Focus on Microsoft
RE: Group policy help needed!!! Dec 10 2004 10:45AM
Burak Bayoglu (bayoglu uekae tubitak gov tr) (1 replies)
RE: Group policy help needed!!! Dec 14 2004 08:52PM
Rob McShinsky (Rob McShinsky com)
Some simple gotchas with Application of GPOs

1. Make sure an administrator other than yourself did not set up a deny
group. True, if you set up a policy to apply to all systems within an OU, they
should get it, but if there is a group of servers within the OU you are
applying to that you want to not get the server, common practice is to put
these into a group and deny apply policy to them.

2. Sorry if this is too simple, but I have had this happen before. You
apply the policy to Authenticated Users instead of Domain Computers or to
the specific group of computer objects.

-----Original Message-----
From: Burak Bayoglu [mailto:bayoglu (at) uekae.tubitak.gov (dot) tr]
Sent: Friday, December 10, 2004 5:46 AM
To: laurarobinson (at) verizon (dot) net; 'Peter Rodger'; focus-ms (at) securityfocus (dot) com
Subject: RE: Group policy help needed!!!

It is *technically* true that any server in the corresponding OU should
receive the group policy, but I saw many, many examples where some group
policy settings are not successfully applied *for some reason* although they
should. It is certain that if everything is OK group policy is successfully
applied to all servers, but it may be interrupted by plenty of technical
reasons that we mostly meet in large enterprise systems (replication
problems, time synchronization, DNS problems, connectivity, etc.). As Laura
says, "Any server that is **supposed** to receive a policy should receive
the policy." Unfortunately we can only **suppose** that all the servers will
apply the policy in the time interval we expect in a large and distributed
domain.

B.B.

-----Original Message-----
From: Laura A. Robinson [mailto:laurarobinson (at) verizon (dot) net]
Sent: Friday, December 10, 2004 5:21 AM
To: bayoglu (at) uekae.tubitak.gov (dot) tr; 'Peter Rodger'; focus-ms (at) securityfocus (dot) com
Subject: RE: Group policy help needed!!!

> It is an expected result that not all the servers in the
> domain successfully apply the policy in a w2k active
> directory domain.

No, it isn't. Any server that is supposed to receive a policy
*should* receive the policy.

Laura
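
Added example, not part of the original thread: a simplified Python model of the GPO security filtering that the first gotcha in Rob's reply refers to, where a GPO applies to a computer only if it is allowed both Read and Apply Group Policy and no Deny entry matches one of its groups. The group names, server names and ACL entries are constructed sample data, and the model ignores everything else that affects policy application (link order, inheritance, replication).

```python
# Added example: simplified model of GPO security filtering (assumed sample data,
# not real Active Directory ACL evaluation).
from dataclasses import dataclass

READ, APPLY = "Read", "Apply Group Policy"

@dataclass(frozen=True)
class Ace:
    trustee: str   # group the entry is granted to (hypothetical names below)
    right: str     # READ or APPLY
    allow: bool    # False means a Deny entry

def gpo_applies(aces, memberships):
    """Return (applies, reason) for a computer with the given group memberships."""
    relevant = [a for a in aces if a.trustee in memberships]
    # A matching Deny entry wins over any Allow entry.
    for right in (READ, APPLY):
        denied = [a.trustee for a in relevant if a.right == right and not a.allow]
        if denied:
            return False, f"Deny {right} via {denied[0]}"
    # Both rights must be explicitly allowed through some group.
    for right in (READ, APPLY):
        if not any(a.right == right and a.allow for a in relevant):
            return False, f"no Allow {right}"
    return True, "Read and Apply Group Policy allowed"

def audit(aces, computers):
    """Evaluate every computer in the OU against the GPO's filtering entries."""
    return {name: gpo_applies(aces, groups) for name, groups in computers.items()}

# Constructed sample data: one GPO filtered to a server group, plus a deny group.
SAMPLE_ACES = [
    Ace("OU-Servers", READ, True),
    Ace("OU-Servers", APPLY, True),
    Ace("GPO-Exempt-Servers", APPLY, False),
]
SAMPLE_COMPUTERS = {
    "SRV01": {"Domain Computers", "OU-Servers"},
    "SRV02": {"Domain Computers", "OU-Servers", "GPO-Exempt-Servers"},
    "SRV03": {"Domain Computers"},
}

if __name__ == "__main__":
    for name, (ok, why) in audit(SAMPLE_ACES, SAMPLE_COMPUTERS).items():
        print(f"{name}: {'applies' if ok else 'filtered out'} ({why})")
```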

Copyright 2009, SecurityFocus