
Applying user configuration settings to an OU containing o..

April 27, 2004 12:32:51 PM

Archived from groups: microsoft.public.win2000.group_policy

Hey all,

We're having a rather frustrating issue, and I'm not certain whether we're
just doing something incorrectly or there's a problem here.

We have a terminal server that we're trying to lock down via group policy.
We have the server in its own OU, with a GPO applied to it. In this GPO,
we're applying user settings, to be applied to any user that logs onto the
machine via loopback processing mode. Except users aren't getting the
policy at all--gpresult.exe doesn't even mention the policy for the user.
According to Microsoft here
(http://support.microsoft.com/default.aspx?scid=kb;en-us;260370&Product=win2000
- Method 2), I believe that we're doing it right. Any ideas? We've tried
manually updating the server's GP via secedit /refreshpolicy, tried
waiting out the full 90 minutes just in case, checked permissions, the
whole nine yards. Nothing seems to work.

Server is Windows 2000 Server w/Citrix Metaframe, domain is Windows 2000
native functional level.

Thanks for any ideas,

-Zack-

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
Anonymous
April 28, 2004 12:11:02 AM


When you ran gpresult while logged onto that server, does it show that the GPO for
the OU has been applied to the TS computer successfully and recently? If it has not,
what is the message if any? Running netdiag is always a good idea when you are
having problems looking for failed tests/errors/warning particularly relating to
domain membership, dns, and dclist. --- Steve
April 28, 2004 12:11:03 AM


The GPO is being applied to the computer (ie 'This computer received
settings from...'), but not to the user.

-Zack-

Anonymous
April 28, 2004 1:44:06 AM


The GPO that you created for the OU that the TS is in, does the proper group have
read/apply permissions to the GPO in properties/security and is user configuration
portion of that GPO enabled? If you put a test user into that OU and then logon as
them, do they then get the desired settings and gpresult show the policy is applied
to them? Is there more than one GPO in the TS OU? --- Steve
April 28, 2004 1:44:07 AM


Thanks for the continued help!

Yes, read/apply are given to the correct users; moving a test user into
the OU and logging in as them does apply the policy. User config is
enabled. There is more than one GPO in this OU, however they modify
completely different settings, this is top priority, and none have 'no
override' or 'block policy inheritance' enabled.

-Zack-

Anonymous
April 28, 2004 4:32:11 AM


Try logging the test user on from a workstation where you are experiencing the problem
with the policy not applying via loopback. Have them logon with their user account in
the OU and then not in the OU [you may have done all this already] after doing a
refresh using secedit for machine and user to see what happens with policy not being
applied. Just trying to verify that it is not a machine problem. Again verify first
that loopback processing is enabled for that GPO that the TS server resides in under
computer configuration/administrative templates/system/Group Policy. For XP machines,
it may take a couple of logons for user policy to process. Running out of ideas on
this end and can understand you being flummoxed. --- Steve
Anonymous
April 28, 2004 4:32:12 AM


I have logged them on to that machine while their user account was in the
OU, and the policy applied successfully. Verified that loopback is
enabled for that GPO. Tried dozens of logons by now. :) 

It shouldn't matter that the user is logging on via RDP rather than at the
console, correct?

Thanks,

-Zack- >> The lowly MCSA still getting comfortable with advanced Group
Policy. ;) 




Anonymous
April 28, 2004 7:34:32 AM


No it should not matter as both are considered interactive logons but what I was
suggesting was having test user logon to the TS from a network workstation while
that account was in the TS OU to see if the policy still applies and
troubleshoot from there depending on the results. --- Steve
Anonymous
April 28, 2004 4:09:51 PM


Zack.

If you changed any AD object permissions on the OU where the TS is, be sure users or
the appropriate group has at least read permissions to the OU itself and try adding
an individual [test user] to read/apply for the GPO for that OU for the TS and for
read to the OU container in case there is a problem with group nesting. The link
below may be helpful in more advanced Group Policy troubleshooting. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-...
April 28, 2004 4:09:52 PM

Thanks Steve. No perms were changed, and I verified that they have read
permissions to the OU. I'll do the more in-depth testing that you
suggested, as well. I appreciate all the help.

-Zack-
