Re: Authentication issue preventing Group Policy from applying to
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Wed, 25 Jan 2006 16:41:48 -0600
>> Then it is NOT authentication but more likely something like
>>permissions or having the GPO linked in the 'wrong' place.
>
> Can you be more specific?
Linking a GPO to a container other than the one where the
user accounts are located. People have linked GPOs to the
one with the "Groups" (which are irrelevant for LINKING)
or the one for the Computer when the policy was for Users
(or vice versa.)
Permissions are just that -- make sure the "Groups" to which
you want to apply the policy have READ and APPLY_POLICY
Standard mistake there is to think that only (wrong) APPLY
is necessary.
>>Right? How did that get in there?
>>'Rights' are NOT "group membership" nor even "permissions".
>
> Could you not infer that I meant remove them from the Domain Admin Group?
I can guess many things but when you have a weird
problem it is very important to make sure that we are
VERY EXPLICIT.
Being explicit is the heart of troubleshooting at an
advanced level.
The more obscure the problem the more we must focus
on removing assumptions and clearly stating all issues.
>>What are the permissions on the GPOs?
>
>>They should be READ and APPLY POLICY for "everyone" or
>>whoever is to be affected.
>
>>You need both permissions, not just APPLY POLICY as one
>>might naively guess.
>
> The permissions were "Authenticated Users": Read and Apply Policy
> (unlike one who guesses naively)
Good. The other is a common mistake.
> and the policy is set to apply to Authenticated Users.
I don't understand the difference in the last two items unless you
were just saying the same thing twice. It worries me because the
second line doesn't mention "read".
> However just to check I also added 'Everyone': Read and Apply Policy but
> that didn't do any good either.
Shouldn't be necessary so that makes sense (that it didn't help).
Authenticated User and Everyone are the same under this context
since they would have to be Authenticated to get this far.
>>Now, that is weird, since they GET LOGGED ON, but you are claiming
>>it says they don't EXIST?
>
> Yes Herb, I agree, that is wierd, which brings me to here...still seeking
> answers.
Just out of curiosity, can you run GPResult (preferably from XP)
on one of the problem client machines and see what the results for
these users is.
I don't expect it to solve the problem but it removes the extra
complications of RSoP and running over the network...
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
.
- Follow-Ups:
- References:
- Prev by Date: Re: DNS - A and PTR records
- Next by Date: Re: scepol.log
- Previous by thread: Re: Authentication issue preventing Group Policy from applying to
- Next by thread: Re: Authentication issue preventing Group Policy from applying to
- Index(es):
Relevant Pages
|
