Solved

Group Policy part applying

Posted on 2011-09-28
27
222 Views
Last Modified: 2012-05-12
Hi

We have in our active directory two OU's and they have our terminal servers in each, one has our test terminal server and the other our three load balanced terminal servers which all our users log into on a daily basis.

In Group Policy we have one policy which is linked to both OU's so that we have in principal a GPO that should apply to both OU's the same.

My problem is they dont... we login to our main terminal servers and we get internet explorer with settings doing one thing and yet if the same user logs into the test terminal server we get another set of settings being applied.

We have looked at the GPO and the test terminal server is applying the settings correctly...

The settings in question are only set in this GPO and not by the default domain policy either so there is nothing else being applied...

I have run the Group Policy Results for both set of servers and the one user and the reports do highlight the differences we are seeing - this is confusing me as the policy's are linked!

Help!

Thanks

Sagar
0
Comment
Question by:sagarh
  • 14
  • 11
  • 2
27 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36716007
Do you use GPO Filtering for those policies?
Check if those policies in both OUs are applied to user too.

Run gpresult /z from command-line to get more detailed information about GPO appliance

Regards,
Krzysztof
0
 
LVL 10

Expert Comment

by:ienaxxx
ID: 36716048
Probably the policy you are trying to apply isn't a LOOPBACK policy.

That means that, since the policy is applied to the COMPUTER object, users settings aren't applied.

Check this:
http://support.microsoft.com/kb/231287
http://support.microsoft.com/kb/260370

HTH :-)
Bye!
0
 

Author Comment

by:sagarh
ID: 36716058
Hi

Could you explain more what is GPO filtering? How do I check if it is applied to user?

I will try running gpresult /z (we currently restirct access to command line - I will run it from a batch file...

Thanks
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36716082
GPO Filtering is used to not apply policy to all users/computers in a domain or OU (depends where policy is linked). When you change that, you may push it to soem users/computers group instead of all. It can be checked under GPMC console, select GPO and in the right pane you will see Delegation tab. There you will see whole DACL for that policy. If there is no "Authenticated Users" on the list, that means, someone used GPO Filtering for this policy

Krzysztof
0
 

Author Comment

by:sagarh
ID: 36716091
Hi

We have the loopback poilcy option applied.

Thanks
0
 

Author Comment

by:sagarh
ID: 36716107
Sorry one further point the loopback policy is applied and is set to Merge Mode.

Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36716111
OK, what happens if you cheng it to "Replace Mode" ?
Maybe some settings are conflicting in "Merge mode" and are overwritten?

Krzysztof
0
 

Author Comment

by:sagarh
ID: 36716112
Hi

I have checked under the delegation tab and Authenicated Users is set with Read (from Security Filtering) permissions set inherited is set to No.

Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36716125
OK, GPO Filtering is not set up. It should affect each computer/server/users within that OU

Krzysztof
0
 

Author Comment

by:sagarh
ID: 36716140
So GPO Filtering is not the issue (if I am not mistaken) the only other issue is if the loop back policy should be set to replace - can I check for anything else?

Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36716265
Can you gather the gpresult /z output ?

We will see exactly which settings are missing or replaced

Krzysztof
0
 
LVL 10

Expert Comment

by:ienaxxx
ID: 36716266
Hi Sagarh,
could be a permission problem on the GPO object. Check this:

in GPMC.MSC, click to highlight the GPO. Then, in the right pane, check what is written under security filtering. Should be "Authenticated Users".

Check either: right click on the GPO and select EDIT, then (in the gpedit.msc that fires up) right-click the root-node (the policy name) and select properties. Check permissions under the security tab.

Another thing:
In GPMC.msc you can plan for policy deployment and view the expected policy result by using "Group Policy Modeling" and "Group Policy Results" features.


HTH.
Bye!
0
 

Author Comment

by:sagarh
ID: 36716705
Hi

I have attached to this note the gpreult /z output from both our servers logged in as me.

The gpresult test server file shows the GPO being applied properly and the gpresult terminal with it not..hopefully you find something that is not right.

Thanks
gpresult-test-server.txt
gpresult-terminal-server.txt
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36716834
One more question. Have you tried to reboot that TS server(s) which are not applying GPO settings to check if it's not an issue?
I compared both files, and they are using the same GPOs set, so I don't know why there are differences. Please try to reboot server(s)

Krzysztof
0
 

Author Comment

by:sagarh
ID: 36716854
Hi

I have rebooted all our servers at least twice since this issues has started to occur...the only thing that has changed in the last five days is that we applied some Microsoft security patches through Windows update - but again all our servers were patched...

Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36716874
Does this happen for each user or affects only some certain group of users?

Krzysztof
0
 

Author Comment

by:sagarh
ID: 36717152
All users


Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36717210
So, one more thought. Can you unlink GPO from OU, wait some time or run

gpupdate /force

link it again, run again

gpupdate /force or reboot server

and test again?

Krzysztof
0
 

Author Comment

by:sagarh
ID: 36813591
Hi

I unlinked the GPO and ran gpupdate /force and then re linked it and restarted our domain controller and all three terminal servers unfortunatley that has not made any difference.

Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36813621
Wrr ;)
Can you tru to use GPMC console to run GPO planning mode, please? We will see what is used during that, ok?

In GPMC console at the bottom of all nodes, you  will see "Group Policy Modeling". Click right mouse button on it and choose "Group Policy Modeling Wizard". And do planning mode for your user and that "faulty" TS

Krzysztof
0
 

Author Comment

by:sagarh
ID: 36813766
Hi

Please find attached the Group Policy Modelling output - you will note that it does state it is applying the internet explorer policies yet when we login it is not....
mreynolds-on-IPU-TS-Servers.htm
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36813925
Strange :/ Can you delete user profile from that server and log on once again, creating new profile?

Krzysztof
0
 

Author Comment

by:sagarh
ID: 36814020
Hi

We created a brand new user and logged into our terminal server same issue - yet logging into the test terminal server worked fine...

Thanks
0
 

Accepted Solution

by:
sagarh earned 0 total points
ID: 36815692
Hi

i have found the issue! see this link

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_24334027.html

Really Really sorry I had not noticed that the terminal servers had been upgraded to IE8 without my knowledge!
0
 

Author Comment

by:sagarh
ID: 36815704
Moderators.

What do I do regarding closing this question off and awarding points etc?

Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36890033
Great! I'm glad that you found a solution!
So, please close the question accepting your last post as an answer to save it in EE knowledgebase for others :)

Krzysztof
0
 

Author Closing Comment

by:sagarh
ID: 36941224
One of my colleagues had upgraded the terminal servers to IE8 yet our test server was not upgraded hence the reason why we were seeing two different outcomes regarding group policy - my mistake should have checked this before positing for help.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question