No Group Policy Objects Are Applied

A user managed by Group Policy logs on, but does not receive Group Policy. Other computers and users are successfully receiving Group Policy.

Possible Causes:

• The user is using a non-Windows 2000 system.

• Migration problems occur because the user logs on to a Windows NT 4.0 domain

• The network is down.

• DNS does not work or is not configured.

• There is no available domain controller.

• The available domain controller has replication problems.

• Security group membership causes Group Policy objects to be ignored. This amounts to inadvertent use of the Group Policy scope-filtering mechanism.

• Loopback is in effect, so that user Group Policy is replaced by computer Group Policy.

• Disk quotas are enforced on a user, and there is not enough disk space allocated for the user to carry out the application of Group Policy or some extension of it. In particular, Software Installation not only places the application in the user's disk quota, but it also creates temporary files that require some of the user's quota; so the quota must be large enough to allow for the user to carry out the application of Group Policy.

Diagnostic Tests:

Confirm that the client is running Windows 2000. Group Policy does not apply to Windows NT 4.0 and Windows 95 and Windows 98 computers even if they are Active Directory clients.

Verify that the user and computer accounts are managed by Windows 2000 domain controllers or by Windows NT 4.0 domain controllers.

For Group Policy settings under the User Configuration node to be applied, the user account object must be in Active Directory — that is, it must be handled by a Windows 2000 domain controller, not a Windows NT 4.0 domain controller.

For Group Policy settings under the Computer Configuration node to be applied, the computer account object must be in Active Directory, that is, it must be handled by a Windows 2000 domain controller, not a Windows NT 4.0 domain controller.

If the user and computer accounts are both handled by a Windows 2000 domain controller, then the Windows 2000 client computer receives Group Policy computer settings at startup, and the user receives Group Policy settings at logon.

During migration from Windows NT 4.0 to Windows 2000, Windows 2000 domain controllers and Windows NT 4.0 domain controllers can coexist. For details on the Group Policy behavior of such a mixed environment, see "Group Policy" in this book.

Check client network connectivity and confirm that DNS is working and configured. Netdiag.exe can assist in determining this.

Run Gpresult.exe to confirm that no Group Policy objects were applied to the client computer.

Check to see if the user is subject to excessively rigid disk quotas.

To check that the client computer has access to an available domain controller using Gpotool.exe

1. Confirm (by running Gpotool.exe) that the Group Policy objects that you want to apply actually exist on your domain controllers.

2. If running in a multiple Group Policy object environment, confirm that all Active Directory and Sysvol information has replicated successfully on the domain controllers.

To confirm that Group Membership does not cause the Group Policy objects to not apply because of a filter

1. Run Gpresult.exe to find security group membership for the user who you are troubleshooting.

2. Check the property sheet of the Group Policy object that did not apply, to confirm that the correct security groups are configured to have Group Policy apply. The user must have Apply Group Policy and Read permissions for the Group Policy object on the basis of his or her membership in Windows 2000 security groups.

3. Verify that loopback is enabled.

Enable verbose Userenv.log logging to check for any other errors.