Solved

2k3 group policy is not working

Posted on 2006-05-04
Last Modified: 2009-07-29
Created an OU, placed user in there, user configuration added a logon script. Runs fine.

Instead of doing the user, we wanted to apply a logon script on the specific server.

So created a new OU, placed my server in there, made a new policy, and under computer and then user configuration we added the script.

It does not run

I am not sure if it was supposed to be in user or computer config.


any help greatly appreciated.

Question by:shankshank
52 Comments
 
LVL 2

Expert Comment

by:whaupwit
ID: 16609513
What are you trying to script on this specific server?  Under Computer Configuration -> Scripts, these only run on Startup or Shutdown.  Have you rebooted the server?
Whether you want this script to run under User Logon/Logoff or Computer Startup/Shutdown depends on what you want the script to do.
If you want something to happen on this specific server, it sounds like you want to use Computer Configuration -> Scripts -> Startup.
Can you give us more detail?
0
 
LVL 5

Author Comment

by:shankshank
ID: 16609595
I want it to run when the user logs on, so I placed the machine in the OU, and in the group policy under user config I added that script.

but for some reason it isn't applying to the user.
0
 
LVL 2

Expert Comment

by:whaupwit
ID: 16609788
What is your User Logon Script trying to do?  Do you want this Script to run when the User logs into the Server locally? Or is the user logging into a Domain?
0
 
LVL 5

Author Comment

by:shankshank
ID: 16609808
user logging in through Citrix
0
 
LVL 10

Expert Comment

by:Walter Padrón
ID: 16609959
Hi shankshank,

Logon scripts work independently:
Startup works when the computer starts and before the user logs in.
Shutdown works when the computer stops, no matter what user was logged on.
Logon works when the user logs in, no matter on what computer.
Logoff likewise.

As a workaround you can check the server name in your user logon script and execute actions accordingly, for instance:

if /I "%COMPUTERNAME%"=="MYSERVER" (
  rem do whatever: the commands placed here run only when the script executes on MYSERVER
  echo Running server-specific logon actions on %COMPUTERNAME%
)

cheers
0
 
LVL 5

Author Comment

by:shankshank
ID: 16614908
wpadron
there is a computer configuration and a user configuration

when I apply a user configuration policy (start logon script) to an OU with the user in it, it runs perfectly.

Then I try to apply this config with the computer in the OU, and the user out of it, and the script doesn't run. Why is that?


Shouldn't there be a way to run a logon script for any user that logs into a certain machine without applying that setting in the LOCAL group policy or a customized batch file? I thought AD's whole purpose was the easy management of policies????

someone correct me if I am wrong, but there should be a way through AD to do this
0
 
LVL 6

Expert Comment

by:e_vanheel
ID: 16615109
Why are people logging in to a server? Are they not logging into the domain?  What is your environment?

Are the server and user in the same OU?  Is the GP linked to the OU?  Do the server and the user have read and apply group policy permissions?
Understand how GPs work at the computer and user level, as wpadron has explained.

Are you using the group policy manager (the new one)?  Have you tried the GP Modeling and Results? I find them VERY useful.
0
 
LVL 5

Author Comment

by:shankshank
ID: 16615532
They are logging into the domain, but the particular server that they log in to is a Citrix server. The server and user are not in the same OU. The GP is linked to the OU of the computer.

Is the new group policy manager what is included with 2003 by default?

Maybe what I am trying to do is not possible?
0
 
LVL 6

Expert Comment

by:e_vanheel
ID: 16615594
The user still needs to have both read and apply permissions to the group policy.

The new GP manager is a download from Microsoft.  Get it! It helps you visualize the concepts of linking GPs to OUs and permissions.  For example, if you have a GP that is linked to a test OU.  You have 50 people in that OU but you only want a group of people to have the GP applied to them.  Create a group, assign the group read and apply, remove the other permissions and make people members of that group.  Only people who you add to that group will have that GP applied.

This also works for computers - make the computers members of a group that has permissions to the GP.  

hope that helps
0
 
LVL 5

Author Comment

by:shankshank
ID: 16615633
where is this new one?
0
 
LVL 2

Assisted Solution

by:studlyed
studlyed earned 150 total points
ID: 16615640
gpupdate /force
maybe the policy is not getting fully updated.
0
 
LVL 5

Author Comment

by:shankshank
ID: 16615913
So this is nice, I can visualize it, and I did enforce, but it seems it still will not apply that setting to a user.

I did a simple remove HELP from start menu, under the user configuration. Put the computer in that OU, and allowed authenticated users, but it won't even do that.
0
 
LVL 6

Expert Comment

by:e_vanheel
ID: 16615999
After you made the change you must wait (depending on what the policy is) or run a gpupdate /force on XP, or secedit for 2000 computers, IF it is a user GP.  IF it is a computer GP you must reboot.

Run a GP modeling on the computer to see if your logic is correct.  This shows what the AD thinks will be applied to the computer or user.  Once you have that working the way you want it to, you can run the GP Results if the computer is an XP or 2003 computer to see what is ACTUALLY occurring.  If the model works and the result does not, then we know where to troubleshoot next.

This could be as simple as the link order - a higher priority GP is overriding a lower one.

If you did a User GP - ensure that that user - not the computer - has the permission.  If you left the default of auth. users that should work.  Try the GPUpdate.

0
 
LVL 5

Author Comment

by:shankshank
ID: 16616161
I ran the GP modeling wizard and it said successful. It applied it to all authenticated users and then servers in the OU. But of course when I log in, I don't see the policy in effect, even after running the gpupdate.
0
 
LVL 5

Author Comment

by:shankshank
ID: 16616180
So I have a users group and an OU with my Citrix server

Can you tell me step by step how to apply a policy to any user who logs into that particular server?

I made a simple GP already which hides the HELP link from the start menu.
0
 
LVL 5

Author Comment

by:shankshank
ID: 16616382
I reran the test and under Denied GPOs it shows my GPO denied and the reason being 'empty'

what does that mean?
0
 
LVL 6

Expert Comment

by:e_vanheel
ID: 16616387
what are you trying to accomplish?
0
 
LVL 5

Author Comment

by:shankshank
ID: 16616393
I take that back, that was under computer config, under user config it runs
0
 
LVL 6

Expert Comment

by:e_vanheel
ID: 16616395
that you did not tell the GP to "do anything" - like remove the help from the start bar
0
 
LVL 5

Author Comment

by:shankshank
ID: 16616412
Ok, what am I trying to accomplish.

I want to create an OU called Citrix Servers, and apply a GP to it. So anyone that logs into the Citrix servers gets a specific user GP applied.

Can I do this?
0
 
LVL 6

Expert Comment

by:e_vanheel
ID: 16616422
yes,  What is it you want to do in the GP?
0
 
LVL 5

Author Comment

by:shankshank
ID: 16616432
Here is the structure

computers
 - citrix servers OU
    - server 1

users
   -user 1
   -user 2

apply GP to Citrix servers OU so that when the user logs in to that server, specific policies are applied
0
 
LVL 5

Author Comment

by:shankshank
ID: 16616445
In the GP I want to add a specific local site to the intranet zone
and also for IE user authentication do logon 'automatic logon only in intranet zone'

That is all I need, but I used the start menu stuff and hiding choices for a quick test
0
 
LVL 6

Expert Comment

by:e_vanheel
ID: 16616509
OK, Have you figured out how to make that GP do that? or is that what your question is?

I thought you were asking why GPs were not working and it looks like they are now working.

You can apply GPs to OUs for Users and Computers.  You don't even need to create a new OU to do this.  Create a group for this GP for users and computers.  Add the users and computers to the group. Assign the read and apply to the GP.  Define the GP (what you want the GP to do - like remove help). And force the update.  Understand, as said before, computer script GPs require the computer to be rebooted and some user scripts require the user to re-log in.  You can force the task with the GPUpdate /force or the secedit (with switches) commands.

0
 
LVL 5

Author Comment

by:shankshank
ID: 16616543
Oh no no, I understand how to edit that GP, that is fine

the problem is they are not being applied, not working

I don't want to put the users and computers in the same group. I just want to apply a policy to the computer group OU, with user settings, so when that user logs in to a computer in that particular OU it gets applied.  Is that doable? Or do I really have to have that user moved to a different group?

I don't want to move the user because the hierarchy is getting so confusing now with different groups and people
0
 
LVL 6

Expert Comment

by:e_vanheel
ID: 16616599
OK. just insure that the users have permissions to read the apply.
0
 
LVL 5

Author Comment

by:shankshank
ID: 16616605
How do I do that?
0
 
LVL 6

Expert Comment

by:e_vanheel
ID: 16616606
sorry, Read and apply GP
and do what you need to in a login script.
0
 
LVL 6

Expert Comment

by:e_vanheel
ID: 16616667
Create the GP
link the GP to the OU where the servers are.
under security filtering - click on add.  Add the servers and users you want the computer / user policies to take effect.  The users or a group containing the users can be in another OU.
Since you want the user policy to only happen when your users login to that server, you need to use the "login" script portion of the GP and write a script to do what you want.

0
 
LVL 5

Author Comment

by:shankshank
ID: 16616911
ok I clicked add, the computers weren't allowed, so I went to object types and checked computers, added my computer. Now I have the Citrix computer and the user I am testing. I am going to wait a few minutes, apply Gpupdate on the Citrix server, and then try logging into it
0
 
LVL 5

Author Comment

by:shankshank
ID: 16617061
It didn't work.....When I ran a gpresult, under applied group policy objects it doesn't show the policy
0
 
LVL 6

Expert Comment

by:e_vanheel
ID: 16617128
use the GP manager to check using group policy results to ensure that the GP has taken effect.
0
 
LVL 5

Author Comment

by:shankshank
ID: 16617155
thanks for showing me these nice tools

I did as you told, and under user config summary, it doesn't show my GPO under the applied or denied GPOs
0
 
LVL 5

Author Comment

by:shankshank
ID: 16617177
Ok this is odd. It sees the GPO for the computer config, and denied it, but for user config it doesn't show up
0
 
LVL 6

Expert Comment

by:e_vanheel
ID: 16617237
So using the GPM (GP manager) you are looking at the OU and have highlighted the OU where the server is.
On the Scope tab, does Link Enabled say Yes?
Under Filtering on the Scope tab, do you have both the user and server listed?
On the Status tab, is it enabled for both?
On the Settings tab you should see what you have configured the GP to do.
And on the Delegation tab both the user and computer should have Read listed.

Check all of these things.

What does it list for the reason it was denied?  And where do you see that the computer config is denied?
0
 
LVL 5

Author Comment

by:shankshank
ID: 16617299
Yes to everything, only we don't have a Status tab but a Details tab.

The reason for denying the computer config is because it is 'empty', which makes sense since I applied no computer settings, only User settings
0
 
LVL 10

Expert Comment

by:Walter Padrón
ID: 16617702
Hi shankshank,

As far as I know what you want to do isn't possible without some sort of scripting.
My last advice is trying using WMI filters, see http://support.microsoft.com/default.aspx?scid=kb;en-us;555253

I'll keep tracking this thread ;)

0
 
LVL 5

Author Comment

by:shankshank
ID: 16617742
WMI filters only apply on Windows XP and Winsows Server 2003 computers. WMI filters are ignored on earlier versions of Windows. In order to be able to filter policies you will need at least one domain controller running Windows Server 2003 in your environment.


what is winsnows ?? hahah ok back to reading the KB
0
 
LVL 6

Expert Comment

by:e_vanheel
ID: 16617786
OK, let me understand something.......Do you have the GPs working for the user when they log in??? If not, let's fix that first.

If that works then the question is what you are trying to accomplish via the GP.

So, do you have GPs working so when people login to the citrix some basic gp is applied?
0
 
LVL 5

Author Comment

by:shankshank
ID: 16617806
Under GP group policy results, it shows this for user configuration

Applied GPOs
Local group policy
and default domain policy

Normal GPs work yes
0
 
LVL 6

Expert Comment

by:e_vanheel
ID: 16617836
As far as adding the url to the correct zone.

Check out user config/windows settings/internet explorer maint/security

You can set your settings off of your current settings or change it as you need.

Let's get basic GPs working before we tweak.
0
 
LVL 5

Author Comment

by:shankshank
ID: 16617854
I did that for IE, but of course it wouldn't apply. You want me to add that in the regular GP?

I don't understand why when I run a results the computer config sees the GP but the user config doesn't
0
 
LVL 6

Expert Comment

by:e_vanheel
ID: 16617855
So just to clarify.

You are getting GPs to apply to a user when they log in to a Citrix server the way you want.....Right?
0
 
LVL 5

Author Comment

by:shankshank
ID: 16617882
no! The GP I created is not applying to the user when they connect to the Citrix box. That's the whole problem I've been trying to say.


0
 
LVL 6

Assisted Solution

by:e_vanheel
e_vanheel earned 675 total points
ID: 16617990
What is the name of your GP?
0
 
LVL 2

Expert Comment

by:whaupwit
ID: 16630091
How are the users connecting to the Citrix Server?  Terminal Services, or ICA Client?
I am assuming the users log into their PC workstation and domain.  The PC successfully applied its Startup Script (if the PC was not already on).  The user's Logon Script runs successfully on the workstation.
Then, the user opens a connection to the Citrix Server, right?
0
 
LVL 5

Author Comment

by:shankshank
ID: 16630105
The name of the GP is Citrix test


whaupwit: That is exactly how people connect to the Citrix server, ICA client.
0
 
LVL 2

Expert Comment

by:whaupwit
ID: 16630331
Okay, I have some experience working through these types of Citrix issues.  Each user is logging into the server virtually through the ICA Client, so it does seem like you would treat them like normal users logging into a normal workstation.  I can research the Active Directory implementation on GPs for Citrix Servers and User Configs, but there may be a simpler solution.
Since the Citrix Server is accepting user logons, you could modify the Default User Profile to include the few changes you want, and then you don't need a GP at all.
If you are more comfortable with GPs, you could put a local policy in place on the Citrix Server.  Your stated goals are just a couple clicks in a local GP on the Citrix Server itself.  Of course you know, the local GP can do a whole lot more than IE settings.
 
0
 
LVL 5

Author Comment

by:shankshank
ID: 16630452
I did have a local policy in place, but for management purposes it didn't make sense to have some servers managed through GP and then the others on their local policy. So I figured, best practices is to put GP.

True that I could modify the default user profile, which I did for minor things such as exchange setup etc.

Let me know what you find, it doesn't make sense to me that the GP management tool shows that they are in place and should be working, yet nothing really gets implemented
0
 
LVL 2

Accepted Solution

by:whaupwit
whaupwit earned 675 total points
ID: 16633715
All right, I have polled my colleagues and come to a consensus.  The AD structure is an appropriate way to manage your Citrix Server User Logons.
Whether users log straight into the Server Console (in person standing in front of the case) or log into a terminal session through an ICA Client, the GPO for User Configs and Logon Scripts should work fine.
That said, Citrix is not the most stable thing to get GPOs to work on (as you have found).  In my environment, we implemented both local Group Policies and Default User profile changes on top of GPOs at the OU level.
The reasons are real world constraints and limitations on what each could deliver in our environment.  I will post more info in a bit.  Work calls.....
0
 
LVL 5

Author Comment

by:shankshank
ID: 16691072
It was actually loopback policy which needed to be enabled in GP under computer configuration
0
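The configuration the thread ends on (user settings in a GPO linked to the servers' OU, security filtering that covers both the computer accounts and the users as e_vanheel describes, and loopback processing enabled under Computer Configuration as the author finally found), expressed as a GroupPolicy-module PowerShell script with a verification function. This is an added example, not code from the thread, from Citrix or from Microsoft; it assumes the GroupPolicy module (Windows Server 2008 R2 and later, or RSAT) rather than the 2003-era GPMC, and the OU distinguished name, the "Citrix Users" group and the "Citrix Servers" group are placeholders. Only the GPO name "Citrix test" comes from the thread.

```powershell
# Added example (not from the thread): configure and verify a loopback GPO for a Citrix servers OU.
# Assumes the GroupPolicy module (Windows Server 2008 R2+ or RSAT) in a domain-admin session.
# Placeholders: the OU DN and the two group names. Only the GPO name is taken from the thread.
Import-Module GroupPolicy

$GpoName      = 'Citrix test'
$ServersOu    = 'OU=Citrix Servers,OU=Computers,DC=example,DC=com'   # placeholder DN
$UsersGroup   = 'Citrix Users'      # placeholder: group holding the users who log on via ICA
$ServersGroup = 'Citrix Servers'    # placeholder: group holding the Citrix server computer accounts
$LoopbackKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'

# 1. Create the GPO if needed and link it to the OU that contains the servers, not the users.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$linked = (Get-GPInheritance -Target $ServersOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $ServersOu -LinkEnabled Yes | Out-Null }

# 2. Security filtering. Loopback is a computer-side setting, so the server accounts need
#    "Apply group policy"; the user settings run in the user's context, so the users need it too.
#    Authenticated Users is reduced to Read only: every computer account can still read the GPO
#    (needed for user-setting processing since MS16-072) without the GPO applying everywhere.
Set-GPPermission -Name $GpoName -TargetName $ServersGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UsersGroup   -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 3. Enable loopback processing (Computer Configuration > Administrative Templates > System >
#    Group Policy > "User Group Policy loopback processing mode"). Registry value: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 4. Verification: the two conditions the thread kept tripping over, reported in one object.
function Test-LoopbackGpo {
    param([string]$Name, [string[]]$RequiredApply)
    $perms = Get-GPPermission -Name $Name -All
    $apply = @($perms | Where-Object { $_.Permission -eq 'GpoApply' } | ForEach-Object { $_.Trustee.Name })
    $mode  = (Get-GPRegistryValue -Name $Name -Key $LoopbackKey -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue).Value
    [pscustomobject]@{
        Gpo           = $Name
        LoopbackMode  = switch ($mode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Disabled' } }
        ApplyTrustees = $apply
        MissingApply  = @($RequiredApply | Where-Object { $apply -notcontains $_ })   # empty when filtering is complete
    }
}

Test-LoopbackGpo -Name $GpoName -RequiredApply $UsersGroup, $ServersGroup | Format-List

# On the Citrix server itself, after a reboot (loopback is a computer setting, so a reboot or
# computer-side refresh is what picks it up):
#   gpupdate /force
#   gpresult /scope user /r      (Vista/2008 and later; Server 2003 uses gpresult /user <name> /v)
# "Citrix test" should then be listed under Applied GPOs in the user configuration section.
```

Merge mode (value 1) keeps the GPOs from the user's own OU and layers the servers' user settings on top; Replace mode (value 2) makes the user settings from the servers' OU the only ones processed, which is the usual choice when a terminal or Citrix server should present the same desktop to everyone regardless of their home OU. Either way the verification function should report MissingApply as empty and LoopbackMode as something other than Disabled; the "GPO denied: empty" and "not listed under user configuration" symptoms in the thread are exactly what appear when one of those two checks fails.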