Microsoft KB Archive/885009

= Group Policy settings that you configure by using the Group Policy Management Console are not applied to client computers =

Article ID: 885009

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)






SYMPTOMS
When you use the Group Policy Management Console (GPMC) to create a Group Policy object (GPO), the Group Policy settings that you configure are not applied to client computers.



CAUSE
This problem occurs if you create a GPO by using the script that is named Creategpo.wsf. In this scenario, the GPO that you create does not work until you manually modify it by using the Group Policy Object Editor snap-in Gpedit.msc.

When you programmatically create the GPO by using the Creategpo.wsf script, the script does not set the gPCMachineExtensionNames attribute in the Active Directory directory service. This attribute must be set in the following location in Active Directory:

CN={ },CN=Policies,CN=System,DC= ,DC=

The gPCMachineExtensionNames attribute stores the GUID of the client-side extension that processes the GPO, and this attribute is set by Gpedit.msc. Depending on the settings that are configured by the GPO, Gpedit.msc determines the correct extension DLL to process the GPO. Then, Gpedit.msc populates the gPCMachineExtensionNames attribute accordingly.



WORKAROUND
To work around this problem, manually set the gPCMachineExtensionNames attribute in the script that creates the GPO. For example, a GPO that modifies restricted groups would have the gPCMachineExtensionNames attribute set to the following GUID:

[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]

The following example script creates a GPO, links that GPO to an organizational unit, sets the gPCMachineExtensionNames attribute to the correct value, and then populates the GPO. In this example, the GPO sets the content of a restricted group. The corresponding data is stored in a file that is named GptTmpl.inf. The GptTmpl.inf file is copied to the Sysvol share when the GPO is created.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

Example script to create a GPO

'////////////////////////////////////////////////////////////////////////////
' Copyright (c) Microsoft Corporation. All rights reserved
'
' Title:   createGPO.wsf
' Author:  emmanud@microsoft.com
' Created: 11/08/2004
'
' Purpose: Create a GPO, link it, and set the gPCMachineExtensionNames attribute.
'          It also creates the directory structure in the Sysvol.
'////////////////////////////////////////////////////////////////////////////

' Define constants.
Const ForWriting = 2
Const ForReading = 1
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &H2
Const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = &H4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &H8

' Define variables.
' Determine the domain.
strDomainDNSName = "domb.com"
strDC = "dcdomb"
strGPODisplayName = "Sample GPO"
' strDomainDN must be the distinguished name of the domain named in strDomainDNSName.
strDomainDN = "dc=mydomain,dc=com"
strOU = "OU=testOU" & "," & strDomainDN
strDC = strDC & "." & strDomainDNSName

intLinkPos = -1 'GPO appended at end of link
strGPT = "c:\temp\GptTmpl.inf"

' ==============================================================================================
' Main script
' ==============================================================================================
'
' Create the GPO in Active Directory.
Set objGPM = CreateObject("GPMgmt.GPM")
Set objGPMConstants = objGPM.GetConstants

' Initialize the domain object.
Set objGPMDomain = objGPM.GetDomain(strDomainDNSName, "", objGPMConstants.UseAnyDC)

' Create the GPO.
Set objGPO = objGPMDomain.CreateGPO
objGPO.DisplayName = strGPODisplayName
strGPOGUID = CStr(objGPO.ID)
strGPOPath = CStr(objGPO.Path)

' Link the GPO to the OU.
Set objGPM = CreateObject("GPMgmt.GPM")
Set objGPMConstants = objGPM.GetConstants

' Initialize the domain object.
Set objGPMDomain = objGPM.GetDomain(strDomainDNSName, "", objGPMConstants.UseAnyDC)

' Find the specified OU.
' A variable assigned with Set is never Null, so the checks below test for Nothing.
Set objSOM = objGPMDomain.GetSOM(strOU)
If objSOM Is Nothing Then
    WScript.Echo "Did not find OU: " & strOU
    WScript.Echo "Exiting"
    WScript.Quit
Else
    WScript.Echo "Found OU: " & strOU
End If

Set objGPMGPO = objGPMDomain.GetGPO(strGPOGUID)
If objGPMGPO Is Nothing Then
    WScript.Echo "Could not get GPO " & strGPOGUID
    WScript.Echo "Exiting"
    WScript.Quit
End If

Set objGPMGPOLink = objSOM.CreateGPOLink(intLinkPos, objGPMGPO)
If objGPMGPOLink Is Nothing Then
    WScript.Echo "Could not link GPO " & strGPOGUID
    WScript.Echo "Exiting"
    WScript.Quit
Else
    WScript.Echo "Group Policy Successfully Linked to OU"
End If
WScript.Sleep 5000 'waiting 5 seconds before continuing

' Populate the GPO.
'
' In this sample, we copy a security template into the secedit folder.
'
' The FileSystemObject must exist before the first folder operation.
Set objFSO = CreateObject("Scripting.FileSystemObject")

' First create the directory structure.
strPath = "\\" & strDC & "\SYSVOL\" & strDomainDNSName & "\Policies\" & strGPOGUID & "\Machine"
WScript.Echo "SYSVOL Path:" & strPath
Set objFolder = objFSO.GetFolder(strPath)
Set objFolder = objFSO.CreateFolder(strPath & "\scripts")
Set objFolder = objFSO.CreateFolder(strPath & "\scripts\startup")
Set objFolder = objFSO.CreateFolder(strPath & "\scripts\shutdown")
Set objFolder = objFSO.CreateFolder(strPath & "\microsoft")
Set objFolder = objFSO.CreateFolder(strPath & "\microsoft\Windows NT")
Set objFolder = objFSO.CreateFolder(strPath & "\microsoft\Windows NT\Secedit")

' Copy the Security Template file to the Sysvol.
Set WKS = objFSO.GetFile(strGPT)
If WKS Is Nothing Then
    WScript.Echo "Could not open " & strGPT
    WScript.Echo "Exiting."
    WScript.Quit
Else
    WKS.Copy(strPath & "\microsoft\Windows NT\Secedit\GptTmpl.inf")
End If

' Update the Gpt.ini file.
Set GPTF = objFSO.OpenTextFile("\\" & strDC & "\SYSVOL\" & strDomainDNSName & "\policies\" & strGPOGUID & "\GPT.INI", ForWriting, True)
If GPTF Is Nothing Then
    MsgBox "Error occurred when the GPT.ini file was created",,"Check Sysvol"
    WScript.Quit
Else
    GPTF.WriteLine "[General]"
    GPTF.WriteLine "Version=2"
    ' Use the display name variable; strGPO is not assigned until the next step.
    GPTF.WriteLine "displayName=" & strGPODisplayName
    WScript.Echo "GPT.INI updated"
    GPTF.Close
End If

' Update AD.
strGPO = strGPOPath
Set objGPO = GetObject("LDAP://" & strGPO & "") 'connect to GPO
objGPO.versionNumber = 2
objGPO.Put "gPCMachineExtensionNames", "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"
objGPO.SetInfo
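To find existing GPOs in the state described under CAUSE, the following check lists every GPO whose Sysvol folder contains a GptTmpl.inf security template while gPCMachineExtensionNames does not register the first GUID of the value shown above. This is an added example, not part of the original Microsoft article; it assumes a management host with the ActiveDirectory PowerShell module and read access to Sysvol, and the function name Get-CseGuid is hypothetical.

```powershell
# Added example (not from the original article): flag GPOs that carry a
# security template in Sysvol but lack the matching extension registration.
# Assumes the ActiveDirectory module (RSAT) and read access to Sysvol.
Import-Module ActiveDirectory

# First GUID of the value quoted in this article for a restricted-groups GPO.
$SecurityCse = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'

function Get-CseGuid {
    # Hypothetical helper. The attribute is a series of bracketed groups,
    # [{CSE}{tool}...][{CSE}{tool}...]; the first GUID in each group is the
    # client-side extension. Returns nothing for an empty or unset value.
    param([string]$ExtensionNames)
    [regex]::Matches($ExtensionNames, '\[(\{[0-9A-Fa-f-]{36}\})') |
        ForEach-Object { $_.Groups[1].Value.ToUpper() }
}

Get-ADObject -Filter 'objectClass -eq "groupPolicyContainer"' `
             -Properties displayName, gPCFileSysPath, gPCMachineExtensionNames |
    ForEach-Object {
        # Same Sysvol location the example script copies the template to.
        $template = Join-Path $_.gPCFileSysPath `
            'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
        $hasTemplate = Test-Path -LiteralPath $template

        # An unset attribute casts to an empty string and yields no GUIDs.
        $cses = @(Get-CseGuid -ExtensionNames ([string]$_.gPCMachineExtensionNames))

        if ($hasTemplate -and ($cses -notcontains $SecurityCse)) {
            [pscustomobject]@{
                DisplayName    = $_.displayName
                Guid           = $_.Name
                ExtensionNames = $_.gPCMachineExtensionNames
                Problem        = 'GptTmpl.inf present, extension not registered'
            }
        }
    }
```

Each object returned is a GPO whose security settings clients will skip until the attribute is set as shown in the workaround.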



STATUS
Microsoft has confirmed that this is a problem in the Group Policy Management Console.



MORE INFORMATION
For additional information about how to obtain and use the Group Policy Management Console, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

For additional information about how to manage Group Policy, visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/default.mspx

Additional query words: Win2K3

Keywords: kbtshoot kbenv kbprb kbpending KB885009


© Microsoft Corporation. All rights reserved.