Applying Group Policies in Windows 2008 Server

peterattheboro · 20 May 2008 at 16:01

I currently have 2008 server running on a virtual machine and have successfully added my laptop to the domain.

Now i'm trying to set the homepage to the laptop from...

User Config > Administrative Templates > Windows Components > Internet Explorer > disable changing home page settings.

IE on the server is configured correctly and is how I want it but it still hasn't applied to the laptop.

I've also tried Windows Settings > Internet Explorer Mainentance, but i've had no joy.

What am I missing?

madman045 · 20 May 2008 at 16:42

What OS does your laptop have, XP, Vista Business or Vista Ultimate?

http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part1.html

Not sure if anything with in that may point you in the right direction.

peterattheboro · 20 May 2008 at 16:46

Sorry. It's Vista.

And cheers

redellion · 20 May 2008 at 16:50

make sure you have admin rights on the laptops C drive or the changes wont apply, might be worth adding the domains admin account to users on the laptop too.

epswat · 20 May 2008 at 17:11

Reboot the laptop and be patient are 2 words of advice.

Policies (at least on W23K) sometimes take a while to apply to clients.

Also try gpupdate /force on the laptop followed by a reboot.

peterattheboro · 20 May 2008 at 21:45

epswat said:
Reboot the laptop and be patient are 2 words of advice.

Policies (at least on W23K) sometimes take a while to apply to clients.

Also try gpupdate /force on the laptop followed by a reboot.

Believe me I was!

Our 2000 server running Exchange with 80 odd computers beat my 2008 server which only had a laptop connected to it!

I'll try everything that's been suggested tomorrow when i'm back in work.

Cheers!

Flareon · 21 May 2008 at 00:30

I assume you know that this is a per-user configuration, and applying it to the machine will do nothing!

Run a "gpresult" on the laptop. It'll pull the RSOP for the machine and currently logged on user. If your policy is applying it should be listed.

After that try running the full RSOP (Resultant Set Of Policy) snap in using "rsop.msc". That will show you the final policies as applied, and therefore the current configuration.

Felix · 21 May 2008 at 10:43

Flareon said:
I assume you know that this is a per-user configuration, and applying it to the machine will do nothing!

From his first post he appears to be applying it to the user section.

Flareon · 21 May 2008 at 20:21

Felix said:
From his first post he appears to be applying it to the user section.

Hm yeh how did I miss that

Stolly · 21 May 2008 at 20:24

redellion said:
make sure you have admin rights on the laptops C drive or the changes wont apply, might be worth adding the domains admin account to users on the laptop too.

ummm no users don't have to be domain admins to have policies applied to them.

Flareon · 22 May 2008 at 00:51

Stolly said:
ummm no users don't have to be domain admins to have policies applied to them.

Edit: why can't I put in the acronym for "quoted for truth"?

mr.bond · 24 May 2008 at 12:22

Stolly said:
ummm no users don't have to be domain admins to have policies applied to them.

Nor do the domain admins group need to be added to the local admins group on a workstation. They're added automatically when the machine is joined to the domain. (Unless it's changed in 2k8)

mr.bond · 24 May 2008 at 12:24

peterattheboro said:
I currently have 2008 server running on a virtual machine and have successfully added my laptop to the domain.

Now i'm trying to set the homepage to the laptop from...

User Config > Administrative Templates > Windows Components > Internet Explorer > disable changing home page settings.

IE on the server is configured correctly and is how I want it but it still hasn't applied to the laptop.

I've also tried Windows Settings > Internet Explorer Mainentance, but i've had no joy.

What am I missing?

Which GPO are you editing? Default Domain Policy, Default Domain Controller Policy, or one you've created yourself?

If you have created one yourself, where is the GPO linked to exactly?

Stolly · 24 May 2008 at 19:16

Never ever change the default domain policy.

Always create a new one.

tbz_ck · 27 May 2008 at 14:24

Stolly said:
Never ever change the default domain policy.

Always create a new one.

Why?

So I can't add proxy server details for IE on a default domain policy?

So I can't set password auditing and requirements on a default domain policy?

Whats your rationale for this. It seems like a throwaway comment tbh

Stolly · 27 May 2008 at 19:18

tbz_ck said:
Why?

So I can't add proxy server details for IE on a default domain policy?

So I can't set password auditing and requirements on a default domain policy?

Whats your rationale for this. It seems like a throwaway comment tbh

Best practice with policy settings is to limit their scope to the people / computers who you really want to manage, the default domain, security, and DC policies do not allow you to do this. With many policies rather than everything in one you can be more granular in your targetting, based on OU and group membership.

Twice i have been charged out to customers who have edited the default policies, change something that had an unexpected impact and were unable to fix them. Had they created specific policies they would have been able to fix or at least troubleshoot the issue. One was an easy fix, the other had locked out all the users including the administrator. Luckily it was a dev environment so no users were impacted, but the 2 week SMS proof of concept running in there was lost, putting a project back and costing thousands.

Also, from a management point of view it is much easier to work with seperate policies that are clearly named in relation to what they do, rather than run a report against one policy and finding its been buggered about with by a dozen people to do 50-odd different things.

Thats just my experience, ymmv.

Felix · 27 May 2008 at 22:50

I agree with stolly, obviously naming the policies with what they do helps too!

tbz_ck · 28 May 2008 at 13:21

Stolly said:
Best practice with policy settings is to limit their scope to the people / computers who you really want to manage, the default domain, security, and DC policies do not allow you to do this. With many policies rather than everything in one you can be more granular in your targetting, based on OU and group membership.

Twice i have been charged out to customers who have edited the default policies, change something that had an unexpected impact and were unable to fix them. Had they created specific policies they would have been able to fix or at least troubleshoot the issue. One was an easy fix, the other had locked out all the users including the administrator. Luckily it was a dev environment so no users were impacted, but the 2 week SMS proof of concept running in there was lost, putting a project back and costing thousands.

Also, from a management point of view it is much easier to work with seperate policies that are clearly named in relation to what they do, rather than run a report against one policy and finding its been buggered about with by a dozen people to do 50-odd different things.

Thats just my experience, ymmv.

I agree that where you need granularity you should create additional group policies. But where you need settings uniform across the entire domain (like in our case, Internet proxy settings, and password policies) I see no reason not to use the default domain policy.

Anything else I'd use separate policies (and frequently do!)

Not sure yet what 2008 brings to the table re: GP's but I'll be giving it a go later in the year.