Troubleshooting Group Policies, part 5
Take out insurance on your group policy! Group policies are a primary method for network managers to handle security in Windows 2000. In part five of this series, we describe what to do when existing group policies require repair.
In Part 4 of this article series, I discussed some reasons why an administrator may be unable to open a group policy or make changes to it. A more common problem however is that group policies may not be applied in the manner that you intended. A group policy may not be applied at all, or may not have the intended effect. Weve already covered some best practices for ensuring that group policies are implemented in a manner that allows them to work correctly. In this article, well discuss what to do if the group policies have already been implemented and are in need of repair.
Almost all of the problems that can cause group policies to not be applied result from either the way that they were implemented or because of network problems. Remember that except for local group policies, group policies reside in the Active Directory. Therefore, if a particular user cant access the Active Directory, then theres no way that group policies contained within it can be applied. To get around this potential problem, make sure that a problem users machine is set to authenticate into a domain, and has the correct DNS configuration. You should also double check the Active Directory to make sure that the users account is actually in a place where the policy would apply to it. For example, if the policy exists at the OU level, then make sure that the user is actually a part of that OU.
A good way of checking to see if network problems are to blame is to have a user whose group policies are working to log in at the problem users workstation. If the user is able to log in and their group policies are still applied correctly, then the network hardware is functional. There may still be an organizational problem in the Active Directory, but the hardware and software required for processing a group policy are functional.
If you do determine that an organizational issue is to blame then its important to remember the group policy hierarchy. If youve been applying group policy settings at the local level then that may be the problem. Local group policy objects represent the lowest possible level of the group policy hierarchy and are over ridden by higher level policies.
If you have been implementing group policy objects at the higher levels (such as at the domain or at the OU levels), then the trick is to make sure that the user whos having problems actually belongs to the domain or OU that the group policy object applies to. Youll also need to check to make sure that nothing is set to block a policys inheritance.