?
Solved

User stuck with the wrong group policy enforced...

Posted on 2008-11-06
11
Medium Priority
?
761 Views
Last Modified: 2013-12-04
One of our clients has several different sets of GPOs based on specific users and the the PCs they log in on.   For instance, if they log in using a terminal server, their session is severely locked down, whereas if they log on to a desktop or laptop, its more lax.

One of the users used the terminal server the other night to work from home.  Upon returning to the office, she logged into her PC and still had the terminal server GPO applied to her user name.   We can't run GPUPDATE because of the security lock down... we can't even right click on My Computer to get to properties, see the C drive or even map a drive.

I created a test user with identical settings as the user and that account could log into her desktop with no issues at all.  She logged into a different computer and had the same lock down, which says to me that something is up with the account.

I checked the Term Server and there were no active or disconnected sessions from her.  I tried GPUDATE as the test user, but as expected it didn't do anything.

Anyone have any ideas?
0
Comment
Question by:FrontlineTech
11 Comments
 
LVL 5

Expert Comment

by:Dawilliams
ID: 22899421
I would double check the gpo settings sounds like somebody made a change, the terminal gpo should not have been applied to the desktop,by the sounds of the set up.  A gpupdate wont work at this time but a log off , or a hard shutdown and a log on should force the new policy settings.
0
 
LVL 2

Expert Comment

by:EfrenM
ID: 22899428
have you tried gpupdate /sync?
0
 

Author Comment

by:FrontlineTech
ID: 22899664
Efren - I tried it logged in as another user to that machine.  This was a TEST user account I logged in with that was an identical copy of the user's account.    That user had the proper GPO applied and we could do anything.  Unfortunately it did not work.   Worse off I CANNOT run gpudate when she is logged in because of the restrictions in place.

DaWilliams - No one else logging into the computer is having the same issue and no one else on the domain is having the issue, so I don't think it was a GPO change or more people would be affected.  As I stated in the description, her account faces this regardless of which PC she logs into...  We tried hard reboots, but its not the DEVICE GPO but the USER GPO that seems to be the issue.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 2

Expert Comment

by:EfrenM
ID: 22899772
well you can always try exclude that test user from the gpo and then run a gpupdate /sync  , is the gpupdate blocked at the local machine level or via a gpo?
0
 

Author Comment

by:FrontlineTech
ID: 22899932
Efren - The test user WORKS FINE.  Everyother user on that machine and in the domain works fine.  It is JUST her username.  I ran GPUDATE /sync under the test user.... this will not fix the issue because it won't update the GP for the problem user.  

GPUPDATE is not blocked, but rather running any kind of command line is UNDER THE PROBLEM USER.    The particular GPO that is sticking with the user is locking down everything.  I can't right click, I can't open a command line, I can't use the RUN command, I can't see the C drive.  EVERYTHING is locked down.  I tried running GPUPDATE using a batch file and it too was restricted.

For some reason, the Term Servers GPO that applies to users when they log into a Term Server is staying applied to her User account even though she is not logged into a term server and is instead logged into her laptop.    I need to find a way to force a GPUPDATE for her USERNAME, but can't find a way to do it.  I can't connect to the PC using PSEXEC nor through the GPO wizard.
0
 
LVL 2

Expert Comment

by:EfrenM
ID: 22900016
hmm have you ran gpupdate /force on the servers? i remembered you said shes blocked on anyother pc so it might be stuck on the server itself
0
 

Author Comment

by:FrontlineTech
ID: 22900153
Efren - I will try it, but my understanding of GPUDATE is that it will only update the specific user and the specific PC.... which means her USER name is still not updated.    Trying it now and no change.  
0
 
LVL 2

Expert Comment

by:EfrenM
ID: 22900329
yea but wanted to give it a shot, hmm let me think
0
 
LVL 2

Expert Comment

by:EfrenM
ID: 22900338
can you exclude her from the gpo of the terminal ?
0
 
LVL 1

Accepted Solution

by:
safetykids earned 2000 total points
ID: 22900634
Maybe you could change the terminal gpo settings on the domain, temporarily, and then run GPUDATE, then change the permissions back to how they were.
0
 

Author Comment

by:FrontlineTech
ID: 22904219
Safetykids...

Its funny that you say that because that occurred to me as well yesterday afternoon.   I am waiting to hear back from her.  Will keep you posted.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Screencast - Getting to Know the Pipeline
Look below the covers at a subform control , and the form that is inside it. Explore properties and see how easy it is to aggregate, get statistics, and synchronize results for your data. A Microsoft Access subform is used to show relevant calcul…

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question