Repost: GP is ignored, users settings vanish

Tech-Archive recommends: Speed Up your PC by fixing your registry

From: Fred_B (FredB_at_discussions.microsoft.com)
Date: 02/16/05 

Date: Wed, 16 Feb 2005 11:35:03 -0800

Hi,
Two problems here I think...

To cut to the chase I've created a new OU for certain users who already
exist in the default Users group. The users are both domain
admins and domain users. They do not need to be domain admins.
I have created a new OU for them, which has a group policy applied to it to
prevent them switching off screensaver passwords etc nothing overly
restrictive.
All users use roaming profiles.

In a test, I've moved test users to the new OU, and at the same time removed
them from the domain admin group.

When the test users logon, Windows treats them as if they've never logged on
before. Personal settings such as mapped drives, shortcuts etc are gone, the
connect to
the internet icon pops onto the desktop along with the welcome to windows
dialog and all of the default shortcuts on the start menu.
Also the group policy doesn't apply...
If I leave them in the new OU but make the user a domain admin again, the
personalized settings come back and the group policy applies OK.
Their settings come back if I move them back to the original users
container, obviously GP doesn't apply here.

In the group policy, authenticated users and domain users are both set to
read and apply group policy.
In my previous post, I was directed to what permissions were on the roaming
profiles directory. Domain users have full control.

This making any sense to anyone?

Fred (Confused)

Relevant Pages

  • Re: I need Ideas on securing a remote Win2k machine
    ... > * You can set security filtering on a group policy object. ... > * You can set a policy to run an application at logon (your kiosk app, ... Create a new Organizational Unit for the kiosk computers and move ... suggests that I need to get the domain admin to do a lot of this. ...
    (microsoft.public.win2000.security)
  • RE: SCW --> GPO
    ... we need the rights of Domain Admin or Group Policy Creator Owner ... check app event log & system event log to see if there is any GPO related ... Command completed with error. ...
    (microsoft.public.windows.group_policy)
  • Re: Security Breach in AD! Help!
    ... For example suppose an attacker knew that a domain admin used a particular ... compromise it he could put a simple script such as a logon script or logoff ... > I found the solution to the group policy refresh interval thing...sort of. ...
    (microsoft.public.win2000.security)
  • Re: Security Filtering does not work correctly in GPO
    ... Deny apply only. ... where the domain admin was logged on. ... the settings in the "User Group Policy" were gone. ... "Scope-Setting" in the Group Policy object. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Not able to edit Group Policy Objects,
    ... Uninstalling Director will fix the problem, installing it bound only to the ... > Make sure the client has "read" permissions so that the group policy can ... use a domain admin or ...
    (microsoft.public.windows.server.active_directory)