# cannot save policy settings in gpedit



## joshua_wong (Jun 1, 2010)

Hi 
I have a Windows 2003 server which is part of a domain. When I tried to change its local settings using gpedit.msc, the settings do not get saved and get reverted to Not Configured. 

I checked the domain policies/higher level policies and those settings were not set, so there are no override problems here, and I am logged in as domain administrator.
Can someone advise on this? Tried googling but did not get many answers.


----------



## digitalsatori (Apr 28, 2010)

Hi there!

Are you getting any sort of error message or events in the event viewer? Do the settings revert when you close out of gpedit.msc or do they occur after a logout/reboot?

When you say the settings "were not set", were the GPOs at the domain level set to "Not Configured" or are you saying they are not applying to the OU your server is in? If you haven't already, I would recommend creating a Servers OU, configuring that OU to block inheritance, and placing all of your servers in there - that way you can be assured no GPOs are being applied unless they're linked to/created in your OU.

Is there anything configured in your Default Domain Policy? If so, any settings configured in the Default Domain Policy would override any local policies.


----------



## joshua_wong (Jun 1, 2010)

Hi

Thanks for helping!

To answer your questions, here goes...

"Are you getting any sort of error message or events in the event viewer?"
Nope, no error in event viewer. I even saw a SceCli event 1704 saying Group Policy was successfully applied, but that is referring to the domain policy.

"Do the settings revert when you close out of gpedit.msc or do they occur after a logout/reboot?"
The settings revert when I close gpedit, not logout/reboot

"When you say the settings "were not set", were the GPOs at the domain level set to "Not Configured" or are you saying they are not applying to the OU your server is in?"
The settings were Not Configured in domain level. Actually, that member server is not even in an OU yet, it is still in the default Computers folder, so I don't think any OU policies would have affected it

"Is there anything configured in your Default Domain Policy? If so, any settings configured in the Default Domain Policy would override any local policies."
Nope, none of those settings are configured in Default Domain Policy


----------



## joshua_wong (Jun 1, 2010)

Hi
I found something weird too... it seems that this problem might be for only some policy settings.
If I tried to edit some other settings (say "allow undock without having to log on" in Security Options), the setting gets saved.


----------



## digitalsatori (Apr 28, 2010)

Try running *gpresult* from a command prompt to see the results. This will show what policies (both User and Computer) are being applied to the server. Check under the "Applied Group Policy Objects" header.

The behavior is similar to what would occur if you had domain policies in place that were overriding the local policies, which is by design. GPOs pulled from your domain will always take precedence over local GPOs which would revert the policies back to their domain settings (it never actually changes the policy, which might be why gpedit.msc shows them reverted when you reopen it).


----------



## joshua_wong (Jun 1, 2010)

Hi

I ran the gpresult on that server and I saw

Computer Settings

Applied Group Policy Objects (Default Domain Policy)
Local Group Policy (Filtering: Not Applied (Empty))

User Settings

Applied Group Policy Objects (Default Domain Policy)
Local Group Policy (Filtering: Not Applied (Empty))

so it looked like no settings were set in local policy? But it does not make sense as I can see all the settings configured when I opened gpedit.

Still, I tried other ways too. I applied the same problematic setting in the default domain policy, ran a gpupdate /force from the member server, ran an RSoP and checked that I can see the correct parameter set for the problematic setting.

Then I opened gpedit. I can see that the icon next to the problematic setting has changed to two computers, meaning that it knew this setting was to be taken from domain, but the parameter shown is not the correct one.


----------
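The gpresult check discussed in the posts above, as an added example that is not part of the thread: a small Python parser that reads a saved gpresult text report and lists, per scope, which GPOs were applied and why Local Group Policy was filtered out. The sample report is constructed in gpresult's text layout to match what the poster describes, and the function names are this example's own.

```python
# Constructed sample in gpresult's text-report layout (not captured output).
_SCOPE = """\
{scope} SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
"""
SAMPLE = _SCOPE.format(scope="COMPUTER") + "\n" + _SCOPE.format(scope="USER")

def parse_gpresult(text):
    """Return {scope: {"applied": [names], "filtered": {name: reason}}}."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    report, scope, section, last = {}, None, None, None
    for i, line in enumerate(lines):
        if set(line) == {"-"}:
            continue  # underline row
        # A heading is any line that is underlined with dashes on the next row.
        if i + 1 < len(lines) and set(lines[i + 1]) == {"-"}:
            section, last = None, None
            if line.upper() in ("COMPUTER SETTINGS", "USER SETTINGS"):
                scope = line.split()[0].lower()
                report[scope] = {"applied": [], "filtered": {}}
            elif line == "Applied Group Policy Objects":
                section = "applied"
            elif line.startswith("The following GPOs were not applied"):
                section = "filtered"
        elif scope and section == "applied":
            report[scope]["applied"].append(line)
        elif scope and section == "filtered":
            if line.startswith("Filtering:") and last:
                report[scope]["filtered"][last] = line.split(":", 1)[1].strip()
            else:
                last = line
                report[scope]["filtered"][last] = ""
    return report

def local_policy_status(report):
    """Per scope: 'applied', or the reason Local Group Policy was filtered out."""
    return {s: "applied" if "Local Group Policy" in d["applied"]
            else d["filtered"].get("Local Group Policy", "not listed")
            for s, d in report.items()}

if __name__ == "__main__":
    print(local_policy_status(parse_gpresult(SAMPLE)))
```

Save the report with `gpresult > report.txt` on the member server and pass the file's contents to `parse_gpresult`.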



## digitalsatori (Apr 28, 2010)

Well, based on the gpresult results (gotta love that!), it appears the only policy that is being applied is the Default Domain Policy. Do you have anything configured in your Default Domain Policy at all?

Also, I noticed the Local Group Policy isn't being applied because it's empty? Check to make sure your local policies are enabled on the member server. Run gpedit.msc, right-click on Local Computer Policy and click Properties. Ensure both "Disable Computer Configuration Settings" and "Disable User Configuration settings" are *un*checked.

If not, what about disjoining the server from the domain, logging in locally and seeing if the problem with saving GPO settings persists when not on a domain? If it does, you may want to expand the gpedit.dll file from the original CD; perhaps something was corrupted.


----------



## joshua_wong (Jun 1, 2010)

Hi

I have checked that the Local Policy in gpedit has both "Disable Computer Configuration settings" and "Disable User Configuration settings" unchecked, so they should be enabled.

The server does not belong to me, so I can't disjoin and test the local policy. I have tried looking at other troubleshooting methods and these are what I found.

Again, I configured the same setting in Default Domain Policy using GPMC (in my DC), ran a gpupdate /force on the member server and ran the Group Policy Results Wizard (on my DC) for that particular server.

As mentioned earlier, even though domain policy may have configured the setting, the local gpedit still shows the wrong setting. However, in my Group Policy Results (run from DC), it showed that for the particular setting, the Default Domain Policy is the Winning GPO and under the Applied GPO setting in the Summary tab, Default Domain Policy is applied and Local Policy is Denied because it is empty.

Does this mean that actually my settings were correctly pushed down but it is not correctly displayed in the gpedit of the member server?


----------

