RE: My Documents GPO Conflict?
- From: fieldy <fieldy@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 2 Jun 2005 09:25:15 -0700
Hi Charles,
Many thanks for your help in this matter. Please find attached the RSOP for
the user who is a test account for the lockdown policy. This applies to all
users in this OU.
I hope this is sufficient for you, and if not I will post other information
as required.
Thanks again Charles,
fieldy

Group Policy Modeling
FELLOWSHIPHOUSE\Tester on FellowshipHouseMinistries.local/MyBusiness/FHM Users
Data collected on: 6/2/2005 12:15:11 PM

Summary

Computer Configuration Summary

General
Computer container | FellowshipHouseMinistries.local/MyBusiness/FHM Users
Domain | FellowshipHouseMinistries.local
Site | (None)
Slowlink processing | No

Group Policy Objects

Applied GPOs
Name | Link Location | Revision
Lockdown | FellowshipHouseMinistries.local/MyBusiness/FHM Users | AD (110), Sysvol (110)
Default Domain Policy | FellowshipHouseMinistries.local | AD (88), Sysvol (88)

Denied GPOs
Name | Link Location | Reason Denied
None

Simulated security group membership
Everyone
NT AUTHORITY\Authenticated Users

WMI Filters
Name | Value | Reference GPO(s)
None

Component Status
Component Name | Status
Group Policy Infrastructure | Success
EFS recovery | Success (no data)
Microsoft Disk Quota | Success (no data)
Registry | Success
Scripts | Success
Security | Success

User Configuration Summary

General
User name | FELLOWSHIPHOUSE\Tester
User container | FellowshipHouseMinistries.local/MyBusiness/FHM Users
Domain | FellowshipHouseMinistries.local
Slowlink processing | No
Loopback processing | No

Group Policy Objects

Applied GPOs
Name | Link Location | Revision
Lockdown | FellowshipHouseMinistries.local/MyBusiness/FHM Users | AD (238), Sysvol (238)
Default Domain Policy | FellowshipHouseMinistries.local | AD (52), Sysvol (52)

Denied GPOs
Name | Link Location | Reason Denied
None

Simulated security group membership
FELLOWSHIPHOUSE\Tester
BUILTIN\Administrators
BUILTIN\Users
FELLOWSHIPHOUSE\Domain Users
Everyone
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
FELLOWSHIPHOUSE\Web Workplace Users
FELLOWSHIPHOUSE\SBS Mobile Users

WMI Filters
Name | Value | Reference GPO(s)
None

Component Status
Component Name | Status
Group Policy Infrastructure | Success
Folder Redirection | Success
Internet Explorer Branding | Success
Registry | Success

Computer Configuration

Windows Settings

Scripts

Startup
Name | Parameters | Last Run | Winning GPO
\\fhmserver1\software\staff share.vbs | | | Default Domain Policy

Security Settings

Account Policies/Password Policy
Policy | Setting | Winning GPO
Enforce password history | 3 passwords remembered | Default Domain Policy
Maximum password age | 120 days | Default Domain Policy
Minimum password age | 1 days | Default Domain Policy
Minimum password length | 5 characters | Default Domain Policy
Password must meet complexity requirements | Disabled | Default Domain Policy
Store passwords using reversible encryption | Disabled | Default Domain Policy

Account Policies/Account Lockout Policy
Policy | Setting | Winning GPO
Account lockout duration | 30 minutes | Default Domain Policy
Account lockout threshold | 10 invalid logon attempts | Default Domain Policy
Reset account lockout counter after | 30 minutes | Default Domain Policy

Account Policies/Kerberos Policy
Policy | Setting | Winning GPO
Enforce user logon restrictions | Enabled | Default Domain Policy
Maximum lifetime for service ticket | 600 minutes | Default Domain Policy
Maximum lifetime for user ticket | 10 hours | Default Domain Policy
Maximum lifetime for user ticket renewal | 7 days | Default Domain Policy
Maximum tolerance for computer clock synchronization | 5 minutes | Default Domain Policy

Local Policies/User Rights Assignment
Policy | Setting | Winning GPO
Allow log on locally | admin, Administrators, domain users, FELLOWSHIPHOUSE\admin, FELLOWSHIPHOUSE\Administrator Tmpl, FELLOWSHIPHOUSE\Domain Computers, FELLOWSHIPHOUSE\fieldy | Default Domain Policy
Allow log on through Terminal Services | Server Operators, FELLOWSHIPHOUSE\fieldy, FELLOWSHIPHOUSE\Domain Computers, FELLOWSHIPHOUSE\admin, domain users, Administrators | Default Domain Policy
Deny log on through Terminal Services | S-1-5-21-875473619-380876173-2996324415-2257 | Lockdown
Force shutdown from a remote system | administrator, Administrators, FELLOWSHIPHOUSE\fieldy | Default Domain Policy
Shut down the system | Administrators, FELLOWSHIPHOUSE\admin, FELLOWSHIPHOUSE\fieldy | Default Domain Policy
Take ownership of files or other objects | Administrators, FELLOWSHIPHOUSE\admin, FELLOWSHIPHOUSE\fieldy | Default Domain Policy

Local Policies/Security Options

Accounts
Policy | Setting | Winning GPO
Accounts: Rename administrator account | admin | Default Domain Policy

Network Security
Policy | Setting | Winning GPO
Network security: Force logoff when logon hours expire | Disabled | Default Domain Policy

Public Key Policies/Autoenrollment Settings
Policy | Setting | Winning GPO
Enroll certificates automatically | Enabled | [Default setting]
Renew expired certificates, update pending certificates, and remove revoked certificates | Disabled
Update certificates that use certificate templates | Disabled

Public Key Policies/Encrypting File System

Properties
Winning GPO | [Default setting]
Policy | Setting
Allow users to encrypt files using Encrypting File System (EFS) | Enabled

Certificates
Issued To | Issued By | Expiration Date | Intended Purposes | Winning GPO
administrator | administrator | 6/23/2007 1:35:32 PM | File Recovery | Default Domain Policy
For additional information about individual settings, launch Group Policy Object Editor.

Public Key Policies/Trusted Root Certification Authorities

Properties
Winning GPO | [Default setting]
Policy | Setting
Allow users to select new root certification authorities (CAs) to trust | Enabled
Client computers can trust the following certificate stores | Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria | Registered in Active Directory only

Software Restriction Policies
Winning GPO | Lockdown

Enforcement
Policy | Setting
Apply software restriction policies to | All software files except libraries (such as DLLs)
Apply software restriction policies to the following users | All users

Designated File Types
File Extension | File Type
ADE | ADE File
ADP | ADP File
BAS | BAS File
BAT | Windows Batch File
CHM | Compiled HTML Help file
CMD | Windows Command Script
COM | Application
CPL | Control Panel extension
CRT | Security Certificate
EXE | Application
HLP | Help File
HTA | HTML Application
INF | Setup Information
INS | Internet Communication Settings
ISP | Internet Communication Settings
LNK | Shortcut
MDB | MDB File
MDE | MDE File
MSC | Microsoft Common Console Document
MSI | Windows Installer Package
MSP | Windows Installer Patch
MST | InstallShield Developer project file
OCX | ActiveX Control
PCD | PCD File
PIF | Shortcut to Program
REG | Registration Entries
SCR | Screen Saver
SHS | Scrap object
URL | Internet Shortcut
VB | VB File
WSC | Windows Script Component

Trusted Publishers
Allow the following users to select trusted publishers | End users
Before trusting a publisher, check the following to determine if the certificate is revoked | None

Software Restriction Policies/Security Levels
Policy | Setting | Winning GPO
Default Security Level | Unrestricted | Lockdown

Software Restriction Policies/Additional Rules

Path Rules

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
Security Level | Unrestricted
Description
Date last modified | 3/19/2005 4:11:55 PM
Winning GPO | Lockdown

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe
Security Level | Unrestricted
Description
Date last modified | 3/19/2005 4:11:55 PM
Winning GPO | Lockdown

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe
Security Level | Unrestricted
Description
Date last modified | 3/19/2005 4:11:55 PM
Winning GPO | Lockdown

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
Security Level | Unrestricted
Description
Date last modified | 3/19/2005 4:11:55 PM
Winning GPO | Lockdown

Administrative Templates
An error has occurred while collecting data for Administrative Templates.
The following errors were encountered:
The .adm file "C:\WINDOWS\inf\wuau.adm" is not in a valid format and must be replaced. Details: A string is expected at line 0.

User Configuration

Windows Settings

Security Settings

Public Key Policies/Autoenrollment Settings
Policy | Setting | Winning GPO
Enroll certificates automatically | Enabled | [Default setting]
Renew expired certificates, update pending certificates, and remove revoked certificates | Disabled
Update certificates that use certificate templates | Disabled

Internet Explorer Maintenance

Browser User Interface/Customized Title Bar
Title Bar Text | Winning GPO
Fellowship House Ministries | Default Domain Policy

Connection/Automatic Browser Configuration
Policy | Setting | Winning GPO
Automatically detect configuration settings | Enabled | Lockdown
Automatic Browser Configuration | Not configured | N/A

Connection/Connection Settings
The policy configuration contains connection settings deployed by this GPO. | Lockdown

Connection/Proxy Settings
Winning GPO | Lockdown
Enable proxy settings
Protocol | Server | Port
HTTP
Secure
FTP
Gopher
Socks
Exceptions: Do not use proxy server for addresses beginning with
Do not use proxy server for local (intranet) addresses | Enabled

URLs/Important URLs
Name | URL | Winning GPO
Home page URL | http://www.fellowshiphouseministries.org | Default Domain Policy
Search bar URL | http://www.google.com | Default Domain Policy
Online support page URL | Not configured | N/A

URLs/Favorites and Links
Policy | Setting | Winning GPO
Place favorites and links at the top of the list in the order specified below | Enabled | Default Domain Policy
Delete existing Favorites and Links, if present | Enabled | Lockdown
Only delete the favorites created by the administrator | Disabled | Default Domain Policy
Delete existing channels, if present | Not configured | N/A

Favorites
Name | URL | Winning GPO
Outlook Web Access | http://fhmmail.dyndns.org/exchange | Default Domain Policy
FellowshipHouse Website | http://www.fellowshiphouseministries.org | Default Domain Policy
Search Engine | http://www.google.com | Default Domain Policy
Cortrac Online | https://secure.cortrac.com/conline/ | Default Domain Policy
Fellowship House Website | http://www.fellowshiphouseministries.org | Lockdown
Outlook Web Access | http://fhmmail.dyndns.org/exchange | Lockdown
new | http://www.google.com | Lockdown
CT Department of Labor | http://www.ctdol.state.ct.us/ | Lockdown
CT Department of Motor Vehicles | http://www.ct.gov/dmv/site/default.asp | Lockdown
CT Alcoholics Anon | http://www.ct-al-anon.org/ | Lockdown

Security/Security Zones and Content Ratings

Content Ratings
The policy configuration contains Content Ratings settings deployed by this GPO. | Lockdown

Administrative Templates
An error has occurred while collecting data for Administrative Templates.
The following errors were encountered:
The .adm file "C:\WINDOWS\inf\wuau.adm" is not in a valid format and must be replaced. Details: A string is expected at line 0.

"Charles Yang [MSFT]" wrote:
> Hi Fieldy,
>
> Thanks for posting in this newsgroup.
>
> According to your description, after you applied a locked down GPO, you can
> not access the "My document" on the desktop.
>
> Before we go any further, could you tell us what is your locked down GPO
> setting? Can I assume that you have set some restriction for some users?
> Please also tell us what kinds of restriction you set in the lock down GPO;
> if possible can you paste the Group policy reports to newsgroup.
>
> Generally speaking, the issue might be caused by the GPO interruption. In
> order to isolate the issue, please help gather the information below:
>
> 1. Please follow the steps below to create a GP reports and paste the
> information to the newsgroup.
>
>
> Gather the Group Policy report of the SBS 2003 box
> A. Navigate to the problematic user, right click it choose RSOP.
> B. In the wizard, click "Next"-->Select "This Computer"-->Select "Display
> policy settings for" "Current User"-->"Next"-->"Next"-->"Finish"
> C. You will find a new report in "Group Policy Results". Right-click the
> new report, click "Save report". Save the report as a HTML file.
> 2. Does it occur to all user account or only to some special user?
>
> I appreciate your understanding and paste your results as your convenience;
> I am here waiting for your updates.
>
> Best regards,
>
> Charles Yang (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>