
Need help with multiple GPOs

Anonymous
January 7, 2005 4:00:44 PM

Archived from groups: microsoft.public.win2000.active_directory

Hi we have several OUs with computer objects in each OU.
Top---OU#1--GPO#1
---OU
---OU---OU#2--GPO#2---OU#3---GPO#3
When a user logs into a computer in OU#1 we would like the GPO#1 to apply.
For this we set GPO loopback processing mode to 'merge'.
Farther down the tree branches we have another OU with computer objects
which we would like to override the GPO#1 with GPO#2.
It seems GPO#1 likes to take effect even on OU#2.
I've tried setting GPO#2 loopback processing to 'replace' but still not
working.
The users log into either OU, so user placement is in the default 'Users'
OU.
What's strange is that it did seem to work a while back, but now it's not.
GPO#3 seems ok.
Unfortunately things are locked down a bit and access to the cmd prompt by
user is blocked by GPO.
Any ideas?
Thanks, Graham


Anonymous
January 7, 2005 6:48:46 PM


> It seems GPO#1 likes to take effect even on OU#2.

Are OU#1 and OU#2 at the same level or is OU#2 somehow inside OU#1? It
is weird that the Group Policies are applied like they are. I use the
Loopback mode with some computers; however, I haven't had a problem.
Most of my user settings are User Based.

Cheers,

Lara

Anonymous
January 7, 2005 7:51:21 PM


The system was set up for applying a GPO to a terminal server in OU1 and
applying a different GPO when the user logs onto a w/s in OU3.
However, my gpresult is telling me that my wanted GPO is 'denied':
Filtering: Denied (security)
Do you know why this is happening?
Graham
Anonymous
January 7, 2005 10:45:31 PM


The first thing to ascertain is what policies are winning in the application
stakes. By default, unless no override is configured on a higher linked
GPO.

If you have some XP boxes, run the Resultant Set of Policy tool either as
the logged on user, or if things are tied down too much, log on as
administrator and run the RSoP and select the user you want.

You need to see both the user and computer policy, especially when utilising
loopback processing.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
Anonymous
January 7, 2005 10:45:32 PM


OK, I've been playing a bit more with it and discovered something a bit
different.

top of tree
--OU1 has GPO1---OU2 has GPO2 (user object is here)
--OU3 has GPO3--OU4 has computer object (w/s user is logged into)

GPO1 has loopback processing=merge
GPO3 has loopback processing=replace

When user logs into w/s under OU4, it seems he gets GPO1.
I tried unlinking GPO1 and running gpupdate then gpresult on the w/s.
It says "The following GPOs were not applied because they were filtered out"
Well, my wanted GPO is in the list. How is it filtered out? I've clicked
'Allow' for Domain Users and authenticated users.
Any ideas?
Graham
Anonymous
January 8, 2005 1:09:31 AM


Another question:

We are using mandatory profiles for these users.

If the user that was used to create the mandatory profile was a domain admin
at the time of the profile creation, does the new user that gets the
mandatory profile pick up any 'domain admin' rights? - even though they
normally don't have these rights? (domain user member)

Our GPOs have a security filter 'deny' for domain admins - perhaps some of
this is spilling over because of the mandatory profiles?

Thoughts?
Graham
Anonymous
January 8, 2005 11:37:40 AM


Answers inline...

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

"Graham Prentice" <gprentice_@_rocketmail.com> wrote in message
news:%238my49S9EHA.2112@TK2MSFTNGP14.phx.gbl...
> Another question:
>
> We are using mandatory profiles for these users.
>
> If the user that was used to create the mandatory profile was a domain admin
> at the time of the profile creation, does the new user that gets the
> mandatory profile pick up any 'domain admin' rights? - even though they
> normally don't have these rights? (domain user member)

Paul: Certainly not. The user account will have full control permissions
over the profile directory structure; they will not be granted any
permissions elsewhere or gain additional rights - that's all very separate.

> Our GPOs have a security filter 'deny' for domain admins - perhaps some of
> this is spilling over because of the mandatory profiles?

Paul: Nope. More than likely, some users haven't been removed from the
administrative group.

Going back to what you said though, I'd get rid of the added permissions of
Domain Users; just leave it at authenticated users and then deny to domain
admins.

You should check the permissions on all the GPOs. If one's being filtered
out, this's the answer.

> Thoughts?
> Graham
Anonymous
January 8, 2005 3:03:16 PM


Thanks for clearing that up.

It turns out the GPO was being denied because the builtin\Administrators
group had a deny in security filtering.

The computer object is a member of builtin\Administrators.
Once I removed Builtin\Administrators from the security filtering, it seemed
to work.

What's strange is that there are other GPOs with builtin\administrators
having a deny for the policy but they were taking effect on this
workstation?

Doesn't fully make sense to me but at least progress is happening and I'll
continue to test.

Thanks for all your replies.

Regards,
Graham
!
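The advice in this thread to check the permissions on all the GPOs, and the Deny entry for builtin\Administrators that turned out to be the cause, can be audited in one pass. The script below is an added example, not part of the original thread; it assumes the GroupPolicy and ActiveDirectory RSAT PowerShell modules, which are newer than the Windows 2000 tooling discussed here, and an account allowed to read GPO ACLs.

```powershell
# Added example: list every Deny ACE on every GPO in the current domain.
# Assumption: GroupPolicy and ActiveDirectory RSAT modules are installed.
Import-Module GroupPolicy, ActiveDirectory

# Schema GUID of the "Apply Group Policy" extended right.
$applyGpo = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$adRights = [System.DirectoryServices.ActiveDirectoryRights]

$findings = foreach ($gpo in Get-GPO -All) {
    # $gpo.Path is the DN of the groupPolicyContainer object that carries the ACL.
    $acl = Get-Acl -Path ("AD:\" + $gpo.Path)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }

        # A Deny on ExtendedRight blocks "Apply Group Policy" when it names that
        # right explicitly or names no right at all (empty GUID = all extended rights).
        $deniesApply = (($ace.ActiveDirectoryRights -band $adRights::ExtendedRight) -ne 0) -and
                       ($ace.ObjectType -eq $applyGpo -or $ace.ObjectType -eq [guid]::Empty)

        # Broad check: any Deny that includes ReadProperty can also stop the
        # GPO from being read, which filters it out in the same way.
        $deniesRead = (($ace.ActiveDirectoryRights -band $adRights::ReadProperty) -ne 0)

        [pscustomobject]@{
            Gpo         = $gpo.DisplayName
            Trustee     = $ace.IdentityReference.Value
            DeniesApply = $deniesApply
            DeniesRead  = $deniesRead
            Inherited   = $ace.IsInherited
        }
    }
}

# Sorting by trustee groups together every GPO that denies the same group.
$findings | Sort-Object Trustee, Gpo | Format-Table -AutoSize
```

Any trustee listed with DeniesApply set is a candidate for the "Filtering: Denied (security)" result in gpresult, for every account whose token contains that group.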