Created a GPO for Logon Banner, isn't being pushed for some reason. Other GPOs are working fine, this is the only computer config GPO (others are user config). It is linked and enforced.

Server 2008 R2 Standard 64 bit, 12 Win 7 Pro clients, all 64bit

Computer Configuration> Policies> Windows Settings> Security Settings> Local Policies/Security Options> Interactive Logon
Both title and text are enabled and populated.

Delegation includes Everyone with read access, plus all of the computers with read access (I added the computers in because it was not originally working and I thought this being a computer policy, I needed to add them in).

I ran GPUpdate /force on both the server and a test machine, plus I rebooted a few machines, plus it has been over 72 hours since applied.

Running GPResult shows this GPO as denied, but the reason is “Empty”

Any suggestions what the heck I did wrong or forgot to do?

The reason code for gpresult /r is probably because CMD needs to be run as Administrator. Try doing the same thing as Admin and you should get another reason code.

I am an admin, and ran it as admin:

    The following GPOs were not applied because they were filtered out
    ------------------------------------------------------------------
        PCI-DSS-Logon_Banner
            Filtering:  Not Applied (Empty)

Did you add domain computers to the security filtering?

I added a handful of computers directly by name, let me try adding the domain computers group and I will check again.

Above you mentioned adding computers to the delegation. Domain computers should have been part of the delegation by default. Did you add the handful of computers to the delegation or to the security filtering or both?

Ahhhhhhhhh
I was just adding them to the Delegation tab, I forgot about the Scope tab filtering, took me a second to realize what you meant.
All added to Delegation tab, I will add to Scope tab security filtering and check it again. (Current security filtering just has Authenticated Users)

No dice so far, did gpupdate /force from server and client, rebooted client, gpresult /r still shows filtered out, could be group policy’s weird way of updating, so I might need to wait a bit.

Was the GPO applied to the OU that the computer objects are in?

The OU I am using contains the users and the computers combined

Here is the GPResult of my test machine:

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001
    Created On 2/17/2014 at 10:31:22 AM
    RSOP data for FLEXCORE\josh on THINGAMAJIG : Logging Mode
    ----------------------------------------------------------
    OS Configuration:            Member Workstation
    OS Version:                  6.1.7601
    Site Name:                   Default-First-Site-Name
    Roaming Profile:             N/A
    Local Profile:               C:\Users\Josh
    Connected over a slow link?: No
    COMPUTER SETTINGS
    ------------------
        CN=THINGAMAJIG,CN=Computers,DC=flexcore,DC=local
        Last time Group Policy was applied: 2/17/2014 at 9:52:05 AM
        Group Policy was applied from:      Domain.flexcore.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        FLEXCORE
        Domain Type:                        Windows 2000
        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)
        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            THINGAMAJIG$
            Domain Computers
            System Mandatory Level

    USER SETTINGS
    --------------
        CN=Joshua Obelenus,OU=FlexCoreUsers,DC=flexcore,DC=local
        Last time Group Policy was applied: 2/17/2014 at 9:52:21 AM
        Group Policy was applied from:      Domain.flexcore.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        FLEXCORE
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            UserFolderRedirectGPO
            PCI-DSS_Lockouts
        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)
            PCI-DSS-Logon_Banner
                Filtering:  Not Applied (Empty)
            Default Domain Policy
                Filtering:  Not Applied (Empty)
        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Administrators
            Performance Log Users
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            2FactorPreAuth
            2Factor
            High Mandatory Level

Here are some pics of the GPO (User specific GPOs blocked out, those are for some users with “special” blocks like forcing a proxy for no internet)

Maxed out on pics per post, 1 sec for the last 3

Last 3:

Can you create a single OU and put a test machine in that OU and apply the Computer Configuration to that OU and see if you get the same results? This will at least isolate the issue.

Try disabling the User configuration portion of the GPO, since there are no settings in that section it is a good idea to disable it.

Edit: if you have more than one DC, you may want to force a replication to ensure all changes are replicated across the domain. Wait for replication to finish then try a forced update.

Where do I disable the user portion?
And only 1 DC

Created an OU, moved a test PC to that OU, went back to GP, tried adding that OU to the Scope Security Filtering but it apparently can't be found or used in that way.

Added the computer by name to the security filtering, forced updates, rebooted test PC, and it worked.

Trying with a production PC now. (need to move PC from Computers OU to FlexCoreComputers OU, then in GP add that PC by name to the Scope)

Thank you all!

I moved all PCs to the new OU, then added the PCs to the scope, I forced GPUpdate on the server and a few of the clients and they are working now. The rest of the clients should update after tonight’s reboot.

Thank you again!
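
The checks this thread worked through by hand (where the computer object lives, whether the GPO is linked in scope for it, who holds Apply in security filtering, and whether the computer half of the GPO is enabled), gathered into one PowerShell function. This is an added example, not code from any poster; the function name is hypothetical, the computer and GPO names in the sample call are the ones shown in the thread, and it assumes the ActiveDirectory and GroupPolicy modules are installed.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory and GroupPolicy
# modules (RSAT or a DC). Test-GpoReachesComputer is a hypothetical helper name.
Import-Module ActiveDirectory, GroupPolicy

function Test-GpoReachesComputer {
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [Parameter(Mandatory = $true)] [string] $GpoName
    )
    $computer = Get-ADComputer -Identity $ComputerName
    # Parent of the computer object: the DN with its first RDN removed.
    $parentDn = $computer.DistinguishedName -replace '^CN=[^,]+,', ''

    # 1. GPOs link to sites, domains and OUs only. The default CN=Computers is a
    #    plain container, so a machine left there only receives domain-level links.
    $inOu    = $parentDn -like 'OU=*'
    $scopeDn = if ($inOu) { $parentDn } else { (Get-ADDomain).DistinguishedName }

    # 2. Is an enabled link to the GPO in effect at that point in the tree?
    $link = (Get-GPInheritance -Target $scopeDn).InheritedGpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }

    # 3. Security filtering = trustees holding the Apply permission (GpoApply).
    #    Read granted on the Delegation tab alone does not make a GPO apply.
    $appliers = @(Get-GPPermissions -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name })
    # Direct group memberships only (primary group included); nested groups
    # are not expanded here.
    $identities = @(Get-ADPrincipalGroupMembership -Identity $computer |
        ForEach-Object { $_.Name }) + 'Authenticated Users', $computer.SamAccountName
    $filterHit = @($appliers | Where-Object { $identities -contains $_ })

    # 4. A GPO whose computer half is disabled never delivers computer settings.
    $status = (Get-GPO -Name $GpoName).GpoStatus
    $computerSideOn = @('AllSettingsEnabled', 'UserSettingsDisabled') -contains "$status"

    New-Object PSObject -Property @{
        ParentDn        = $parentDn
        InOu            = $inOu
        LinkedInScope   = [bool]$link
        ApplyGrantedVia = $filterHit
        ComputerSideOn  = $computerSideOn
        ShouldApply     = [bool]$link -and ($filterHit.Count -gt 0) -and $computerSideOn
    }
}

Test-GpoReachesComputer -ComputerName 'THINGAMAJIG' -GpoName 'PCI-DSS-Logon_Banner'
```

A result with `InOu` false and `LinkedInScope` false matches the gpresult output above, where the computer object sits in `CN=Computers` and the banner GPO does not appear under COMPUTER SETTINGS at all.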