lrkwalkers
asked on
Group policy not being applied to user
A user in an OU has a user configuration group policy applied. However, when the user logs in and rsop is run, the policy is not applied with the result of the setting being pulled from a group policy object that has been set on the entire domain. Why won't the OU policy overwrite the policy applied to the entire domain? No enforce or block inheritance is turned on.
Please help!
Does this person belong to a group that has rights to the Group Policy Object? Check the GPO security. Try a manual gpupdate /force on the client from a command prompt and see if that works.
ASKER
Sorry, meant to say that I've tried a gpupdate /force.
The policy for the OU where the user sits is being applied to authenticated users and authenticated users have permission to read the GPO.
Hi lrkwalkers,
Run "gpresult /v > gpo.log" on the client and check the log file with Notepad. Is the policy listed at all, or is it denied? If it is denied, what is the reason next to the policy name?
HTH
Toni
ASKER
It isn't listed at all.
Are you sure that user account used for testing is in OU to which policy is linked? If it is, are there any "userenv" errors in Application log on client computer?
ASKER
Positive - that's why I'm so confused.
No userenv errors in the event logs either. Really weird.
Was user created in this OU or was moved from other OU? Can you create new test user account in this OU? Can you make one insignificant change in any policy that applies to current user? Is change propagated after "gpupdate /force"? Is user configuration part of your policy enabled?
ASKER
Was user created in this OU or was moved from other OU?
Moved
Can you create new test user account in this OU?
Done - same result
Can you make one insignificant change in any policy that applies to current user?
There's one policy that I want to apply to this Users OU and that is to turn on the proxy server. All the other GPOs are being applied to the computer (terminal server) in a different OU. That being said, the policy being applied to the users OU is not even being applied at all.
Is change propagated after "gpupdate /force"?
See above
Is user configuration part of your policy enabled?
Yep!
Does terminal server's GPO use loopback processing in replace mode?
ASKER
At least one of them does - yes. There's about a dozen being applied with a good naming scheme so it's easier to manage.
Will that affect the GPO for the users OU? No OUs being applied to the computer have any proxy settings enabled.
Replace Mode - In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.
That means, you won't be able to set proxy in user configuration, but there is a policy in computer configuration which might be used:
"Make proxy settings per-machine (rather than per user)"
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/gp/792.mspx?mfr=true
And this one: "Disable changing proxy settings"
If you enable this policy, the user will not be able to configure proxy settings. You can import your current Proxy settings from your machine using Internet Explorer Maintenance under Admin Templates using group policy editor.
If you disable or do not configure this policy setting, the user will have the freedom to configure proxy settings.
ASKER
Ok, nearly there.
What's the easiest way to do the following?
On this particular terminal server, we will have two sets of users - one set will have the proxy and the other set won't. I don't want to mess up the GPOs already applied to the OU where the computer sits. What can we do with the two separate users OUs?
I'm afraid that you won't get any further, unfortunately. The whole point of loopback processing is that it does not differentiate users.
If one TS GPO is set to replace, all user policies are ignored. I haven't actually tried this, but the only way I can imagine that this would work is to configure all TS GPOs to merge mode and then create two separate user policies for proxy. I will repeat, I'm not sure if this will work, and as I don't have an environment to test this, you might want to give it a try and post back?
ASKER
Exactly what I was thinking - I was actually in the middle of changing all the GPOs to merge.
Will post back real soon.
ASKER
Ok, did a gpupdate /force and the rsop on the replace/merge is now merge.
But the user policy is still not being applied! :(
ASKER
Sorry - it must be being applied cos it's in gpresult now.
ASKER
It's not overwriting the domain policy though!!
ASKER
So my question is now...
Why won't the user's OU GPO overwrite the GPO at the domain level?!
Is link for policy at domain level set to Enforced (No override)?
ASKER
Nope.
Can you locate the following policy in one of your GPOs for TS (or create a new one, even better idea) and configure this setting:
"Computer Configuration\Administrative Templates\System\Group Policy\IE Maintenance Policy Processing\Process even if the Group Policy Objects have not changed"
ASKER
No change.
Policy still shows in gpresult but rsop shows domain policy setting.
The OU that the user is in is about 4 OU levels down from the domain - this shouldn't matter should it?
It shouldn't. The problem with IE policies is that policies do not change, settings do; that's why I suggested the setting in my previous post.
If you have GPMC installed, can you run Group Policy Modeling for any user account in this OU logging on to any computer in the OU with terminal servers? Which settings win in this case?
ASKER
How do you tell which one wins?
Examine the proxy setting on the Settings tab and it should actually say Winning GPO, if I'm not mistaken.
ASKER
Ok, the domain GPO is the winning one.
BUT...
if I run the group policy modelling wizard with the loopback policy not set at all (the first time I ran it with merge), the user GPO gets applied!
Maybe I should turn off loopback altogether...still doesn't make sense though.
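The processing order discussed in this thread (no loopback, replace, merge) can be modelled in a few lines. This is an added illustration, not code from any poster or from Microsoft; the GPO names and setting values are constructed, and the model assumes no Enforced links, Block Inheritance or security filtering, as the asker describes.

```python
# Added illustration: order in which user-configuration settings are applied
# with and without loopback processing. All GPO names and values are constructed.
# Simplification (assumption): no Enforced links, Block Inheritance or
# security/WMI filtering, so a later GPO always overwrites an earlier one.

DOMAIN_GPO = {"name": "Domain Policy", "user": {"proxy": "domain-value"}}
USERS_OU_GPO = {"name": "Users OU Proxy", "user": {"proxy": "ou-value"}}
TS_OU_GPO = {"name": "TS Lockdown", "user": {"hide_drives": "enabled"}}

# GPOs in scope for each object, listed from the domain root down to its OU.
USER_CHAIN = [DOMAIN_GPO, USERS_OU_GPO]       # location of the user account
COMPUTER_CHAIN = [DOMAIN_GPO, TS_OU_GPO]      # location of the terminal server


def processing_order(user_chain, computer_chain, loopback=None):
    """Return the GPOs whose user settings are applied, in order (last wins)."""
    if loopback is None:
        return list(user_chain)
    if loopback == "replace":
        # The user's own GPO list is not gathered at all.
        return list(computer_chain)
    if loopback == "merge":
        # The user's list is processed first, then the computer's list on top.
        return list(user_chain) + list(computer_chain)
    raise ValueError(f"unknown loopback mode: {loopback!r}")


def resultant_user_settings(user_chain, computer_chain, loopback=None):
    """Map each user setting to (value, winning GPO name)."""
    result = {}
    for gpo in processing_order(user_chain, computer_chain, loopback):
        for setting, value in gpo["user"].items():
            result[setting] = (value, gpo["name"])
    return result


if __name__ == "__main__":
    for mode in (None, "replace", "merge"):
        rsop = resultant_user_settings(USER_CHAIN, COMPUTER_CHAIN, mode)
        print(f"loopback={mode}: proxy -> {rsop.get('proxy')}")
```

In merge mode the domain-linked GPO is processed a second time through the computer's chain, after the users' OU GPO, which matches the modelling result the asker reports above.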
ASKER
LOL - agreed...it is definitely too complicated.
Will give you the points - thanks
ASKER
Question answered!