Re: GPO testing



Hi!

Right click user, select Move and choose Test OU.

Toni

"Scott" <scotts@xxxxxxxxxxxxxx> wrote in message
news:u9$6x678GHA.3396@xxxxxxxxxxxxxxxxxxxxxxx

Hi Toni,

How do I add users directly to an Organizational Unit? As I said, I
created a group inside the OU and put the users in that. How do I add an
existing user to an OU? If I go into Active Directory Users and
Computers -> Users and right click on a user and then go to "Add to
group.." it considers an OU a location not a group. Is there another way
to do it?

Thanks,
Scott

T. Uranjek wrote:
Hi, Scott!

Group policy actually has (almost) nothing to do with groups. GPO will
NOT work if user (or computer) account is not in OU where GPO is linked?
Do you have your test users in TestOU or not? This is one million $
question now?

Toni

"Scott" <scotts@xxxxxxxxxxxxxx> wrote in message
news:%23nkEC868GHA.4808@xxxxxxxxxxxxxxxxxxxxxxx
Hi Toni,

I put the users into a security group under the OU. So my test user is
domain -> Test OU -> Test Group -> testuser where Test OU is the
organizational unit, Test Group is the security group and testuser is
the user. Is that wrong?

Thanks,
Scott

T. Uranjek wrote:
Hi!

I don't see one crucial step? Put user accounts in test OU?

Toni


"Scott" <scotts@xxxxxxxxxxxxxx> wrote in message
news:%23zayVu68GHA.2120@xxxxxxxxxxxxxxxxxxxxxxx
Florian,

Here are the steps I used to create and link the GPO:
- In Active Directory Users and Computers created an OU under the
  domain called Test OU
- In Active Directory Users and Computers created a security group
  under Test OU called Test Group.
- Placed two users in the security group Test Group.
- In GPMC snap-in went to Group Policy Objects, right clicked and
  selected New.
- Right clicked on the new policy called "test" and selected edit.
- Went into the User Configuration -> Administrative Templates ->
  Control Panel and set "Prohibit access to the Control Panel" to
  enabled.
- In GPMC right clicked on Test OU and selected "Link an existing
  GPO.." and selected "test".
- test now shows up as linked to Test OU in the GPMC.
- Went to the server and ran secedit /refreshpolicy [machine &&
  policy]_policy /enforce (two separate commands written in compact
  form)
- Went to the XP workstation and ran gpupdate /force
- Went to GPMC and right clicked on Group Policy Results and selected
  Group Policy Result Wizard and set it to give a RSoP for both users in
  Test Group on my XP workstation.
- Now under User configuration -> Group Policy Objects -> Applied GPOs
  the only policy listed is "Default Domain Policy" and under User
  configuration -> Group Policy Objects -> Denied GPOs the only policy
  listed is Local Group Policy which has a Link Location = Local and
  Reason Denied = Empty
- Under "Security Group Membership when Group Policy was applied"
  there is a list of security groups but my Test Group is not in the list.
  Moreover one of the security groups is old and the user has not been a
  member of that group for at least a couple of days.

Also, took Toni's advice and downloaded FAZAM 2000. Ran the analysis.
In FAZAM 2000:
- Right clicked on the domain and selected Perform analysis
- Set the user to testuser (one of my users in Test Group)
- Set the machine to my XP workstation
- Performed What-if analysis with the scenario where testuser is moved
  to the OU called Test OU (which my test GPO is linked to) and the result
  is a success!?! When I click on the User Hierarchy -> Test OU the test
  GPO comes up and the Order of Precedence = 1. Under Machine
  Hierarchy the Test OU is not present probably because there are no
  machines in the security group.

Looked at your website and went through the list and I cannot figure
out where I am going wrong.

Cheers,
Scott


Florian Frommherz wrote:
Howdie Scott!

Scott wrote:
Installed the Microsoft User Profile Hive Cleanup Service as you
suggested and restarted the XP workstation. Did a secedit
/REFRESHPOLICY [machine && user]_policy /ENFORCE on the server. Did
a gpupdate /FORCE on the workstation. Then used the RSoP snap-in
for the mmc to test to see if the GPO was applied. It wasn't
applied and even worse I removed one of my users from a different
security group and that was not updated. Under "Security Group
Membership when Group Policy was applied." the user is still a
member of the security group I removed it from a couple days ago.
This is why I have no idea what is going on with this processing of
the GPOs and the updating of the policy.

The more I read about your issue, the more complex it might get and
the more confused I get. I don't get the thing you write about your
security group? Have you changed anything with the NTFS permissions
of the Group Policy? Or put a security group into the OU? Group
Policies will not work on groups as only users and machines can be a
target for Group Policies.

If you have the time, it'd be nice if you could write down the steps
you take to create a policy. Do these errors exist with every policy
you create or just a particular one?

cheers,

Florian
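
Added example, not part of the original thread: a small Python model of the point Toni and Florian make, that a linked GPO reaches a user through the container holding the user object, not through a group that sits in the OU. The domain name example.com, the DNs and the CN=Users starting location are assumptions; site and local GPOs, security filtering and inheritance blocking are left out.

```python
import re

def split_dn(dn):
    """Split a distinguished name into RDNs, keeping backslash-escaped commas."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def containers_of(dn):
    """Containers that hold the object: domain root first, nearest parent last."""
    rdns = split_dn(dn)[1:]                 # drop the object's own RDN
    i = len(rdns)
    while i > 0 and rdns[i - 1].upper().startswith("DC="):
        i -= 1                              # the trailing DC= run is the domain
    chain = [",".join(rdns[i:])]
    for j in range(i - 1, -1, -1):          # then each OU/container, top down
        chain.append(",".join(rdns[j:]))
    return chain

def applied_gpos(object_dn, links):
    """GPOs that reach the object through links, in processing order.

    Simplified model: only domain and OU links are considered.
    """
    norm = {",".join(split_dn(k)).lower(): v for k, v in links.items()}
    result = []
    for container in containers_of(object_dn):
        result.extend(norm.get(container.lower(), []))
    return result

# Constructed sample data; example.com is a placeholder domain.
DOMAIN = "DC=example,DC=com"
LINKS = {
    DOMAIN: ["Default Domain Policy"],
    "OU=Test OU," + DOMAIN: ["test"],
}
GROUP_DN = "CN=Test Group,OU=Test OU," + DOMAIN      # the group object is in the OU
USER_BEFORE = "CN=testuser,CN=Users," + DOMAIN       # the member is still elsewhere
USER_AFTER = "CN=testuser,OU=Test OU," + DOMAIN      # after Move -> Test OU

if __name__ == "__main__":
    for label, dn in (("before move", USER_BEFORE), ("after move", USER_AFTER)):
        print(label, "->", applied_gpos(dn, LINKS))
    # Group membership never appears in the walk: only the user's own DN matters.
    print("group lives in:", containers_of(GROUP_DN)[-1])
```

The "before" result matches the RSoP output Scott reports (only Default Domain Policy), and the "after" result matches the FAZAM what-if analysis.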


