lrkwalkers

Group policy not being applied to user

A user in an OU has a user configuration group policy applied.  However, when the user logs in and rsop is run, the policy is not applied with the result of the setting being pulled from a group policy object that has been set on the entire domain.  Why won't the OU policy overwrite the policy applied to the entire domain?  No enforce or block inheritance is turned on.

Please help!
AncientFrib

Does this person belong to a group that has rights to the Group Policy Object?  Check the GPO security.  Try a manual gpupdate /force on the client from the command prompt and see if that works.
lrkwalkers

ASKER

Sorry, meant to say that I've tried a gpupdate /force.

The policy for the OU where the user sits is being applied to authenticated users and authenticated users have permission to read the GPO.
Hi lrkwalkers,

Run "gpresult /v > gpo.log" on the client and check the log file with Notepad. Is the policy listed at all, or is it denied? If it is denied, what is the reason next to the policy name?

HTH

Toni
It isn't listed at all.
Are you sure that user account used for testing is in OU to which policy is linked? If it is, are there any "userenv" errors in Application log on client computer?
Positive - that's why I'm so confused.

No userenv errors in the event logs either.  Really weird.
Was user created in this OU or was moved from other OU? Can you create new test user account in this OU? Can you make one insignificant change in any policy that applies to current user? Is change propagated after "gpupdate /force"? Is user configuration part of your policy enabled?
Was user created in this OU or was moved from other OU?

Moved

Can you create new test user account in this OU?

Done - same result

Can you make one insignificant change in any policy that applies to current user?

There's one policy that I want to apply to this Users OU and that is to turn on the proxy server.  All the other GPOs are being applied to the computer (terminal server) in a different OU.  That being said, the policy being applied to the users OU is not even being applied at all.

Is change propagated after "gpupdate /force"?

See above

Is user configuration part of your policy enabled?

Yep!
Does terminal server's GPO use loopback processing in replace mode?
At least one of them does - yes.  There's about a dozen being applied with a good naming scheme so it's easier to manage.

Will that affect the GPO for the users OU?  No OUs being applied to the computer have any proxy settings enabled.


Replace Mode - In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

That means, you won't be able to set proxy in user configuration, but there is a policy in computer configuration which might be used:
"Make proxy settings per-machine (rather than per user)"

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/gp/792.mspx?mfr=true

And this one: "Disable changing proxy settings"
If you enable this policy, the user will not be able to configure proxy settings. You can import your current Proxy settings from your machine using Internet Explorer Maintenance under Admin Templates using group policy editor.
If you disable or do not configure this policy setting, the user will have the freedom to configure proxy settings.


Ok, nearly there.

What's the easiest way to do the following?

On this particular terminal server, we will have two sets of users - one set will have the proxy and the other  set won't.  I don't want to mess up the GPOs already applied to the OU where the computer sits.  What can we do with the two separate users OUs?


I'm afraid that you won't get any further, unfortunately. The whole point of loopback processing is that it does not differentiate users.
If one TS GPO is set to replace, all user policies are ignored. I haven't actually tried this, but the only way I can imagine that this would work is to configure all TS GPOs to merge mode and then create two separate user policies for proxy. I will repeat, I'm not sure if this will work, and as I don't have an environment to test this, you might want to give it a try and post back?
Exactly what I was thinking - I was actually in the middle of changing all the GPOs to merge.  

Will post back real soon.
Ok, did a gpupdate /force and the rsop on the replace/merge is now merge.

But the user policy is still not being applied! :(
Sorry - it must be being applied cos it's in gpresult now.
It's not overwriting the domain policy though!!
So my question is now...

Why won't the user's OU GPO overwrite the GPO at the domain level?!
Is link for policy at domain level set to Enforced (No override)?
Nope.
Can you locate the following policy in one of your GPOs for TS (or create a new one, even better idea) and configure this setting:
"Computer Configuration\Administrative Templates\System\Group Policy\IE Maintenance Policy Processing\Process even if the Group Policy Objects have not changed"

No change.

Policy still shows in gpresult but rsop shows domain policy setting.

The OU that the user is in is about 4 OU levels down from the domain - this shouldn't matter should it?
It shouldn't. The problem with IE policies is that policies do not change, settings do; that's why I suggested the setting in my previous post.

If you have GPMC installed can you run Group policy modeling for any user account in this OU logging to any computer in OU with terminal servers? Which settings win in this case?
How do you tell which one wins?
Examine the proxy setting on the Settings tab and it should actually say Winning GPO, if I'm not mistaken.
Ok, the domain GPO is the winning one.

BUT...

if I run the group policy modelling wizard with the loopback policy not set at all (the first time I ran it with merge), the user GPO gets applied!

Maybe I should turn off loopback altogether...still doesn't make sense though.
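
The modeling result above matches how loopback builds the list of GPOs for user settings. The following is an added example, not part of any poster's reply: a simplified Python model of that list under no loopback, merge and replace. The GPO names, OU paths and setting values are constructed, and the model assumes no site or local GPOs, no Enforced links, no Block Inheritance and no security filtering.

```python
# Simplified model of User Configuration precedence under loopback processing.
# GPO names, OU paths and setting values are constructed for illustration.

GPOS = [
    {"name": "Domain Policy", "link": "domain",
     "user": {"proxy": "domain-value"}},
    {"name": "TS Lockdown", "link": "domain/Servers/TS",
     "user": {"hide_drives": "on"}},
    {"name": "Users Proxy", "link": "domain/Staff/A/B/ProxyUsers",
     "user": {"proxy": "ou-value"}},
]


def gpo_list(location):
    """GPOs linked at or above `location`: domain first, deepest OU last."""
    parts = location.split("/")
    ancestors = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    return [g for a in ancestors for g in GPOS if g["link"] == a]


def user_processing_order(user_ou, computer_ou, loopback=None):
    """Ordered GPO list whose User Configuration is applied at logon."""
    if loopback is None:
        return gpo_list(user_ou)            # normal: user's location only
    if loopback == "replace":
        return gpo_list(computer_ou)        # user's own list is not gathered
    if loopback == "merge":
        # User's list first, then the computer's list appended after it.
        # The domain GPO is in both lists, so it is applied a second time,
        # after the user's OU GPO.
        return gpo_list(user_ou) + gpo_list(computer_ou)
    raise ValueError("loopback must be None, 'merge' or 'replace'")


def resultant(user_ou, computer_ou, loopback=None):
    """Map setting -> (value, winning GPO); later GPOs overwrite earlier ones."""
    result = {}
    for gpo in user_processing_order(user_ou, computer_ou, loopback):
        for key, value in gpo["user"].items():
            result[key] = (value, gpo["name"])
    return result


USER_OU = "domain/Staff/A/B/ProxyUsers"
TS_OU = "domain/Servers/TS"

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, resultant(USER_OU, TS_OU, mode)["proxy"])
```

In this model the user OU GPO wins only when loopback is off; in merge mode the domain-linked GPO is reapplied as part of the computer's list and overrides it, which is the pattern the modeling wizard reported.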
LOL - agreed...it is definitely too complicated.  

Will give you the points - thanks


Question answered!