Re: Path Rules - Enabled Paths sometime are restricted

Check to see if SRP are configured on any other Group Policy including locally
on the computer in question. Keep in mind that SRP can be configured for user or
computer configuration so you will have to check both places in each GPO.I have
never seen what you describe and the only thing I can think of is that SRP is
configured in more than one Group Policy and for some reason the policy
application is not inconsistent. When you run RSOP again and if you see that the
line is missing check to see if it shows what Group Policy applied the SRP
settings. The support tool gpresult will also show all the current Group
Policies that apply to a computer/user and that info may also help. Gpotool is
also helpful in checking consistency of Group Policy replication and for
mismatches between sysvol and AD. --- Steve



"Kirk Miller" <UCanSendemailtothefollowing-kirk@xxxxxxxxx> wrote in message
news:9D55A3FB-2376-4A5E-BAEA-11A685EF4CCA@xxxxxxxxxxxxxxxx
> Thanks for the info! We had the problem crop up again today on a users
> machine I ran netdiag and dcdiag. Both showed no problems on the network and
> all DC were as expected and DNS records were good. We manage our own DNS and
> run all XP SP2 with Microsoft Update installed on a 2003 native network.
>
> We ran rsop on the client machine and the following path exception was
> missing:
>
> C:\Program Files\Quest Technologies\QuestSuite Professional
>
> The exact order of the path rules on the server include the following
>
> C:\Program Files\QuarkXPress Passport
> C:\Program Files\Quest Technologies\QuestSuite Professional
> c:\Program Files\QUICKEN
>
> The path in front and behind were both present on the client.
>
> According to gpresult, the proper policy was applied and came from our
> domain controler named SKIP. I looked on Skip and all three lines above are
> in the policy and it was added to the policy on aug 25. This path was
> working this morning at 8 am.
>
> The user said he worked in the program most of the day and closed it. When
> he re-opened it, he received the denied error.
>
> What else can I check? Why would this one path be left out of the policy?
> Does XP store the path rules that are currently being used... and when the
> policy gets refreshed (we refresh once per hour) it conflicts? Any thoughts
> or other ideas we should check?
>
> Machine is
>
>
>
>
>
> "Steven L Umbach" wrote:
>
> > Next time that it happens try running the Resultant Set of Policy mmc snapin
> > on that computer and check to see if the rules for SRP are coming from the
> > GPO you expect. You also could use the support tool gpresult to do much of
> > the same and it will also show the last time that GP was applied and from
> > what domain controller. Also look in Event Viewer system and application
> > logs to see if anything helpful is reported there and run the support tool
> > netdiag to see if any problems are found with dns, dc discovery, or
> > trust/secure channel. Since you are experiencing problems with inconsistent
> > application of Group Policy I would also run netdiag, dcdiag, and gpotool on
> > your domain controllers and verify that dns is correct for your domain per
> > the link below. Make sure that you NEVER list an ISP dns server as a
> > preferred dns server for any domain computer. The support tools are on the
> > install disk in the support/tools folder where you run the setup program
> > there to install them as a group. --- Steve
> >
> > http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- DNS
> > FAQ for Active Directory
> >
> > "Kirk Miller" <UCanSendemailtothefollowing-kirk@xxxxxxxxx> wrote in message
> > news:1F9210A5-286A-4716-8DBA-ABE8EA4949BB@xxxxxxxxxxxxxxxx
> > >I have a problem where programs which are enabled via Path rules sometimes
> > > will still be blocked. The paths are correct and work 80% of the time,
> > > but
> > > sometimes you will click and receive the restricted message. Somtimes it
> > > happens to IE, sometimes to an FTP program, sometimes something else.
> > > Doing
> > > a GPUpdate/force/reboot solves the problem.... but it might crop up later.
> > >
> > > I have seen this problem on both 16 bit and 32 bit applicatiosns. What
> > > should I look for?
> > >
> > > Thanks!
> >
> >
> >


.

Relevant Pages

  • Re: Do Not Execute Group Policy for Admins Group
    ... The intent of policy loopback is to replace or merge user configuration ... The computer configuration settings from this list are applied to the ... > so that the group policy will only apply to a certain group of users ...
    (microsoft.public.win2000.group_policy)
  • Re: GPO Question
    ... If you only have the computer account in the OU, the User Configuration half ... of the policy won't apply. ... OU heirarchy below) to which the GPO is linked for it to apply. ... > Group Policy was applied from: ...
    (microsoft.public.win2000.group_policy)
  • Re: Why Win 2003 group policy can not apply to client
    ... First you need to decide do you want to have your policy settings configured ... or computer accounts in this OU and then link appropriate GPO to this OU. ... computers (computer configuration part) in OU with GPO linked. ... have configured not shown in "Applied Group Policy Objects". ...
    (microsoft.public.windows.group_policy)
  • Re: Intermittant GPO failure to apply
    ... If you have backup your group policy before, you can restore it from the ... 244474 How to force Kerberos to use TCP instead of UDP in Windows Server ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • Re: Set GPO for specific user group
    ... Click on the domain name in Group Policy Management, select the GPO and then click the arrow to the left to move it to the top of the list ... Filtering: Denied ...
    (microsoft.public.windows.server.sbs)