Re: Applying user configuration settings to an OU containing only computer objects

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/28/04 

Date: Wed, 28 Apr 2004 12:09:51 GMT

Zack.

If you changed any AD object permisions on the OU where the TS is, be sure users or
the appropriate group has at least read permissions to the OU itself and try adding
an individual [tests user] to read/apply for the GPO for that OU for the TS and for
read to the OU container in case there is a problem with group nesting. The link
below may be helpful in more advance Group Policy troubleshooting. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B250842

"Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message
news:cDFjc.985$lz5.309272@attbi_s53...
> No it should not matter as both are considered interactive logons but what I was
> suggesting was having test user logon to the TS from a network workstation while
> that account was in the TS OU to see if the policy still applies and
> troubleshoot from there depending on the results. --- Steve
>
>
> "Zack Schiel" <zaxxon(@at@)stratosgroup(.dot.)com> wrote in message
> news:opr65cccnmdydenw@elrapidovivo.zaxxon.local...
> > I have logged them on to that machine while their user account was in the
> > OU, and the policy applied successfully. Verified that loopback is
> > enabled for that GPO. Tried dozens of logons by now. :)
> >
> > It shouldn't matter that the user is logging on via RDP rather than at the
> > console, correct?
> >
> > Thanks,
> >
> > -Zack- >> The lowly MCSA still getting comfortable with advanced Group
> > Policy. ;)
> >
> >
> >
> >
> > On Wed, 28 Apr 2004 00:32:11 GMT, Steven L Umbach
> > <n9rou@nospam-comcast.net> wrote:
> >
> > > Try logging the test user on from a workstation where you are
> > > experiencing problem
> > > with the policy not applying via loopback. Have them logon with their
> > > user account in
> > > the OU and then not in the OU [you may have done all this already] after
> > > doing a
> > > refresh using secedit for machine and user to see what happens with
> > > policy not being
> > > applied. Just trying to verify that it is not a machine problem. Again
> > > verify first
> > > that loopback processing is enabled for that GPO that the TS server
> > > resides in under
> > > computer configuration/administrative templates/system/Group Policy. For
> > > XP machines,
> > > it may take a couple of logons for user policy to process. Running out
> > > of ideas on
> > > this end and can understand you being flummoxed. --- Steve
> > >
> > > "Zack" <zschiel(@at@)blueandco(.dot.)com> wrote in message
> > > news:opr640qpd2vj2ktn@zschielxp.blueco.com...
> > >> Thanks for the continued help!
> > >>
> > >> Yes, read/apply are given to the correct users; moving a test user into
> > >> the OU and logging in as them does apply the policy. User config is
> > >> enabled. There is more than one GPO in this OU, however they modify
> > >> completely different settings, this is top priority, and none have 'no
> > >> override' or 'block policy inheritance' enabled.
> > >>
> > >> -Zack-
> > >>
> > >> On Tue, 27 Apr 2004 21:44:06 GMT, Steven L Umbach
> > >> <n9rou@nospam-comcast.net> wrote:
> > >>
> > >> > The GPO that you created for the OU that the TS is in, does the proper
> > >> > group have
> > >> > read/apply permissions to the GPO in properties/security and is user
> > >> > configuration
> > >> > portion of that GPO enabled? If you put a test user into that OU and
> > >> > then logon as
> > >> > them, do they then get the desired settings and gpresult show the
> > >> policy
> > >> > is applied
> > >> > to them? Is there more than one GPO in the TS OU? --- Steve
> > >> >
> > >> > "Zack" <zschiel(@at@)blueandco(.dot.)com> wrote in message
> > >> > news:opr64vnqcbvj2ktn@zschielxp.blueco.com...
> > >> >> The GPO is being applied to the computer (ie 'This computer received
> > >> >> settings from...'), but not to the user.
> > >> >>
> > >> >> -Zack-
> > >> >>
> > >> >> On Tue, 27 Apr 2004 20:11:02 GMT, Steven L Umbach
> > >> >> <n9rou@nospam-comcast.net> wrote:
> > >> >>
> > >> >> > When you ran gpresult while logged onto that server, does it show
> > >> that
> > >> >> > the GPO for
> > >> >> > the OU has been applied to the TS computer successfully and
> > >> recently?
> > >> >> If
> > >> >> > it has not,
> > >> >> > what is the message if any? Running netdiag is always a good idea
> > >> >> when
> > >> >> > you are
> > >> >> > having problems looking for failed tests/errors/warning
> > >> particularly
> > >> >> > relating to
> > >> >> > domain membership, dns, and dclist. --- Steve
> > >> >> >
> > >> >> >
> > >> >> > "Zack" <zschiel(@at@)blueandco(.dot.)com> wrote in message
> > >> >> > news:opr64ak1ggvj2ktn@zschielxp.blueco.com...
> > >> >> >> Hey all,
> > >> >> >>
> > >> >> >> We're having a rather frustrating issue, and I'm not certain
> > >> whether
> > >> >> >> we're
> > >> >> >> just doing something incorrectly or there's a problem here.
> > >> >> >>
> > >> >> >> We have a terminal server that we're trying to lock down via group
> > >> >> >> policy.
> > >> >> >> We have the server in its own OU, with a GPO applied to it. In
> > >> this
> > >> >> GPO,
> > >> >> >> we're applying user settings, to be applied to any user that logs
> > >> >> onto
> > >> >> >> the
> > >> >> >> machine via loopback processing mode. Except users aren't getting
> > >> the
> > >> >> >> policy at all--gpresult.exe doesn't even mention the policy for
> > >> the
> > >> >> >> user.
> > >> >> >> According to Microsoft here
> > >> >> >>
> > >> >>
> > >>
> (http://support.microsoft.com/default.aspx?scid=kb;en-us;260370&Product=win2000
> > >> >> >> - Method 2), I believe that we're doing it right. Any ideas? We've
> > >> >> tried
> > >> >> >> manually updating the server's GP via secedit /refreshpolicy,
> > >> tried
> > >> >> >> waiting out the full 90 minutes just in case, checked permissions,
> > >> >> the
> > >> >> >> whole nine yards. Nothing seems to work.
> > >> >> >>
> > >> >> >> Server is Windows 2000 Server w/Citrix Metaframe, domain is
> > >> Windows
> > >> >> >> 2000
> > >> >> >> native functional level.
> > >> >> >>
> > >> >> >> Thanks for any ideas,
> > >> >> >>
> > >> >> >> -Zack-
> > >> >> >>
> > >> >> >> --
> > >> >> >> Using M2, Opera's revolutionary e-mail client:
> > >> >> http://www.opera.com/m2/
> > >> >> >
> > >> >> >
> > >> >>
> > >> >>
> > >> >>
> > >> >> --
> > >> >> Using M2, Opera's revolutionary e-mail client:
> > >> http://www.opera.com/m2/
> > >> >
> > >> >
> > >>
> > >>
> > >>
> > >> --
> > >> Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
> > >
> > >
> >
> >
> >
> > --
> > Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
>
>