Group Policy settings that you configure by using the Group Policy Management Console are not applied to client computers (885009)

The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition


When you use the Group Policy Management Console (GPMC) to create a Group Policy object (GPO), the Group Policy settings that you configure are not applied to client computers.


This problem occurs if you create a GPO by using the script that is named Creategpo.wsf. In this scenario, the GPO that you create does not work until you manually modify it by using the Group Policy Object Editor snap-in Gpedit.msc.

When you programmatically create the GPO by using the Creategpo.wsf script, the script does not set the gPCMachineExtensionNames attribute in the Active Directory directory service. This attribute must be set in the following location in Active Directory:


The gPCMachineExtensionNames attribute stores the GUID of the client-side extension that processes the GPO, and this attribute is set by Gpedit.msc. Depending on the settings that are configured by the GPO, Gpedit.msc determines the correct extension DLL to process the GPO. Then, Gpedit.msc populates the gPCMachineExtensionNames attribute accordingly.


To work around this problem, manually set the gPCMachineExtensionNames attribute in the script that creates the GPO. For example, a GPO that modifies restricted groups would have the gPCMachineExtensionNames attribute set to the following GUID:


The following example script creates a GPO, links that GPO to an organizational unit, sets the gPCMachineExtensionNames attribute to the correct value, and then populates the GPO. In this example, the GPO sets the content of a restricted group. The corresponding data is stored in a file that is named GptTmpl.inf. The GptTmpl.inf file is copied to the Sysvol share when the GPO is created.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements. Example script to create a GPO
' Copyright (c) Microsoft Corporation.  All rights reserved
' Title:	createGPO.wsf
' Author:
' Created:	11/08/2004
' Purpose:	Create a GPO, link it, and set the gPCMachineExtensionNames attribute.
'		It also creates the directory structure in the Sysvol.

'Define variables.

Const ForWriting = 2
const ForReading = 1

' ------------------------------------------------------------------------
' Define variables.
' -------------------------------------------------------------------------
'Determine the domain.
strDomainDNSName = ""
strDC = "dcdomb"
strGPODisplayName = "Sample GPO" 
strDomainDN = "dc=mydomain,dc=com"
strOU = "OU=testOU" & "," & strDomainDN
strDC = strDC & "." & strDomainDNSName

intLinkPos = -1 'GPO appended at end of link
strGPT = "c:\temp\GptTmpl.inf"

' ==============================================================================================
' Main script
' ==============================================================================================
'Create the GPO in Active Directory.
Set objGPM = CreateObject("GPMgmt.GPM")
Set objGPMConstants = objGPM.GetConstants()

' Initialize the domain object.
Set objGPMDomain = objGPM.GetDomain(strDomainDNSName,"",objGPMConstants.UseAnyDC)

' Create the GPO.
Set objGPO = objGPMDomain.CreateGPO()
objGPO.DisplayName = strGPODisplayName
strGPOGUID = cstr(objGPO.ID)
strGPOPath = cstr(objGPO.path)

' --------------------------
' Link the GPO to the OU.
' --------------------------
Set objGPM = CreateObject("GPMgmt.GPM")
Set objGPMConstants = objGPM.GetConstants()

' Initialize the domain object.
Set objGPMDomain = objGPM.GetDomain(strDomainDNSName,"",objGPMConstants.UseAnyDC)

' Find the specified OU.
Set objSOM = objGPMDomain.GetSOM(strOU)
If IsNull(objSOM) Then
	WScript.Echo "Did not find OU: " & strOU
	WScript.Echo "Exiting"
	WScript.Echo "Found OU: " & strOU
End If

Set objGPMGPO = objGPMDomain.GetGPO (strGPOGUID)
If IsNull(objGPMGPO) Then
	WScript.Echo "Could not get GPO " & strGPOGUID
	WScript.Echo "Exiting"
End If

Set objGPMGPOLink = objSOM.CreateGPOLink(intLinkPos, objGPMGPO)
If IsNull(objGPMGPOLink) Then
	WScript.Echo "Could not link GPO " & strGPOGUID
	WScript.Echo "Exiting"

	wscript.Echo "Group Policy Successfully Linked to OU"
End If
wscript.sleep 5000 'waiting 5 seconds before continuing

'Populate the GPO.
' In this sample, we copy a security template into the secedit folder.
' First create the directory structure.
strPath = "\\" & strDC & "\SYSVOL\" & strDomainDNSName & "\Policies\" & strGPOGUID & "\Machine"
WScript.Echo "SYSVOL Path:" & strPath
Set objFolder = objFSO.GetFolder(strPath)
Set objFolder = objfso.createFolder(strPath & "\scripts")
Set objFolder = objfso.createFolder(strPath & "\scripts\startup")
Set objFolder = objfso.createFolder(strPath & "\scripts\shutdown")
Set objFolder = objfso.createFolder(strPath & "\microsoft")
Set objFolder = objfso.createFolder(strPath & "\microsoft\Windows NT")
Set objFolder = objfso.createFolder(strPath & "\microsoft\Windows NT\Secedit")

' Copy the Security Template file to the Sysvol.
Set objFSO = CreateObject("Scripting.FileSystemObject")
set WKS = objFSO.getfile(strGPT)

If IsNull(WKS) Then
	WScript.Echo "Could not open " & strGPT
	WScript.Echo "Exiting."

	WKS.copy(strPath & "\microsoft\Windows NT\Secedit\GptTmpl.inf")	
end If

' Update the Gpt.ini file.
Set GPTF = objFSO.OpenTextFile("\\" &strDC& "\SYSVOL\" &strDomainDNSName& "\policies\" &strGPOGUID& "\GPT.INI",ForWriting, 

If IsNull(GPTF) Then
	msgbox "Error occurred when the GPT.ini file was created",,"Check Sysvol"	
GPTF.WriteLine "[General]"
GPTF.WriteLine "Version=2"
GPTF.WriteLine "displayName=" & strGPO
wscript.Echo "GPT.INI updated"
end If

'Update AD.
strGPO = strGPOPath
Set objGPO = GetObject("LDAP://" & strGPO & "") 'connect to GPO
objGPO.versionNumber = 2
objGPO.Put "gPCMachineExtensionNames" , "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"


Microsoft has confirmed that this is a problem in the Group Policy Management Console.


For additional information about how to obtain and use the Group Policy Management Console, visit the following Microsoft Web site:For additional information about how to manage Group Policy, visit the following Microsoft Web site:

Modification Type:MajorLast Reviewed:3/3/2006
Keywords:kbenv kbtshoot kbpending kbprb KB885009 kbAudDeveloper kbAudITPRO