Denied means that security filtering on the GPO is preventing the user or computer from processing that GPO.

_____

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Victor W.
Sent: Tuesday, November 14, 2006 2:49 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO not being applied - custom ADM - Empty?

Thanks for that Alan, that cleared things up.

Do you know why the GPO is being displayed as a Denied GPO in GPResult, when I run GPResult from within GPMC on the DC?

Victor

_____

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Alan & Margaret
Sent: Monday, 13 November 2006 21:30
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO not being applied - custom ADM - Empty?

Hi Victor,

I think you are misunderstanding what an ADM file does. It does not contain the Policy settings, it just enables you to see the settings.

When you add an ADM file from within GPEdit it takes a copy to the ADM directory within the SYSVOL\Policies\GUID\ADM directory (where GUID is a unique identifier for that Policy). This then makes the settings available within GPEDIT under the Computer Configuration\Administrative Templates or User Configuration\Administrative Templates branches. That is where you activate the policies.

Activating the policies then creates entries in the Machine\Registry.POL file and User\Registry.POL files. After that, you can actually remove the ADM files and the settings will not be visible in GPEDIT, but the settings will still stay applied, since they exist in the Registry.POL file. Put the templates back and they reappear again.

One thing that may have confused you was that by default it only displays "Tattooed" policies (i.e. those in the "Software/Policies" or "Software/Microsoft/Current Version/Policies" keys). On a Windows 2000 workstation, to see non-tattooed policies you must select "Administrative Templates" in the left panel, then unclick "View/Show Policies Only".
Note: The Sysvol\Scripts directory is not used for Policies. It is normally just used for holding Logon Scripts.

Alan Cuthbertson

Policy Management Software: http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor: http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter (Free): http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

_____

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Victor W.
Sent: Tuesday, 14 November 2006 6:17 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO not being applied - custom ADM - Empty?

Some time ago I posted something here about a custom adm I made. I didn't have the time to really implement it until today but I ran into some problems.

The GPO is not being applied. GPResult tells me that the GPO is being denied because it is empty. I checked into this and this would be the case if no settings were defined in the adm. The adm has surely got settings defined, so there must be something else that is causing the error.

I managed to get it working after some time after doing the following:

When I first started to implement it, I logged on to the DC (we only have 2 by the way) and I created the GPO from within the GPMC. In GPedit.msc I added the adm file which I had saved in C:\temp. Whatever I did, I could not get it to apply. I then copied the custom adm file to the SYSVOL\Scripts folder and removed it within GPedit.msc and re-added it again, but now I browsed to the SYSVOL\Scripts folder to add it and not to C:\temp where the other copy was. Now the GPO worked.
This was strange I thought, because even before I had saved the adm file into the SYSVOL\Scripts folder, it already was in the SYSVOL\Policies folder in the folder with the corresponding GUID. Anyway, the issue was then solved I thought.

I then built another GPO for which I needed the outlk11.adm file (we weren't yet using this adm file). I downloaded this adm file and saved it to the SYSVOL\Scripts folder and added the outlk11.adm from within GPedit.msc. From that point on that GPO worked but the GPO with the custom settings as described above stopped working.

Perhaps this is all a coincidence, it probably is. But I have the following two questions:

Does it matter from where the adm is added in the first place, I mean when browsing to the adm file from within GPedit.msc does it need to be in the SYSVOL folder to start with?

Why is the GPO being displayed as a Denied GPO described as empty within GPResult?

Cheers,
Victor
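
Alan's reply in this thread says that activated settings are stored in the Machine\Registry.POL and User\Registry.POL files rather than in the ADM. The Python below is an added example, not code from anyone in the thread: it parses the Registry.POL (PReg) format so the entries a GPO really carries can be listed, and flags which sit under the two Policies branches; the helper names and the sample keys and values are constructed for illustration.

```python
import struct

HEADER = b"PReg" + struct.pack("<I", 1)  # file signature + version 1
REG_SZ, REG_DWORD = 1, 4
POLICY_ROOTS = ("software\\policies\\",  # the two Policies branches
                "software\\microsoft\\windows\\currentversion\\policies\\")

def _w(text):
    return text.encode("utf-16-le")

def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != _w(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _wstr(buf, pos):
    end = pos  # scan for the UTF-16LE NUL terminator
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_pol(buf):  # -> list of (key, value, type, data, under_policies_key)
    if buf[:8] != HEADER:
        raise ValueError("not a PReg version 1 file")
    pos, entries = 8, []
    while pos < len(buf):  # each entry: [key;value;type;size;data]
        key, pos = _wstr(buf, _expect(buf, pos, "["))
        value, pos = _wstr(buf, _expect(buf, pos, ";"))
        s0, rtype, s1, size, s2 = struct.unpack_from("<2sI2sI2s", buf, pos)
        raw = buf[pos + 14:pos + 14 + size]
        if {s0, s1, s2} != {_w(";")} or len(raw) != size:
            raise ValueError(f"malformed entry near offset {pos}")
        pos = _expect(buf, pos + 14 + size, "]")
        if rtype == REG_DWORD and size == 4:
            raw = struct.unpack("<I", raw)[0]
        elif rtype == REG_SZ:
            raw = raw.decode("utf-16-le").rstrip("\x00")
        is_policy = (key.lower() + "\\").startswith(POLICY_ROOTS)
        entries.append((key, value, rtype, raw, is_policy))
    return entries

def _entry(key, value, rtype, raw):  # builds constructed sample data
    return (_w(f"[{key}\0;{value}\0;") + struct.pack("<I", rtype) + _w(";")
            + struct.pack("<I", len(raw)) + _w(";") + raw + _w("]"))

SAMPLE = (HEADER  # constructed sample, not taken from a real GPO
          + _entry("Software\\Policies\\Example", "Enabled", REG_DWORD, b"\1\0\0\0")
          + _entry("Software\\Example\\Prefs", "Server", REG_SZ, _w("mail01\0")))
```

To inspect a real GPO, pass `parse_pol` the bytes of the Machine\Registry.POL or User\Registry.POL file from that GPO's SYSVOL\Policies\GUID folder.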