• Status: Solved

What is wrong with my GPO?

I have a few problems with the GPO on my terminal servers. I want them to be as secure as possible.

1. Users cannot run Microsoft Publisher. It will not allow you to save items to the desktop. I can create any other kind of office document, but I think that it doesn't have access to create some kind of temp file.

2. Users cannot open folders on desktop.

3. Network drives cannot be mapped.

Attached is my GPO. It is for server 2k8.


CITRIX-GPO--Do-not-edit-from-a-2.htm
Asked by: Firecubes
 
grantsewell Commented:
OK, breaking this down as best I can, some ideas for you:

1) Software Restriction Policies - do you really need them? If you want to disable Windows Help, just disable the service. Remove the rest of the software restriction policies to eliminate that as a possibility and speed up processing time.

2) What error are you getting when users run Publisher?

3) What folders can users not open on the desktop?

4) Mapping Network Drives - This is why:

     Windows Components\Windows Explorer\Remove "Map Network Drive" and "Disconnect Network Drive" is Enabled. Disable this setting to allow this feature.
 
Firecubes (Author) Commented:
1. I probably don't. But, I couldn't find the help service in 2008. I'll look for it again, I probably missed it. :)

2. I'm sorry, I meant Microsoft Access, not Publisher. I was thinking Publisher for some reason. The error is: This operation has been canceled due to restrictions in effect on this computer. Please contact the system administrator.

3. Anything. The teacher wants the students to save a file on their desktop in a folder. Teacher creates a folder on their desktop, and it says there is a policy in effect restricting that. I checked the permissions, and they are inherited, and they look good.

4. Thank you. :)
 
grantsewell Commented:
Okie doke - happy to help so far;

As for the desktop, you have the Administrative Templates\Desktop\Desktop\Disable all items policy Enabled. That's the issue with not creating or opening folders.

For Access, you've got the Designated File Types set in the Software Restriction Policies, it's probably related. Try getting rid of that first, then see if you still have a problem.

As for the 2008 Help Service, my bad! Looks like it's no longer a service in 2008. You can still disable error reporting and hide the icons so they won't appear.

Good luck!
 
Firecubes (Author) Commented:
Thank you. I will try this stuff and get back to you.
 
Firecubes (Author) Commented:
Ok, sorry it took so long.

This still did not fix any of my issues. I have attached the RSoP from the server they log onto.

As far as software restrictions, I simply removed the MS Access extensions. Is that what you meant?
asdf.txt
 
Firecubes (Author) Commented:
Upping the points to 500.
 
Firecubes (Author) Commented:
This is still an issue. Does anyone have any thoughts?
 
grantsewell Commented:
Can you please do an export of the updated policy using the GPMC like in your original post? Thx.
 
Firecubes (Author) Commented:
Sure. Here it is.
New-policy-settings.htm
 
grantsewell Commented:
OK.... thanks, this is helpful.

1) Desktop Folders Issue - what folders can't be opened? Custom folders? Are you using mandatory profiles? What are the permissions on these items?

2) Microsoft Access - what's being logged in the event log when the user unsuccessfully runs Microsoft Access? Is there a visible error message? What does it say?
 
Firecubes (Author) Commented:
The desktop folders is no longer an issue, I have decided to map them a shared drive instead. But, it will not map the drives.

"Cannot complete operation due to policies in effect on this computer. Please contact your system administrator."

When I remove the GPOs, it works fine. I just don't know which GPO is blocking it.
 
Firecubes (Author) Commented:
Oh, sorry they are roaming profiles, not mandatory.
 
grantsewell Commented:
How are the drives being mapped? I don't see a logon script? Or GP Preferences... If you're not doing it there, you've disabled the command prompt, so the script can't run.

Is this the only GPO for this system? There are no other computer policies that would affect it? Removing just this GPO causes everything to be fine?

What is in the error log on the mapped drives?
 
Firecubes (Author) Commented:
I am doing it via Active Directory. The home directory field under the profile tab.

It was the only GPO being applied, I had inheritance blocked. Then, as part of the troubleshooting I let the default domain policy go through. Still have the same issue. I even created a new OU and tried it there.

There is no error, they just don't show up. And yes, if I remove the policies everything works fine.
 
grantsewell Commented:
The "Home Folder" option in AD is really more of a legacy feature (supporting NT4). I would consider using the Group Policy preferences feature that was introduced in Windows Server 2008. I imagine this will correct your issue with a conflicting policy setting. The other possibility is that your location reference is incorrect.

In the group policy management console, open your GPO, navigate to User Configuration > Preferences > Windows Settings > Drive Maps
 
Firecubes (Author) Commented:
I gave that a whirl. It still won't map it.

I think I may just shoot the server and put it out of its misery. :)
 
grantsewell Commented:
Ha, well obviously it's gotta be the GPO. Maybe this can help - here's an attached GPO from my server. It does inherit other policies, but nothing that would restrict things like drive maps... maybe it can help you look through your policies. The important (and most likely the problem settings) are in Administrative Templates. As I type this, I've got another idea - try disabling just the computer policies or just the user policies within the GPO so we can narrow down where the issue is. Those options are in the "Details" tab in the Group Policy Management Console.
Terminal-Server-Lockdown.htm
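
An added example, not part of any post in this thread: a PowerShell check, run inside an affected user's session on the terminal server, that reports which of the user-side restrictions named above (the Map Network Drive removal, the desktop items policy, the disabled command prompt) are actually in effect. The registry value names are the ones the standard administrative templates write for these settings; they are an assumption here because the thread does not list them, and the report path is a placeholder.

```powershell
# Added example: run as the affected user, not as an administrator,
# because these are per-user (HKCU) policy values.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Policies\Microsoft\Windows\System'

# Setting names as they appear in the GPO editor, with the value each one writes.
$checks = @(
    @{ Setting = 'Remove "Map Network Drive" and "Disconnect Network Drive"'; Key = $explorer; Name = 'NoNetConnectDisconnect' },
    @{ Setting = 'Hide and disable all items on the desktop';                 Key = $explorer; Name = 'NoDesktop' },
    @{ Setting = 'Prevent access to the command prompt';                      Key = $system;   Name = 'DisableCMD' }
)

function Get-PolicyState($check) {
    # Read the value if the key and value exist; $null means "Not configured".
    $data = $null
    if (Test-Path $check.Key) {
        $item = Get-ItemProperty -Path $check.Key -Name $check.Name -ErrorAction SilentlyContinue
        if ($item) { $data = $item.($check.Name) }
    }

    $state = 'Not configured'
    if ($data -ne $null) {
        if ($data -eq 0) { $state = 'Disabled' } else { $state = 'Enabled' }
        # DisableCMD distinguishes whether batch/logon scripts are blocked too.
        if ($check.Name -eq 'DisableCMD' -and $data -eq 1) { $state = 'Enabled (batch scripts blocked too)' }
        if ($check.Name -eq 'DisableCMD' -and $data -eq 2) { $state = 'Enabled (batch scripts still allowed)' }
    }

    New-Object PSObject -Property @{ Setting = $check.Setting; Value = $data; State = $state }
}

$checks | ForEach-Object { Get-PolicyState $_ } |
    Select-Object Setting, Value, State |
    Format-Table -AutoSize -Wrap

# The user-scope RSoP report shows which GPO supplied each setting
# (the "Winning GPO" column). The output path is a placeholder.
$report = Join-Path $env:TEMP 'rsop-user.html'
gpresult /scope user /h $report /f
```

Any setting reported as Enabled can then be traced to its GPO in the HTML report and set to Disabled or Not Configured there, which is quicker than removing whole GPOs to see what changes.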
 
Firecubes (Author) Commented:
I fixed both the issues, I think, but now my folder redirection doesn't work. Which is odd to me, because I do the exact same thing on my test environment, and it works like a charm.
 
Firecubes (Author) Commented:
Thanks. :)