lrkwalkers

Group policy not being applied to user

A user in an OU has a user configuration group policy applied.  However, when the user logs in and rsop is run, the policy is not applied with the result of the setting being pulled from a group policy object that has been set on the entire domain.  Why won't the OU policy overwrite the policy applied to the entire domain?  No enforce or block inheritance is turned on.

Please help!
AncientFrib

Does this person belong to a group that has rights to the Group Policy Object?  Check the GPO security.  Try and do a manual gpupdate /force on the client from a command prompt and see if that works.
lrkwalkers

ASKER

Sorry, meant to say that I've tried a gpupdate /force.

The policy for the OU where the user sits is being applied to authenticated users and authenticated users have permission to read the GPO.
Toni Uranjek

Hi lrkwalkers,

Run "gpresult /v > gpo.log" on the client and check the log file with Notepad. Is the policy listed at all, or is it denied? If it is denied, what is the reason next to the policy name?

HTH

Toni
lrkwalkers

ASKER

It isn't listed at all.
Toni Uranjek

Are you sure that the user account used for testing is in the OU to which the policy is linked? If it is, are there any "userenv" errors in the Application log on the client computer?
lrkwalkers

ASKER

Positive - that's why I'm so confused.

No userenv errors in the event logs either.  Really weird.
Toni Uranjek

Was user created in this OU or was moved from other OU? Can you create new test user account in this OU? Can you make one insignificant change in any policy that applies to current user? Is change propagated after "gpupdate /force"? Is user configuration part of your policy enabled?
lrkwalkers

ASKER

Was user created in this OU or was moved from other OU?

Moved

Can you create new test user account in this OU?

Done - same result

Can you make one insignificant change in any policy that applies to current user?

There's one policy that I want to apply to this Users OU and that is to turn on the proxy server.  All the other GPOs are being applied to the computer (terminal server) in a different OU.  That being said, the policy being applied to the users OU is not even being applied at all.

Is change propagated after "gpupdate /force"?

See above

Is user configuration part of your policy enabled?

Yep!
Toni Uranjek

Does terminal server's GPO use loopback processing in replace mode?
lrkwalkers

ASKER

At least one of them does - yes.  There's about a dozen being applied with a good naming scheme so it's easier to manage.

Will that affect the GPO for the users OU?  No OUs being applied to the computer have any proxy settings enabled.


Toni Uranjek

Replace Mode - In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

That means, you won't be able to set proxy in user configuration, but there is a policy in computer configuration which might be used:
"Make proxy settings per-machine (rather than per user)"

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/gp/792.mspx?mfr=true

And this one: "Disable changing proxy settings"
If you enable this policy, the user will not be able to configure proxy settings. You can import your current Proxy settings from your machine using Internet Explorer Maintenance under Admin Templates using group policy editor.
If you disable or do not configure this policy setting, the user will have the freedom to configure proxy settings.


lrkwalkers

ASKER

Ok, nearly there.

What's the easiest way to do the following?

On this particular terminal server, we will have two sets of users - one set will have the proxy and the other  set won't.  I don't want to mess up the GPOs already applied to the OU where the computer sits.  What can we do with the two separate users OUs?


Toni Uranjek

I'm afraid that you won't get any further, unfortunately. The whole point of loopback processing is that it does not differentiate users.
If one TS GPO is set to replace, all user policies are ignored. I haven't actually tried this, but the only way I can imagine that this would work is to configure all TS GPOs to merge mode and then create two separate user policies for proxy. I will repeat, I'm not sure if this will work and as I don't have an environment to test this, you might want to give it a try and post back?
lrkwalkers

ASKER

Exactly what I was thinking - I was actually in the middle of changing all the GPOs to merge.  

Will post back real soon.
lrkwalkers

ASKER

Ok, did a gpupdate /force and the rsop on the replace/merge is now merge.

But the user policy is still not being applied! :(
lrkwalkers

ASKER

Sorry - it must be being applied cos it's in gpresult now.
lrkwalkers

ASKER

It's not overwriting the domain policy though!!
lrkwalkers

ASKER

So my question is now...

Why won't the user's OU GPO overwrite the GPO at the domain level?!
Toni Uranjek

Is link for policy at domain level set to Enforced (No override)?
lrkwalkers

ASKER

Nope.
Toni Uranjek

Can you locate the following policy in one of your GPOs for TS (or create a new one, even better idea) and configure this setting:
"Computer Configuration\Administrative Templates\System\Group Policy\IE Maintenance Policy Processing\Process even if the Group Policy Objects have not changed"

lrkwalkers

ASKER

No change.

Policy still shows in gpresult but rsop shows domain policy setting.

The OU that the user is in is about 4 OU levels down from the domain - this shouldn't matter should it?
Toni Uranjek

It shouldn't. The problem with IE policies is that policies do not change, settings do; that's why I suggested the setting in my previous post.

If you have GPMC installed can you run Group policy modeling for any user account in this OU logging to any computer in OU with terminal servers? Which settings win in this case?
lrkwalkers

ASKER

How do you tell which one wins?
Toni Uranjek

Examine proxy setting on settings tab and it should actually say Winning GPO, if I'm not mistaken.
lrkwalkers

ASKER

Ok, the domain GPO is the winning one.

BUT...

if I run the group policy modelling wizard with the loopback policy not set at all (the first time I ran it with merge), the user GPO gets applied!

Maybe I should turn off loopback altogether...still doesn't make sense though.
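
An added example, not part of the thread: a simplified Python model of how the User Configuration GPO list is built with loopback off, in replace mode and in merge mode, and which GPO ends up as the winner for a setting. It ignores local and site GPOs, Enforced, Block Inheritance, security filtering and WMI filters; the GPO names and setting values are constructed. In merge mode the computer's GPO list is appended after the user's list, so a domain-linked GPO is processed a second time, after the user's OU GPO.

```python
# Simplified model of user-side GPO precedence with loopback processing.
# GPO names and setting values below are constructed for illustration.

# User Configuration settings carried by each GPO (constructed sample data).
GPOS = {
    "Domain-Default": {"ProxyEnable": 0},   # linked at the domain
    "UsersOU-Proxy":  {"ProxyEnable": 1},   # linked to the users' OU
    "TS-Lockdown":    {"HideRunMenu": 1},   # linked to the terminal server OU
}

# GPOs linked along each object's path, in processing order (domain first,
# then OUs from parent to child). Later entries override earlier ones.
USER_PATH = ["Domain-Default", "UsersOU-Proxy"]
COMPUTER_PATH = ["Domain-Default", "TS-Lockdown"]


def user_gpo_order(mode):
    """Return the GPO list used for User Configuration, in apply order."""
    if mode is None:          # loopback not configured: user's path only
        return list(USER_PATH)
    if mode == "replace":     # user's own list is never gathered
        return list(COMPUTER_PATH)
    if mode == "merge":       # user's list first, computer's list appended
        return USER_PATH + COMPUTER_PATH
    raise ValueError(f"unknown loopback mode: {mode!r}")


def resultant_set(mode):
    """Apply GPOs in order; the last GPO to write a setting is the winner."""
    result = {}
    for gpo in user_gpo_order(mode):
        for setting, value in GPOS[gpo].items():
            result[setting] = (value, gpo)
    return result


def winning_gpo(setting, mode):
    """Name of the GPO whose value wins for `setting`, or None if unset."""
    return resultant_set(mode).get(setting, (None, None))[1]


if __name__ == "__main__":
    for mode in (None, "replace", "merge"):
        print(f"loopback={mode}: {resultant_set(mode)}")
```

In this model the users' OU GPO is in the merge-mode list (so it shows as applied) but wins only when no GPO in the computer's path, including the domain-linked one, carries the same setting.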
ASKER CERTIFIED SOLUTION
lrkwalkers
SOLUTION
Toni Uranjek
lrkwalkers

ASKER

LOL - agreed...it is definitely too complicated.  

Will give you the points - thanks


lrkwalkers

ASKER

Question answered!