Solved

GPOs only work if user is member of local administrators group on Win2k workstations

Posted on 2004-11-23
Last Modified: 2010-04-14
I have 2 Windows 2000 Servers, and a whole slew of Win2k workstations.  Currently, all users are members of their pc's Administrators group, but not the Domain Admins group.  We tried to tighten security down and started by removing users from the local admins group.  When I did, all of my GPOs defined in AD Users and Groups stopped working, including scripts and restrictions (screensaver forced to lock, etc).  If I add users back to the local admins, things work great.

Ideas?

Thanx,
Mike
Question by:pingking

Expert Comment

by:luv2smile
ID: 12657287
Have you checked the security permissions on the GPOs to make sure the domain users group has the appropriate rights?

Author Comment

by:pingking
ID: 12657345
Authenticated users have read and apply, and I gave write just for kicks.  No dice.

Expert Comment

by:luv2smile
ID: 12657575
run gpresult.exe from one of the clients to see if it gives you any info such as maybe if there is gpo filtering setup.

Expert Comment

by:luv2smile
ID: 12657775
On the properties tab of the GPO, go to WMI filter and see if any filters are set up there.

Author Comment

by:pingking
ID: 12658112
It's a 2000 server, not 2003.  Is WMI available on 2000?  If so, where?

Author Comment

by:pingking
ID: 12658379
More good news.  Tests show that if I create a new user, it works fine.  If I move a current user to a new OU, same problem.  I think it's something with the user accounts themselves.  Fortunately, there are less than 50 users, but I would really hate to recreate each and redo profiles.

Aarrgghh

Expert Comment

by:TJworld
ID: 12659517
Is the event log reporting anything?


Author Comment

by:pingking
ID: 12665106
Nothing new.  Had a few license errors (really thought I was onto something there), but turned out to be nothing (I had several licenses that had been issued > a year ago that had not been released, so I released them - no help).

Expert Comment

by:TJworld
ID: 12665253
I'm wondering if somehow those users don't have Apply Group Policy permissions in the GPO?

To check for *each* GPO you have, follow this example:

http://live.tjworld.net/help/ee/Q_21217635a.wmv (Streaming media) or
http://tjworld.net/help/ee/Q_21217635a.wmv (Web download)

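The two checks suggested in this thread (luv2smile's "does the domain users group have the appropriate rights" and TJworld's "do those users have Apply Group Policy permission") can be done in one pass on a current domain. The script below is an added example, not something from the thread or from Experts Exchange; it assumes a domain controller or RSAT host with the GroupPolicy PowerShell module, which did not exist on the Windows 2000 domain the question is about (there the same check is done by hand on each GPO's Properties > Security tab). It lists every GPO that does not grant Apply Group Policy to Authenticated Users or Domain Users, that carries any Deny entry, or that has a WMI filter attached, since any of those would explain a policy that silently stops applying to a subset of users.

```powershell
# Added example (not from the thread): audit Apply Group Policy rights across all GPOs.
# Assumes the GroupPolicy module (RSAT / domain controller); trustee names are the
# defaults the thread mentions and can be adjusted.
Import-Module GroupPolicy

function Test-GpoApplyPermission {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [string[]]$ExpectedTrustees = @('Authenticated Users', 'Domain Users')
    )

    # -All returns every ACE on the GPO, not just one trustee's.
    $perms  = Get-GPPermission -Name $GpoName -All
    $apply  = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    $denied = $perms | Where-Object { $_.Denied }

    [pscustomobject]@{
        Gpo              = $GpoName
        ApplyTrustees    = ($apply | ForEach-Object { $_.Trustee.Name }) -join ', '
        HasExpectedApply = [bool]($apply | Where-Object { $ExpectedTrustees -contains $_.Trustee.Name })
        # A Deny on Apply for a group the user belongs to overrides any Allow.
        DenyEntries      = ($denied | ForEach-Object { "$($_.Trustee.Name):$($_.Permission)" }) -join ', '
        # WMI filters are the other common reason a GPO applies to some machines and not others.
        WmiFilter        = (Get-GPO -Name $GpoName).WmiFilter.Name
    }
}

# Report only the GPOs that look suspicious; drop the Where-Object to see all of them.
Get-GPO -All |
    ForEach-Object { Test-GpoApplyPermission -GpoName $_.DisplayName } |
    Where-Object { -not $_.HasExpectedApply -or $_.DenyEntries -or $_.WmiFilter } |
    Format-Table -AutoSize
```

The client-side cross-check is still `gpresult` on the workstation, as suggested earlier in the thread: a GPO that shows up under "filtered out" there points at permissions or WMI filtering, whereas a GPO that is listed as applied but has no visible effect (the symptom in this question) points at something on the client, such as the profile.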

Author Comment

by:pingking
ID: 12665526
Talk about some slow streaming media.  I've verified the permissions on the GPO, and even added domain users as a group (as opposed to authenticated users) and manually set the Read & Apply rights.  Still waiting on that video...

Author Comment

by:pingking
ID: 12665583
Saw the media, already tried that.  Anything else...

Expert Comment

by:TJworld
ID: 12665680
I think the connection is under pressure, almost fully saturated with a mega file transfer.

I think you have to examine the file permissions both on the SYSVOL share and also on the local PC in the locations it copies GPO files to.

%systemroot%\security\templates\

To track what's going on how about enabling auditing of file access for that folder and its children, and do the same on the SYSVOL share.

See what the Domain Controller and the Workstation are actually doing and hopefully what is failing?

Author Comment

by:pingking
ID: 12665824
That's gonna take a little while.  I'll let you know...

Author Comment

by:pingking
ID: 12669462
OK.  User has Read/Execute, List & Read on both the SYSVOL and local %systemroot%\security\templates directories.  System has full access.  Network does not appear saturated in any way, shape or form (i.e. network performance has not degraded in any way).

Whatcha think?

Expert Comment

by:TJworld
ID: 12674133
lol... Network Saturation... I was on about my streaming media connection :-D

If you can hang on 24 hours I'll post this one to Microsoft Private support and see what Microsoft have to say about it?

Accepted Solution

by:swinterborn (earned 1500 total points)
ID: 12677634
You said that a newly created user gets the GPOs applied correctly. Therefore there are no issues with permissions on the GPO or sysvol. Prime culprit would have to be profiles - I've seen profiles prevent GPO application too many times, the answer has always been to delete the existing profile, let it be recreated from scratch, and then the GPO applies perfectly.

Obviously you would want to test out one profile first to verify this, before going through all of them.

If you are using roaming profiles, make sure you delete both the source profile on the server and any cached copies on workstations. If you believe there may be data on the users' desktops, etc, rename the source profile rather than deleting (profilename.bad has always worked for me ;')) but still delete any cached copies.

HTH
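The procedure in the accepted answer (rename the server-side roaming profile to `profilename.bad` rather than deleting it, then remove every cached copy on the workstations, one user at a time before touching the rest) is easy to get half-done by hand, and a half-removed cached profile reproduces the same symptom. The function below is an added example, not code from the thread or from Experts Exchange; it assumes a current Windows domain whose workstations answer CIM/WinRM queries (Windows 2000 clients do not), and the domain, share and workstation names in the usage line are hypothetical placeholders.

```powershell
# Added example (not from the thread): reset one user's roaming profile as the accepted
# answer describes. Assumes a current Windows domain with CIM/WinRM reachable on the
# workstations; the share and computer names passed in are placeholders.
function Reset-RoamingProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$ProfileShare,     # e.g. \\FILESERVER\Profiles$ (hypothetical)
        [Parameter(Mandatory)][string[]]$Workstations
    )

    # Win32_UserProfile is keyed by SID, not by name, so resolve the account once up front.
    $account = New-Object System.Security.Principal.NTAccount($Domain, $SamAccountName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # 1. Rename (never delete) the source profile on the server, so user data survives.
    #    Matches both the plain "user" folder and versioned "user.V<n>" folders.
    $pattern = '^' + [regex]::Escape($SamAccountName) + '(\.V\d+)?$'
    $folders = Get-ChildItem -Path $ProfileShare -Directory | Where-Object { $_.Name -match $pattern }
    if (-not $folders) {
        Write-Warning "No server-side profile folder for $SamAccountName under $ProfileShare"
    }
    foreach ($f in $folders) {
        Rename-Item -Path $f.FullName -NewName ($f.Name + '.bad')
    }

    # 2. Remove the cached copy on each workstation. A profile that is still loaded
    #    (user logged on) cannot be deleted, so report it and move on instead of
    #    leaving a partially removed profile behind.
    foreach ($ws in $Workstations) {
        try {
            $cached = Get-CimInstance -ClassName Win32_UserProfile -ComputerName $ws `
                -Filter "SID = '$sid'" -ErrorAction Stop
        } catch {
            Write-Warning "${ws}: could not query profiles ($($_.Exception.Message))"
            continue
        }
        foreach ($p in $cached) {
            if ($p.Loaded) {
                Write-Warning "${ws}: profile for $SamAccountName is loaded; log the user off first"
                continue
            }
            # Remove-CimInstance invokes Win32_UserProfile.Delete, which removes both the
            # local folder and the matching ProfileList registry entry.
            Remove-CimInstance -InputObject $p
        }
    }
}

# Test on one user first, as the answer advises. -WhatIf only reports what would change;
# drop it to perform the rename and removal.
Reset-RoamingProfile -Domain 'CORP' -SamAccountName 'mike' `
    -ProfileShare '\\FILESERVER\Profiles$' -Workstations 'WS01', 'WS02' -WhatIf
```

Because the function declares `SupportsShouldProcess`, `-WhatIf` propagates to both `Rename-Item` and `Remove-CimInstance`, which gives the dry run the answer recommends before working through all fifty profiles. Log the user off the workstations before running it for real; the `Loaded` check above refuses to touch a profile that is in use rather than failing halfway.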

Author Comment

by:pingking
ID: 12697362
I was afraid you were going to say that, and it's just the thing I was trying to avoid.  I'll let you know...

Thanx

Author Comment

by:pingking
ID: 12866802
I ended up having to recreate nearly EVERY profile.  All of which were roaming.  Ick.  But it's done, and it's working.

Thanx