note that you can use the gpupdate command to get changes to Group Policies

applied immediately (use the command gpupdate /? to see the options

available)).



This is a fundamental, but not necessarily obvious, concept with Group

Policies.  For this reason, to keep my life simple, I have established for

myself, these simple rules:



1. do not mix user accounts and computer accounts in the same OU.

2. do not mix User Configuration settings and Computer Configuration

settings in the same GPO

3. link GPOs with User Configuration settings only to OUs with User Accounts

and link GPOs with Computer Configuration Settings only to OUs with Computer

Accounts



Link all simple rules, there are some situations where setting them aside

makes sense, but there must be a good, rational reason for doing so.  One

such reason is when "loopback processing" is used, but that's a story for

another day.



End of Lecture!



Hope this helps!

--

Bruce Sanderson  MVP



It is perfectly useless to know the right answer to the wrong question.





"jesusq" <jesusq.1gz0a7@mail.mcse.ms> wrote in message

news:jesusq.1gz0a7@mail.mcse.ms...

>

> I'm having the same problem. I have basically the same settings. The

> only weird thing is that on the GPO, I have a password policy and the

> SUS ADM file configuration. I get the same as stated before. The only

> thing is that the SUS configuration doesn't work, but the password

> policy works.

>

> I only have one OU with one policy.

>

>

>

>

>

> Ted wrote: 

>

>

>

> --

> jesusq

> ------------------------------------------------------------------------

> Posted via http://www.mcse.ms

> ------------------------------------------------------------------------

> View this thread: http://www.mcse.ms/message1230242.html

>