Re: Mandatory Profile and GPO
- From: "chriss3 [MVP]" <nospam_christoffer@xxxxxxxx>
- Date: Fri, 9 Jun 2006 20:19:10 +0200
Hello,
What I can think off is that you got some registry settings in the mandatory profiles that overwrites the settings applied earlier by the group policy engine. Since they apply in the follow order: Policy Settings -> Profile Settings.
What happens if you run the follow command logged in as "est2": gpupdate.
Will the restrictions to the shutdown command take place then?
If so have the profile as mandatory again with that settings applied.
--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services
----------------------------------------------------------------
http://www.chrisse.se - Active Directory Resources
"Ken Lizotte" <KenLizotte@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:3233EF98-8FA1-4FEB-9AB9-F3BC41B8A8DC@xxxxxxxxxxxxxxxx
I hope this is appropriate for this group.
I have a type of employee that I would like to give mandatory desktop and
security settings. I have Server 2003 on 1 DC (DC1) and several XP Pro
Workstations.
I created an OU called 'Estimators' and created a GPO called 'Estimator
Group Policy' for this OU. For testing, the only setting I Enabled was
'Remove and Prevent Access to the Shutdown Command'. I then created a shared
folder called 'Profiles' on DC1.
I created a user called est1 in 'Estimators' OU. I logged on a workstation
with user 'est1' and, for testing, added a desktop shortcut to calc.exe. I
restarted the workstation and logged in as administrator. From
system/Advanced/User Profiles settings, I copied est1 profile to
\\dc1\profiles\ManProfile and added est1 in 'permitted to use'.
On DC1, I went to \profiles\ManProfile and changed ntuser.dat to ntuser.man.
In Domain Users and Computers, I opened est1 and entered
'\\Dc1\Profiles\ManProfile' under user profile/profile path.
Mandatory profile is working. Now my objective is to add new users in the
'Estimators' OU and assign them the mandatory profile. I add user 'est2' in
the 'Estimators' OU, and enter '\\Dc1\Profiles\ManProfile' under user
profile/profile path. I give est2 full control to the ManProfile folder (same
as est1).
Here is problem: When I log in as est2, I get the shortcut to clac.exe, but
I also get the shutdown function. If I remove the profile path from 'est2',
then a log in creates a local profile and shutdown is not available. It
seems that any new user in the 'Estimators' OU that is directed to the
mandatory profile, loses the GPO for the OU.
I hope I was not too detailed, but wanted to portay an accurate step-by-step.
Any ideas?
Thanks,
Ken
.
- Follow-Ups:
- Re: Mandatory Profile and GPO
- From: Ken Lizotte
- Re: Mandatory Profile and GPO
- Prev by Date: Re: Remote Office Configuration
- Next by Date: Re: Windows XP Firewall on NIC
- Previous by thread: Re: policy only for windows xp
- Next by thread: Re: Mandatory Profile and GPO
- Index(es):
Relevant Pages
|
