Solved

Group Policy in AD OU not applying to all users in group assigned to GP

Posted on 2004-09-07
445 Views
Last Modified: 2012-06-27
I have 2 GP's setup in an OU, one is for loopback processing and the other configured to lockdown a Terminal Server.  I have a group that applies the lockdown policy for selected users.  The problem I am having is that only certain users in this group are having the GP applied when logged into their session.  The user's that are not being applied are the latest ones I have created and added to the group.  I don't understand why some users in the group work and the newly created users don't.  Please help.

Thanks  
Question by:zCitrixz
16 Comments
 
LVL 20

Expert Comment

by:Debsyl99
Hi
Has the policy propagated yet? Try running secedit /refreshpolicy user_policy and secedit /refreshpolicy machine_policy from a cmd prompt, wait, then run gpresult /v from a cmd prompt as a logged-on user to check. Additionally, you may want to check that these users have Read and Apply Group Policy permissions on the GPOs.

Deb :))
 
LVL 2

Expert Comment

by:Ranidae
Hmm... are the users in the OU that the policy applies to?  Group policy does not apply to groups, but only to users in the OU where the policy is linked.
 
LVL 25

Expert Comment

by:mikeleebrla
Ranidae, you are wrong. In order for a group policy to apply, the following conditions must be met:
1. The object must be within the OU.
2. The object must have Read and Apply Group Policy rights to the OU (these rights can be applied to any GROUP, so in effect GPOs can be applied to groups).
3. The policy must not be filtered out in any way.
 

Author Comment

by:zCitrixz
I have only one OU and group policy set for it.  Applied to that policy is a group that has Read and Apply.  Everything works fine and always has for users in this group.  I have recently added a few newly created users to this group, which are not having the policy applied.  The original users in this same group still have the policy applied, working correctly.  Shouldn't all users in this group have the policy applied?  All users are located in the same built-in OU, "Users".
 
LVL 20

Expert Comment

by:Debsyl99
Hi

Ranidae is correct in what he says in the context in which he has said it - you can't apply group policy per se to security groups just by adding the security group to the OU - you CAN (as mikeleebrla has pointed out) use filtering to selectively apply or deny the application of group policy to security groups, but this has to be done via the ACL. Nor can you set a GPO on the default containers such as the built-in Users container.

From what you've said I am slightly confused as to your set-up. For the single OU that you have said you have, what exactly does it contain object-wise? Do you have users in the OU itself? Computers? What exactly is in there, and which policies are being applied successfully to some and not others? What policies are set at the domain and/or site level, i.e. via the default domain policy, and which are only attached to this OU?

Ordinarily you would have users moved from the built-in Users container to a specific OU, at which point they would receive group policy that applied to that OU, subject to the correct permissions in the ACL for that OU. They would also receive permissions from the domain and/or site policies too, depending on what you have set there. Please give as much info as you can, and it would help to post the results of running gpresult /v from a command prompt from the login of both a successful user (in terms of policy application) and a non-successful user (edited for domain-specific confidentiality of course).

Deb :))

 
LVL 15

Accepted Solution

by:harleyjd (earned 250 total points)
You need to check the loopback mode on BOTH policies; otherwise the one without loopback will/may be ignored if it's not also applied to the users' OU.

I always use Loopback to lockdown TS servers in mixed TS/DT environments.

The other thing I do is cut the Group Policy refresh rate - it defaults to 90 minutes! That's OK on a big network, but not on a baby one...
 

Author Comment

by:zCitrixz
Thanks for the Gpresult suggestion Debsy.  I ran it under the user that is having the policy applied and the one that isn't.  Besides the output stating that the one isn't applying it, I noticed the only difference was the local profile name.  The output from Gpresult /V is as follows, and the difference is the same for all users that work and don't work.

Policy is applied:

Roaming profile:      \\metad\profiles\Shop
  Local profile:      C:\Documents and Settings\Shop.DAS


Policy is not applied:

Roaming profile:      \\metad\profiles\Graham
  Local profile:      C:\Documents and Settings\Graham

Note, the difference is the local profile (username.domain)

Any idea on how to create (username.domain) local profile?  I must have missed something when creating these new batch of users that aren't working.

Thanks
 
LVL 15

Expert Comment

by:harleyjd
The .domain just shows up if there's already a "shop" folder there which isn't owned by domain\shop, so that Graham folder may well relate to domain\graham (aka graham.domain).

I still think you need to enable loopback processing on both policies in the TS OU if the users are in a different OU...

go on - just try it!


 

Author Comment

by:zCitrixz
I enabled loopback policy on the other Policy in the TS OU and refreshed but still the same problem.
 
LVL 15

Expert Comment

by:harleyjd
OK, double-check the permissions on both group policies and make sure your group has Read and Apply Group Policy rights to the objects - maybe you initially set it up with individual user permissions?

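A way to check mikeleebrla's conditions and harleyjd's per-user-permission suspicion in one pass: the trustee needs Read and Apply Group Policy on the GPO's ACL, a per-user ACE does not carry over to users added to the group later, and loopback is a per-GPO setting. This is an added PowerShell audit, not code from the thread; it assumes the GroupPolicy and ActiveDirectory RSAT modules (which post-date this 2004 discussion) and reuses the GPO and group names the asker gave (Lockdown, LoopBack, MetaLock).

```powershell
# Added audit script, not from the thread. Assumes the GroupPolicy and
# ActiveDirectory RSAT modules (Server 2008 R2+). Names below are the asker's.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Lockdown'
$GroupName = 'MetaLock'

# 1. Security filtering: Get-GPPermission reports GpoApply only for trustees
#    holding BOTH Read and Apply Group Policy on the GPO's ACL.
$applyTrustees = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object -ExpandProperty Trustee

Write-Host "Trustees with Apply Group Policy on '$GpoName':"
$applyTrustees | ForEach-Object { Write-Host "  $($_.Name) [$($_.SidType)]" }

# 2. Per-user ACEs are the failure mode harleyjd suspects: a user added to the
#    group later gets nothing unless the GROUP itself carries the right.
$groupHasApply = $applyTrustees | Where-Object { $_.Name -eq $GroupName }
$userAces      = $applyTrustees | Where-Object { $_.SidType -eq 'User' }

$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

if (-not $groupHasApply) {
    Write-Warning "'$GroupName' has no Apply right on '$GpoName'; checking members individually."
    $uncovered = $members | Where-Object { $userAces.Name -notcontains $_.SamAccountName }
    if ($uncovered) {
        Write-Warning "Members with no Apply right at all: $($uncovered.SamAccountName -join ', ')"
    }
}

# 3. Loopback is stored in each GPO's Computer Configuration as UserPolicyMode
#    (1 = Merge, 2 = Replace). Check every GPO linked to the TS OU.
foreach ($name in 'LoopBack', $GpoName) {
    try {
        $v = Get-GPRegistryValue -Name $name -ErrorAction Stop `
                 -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                 -ValueName 'UserPolicyMode'
        $mode = @{ 1 = 'Merge'; 2 = 'Replace' }[[int]$v.Value]
        Write-Host "GPO '$name': loopback processing = $mode"
    } catch {
        Write-Host "GPO '$name': loopback processing not configured"
    }
}
```

Run it from a domain-joined machine with RSAT installed; for what a given session actually received, gpresult /v on the Terminal Server (as the thread does) remains the ground truth.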
 
LVL 20

Expert Comment

by:Debsyl99
Hi

Could you check the event logs on the TS and on the machine the user is logging on from? Also, what are the client PCs?

 

Author Comment

by:zCitrixz
Nothing in the event logs in relation to what is going on.  
I am doing all testing from one PC (Win2K)
A bit more info on my setup:
In AD I have just one manually created OU called Metaframe Server.  The object located in the OU is my MetaFrame Server.  At the OU I have 2 policies (the only policies I have created).  The first that runs at the OU is called LoopBack and is a policy with just the loopback feature enabled.  The only one with Read and Apply Group Policy is the MetaFrame Server.
The next policy that runs is called Lockdown and has things like disable changing background, hide drives, etc.  The only one with Read and Apply Group Policy is a group called MetaLock that is only used for the purpose of applying the GPO.

Testing from my PC the policies run with most users in the MetaLock group, except for 3 I created recently.  The only thing different with these users I noticed is that on the Metaframe Server their local profile folder is only their username, whereas the other working users have a username and username.domain folder.  Hope some of this helped a bit.
Also when running gpresult /v the user not working did run the LoopBack GPO, but not Lockdown.

 
LVL 15

Expert Comment

by:harleyjd
I still think you need to enable Loopback mode in the lockdown policy.

 

Author Comment

by:zCitrixz
It has always worked fine without it enabled at "Lockdown" and still does for most users in the group the policy applies to.  It's just a couple of new users I added recently to the group it doesn't work for.
 
LVL 15

Expert Comment

by:harleyjd
Can you at least try it? I promise I'll shut up if it doesn't work.

 
LVL 20

Expert Comment

by:Debsyl99
Hi

I would think that harleyjd is right - if you enable the loopback it will work. Could you post the FULL results of the gpresult /v, from the working logon and the not-working logon, so we can see which policies are being applied and from where? There is no logical reason that I can see why the users that work should be pulling this policy as it is set, due to the loopback not being enabled on that policy. The only thing I can think of (not being able to test this theory out at the moment) is that the users that do work pulled this policy at least once in the past, which would explain why their profile folders are different. Usually profile location changes etc. are changed registry settings that stay changed. If you post the full gpresult logs then it will confirm or deny this.

Deb :))