Archived from groups: microsoft.public.win2000.group_policy (
More info?)
Thanks Steve. No perms were changed, and I verified that they have read
permissions to the OU. I'll do the more in-depth testing that you
suggested, as well. I appreciate all the help.
-Zack-
On Wed, 28 Apr 2004 12:09:51 GMT, Steven L Umbach
<n9rou@nospam-comcast.net> wrote:
> Zack.
>
> If you changed any AD object permisions on the OU where the TS is, be
> sure users or
> the appropriate group has at least read permissions to the OU itself and
> try adding
> an individual [tests user] to read/apply for the GPO for that OU for the
> TS and for
> read to the OU container in case there is a problem with group nesting.
> The link
> below may be helpful in more advance Group Policy troubleshooting. ---
> Steve
>
>
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B250842
>
> "Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message
> news:cDFjc.985$lz5.309272@attbi_s53...
>> No it should not matter as both are considered interactive logons but
>> what I was
>> suggesting was having test user logon to the TS from a network
>> workstation while
>> that account was in the TS OU to see if the policy still applies and
>> troubleshoot from there depending on the results. --- Steve
>>
>>
>> "Zack Schiel" <zaxxon(@at@)stratosgroup(.dot.)com> wrote in message
>> news
pr65cccnmdydenw@elrapidovivo.zaxxon.local...
>> > I have logged them on to that machine while their user account was in
>> the
>> > OU, and the policy applied successfully. Verified that loopback is
>> > enabled for that GPO. Tried dozens of logons by now.
>> >
>> > It shouldn't matter that the user is logging on via RDP rather than
>> at the
>> > console, correct?
>> >
>> > Thanks,
>> >
>> > -Zack- >> The lowly MCSA still getting comfortable with advanced Group
>> > Policy.
>> >
>> >
>> >
>> >
>> > On Wed, 28 Apr 2004 00:32:11 GMT, Steven L Umbach
>> > <n9rou@nospam-comcast.net> wrote:
>> >
>> > > Try logging the test user on from a workstation where you are
>> > > experiencing problem
>> > > with the policy not applying via loopback. Have them logon with
>> their
>> > > user account in
>> > > the OU and then not in the OU [you may have done all this already]
>> after
>> > > doing a
>> > > refresh using secedit for machine and user to see what happens with
>> > > policy not being
>> > > applied. Just trying to verify that it is not a machine problem.
>> Again
>> > > verify first
>> > > that loopback processing is enabled for that GPO that the TS server
>> > > resides in under
>> > > computer configuration/administrative templates/system/Group
>> Policy. For
>> > > XP machines,
>> > > it may take a couple of logons for user policy to process. Running
>> out
>> > > of ideas on
>> > > this end and can understand you being flummoxed. --- Steve
>> > >
>> > > "Zack" <zschiel(@at@)blueandco(.dot.)com> wrote in message
>> > > news
pr640qpd2vj2ktn@zschielxp.blueco.com...
>> > >> Thanks for the continued help!
>> > >>
>> > >> Yes, read/apply are given to the correct users; moving a test user
>> into
>> > >> the OU and logging in as them does apply the policy. User config
>> is
>> > >> enabled. There is more than one GPO in this OU, however they
>> modify
>> > >> completely different settings, this is top priority, and none have
>> 'no
>> > >> override' or 'block policy inheritance' enabled.
>> > >>
>> > >> -Zack-
>> > >>
>> > >> On Tue, 27 Apr 2004 21:44:06 GMT, Steven L Umbach
>> > >> <n9rou@nospam-comcast.net> wrote:
>> > >>
>> > >> > The GPO that you created for the OU that the TS is in, does the
>> proper
>> > >> > group have
>> > >> > read/apply permissions to the GPO in properties/security and is
>> user
>> > >> > configuration
>> > >> > portion of that GPO enabled? If you put a test user into that OU
>> and
>> > >> > then logon as
>> > >> > them, do they then get the desired settings and gpresult show the
>> > >> policy
>> > >> > is applied
>> > >> > to them? Is there more than one GPO in the TS OU? --- Steve
>> > >> >
>> > >> > "Zack" <zschiel(@at@)blueandco(.dot.)com> wrote in message
>> > >> > news
pr64vnqcbvj2ktn@zschielxp.blueco.com...
>> > >> >> The GPO is being applied to the computer (ie 'This computer
>> received
>> > >> >> settings from...'), but not to the user.
>> > >> >>
>> > >> >> -Zack-
>> > >> >>
>> > >> >> On Tue, 27 Apr 2004 20:11:02 GMT, Steven L Umbach
>> > >> >> <n9rou@nospam-comcast.net> wrote:
>> > >> >>
>> > >> >> > When you ran gpresult while logged onto that server, does it
>> show
>> > >> that
>> > >> >> > the GPO for
>> > >> >> > the OU has been applied to the TS computer successfully and
>> > >> recently?
>> > >> >> If
>> > >> >> > it has not,
>> > >> >> > what is the message if any? Running netdiag is always a good
>> idea
>> > >> >> when
>> > >> >> > you are
>> > >> >> > having problems looking for failed tests/errors/warning
>> > >> particularly
>> > >> >> > relating to
>> > >> >> > domain membership, dns, and dclist. --- Steve
>> > >> >> >
>> > >> >> >
>> > >> >> > "Zack" <zschiel(@at@)blueandco(.dot.)com> wrote in message
>> > >> >> > news
pr64ak1ggvj2ktn@zschielxp.blueco.com...
>> > >> >> >> Hey all,
>> > >> >> >>
>> > >> >> >> We're having a rather frustrating issue, and I'm not certain
>> > >> whether
>> > >> >> >> we're
>> > >> >> >> just doing something incorrectly or there's a problem here.
>> > >> >> >>
>> > >> >> >> We have a terminal server that we're trying to lock down via
>> group
>> > >> >> >> policy.
>> > >> >> >> We have the server in its own OU, with a GPO applied to it.
>> In
>> > >> this
>> > >> >> GPO,
>> > >> >> >> we're applying user settings, to be applied to any user that
>> logs
>> > >> >> onto
>> > >> >> >> the
>> > >> >> >> machine via loopback processing mode. Except users aren't
>> getting
>> > >> the
>> > >> >> >> policy at all--gpresult.exe doesn't even mention the policy
>> for
>> > >> the
>> > >> >> >> user.
>> > >> >> >> According to Microsoft here
>> > >> >> >>
>> > >> >>
>> > >>
>> (http://support.microsoft.com/default.aspx?scid=kb;en-us;260370&Product=win2000
>> > >> >> >> - Method 2), I believe that we're doing it right. Any ideas?
>> We've
>> > >> >> tried
>> > >> >> >> manually updating the server's GP via secedit /refreshpolicy,
>> > >> tried
>> > >> >> >> waiting out the full 90 minutes just in case, checked
>> permissions,
>> > >> >> the
>> > >> >> >> whole nine yards. Nothing seems to work.
>> > >> >> >>
>> > >> >> >> Server is Windows 2000 Server w/Citrix Metaframe, domain is
>> > >> Windows
>> > >> >> >> 2000
>> > >> >> >> native functional level.
>> > >> >> >>
>> > >> >> >> Thanks for any ideas,
>> > >> >> >>
>> > >> >> >> -Zack-
>> > >> >> >>
>> > >> >> >> --
>> > >> >> >> Using M2, Opera's revolutionary e-mail client:
>> > >> >> http://www.opera.com/m2/
>> > >> >> >
>> > >> >> >
>> > >> >>
>> > >> >>
>> > >> >>
>> > >> >> --
>> > >> >> Using M2, Opera's revolutionary e-mail client:
>> > >> http://www.opera.com/m2/
>> > >> >
>> > >> >
>> > >>
>> > >>
>> > >>
>> > >> --
>> > >> Using M2, Opera's revolutionary e-mail client:
>> http://www.opera.com/m2/
>> > >
>> > >
>> >
>> >
>> >
>> > --
>> > Using M2, Opera's revolutionary e-mail client:
>> http://www.opera.com/m2/
>>
>>
>
>
--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/