User stuck with the wrong group policy enforced...

One of our clients has several different sets of GPOs based on specific users and the the PCs they log in on.   For instance, if they log in using a terminal server, their session is severely locked down, whereas if they log on to a desktop or laptop, its more lax.

One of the users used the terminal server the other night to work from home.  Upon returning to the office, she logged into her PC and still had the terminal server GPO applied to her user name.   We can't run GPUPDATE because of the security lock down... we can't even right click on My Computer to get to properties, see the C drive or even map a drive.

I created a test user with identical settings as the user and that account could log into her desktop with no issues at all.  She logged into a different computer and had the same lock down, which says to me that something is up with the account.

I checked the Term Server and there were no active or disconnected sessions from her.  I tried GPUDATE as the test user, but as expected it didn't do anything.

Anyone have any ideas?
FrontlineTechAsked:
Who is Participating?
 
safetykidsCommented:
Maybe you could change the terminal gpo settings on the domain, temporarily, and then run GPUDATE, then change the permissions back to how they were.
0
 
DawilliamsCommented:
I would double check the gpo settings sounds like somebody made a change, the terminal gpo should not have been applied to the desktop,by the sounds of the set up.  A gpupdate wont work at this time but a log off , or a hard shutdown and a log on should force the new policy settings.
0
 
EfrenMCommented:
have you tried gpupdate /sync?
0
On-Demand: Securing Your Wi-Fi for Summer Travel

Traveling this summer?Check out our on-demand webinar to learn about the importance of Wi-Fi security and 3 easy measures you can start taking immediately to protect your private data while using public Wi-Fi. Follow us today to learn more!

 
FrontlineTechAuthor Commented:
Efren - I tried it logged in as another user to that machine.  This was a TEST user account I logged in with that was an identical copy of the user's account.    That user had the proper GPO applied and we could do anything.  Unfortunately it did not work.   Worse off I CANNOT run gpudate when she is logged in because of the restrictions in place.

DaWilliams - No one else logging into the computer is having the same issue and no one else on the domain is having the issue, so I don't think it was a GPO change or more people would be affected.  As I stated in the description, her account faces this regardless of which PC she logs into...  We tried hard reboots, but its not the DEVICE GPO but the USER GPO that seems to be the issue.
0
 
EfrenMCommented:
well you can always try exclude that test user from the gpo and then run a gpupdate /sync  , is the gpupdate blocked at the local machine level or via a gpo?
0
 
FrontlineTechAuthor Commented:
Efren - The test user WORKS FINE.  Everyother user on that machine and in the domain works fine.  It is JUST her username.  I ran GPUDATE /sync under the test user.... this will not fix the issue because it won't update the GP for the problem user.  

GPUPDATE is not blocked, but rather running any kind of command line is UNDER THE PROBLEM USER.    The particular GPO that is sticking with the user is locking down everything.  I can't right click, I can't open a command line, I can't use the RUN command, I can't see the C drive.  EVERYTHING is locked down.  I tried running GPUPDATE using a batch file and it too was restricted.

For some reason, the Term Servers GPO that applies to users when they log into a Term Server is staying applied to her User account even though she is not logged into a term server and is instead logged into her laptop.    I need to find a way to force a GPUPDATE for her USERNAME, but can't find a way to do it.  I can't connect to the PC using PSEXEC nor through the GPO wizard.
0
 
EfrenMCommented:
hmm have you ran gpupdate /force on the servers? i remembered you said shes blocked on anyother pc so it might be stuck on the server itself
0
 
FrontlineTechAuthor Commented:
Efren - I will try it, but my understanding of GPUDATE is that it will only update the specific user and the specific PC.... which means her USER name is still not updated.    Trying it now and no change.  
0
 
EfrenMCommented:
yea but wanted to give it a shot, hmm let me think
0
 
EfrenMCommented:
can you exclude her from the gpo of the terminal ?
0
 
FrontlineTechAuthor Commented:
Safetykids...

Its funny that you say that because that occurred to me as well yesterday afternoon.   I am waiting to hear back from her.  Will keep you posted.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.