Archived from groups: microsoft.public.win2000.group_policy (
More info?)
Nick,
So long as the user account objects reside directly in the OUs to which the
GPOs are linked ( or in an OU that is under - not at the same level - as the
OU to which the GPO is linked ) then there should be no problems. UNLESS
you have somewhere ticked the Block Inheritance checkbox. It is important
that the user account objects reside directly in the OU to which the GPO is
linked. Hmmm....I have stated this several times. It could be important!
;-)
So, my first question to you is: the GPO that is to affect the
Administrators - to what OU have you linked it? To the Administrators OU or
to the "username" OU? And is the "username" OU the OU in which the user
account objects directly reside? If you linked it to the "Groupname" OU
then things are not going to work! Er, unless the user account objects that
are to fall under the Scope of Management of this GPO directly reside in
that OU - which I am assuming is not the case! It would seem that you have
answered this question already in your previous post. What happens if you
link it to the "username" OU? In fact, since this one is working I might
just leave it alone!
My second question to you is: the GPO that is to affect the Instructors - to
what OU have you linked it? To the Instructors OU or to the "username" OU?
And is the "username" OU the OU in which the user account objects directly
reside? Again, if you linked it to the "Groupname" OU then things are not
going to work. Again, making the same assumption as in my first question.
It would seem that you have answered this question already in your previous
post. What happens if you link it to the "username" OU?
My third question to you is: the GPO that is to affect the Students - to
what OU have you linked it? To the Students OU or to the "username" OU for
each year? And is the "username" OU the OU in which the user account
objects directly reside? Again, if you linked it to the "Groupname" OU then
things are not going to work. Again, making the same assumption as in my
first question. And, for this GPO - do you have the same GPO for all years
or a different GPO for each year? It would seem that you have answered this
question already in your previous post. What happens if you link it to the
"username" OU?
My fourth question for you is: are you making use of Group Filtering? This
is where you go to the security tab of each GPO and remove the Authenticated
Users security group ( which has both READ and APPLY GROUP POLICY rights )
and replace it with a security group of your choosing! So, if you are doing
this......are you using the correct security group? And in the case of the
Students are you using all of the security groups ( 1st year, 2nd year, 3rd
year, etc. )
My fifth question for you is: the GPOs that you have created are *naturally*
affecting the user configuration side of things. Please correct me if I am
wrong. Are you sure that you have not somehow disabled the user
configuration side of these GPOs? There is a place where you can disable
either one half or the GPO ( either the user configuration or the computer
configuration ) or both!
My sixth question for you is: have you used any of the troubleshooting tools
available to you? GPOTOOL is one such tool that is available to you. So is
GPResult.
My final question to you is: is everything fine and dandy with DNS? I know
that you have answered this already a couple of times but with Active
Directory a lot of things go back to DNS.......
--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
"Nick" <Nick@discussions.microsoft.com> wrote in message
news:A18A9DB6-8E82-4F78-8292-2C08D5FE0B71@microsoft.com...
> sorry about that....
>
> all of the users are located in OUs which are inside another OU called
> SBJATC Users (sbjatc is our domain)..... here is the basic set up
> sbjatc.local
> OU
> OU
> OU
> Sbjatc Users
> Instructors
> Groupname
> Username
> Students
> Groupname
> 1st year
> Username
> 2nd year
> Username
> 3rd year
> Username
> Administrators
> Groupname
> Username
>
> I have the GPOs for the Instructor OU, the Student OU and the
> administrators
> OU.
>
> The GPO works for the Administrators OU (could this work because these are
> also administrators for the local computers?)
>
> anyways.... the instructors, and students when I logon with one of the
> usernames gives me "INFO: The policy object does not exist." when i run
> gpresult
>
> when i run it on one of the administrators accounts it works fine.
>
> The only thing that doesn't seem to work is the folder redirection on the
> administrators GPO. I have that redirected to
> \\server\administrator\documents\%username% but it doesn't work...
> all of the scripts work, but not the redirection...
>
> Thanks for your help so far.
> "Cary Shultz [A.D. MVP]" wrote:
>
>> Nick,
>>
>> Think about what you are doing for a moment!
>>
>> GPOs are typically a domain thing. Granted, they apply to four levels:
>> local, Site, Domain, OU. And, they apply only to the objects that
>> directly
>> reside in the level to which the GPO is linked. The key words are
>> 'directly
>> reside'. It seems that you are doing something with groups! Not gonna
>> happen.
>>
>> Please explain to us your AD environment ( do the computer account
>> objects
>> reside in an OU or do they reside in the default COMPUTERS container , at
>> what level is the GPO linked, are the computer account objects members of
>> the domain or of a workgroup, etc. etc. etc. ).
>>
>> We need a lot more information from you....
>>
>> --
>> Cary W. Shultz
>> Roanoke, VA 24014
>> Microsoft Active Directory MVP
>>
>>
http://www.activedirectory-win2000.com
>>
http://www.grouppolicy-win2000.com
>>
>>
>>
>> "Nick" <Nick@discussions.microsoft.com> wrote in message
>> news:9CB6DDB4-EA90-4BBE-AEF7-18CDF2C9CEF7@microsoft.com...
>> >I have a gpo setup on my windows 2000 AD server. I have 3 groups,
>> > Instructors, Students, and Administrators. I have different policies
>> > for
>> > each
>> > group. On my local XP Pro Machine, the policies only work for
>> > administrators,
>> > What am I doing wrong?
>> >
>> > Thanks in advance for your help
>>
>>
>>