Group Policy applies to some users, but not others

Guest
Archived from groups: microsoft.public.win2000.group_policy

We have recently moved from one AD domain to a new one in a separate forest.
We used the 'addusers' utility from the resource kit to export the users from
the old domain and then import them into the new.

This all worked fine. Unfortunately it didn't bring the OU details with it.
Perhaps that was our mistake, perhaps that's just how it works, I don't know.
Anyway, once we'd completed the import we manually sat and sorted out the OU
membership.

However, when we apply Group Policy to the users, be it at the domain level
or OU level, we are finding some very strange inconsistencies where some users
are having the policy assigned, others are not.

The desktop operating system we are using is Windows XP SP1.

As a test yesterday, I assigned a GP to an OU to remove Run from the Start
Menu. I then logged on as a user in that OU and the Run command was still
there. So I created a new user in the OU, logged on as that user and the Run
command was missing as it should be. Since the new user was defaults only, I
looked at the differences between it and the existing user. So I took a few
long shots just in case. I removed the existing user's roaming profile. I
removed the logon script. I removed the mapped home directory. None of these
made any difference.

And yet some of the users created using 'addusers' have GP applied.
Bizarrely some seem to have only part of it applied, for example the run
command will be there, but access to the network properties will be denied.

In short, it is quite baffling and inconsistent. Any help would be greatly
appreciated.
 
Guest

This may be a result of inconsistent group membership and permissions on
GPOs.

How are the permissions on the GPOs assigned? One idea would be to check
the permissions on the GPO which is not applying to a particular user, and
then verify that the account (or a group the account is a member of) is
listed in the GPO permissions/access control list.

Please repost and let us know if this helps.

--
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Guest

Tim,

Thanks for the feedback. The GPO was just assigned the default
permission, so the 'Authenticated Users' group should get the policy applied.
Just for good measure, the permissions are as follows:
Authenticated users: Read and Apply Policy
CREATOR OWNER: Nothing
Domain admins, Enterprise Admins and System: Read, Write, Create Children,
Delete Children.

We have repeated the test from the other day and logged on as a new user in
the same OU as a user where the GPO isn't working. We then ran gpresult /z
against both of the users logged onto the same machine. An extract from those
is as follows:

Working user:

USER SETTINGS
--------------
CN=pupiltest,OU=00,OU=Pupils,DC=tgs,DC=local
Last time Group Policy was applied: 9/9/2004 at 9:42:19 AM
Group Policy was applied from: curriculum1.tgs.local
Group Policy slow link threshold: 500 kbps

Non-Working User:

USER SETTINGS
--------------
CN=pupil00,OU=00,OU=Pupils,DC=tgs,DC=local
Last time Group Policy was applied: N/A
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps

Apart from that the outputs are identical except for the Administrative
Templates section. These have all of the same entries, but in a different
order. Is the order significant at all? I could include that section, but
it's a bit big to include if it isn't helpful. Let me know if it is worth a
look and I'll post it.

Is any of that helpful at all? I am grateful for any advice you can give me.

Cheers,

Neil
 
Guest

I have faced the same problem in the past, then I got a solution through my
research. Open your Active Directory and then Computers... check if the
computer name for which you are applying the policies exists or not. If the
computer name does not exist in the directory then add the same name manually,
then change the membership with the same name... Wish you good luck, man.
 
Guest

It's interesting that the GPRESULTS showed this: "Group Policy was applied
from: N/A". It could suggest that the logon was a local one as opposed
to domain.

We could tell in more detail what is happening as the users log on by
enabling USERENV logging (steps in the article below) and then reproducing
the problem. You could gather a log from a working versus non-working as
well and compare/contrast them.

Another question that comes to mind (sorry if you've already stated this) is
whether the same issue occurs for a 'working' user logging into the same
workstation that a 'non-working' user typically logs into....

221833 How to enable user environment debug logging in retail builds of
Windows
http://support.microsoft.com/?id=221833

250842 Troubleshooting Group Policy Application Problems
http://support.microsoft.com/?id=250842

Please repost if we can help further.

--
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
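
Added example, not part of the original thread: a small Python parser for the USER SETTINGS header of saved gpresult /z output, which flags an account whose user policy was never processed and lists the header fields that differ between two accounts. The sample text is constructed from the extracts quoted in the thread (column alignment is assumed), and the function names are illustrative.

```python
import re

# Constructed sample input: the two gpresult /z extracts quoted in the thread.
WORKING = """\
USER SETTINGS
--------------
    CN=pupiltest,OU=00,OU=Pupils,DC=tgs,DC=local
    Last time Group Policy was applied: 9/9/2004 at 9:42:19 AM
    Group Policy was applied from:      curriculum1.tgs.local
    Group Policy slow link threshold:   500 kbps
"""
NON_WORKING = """\
USER SETTINGS
--------------
    CN=pupil00,OU=00,OU=Pupils,DC=tgs,DC=local
    Last time Group Policy was applied: N/A
    Group Policy was applied from:      N/A
    Group Policy slow link threshold:   500 kbps
"""

FIELDS = (
    "Last time Group Policy was applied",
    "Group Policy was applied from",
    "Group Policy slow link threshold",
)
LINE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_user_settings(text):
    """Return the user DN and header fields of the USER SETTINGS block."""
    info, in_user = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "USER SETTINGS":
            in_user = True  # ignore any COMPUTER SETTINGS block before it
        elif in_user and "dn" not in info and stripped.upper().startswith("CN="):
            info["dn"] = stripped
        elif in_user and (m := LINE.match(line)) and m.group(1) in FIELDS:
            info.setdefault(m.group(1), m.group(2))
    return info


def never_applied(info):
    """True when gpresult recorded no user policy processing at all."""
    return all(info.get(f, "N/A") == "N/A" for f in FIELDS[:2])


def differing_fields(a, b):
    """Map each header field whose value differs to the (a, b) pair."""
    return {f: (a.get(f), b.get(f)) for f in FIELDS if a.get(f) != b.get(f)}
```

Run over one saved output per account, `never_applied` separates accounts that never processed user policy from accounts where specific GPOs were filtered out, which are different problems to chase.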