Re: GPO testing

Hi!

I don't see one crucial step? Put user accounts in test OU?

Toni


"Scott" <scotts@xxxxxxxxxxxxxx> wrote in message
news:%23zayVu68GHA.2120@xxxxxxxxxxxxxxxxxxxxxxx

Florian,

Here are the steps I used to create and link the GPO :
- In Active Directory Users and Computers created an OU under the domain
called Test OU
- In Active Directory Users and Comptuers created a security group under
Test OU called Test Group.
- Placed two users in the security group Test Group.
- In GPMC snap-in went to Group Policy Objects, right clicked and
selected New.
- Right clicked on the new policy called "test" and selected edit.
- Went into the User Configuration -> Administrative Templates ->
Control Panel and set "Prohibit access to the Control Panel" to enabled.
- In GPMC right clicked on Test OU and selected "Link an existing GPO.."
and selected "test".
- test now shows up as linked to Test OU in the GPMC.
- Went to the server and ran secedit /refreshpolicy [machine &&
policy]_policy /enforce (two seperate commands written in compact form)
- Went to the XP workstation and ran gpupdate /force
- Went to GPMC and right clicked on Group Policy Results and selected
Group Policy Result Wizard and set it to give a RSoP for both users in
Test Group on my XP workstation.
- Now under User configuration -> Group Policy Objects -> Applied GPOs
the only policy listed is "Default Domain Policy" and under User
configuration -> Group Policy Objects -> Denied GPOs the only policy
listed is Local Group Policy which has a Link Location = Local and
Reason Denied = Empty
- Under "Security Group Membership when Group Policy was applied" there
is a list of security groups but my Test Group is not in the list.
Moreover one of the security groups is old and the user has not been a
member of that group for at least a couple of days.

Also, took Toni's advice and downloaded FAZAM 2000. Ran the analysis.
In FAZAM 2000 :
Right clicked on the domain and selected Perform analysis
Set the user to testuser (one of my users in Test Group)
Set the machine to my XP workstation
Performed What-if analysis with the scenario where testuser is moved to
the OU called Test OU (which my test GPO is linked to) and the result is
a success!?! When I click on the User Hierarchy -> Test OU the test
GPO comes up and the Order of Precendence = 1. Under Machine Hierarchy
the Test OU is not present probabably because there are no machines in
the security group.

Looked at your website and went through the list and I cannot figure
out where I am going wrong.

Cheers,
Scott


Florian Frommherz wrote:
Howdie Scott!

Scott wrote:
Installed the Microsoft User Profile Hive Cleanup Service as you
suggested and restarted the XP workstation. Did a secedit
/REFRESHPOLICY [machine && user]_policy /ENFORCE on the server. Did a
gpupdate /FORCE on the workstation. Then used the RSoP snap-in for the
mmc to test to see if the GPO was applied. It wasn't applied and even
worse I removed one of my users from a different security group and that
was not updated. Under "Security Group Membership when Group Policy was
applied." the user is still a member of the security group I removed it
from a couple days ago. This is why I have no idea what is going on
with this processing of the GPOs and the updating of the policy.

The more I read about your issue, the more complex it might get and the
more confused I get. I don't get the thing you write about your security
group? Have you changed anything with the NTFS permissions of the Group
Policy? Or put a security group into the OU? Group Policies will not work
on groups as only users and machines can be a target for Group Policies.

If you have the time, I'd be nice if you could write down the steps you
take to create a policy. Do these errors exist with every policy you
create or just a particular one?

cheers,

Florian


.

Relevant Pages

  • Re: Preventing logon to local accounts
    ... Just to go over it from the beginning, you have created a new gpo with the ... you have created a security group and added the ... this works because RDP is enabled and greyed out on the remote tab is system ... then, add another workstation to the domain, don’t add this workstation in to ...
    (microsoft.public.windows.server.active_directory)
  • Re: Publishing/Assigning Applications
    ... > default domain policy. ... you are not creating the GPO there AT the OU. ... Authenticated Users security group is given both the READ and APPLY GROUP ...
    (microsoft.public.win2000.group_policy)
  • Re: Local Group Policy is assigning only to user with admin rights !!???
    ... Typically one would put the computer account object in an OU by itself (or ... and then create a GPO using Loopback linked to ... care to remove the 'Authenticated Users' security group from the security ... this group the READ and APPLY GROUP POLICY rights and away you go. ...
    (microsoft.public.win2000.group_policy)
  • Re: Group Policy Wont Apply Unless User is a Member of Domain Admin. Why?
    ... I'd go to the workstation where the policy is not applying and do Start -> ... a different GPO applying policies there? ... gpo will only apply if the test user (uTest) is a member of theDomain> ...
    (microsoft.public.windows.server.sbs)
  • deny software install based on security
    ... are members of 'acrobat7_install' security group. ... Installing the software ... The policy tries to install the software, ... It was installed by GPO and removed by GPO. ...
    (microsoft.public.windows.group_policy)