• Status: Solved

Group Policy Object applied but not running

At a client site, we have a test OU set up to test some user settings that should run on log in and log off. The GPO is linked and enabled to the OU where the test ID is sitting.

The IDs are being used on a Citrix Presentation Server.

On login, a mandatory profile is used from a UNC path and the login scripts run, from the domain policy and this test GPO. A drive is mapped and a batch file is run. The GPResults shows that the GPO is applied. Checking the registry for a tag, we see the mandatory profile loaded.

On log out, another script runs (as noted in the test GPO) and everything is fine.

When we create a second ID and point the mandatory profile and add the ID into the test OU, we get the default profile (flag marker is missing when we look for it under HKCU that we set in mandatory profile), some of the user shell mappings are missing. The test GPO doesn't run the drive mapping or the batch file. Default domain GPO is applied.

Looking at GPResults, we see that the test GPO is listed as applied, but we haven't seen the script run or the drive map. Logout, no logout batch run. Tried it with several IDs we've created, including cloning off the good test one.

Always we see GPResult shows that the GPO is applied, but we don't see the scripts run that are listed in the GPO.

Anyone have any troubleshooting ideas?
hglobus
Asked:

Daniel Borger Commented:
Have you enabled loopback processing mode for the user settings in the GPO?

hglobus (Author) Commented:
Yep.  Loopback processing is on.

hglobus (Author) Commented:
I have done the following:

I broke out the scripts that are in the GPO and set them to run in individual batch files.
I created new GPOs, linked to the OU and set one batch file with one command in each GPO.

When I logon with my working ID, it will run each of those batch scripts.

When I logon with any of my other IDs, it will not run the batch scripts, though a gpresult shows that the GPO is applied.

I've created a new OU and applied the existing GPOs to that OU and I created a new OU, put the Citrix servers into that OU and applied brand new GPOs to it.  SAME RESULT.

Daniel Borger Commented:
Are there any group policies blocking the processing of command prompt or batch files for the non-admins?
What happens if you set the scripts to run within the local machine group policy GPEDIT.MSC?

hglobus (Author) Commented:
There isn't anything blocking command prompt access or running command prompt interactively.  (All that is stripped out for now).

I'll try setting the script within the GPEDIT.MSC.

When I login with one of the non-working IDs, I go to the command prompt, go to the location of the login script and call it successfully.  It runs from within Explorer or the command prompt, no problems.

I modified the login script designation within the AD record to run the script.  That works fine - I need the logout portion as well to capture some settings and run a clean up script.

The issue appears to be that although gpresult is showing that it is applied, it appears to be 100% bypassed, both on login or logout.

Daniel Borger Commented:
Perhaps you could set the logon scripts to process synchronously.
computer configuration\admin templates\system\scripts

hglobus (Author) Commented:
When I put the same info into GPEdit, it runs when I login to the server desktop using my admin ID.  It does not run when I log the user in to the Citrix server.

hglobus (Author) Commented:
Already being done.

Daniel Borger Commented:
What was used to create the mandatory profile?  Any policies in the registry for that profile?
Does testing without the mandatory profile yield better results?
If you elevate test users' rights on the server (local admin) does that yield better results?
Gpupdate /force on server after making change?

hglobus (Author) Commented:
Mandatory profile was created off of the default user profile with a few tweaks as per flexprofile documentation.  Done it at least 20 times before, no problems.

No policies were in place on the mandatory profile.

Testing with a generic ID, no admin perms, and works fine.

Removed mandatory profile, still the GPO does not run.

Elevated un-working test IDs to admin, no good.

Yes, GPUpdate /force done after each change, rebooted several times as well.

Stressing the fact that this works on an ID with low perms.  I then cloned THAT ID and it does not work.

hglobus (Author) Commented:
I just retried the ID without the mandatory profile.  It had the same problems.

I took a copy of the default profile off of one of the other Citrix servers and brought it over to the problem server, GPO ran on one of the problem IDs.

I converted that default profile to a mandatory profile and it worked.

So I was wrong when I stated that there was nothing in the mandatory profile that was blocking the GPO from running.  I just don't know what it is, so now I will have to pick back through it.
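
The thread ends with the mandatory profile still to be picked through by hand. As an added example (not code from the thread or from either poster), the PowerShell below loads copies of the working default profile hive and the suspect mandatory profile hive offline and lists the policy values that differ between them, which is one place to start. The file paths and mount names are assumptions.

```powershell
# Added example. Paths and mount names are assumptions; run elevated, on COPIES of the hives.
$GoodHive    = 'C:\Temp\good\NTUSER.DAT'     # default profile from the working server
$SuspectHive = 'C:\Temp\suspect\NTUSER.MAN'  # mandatory profile under which scripts never run
# Standard per-user policy locations inside a user hive
$PolicyRoots = 'Software\Policies', 'Software\Microsoft\Windows\CurrentVersion\Policies'

function Get-HivePolicyValues {
    param([string]$HivePath, [string]$MountName)
    & reg.exe load "HKU\$MountName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load hive: $HivePath" }
    try {
        foreach ($root in $PolicyRoots) {
            $start = "Registry::HKEY_USERS\$MountName\$root"
            if (-not (Test-Path -Path $start)) { continue }
            $keys = @(Get-Item -Path $start) + @(Get-ChildItem -Path $start -Recurse)
            foreach ($key in $keys) {
                $rel = $key.Name -replace "^HKEY_USERS\\$MountName\\", ''
                foreach ($name in $key.GetValueNames()) {
                    # One line per value: "relative key\value name = data"
                    '{0}\{1} = {2}' -f $rel, $name, ($key.GetValue($name) -join ',')
                }
                $key.Close()   # release the handle so the hive can be unloaded
            }
        }
    }
    finally {
        # Drop any remaining registry handles before unloading the hive
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$MountName" | Out-Null
    }
}

$good    = @(Get-HivePolicyValues -HivePath $GoodHive    -MountName 'GpoGood')
$suspect = @(Get-HivePolicyValues -HivePath $SuspectHive -MountName 'GpoSuspect')

# Values present (or different) only in the suspect mandatory profile
'--- only in suspect hive ---'
$suspect | Where-Object { $good -notcontains $_ }
# Values present only in the working profile
'--- only in working hive ---'
$good | Where-Object { $suspect -notcontains $_ }
```

If both policy locations come back identical, add further subkeys to `$PolicyRoots` to widen the comparison.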