GPO Anomaly.. Or not?
Hi
I have an issue with Group policy which hopefully someone can help or explain. I am setting a GPO at OU level to a number of users.
User>windows settings>Internet Explorer maintenance>URL's>Important URLS "Homepage"
The Local Group policy that is set on some of the machines conflicts with the domain GPO I am setting and is taking precedence.
This defies all logic I have read that the ou policy should take precedence over the local policy as the ou policy is last applied.
Hope someone can explain! [:)]
Answers (7)
Posted by:
jcarri06
15 years ago
The domain GPO should overwrite the local GPO. Are you sure your machines/users are getting the updated GPO? Do a "gpupdate /force" to make sure the GPO is brought down. Also, run an "rsop.msc" to see what the GPO result set is on the machine. There it will tell you which policy is doing what.
- J
Posted by:
pheonixman27
15 years ago
ORIGINAL: jcarri06
The domain GPO should overwrite the local GPO. Are you sure your machines/users are getting the updated GPO? Do a "gpupdate /force" to make sure the GPO is brought down. Also, run an "rsop.msc" to see what the GPO result set is on the machine. There it will tell you which policy is doing what.
- J
Hi
Thanks for the quick response, yes they are getting the policy and when I run RSOP on the machines the Local Policy is top in precedence order and then the ou policy is next!
I have even tried creating a new GPO with the IE setting and that also shows in RSOP but below the Local in order of precedence.
I know what you are saying and I tested the theory on my test vm setup and it works as expected with the OU taking precedence over local, I am at my wits end with this one and have combed the internet without success.
Posted by:
jcarri06
15 years ago
Have you tried removing/adding the machine back to the domain (just to test)? Also, any chance that setting is being applied through any other means? Lastly, have you tried overriding any other setting of the LGPO with the OU GPO? I'm curious if this is the only setting that the OU GPO is not able to override which could lead to the IE settings being implemented through some other means (direct registry modifications) rather than the LGPO (smoke and mirrors).
Just some food for thought :).
- J
Posted by:
revizor
15 years ago
Not 100% sure LGPO will have much bearing on a domain user account in your situation.
However, try deleting the profile out of Documents and Settings (if on W2k3/ XP). Make sure no roaming/flex profiles apply. Log on and see if IE branding runs. Test then.
Also, to eliminate the unknowns, modify the homepage to something "unique" in LGPO and see if the change reflects. Or remove the LGPO setting completely.
In addition, go over registry HKCU settings for IE and see what you get in both Policy and regular IE start page settings.
And, just to make clear, you set your settings as "Policy", and not "Preferences" for IE, correct?
Logs are generally helpful in troubleshooting GPOs - do you get any errors in the Event Log, or the GPO logs in:
C:\WINDOWS\Debug\UserMode
%userprofile%\Local Settings\Application Data\Microsoft\Internet Explorer
We did have a similar sporadic issue with the setting you described in our AD 2+ years ago that made us resort to a logon script to set the start page. If I recall it right, the explanation had something to do with either the version of AD or the adm templates, or permissions on a file inside SYSVOL policy component file.
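The registry comparison suggested in the post above, as an added example that is not part of the original thread: it reads the IE "Start Page" value from the policy key and the regular key under HKCU for the logged-on user and reports where the home page is coming from. The `$ExpectedUrl` default is a hypothetical placeholder for the URL configured in the OU-linked GPO.

```powershell
param(
    # Hypothetical placeholder: the home page configured in the OU-linked GPO.
    [string]$ExpectedUrl = 'http://intranet.example/'
)

# The two per-user locations that can hold an IE home page.
$locations = @(
    @{ Source = 'Policy';  Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main' },
    @{ Source = 'Regular'; Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main' }
)

$found = foreach ($loc in $locations) {
    $value = $null
    # A missing key or value is expected here, so suppress the error and keep $null.
    $item = Get-ItemProperty -Path $loc.Path -Name 'Start Page' -ErrorAction SilentlyContinue
    if ($item) { $value = $item.'Start Page' }
    New-Object PSObject -Property @{
        Source          = $loc.Source
        StartPage       = $value
        MatchesExpected = ($value -eq $ExpectedUrl)
    }
}

$found | Format-Table Source, StartPage, MatchesExpected -AutoSize

$policy  = $found | Where-Object { $_.Source -eq 'Policy' }
$regular = $found | Where-Object { $_.Source -eq 'Regular' }

if ($policy.StartPage) {
    "Policy key sets the home page: $($policy.StartPage)"
} elseif ($regular.StartPage) {
    "No policy value; home page comes from the regular key: $($regular.StartPage)"
} else {
    "No 'Start Page' value found in either key for this user."
}

if ($policy.StartPage -and $regular.StartPage -and ($policy.StartPage -ne $regular.StartPage)) {
    "The two keys disagree; check what last wrote the regular key (IE branding, a logon script, or the user)."
}
```

Run it as the affected user after a `gpupdate /force` and a fresh logon, so the values reflect what policy processing and IE branding actually left behind.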
Posted by:
pheonixman27
15 years ago
Hi quick update on what I have tried so far.
I have created a new Group policy and assigned this to another ou and moved a test user account into that ou and still get the same result on the xp client with Local precedence higher than the ou policy. The strange thing I have noticed when I run RSOP and look at precedence it shows two for both like this.
Domain Policy (Disabled)
Local Policy
Ou Policy
Local Policy
Ou Policy
I tried to make more changes in the ou policy to see if it was just internet explorer, like disable the run and search from the start menu and counter this by enabling with the Local policy and Local is still winning.
I am currently building an XP Client from scratch and will try to see if I get the same result?