troubleshooting Group Policy settings
I'm looking for some help figuring this one out. I have 2 users that appear to be identical in Active Directory. Same group memberships, etc. We are running remote desktop services and have turned off control panel and access to admin tools for those people. However we have 3 people who need to log in and perform admin functions. Two of those people's account work correctly and have control panel and admin tools, but the third one does not.
I've tried the group policy setting wizard but that doesn't go deep enough, and I can't figure out how to get it to think I'm coming in from remote desktop (maybe it doesn't matter). But never the less, the report has very minimal information and not the detail I would have expected.
So the question is, how do I figure out the difference and fix it?
I've tried the group policy setting wizard but that doesn't go deep enough, and I can't figure out how to get it to think I'm coming in from remote desktop (maybe it doesn't matter). But never the less, the report has very minimal information and not the detail I would have expected.
So the question is, how do I figure out the difference and fix it?
digitap
You mentioned a report. Logged on as the user in question, have you run rsop.msc to see what group policy is being applied? Is this the report you speak of?
I would suggest a few things with this one, feel free to disregard steps that you have taken already.
1 - Check out the local policies for each user.. Start > Run > GPEDIT.MSC
2 - If the users are roaming, try their access on another terminal to replicate the problem, if you cant then wipe/reimage the box you are having problems with
3 - Check to see if they are added a local administrators or if the users are scattered into different group policies locally.
3 - Check to see if their groups are different in Active Directory, all three users should belong to the same groups.
4 - Roaming profile scripts should be check too, just in case they aren't receiving the same login scripts.
1 - Check out the local policies for each user.. Start > Run > GPEDIT.MSC
2 - If the users are roaming, try their access on another terminal to replicate the problem, if you cant then wipe/reimage the box you are having problems with
3 - Check to see if they are added a local administrators or if the users are scattered into different group policies locally.
3 - Check to see if their groups are different in Active Directory, all three users should belong to the same groups.
4 - Roaming profile scripts should be check too, just in case they aren't receiving the same login scripts.
if they all are inheriting same policy then it shouldnt be a problem what happen to the third user is he not able to use speicfic application or he cant login at all when you are allowing remote access you need to also configure from the computer properties who can access remotely is the third user group or user itself there
ASKER
Yes I ran rsop.msc. That is the report that wasn't much help.
Here are some more details: I created a GPO specifically for remote desktop users. It has some quite restrictive settings. Beyond that the only group that is allowed remote desktop access is administrators. All 3 user accounts are in the windows default "Users" gpo and not in the remote desktop object.
I did log on to this account BEFORE he was added to the administrators group. Could that be the problem? Maybe there's settings attached to his account that are hanging around from his previous more restrictive settings.
I have logged on to this account from multiple machines, so it is not a local policy problem. All 3 users belong to the same groups. (Domain users and administrators)
Here are some more details: I created a GPO specifically for remote desktop users. It has some quite restrictive settings. Beyond that the only group that is allowed remote desktop access is administrators. All 3 user accounts are in the windows default "Users" gpo and not in the remote desktop object.
I did log on to this account BEFORE he was added to the administrators group. Could that be the problem? Maybe there's settings attached to his account that are hanging around from his previous more restrictive settings.
I have logged on to this account from multiple machines, so it is not a local policy problem. All 3 users belong to the same groups. (Domain users and administrators)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I gave a B because it was a suggestion and not a definitive answer. It could have been a C, but if someone helps you out...
ASKER
Deleting and re-creating the user account solved the problem.
You should post the final solution for others who have the same challenge. Thanks for the points!
Sorry...should have refreshed. Thanks again!