Re: GPO testing



Hi, Scott!

Group policy actually has (almost) nothing to do with groups. GPO will NOT
work if user (or computer) account is not in OU where GPO is linked? Do you
have your test users in TestOU or not? This is one million $ question now?

Toni

"Scott" <scotts@xxxxxxxxxxxxxx> wrote in message
news:%23nkEC868GHA.4808@xxxxxxxxxxxxxxxxxxxxxxx

Hi Toni,

I put the users into a security group under the OU. So my test user is
domain -> Test OU -> Test Group -> testuser where Test OU is the
organizational unit, Test Group is the security group and testuser is the
user. Is that wrong?

Thanks,
Scott

T. Uranjek wrote:
Hi!

I don't see one crucial step? Put user accounts in test OU?

Toni


"Scott" <scotts@xxxxxxxxxxxxxx> wrote in message
news:%23zayVu68GHA.2120@xxxxxxxxxxxxxxxxxxxxxxx
Florian,

Here are the steps I used to create and link the GPO :
- In Active Directory Users and Computers created an OU under the domain
called Test OU
- In Active Directory Users and Computers created a security group under
Test OU called Test Group.
- Placed two users in the security group Test Group.
- In GPMC snap-in went to Group Policy Objects, right clicked and
selected New.
- Right clicked on the new policy called "test" and selected edit.
- Went into the User Configuration -> Administrative Templates ->
Control Panel and set "Prohibit access to the Control Panel" to enabled.
- In GPMC right clicked on Test OU and selected "Link an existing GPO.."
and selected "test".
- test now shows up as linked to Test OU in the GPMC.
- Went to the server and ran secedit /refreshpolicy [machine &&
policy]_policy /enforce (two separate commands written in compact form)
- Went to the XP workstation and ran gpupdate /force
- Went to GPMC and right clicked on Group Policy Results and selected
Group Policy Result Wizard and set it to give a RSoP for both users in
Test Group on my XP workstation.
- Now under User configuration -> Group Policy Objects -> Applied GPOs
the only policy listed is "Default Domain Policy" and under User
configuration -> Group Policy Objects -> Denied GPOs the only policy
listed is Local Group Policy which has a Link Location = Local and
Reason Denied = Empty
- Under "Security Group Membership when Group Policy was applied" there
is a list of security groups but my Test Group is not in the list.
Moreover one of the security groups is old and the user has not been a
member of that group for at least a couple of days.

Also, took Toni's advice and downloaded FAZAM 2000. Ran the analysis.
In FAZAM 2000 :
Right clicked on the domain and selected Perform analysis
Set the user to testuser (one of my users in Test Group)
Set the machine to my XP workstation
Performed What-if analysis with the scenario where testuser is moved to
the OU called Test OU (which my test GPO is linked to) and the result is
a success!?! When I click on the User Hierarchy -> Test OU the test
GPO comes up and the Order of Precedence = 1. Under Machine Hierarchy
the Test OU is not present probably because there are no machines in
the security group.

Looked at your website and went through the list and I cannot figure
out where I am going wrong.

Cheers,
Scott


Florian Frommherz wrote:
Howdie Scott!

Scott wrote:
Installed the Microsoft User Profile Hive Cleanup Service as you
suggested and restarted the XP workstation. Did a secedit
/REFRESHPOLICY [machine && user]_policy /ENFORCE on the server. Did a
gpupdate /FORCE on the workstation. Then used the RSoP snap-in for
the mmc to test to see if the GPO was applied. It wasn't applied and
even worse I removed one of my users from a different security group
and that was not updated. Under "Security Group Membership when Group
Policy was applied." the user is still a member of the security group
I removed it from a couple days ago. This is why I have no idea what
is going on with this processing of the GPOs and the updating of the
policy.

The more I read about your issue, the more complex it might get and the
more confused I get. I don't get the thing you write about your
security group? Have you changed anything with the NTFS permissions of
the Group Policy? Or put a security group into the OU? Group Policies
will not work on groups as only users and machines can be a target for
Group Policies.

If you have the time, it'd be nice if you could write down the steps you
take to create a policy. Do these errors exist with every policy you
create or just a particular one?

cheers,

Florian
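
Added example, not part of the original thread: a PowerShell check of the point Toni and Florian make, that a GPO link reaches an account through the OU that holds the account object, not through a group that happens to sit in that OU. It assumes the RSAT ActiveDirectory and GroupPolicy modules (newer than the Windows 2000/XP tools used in the thread); `Test-GpoLinkReachesUser` is a hypothetical helper name, and `testuser` and `test` are the names from Scott's steps.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory and
# GroupPolicy modules; Test-GpoLinkReachesUser is a hypothetical helper name.
Import-Module ActiveDirectory, GroupPolicy

function Test-GpoLinkReachesUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # 'testuser' in the thread
        [Parameter(Mandatory)] [string] $GpoName           # 'test' in the thread
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # Where the user OBJECT lives: drop the leading RDN (escaped commas kept).
    $stripRdn = '^.+?(?<!\\),'
    $scope = $user.DistinguishedName -replace $stripRdn, ''

    # GPOs link only to sites, domains and OUs. A plain container such as
    # CN=Users takes its policy from the nearest OU or domain above it.
    while ($scope -like 'CN=*') { $scope = $scope -replace $stripRdn, '' }

    # InheritedGpoLinks is the effective list at that location: links made
    # directly on it plus links inherited from parent containers.
    $links = (Get-GPInheritance -Target $scope).InheritedGpoLinks
    $hit   = $links | Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }

    # Groups matter only for security filtering (Apply Group Policy on the
    # GPO), never for deciding which OU's links reach the account.
    $filter = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }

    [pscustomobject]@{
        UserDN           = $user.DistinguishedName
        PolicyScope      = $scope
        GpoLinkReachesDN = [bool]$hit
        LinkOrder        = $hit.Order
        SecurityFilter   = $filter
        # Location of each group object: irrelevant to link scope, shown so
        # a "group under the OU" is not mistaken for "user in the OU".
        GroupObjectDNs   = $user.MemberOf
    }
}

Test-GpoLinkReachesUser -SamAccountName 'testuser' -GpoName 'test' | Format-List
```

If `PolicyScope` is not Test OU (or a child of it), `GpoLinkReachesDN` is False no matter which groups appear under `GroupObjectDNs`.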

