
Group Policy Losing its marbles...

Anonymous
January 19, 2005 4:16:16 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

All,
I am stumped here..
I have 7 computers in a Training OU that are for student use. 5 in our lab
and 2 at our counter.
I have three policies defined for that OU and I have Block Inheritance
turned on, with all three set to be enforced and having the training user
below added to read them implicitly along with authenticated users.

1) Rename Administrator (Computer Policy) <- Renames Administrator
2) Automatic Logon (Computer Policy) <- Automatically logs onto the PC with
a user called kent\training, which I created under our REGISTRARS OU
3) Training Machine Policy (User Policy) <- Lock the machine down for web
access only, no drive access, etc...

This was previously working fine, however something has changed and I am not
sure what, because only 1 and 2 are applying.
When I run a Resultant Set of Policy on the training PCs, under the
computer properties, I see all three listed, however
under user properties, none of the three are listed, and instead I see the
ones from the OU one level above (which is also where the training user
resides), which include a Firewall setting, Folder redirection and others.

I have block inheritance on, and it seems to work with the computer
settings, but it is not working with the user settings? (Allowing upper
Policies (none non blocking) to apply).
Any idea how I can get the third policy to reapply itself?

Thanks,
Nathan
Anonymous
January 19, 2005 7:08:00 PM

The user is in the parent OU and so does not fall under the scope of the
user policy applied to the child OU. You should be able to move that user
to the child OU and get the user policies to apply. Try that to test -- do
a secedit to refresh the policy.

The user policy is applying to the computers... it just doesn't do anything
to the computer object.

I would suggest moving the user object OR moving the GPO to the parent
folder and doing GPO filtering to make it apply only to that user.

--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services
Anonymous
January 19, 2005 11:52:32 PM

Looks like Ryan is going to address the issues that you are having with the
current setup. I might have an alternative suggestion on how you could do
things.

Have you thought about using a lockdown GPO? Most likely in Replace
mode....

You would simply put the computer account objects in the test OU and link
the GPO to that OU. This way it does not matter who logs on to those
computers - they will be in lockdown mode. Naturally, you would set it up
so that the Domain Admins ( or whatever ) would not be affected buy this
lockdown GPO!

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
Anonymous
January 20, 2005 12:01:43 AM

Can not seem to spell tonight..

That should have been 'would not be affected by this lockdown GPO!'.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
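
The scoping rule behind both replies, as an added Python sketch that is not part of the original thread: user settings come from the GPOs in scope of the user object's OU, unless loopback processing (the "Replace mode" mentioned above) makes the computer's OU decide. The OU layout is constructed from the question's description; the class and function names are hypothetical, and site links, security filtering and WMI filters are left out.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Link:
    gpo: str
    enforced: bool = False  # "No Override" on the link

@dataclass
class OU:  # hypothetical model; the domain root is treated as a container too
    name: str
    parent: Optional["OU"] = None
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False

def gpos_in_scope(ou: Optional[OU]) -> List[str]:
    """GPOs reaching an object in `ou`, in processing order (last one wins)."""
    chain = []
    while ou is not None:
        chain.insert(0, ou)  # top-level container first
        ou = ou.parent
    normal, enforced = [], []
    for node in chain:
        if node.block_inheritance:
            normal = []  # drops non-enforced links inherited from above
        normal += [l.gpo for l in node.links if not l.enforced]
        # enforced links are processed last; a higher container's links win
        enforced = [l.gpo for l in node.links if l.enforced] + enforced
    return normal + enforced

def user_side_gpos(user_ou: OU, computer_ou: OU,
                   loopback: Optional[str] = None) -> List[str]:
    """GPOs whose User Configuration is processed at logon."""
    if loopback == "replace":  # computer's location decides, user's is ignored
        return gpos_in_scope(computer_ou)
    if loopback == "merge":    # user's list first, then the computer's list
        comp = gpos_in_scope(computer_ou)
        return [g for g in gpos_in_scope(user_ou) if g not in comp] + comp
    return gpos_in_scope(user_ou)  # default: the user's location decides

# Constructed layout following the thread's description.
domain = OU("kent")
registrars = OU("REGISTRARS", domain, [Link("Firewall"), Link("Folder Redirection")])
training = OU("Training", registrars, block_inheritance=True, links=[
    Link("Rename Administrator", True), Link("Automatic Logon", True),
    Link("Training Machine Policy", True)])

if __name__ == "__main__":
    print("as posted:       ", user_side_gpos(registrars, training))
    print("user moved:      ", user_side_gpos(training, training))
    print("loopback replace:", user_side_gpos(registrars, training, "replace"))
```

The "as posted" result matches the Resultant Set of Policy output in the question: the user side shows only the parent OU's GPOs, because Block Inheritance on the Training OU affects objects located in that OU and the training user is not one of them.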