  • Status: Solved

Group Policy part applying

Hi

We have in our Active Directory two OUs and they have our terminal servers in each, one has our test terminal server and the other our three load balanced terminal servers which all our users log into on a daily basis.

In Group Policy we have one policy which is linked to both OUs so that we have in principle a GPO that should apply to both OUs the same.

My problem is they don't... we log in to our main terminal servers and we get Internet Explorer with settings doing one thing and yet if the same user logs into the test terminal server we get another set of settings being applied.

We have looked at the GPO and the test terminal server is applying the settings correctly...

The settings in question are only set in this GPO and not by the default domain policy either so there is nothing else being applied...

I have run the Group Policy Results for both sets of servers and the one user and the reports do highlight the differences we are seeing - this is confusing me as the policies are linked!

Help!

Thanks

Sagar
 
Krzysztof Pytko (Active Directory Engineer) commented:
Do you use GPO Filtering for those policies?
Check if those policies in both OUs are applied to the user too.

Run gpresult /z from the command line to get more detailed information about GPO application

Regards,
Krzysztof

ienaxxx commented:
Probably the policy you are trying to apply isn't a LOOPBACK policy.

That means that, since the policy is applied to the COMPUTER object, user settings aren't applied.

Check this:
http://support.microsoft.com/kb/231287
http://support.microsoft.com/kb/260370

HTH :-)
Bye!

sagarh (Author) commented:
Hi

Could you explain more what is GPO filtering? How do I check if it is applied to user?

I will try running gpresult /z (we currently restrict access to command line - I will run it from a batch file)...

Thanks
 
Krzysztof Pytko (Active Directory Engineer) commented:
GPO Filtering is used to not apply policy to all users/computers in a domain or OU (depends where policy is linked). When you change that, you may push it to some users/computers group instead of all. It can be checked under GPMC console, select GPO and in the right pane you will see Delegation tab. There you will see whole DACL for that policy. If there is no "Authenticated Users" on the list, that means someone used GPO Filtering for this policy.

Krzysztof
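
The Delegation-tab check described in the comment above can also be run from PowerShell. This is an added example, not part of the original thread; the GPO name is hypothetical and the GroupPolicy module (installed with GPMC/RSAT) is assumed to be available.

```powershell
# Added example: audit a GPO's security filtering (the DACL shown on the Delegation tab).
# Assumes the GroupPolicy module is installed. On Windows Server 2008 R2 the cmdlet
# is named Get-GPPermissions.
Import-Module GroupPolicy

# Hypothetical GPO name: replace with the GPO linked to both terminal-server OUs.
$GpoName = 'TS Internet Explorer Settings'

# One entry per trustee on the GPO.
$aces = Get-GPPermission -Name $GpoName -All

$aces |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                  @{ n = 'Sid';     e = { $_.Trustee.Sid.Value } },
                  Permission, Inherited, Denied |
    Sort-Object Trustee |
    Format-Table -AutoSize

# Security filtering = trustees holding GpoApply
# (GPMC displays this level as "Read (from Security Filtering)").
$appliers = @($aces | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied })

# S-1-5-11 is the well-known SID of Authenticated Users; the display name is
# localized, the SID is not.
$authUsers = @($appliers | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' })

if ($authUsers.Count -gt 0) {
    'No security filtering: Authenticated Users can apply this GPO.'
} else {
    'Security filtering is in effect. Only these trustees apply the GPO:'
    $appliers | ForEach-Object { '  {0} ({1})' -f $_.Trustee.Name, $_.Trustee.SidType }
}

# A Deny entry overrides an Allow, so list any that exist.
$aces | Where-Object { $_.Denied } |
    ForEach-Object { 'DENY: {0} -> {1}' -f $_.Trustee.Name, $_.Permission }
```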

sagarh (Author) commented:
Hi

We have the loopback policy option applied.

Thanks

sagarh (Author) commented:
Sorry one further point the loopback policy is applied and is set to Merge Mode.

Thanks

Krzysztof Pytko (Active Directory Engineer) commented:
OK, what happens if you change it to "Replace Mode"?
Maybe some settings are conflicting in "Merge mode" and are overwritten?

Krzysztof

sagarh (Author) commented:
Hi

I have checked under the Delegation tab and Authenticated Users is set with Read (from Security Filtering) permissions; Inherited is set to No.

Thanks

Krzysztof Pytko (Active Directory Engineer) commented:
OK, GPO Filtering is not set up. It should affect each computer/server/users within that OU

Krzysztof

sagarh (Author) commented:
So GPO Filtering is not the issue (if I am not mistaken) the only other issue is if the loop back policy should be set to replace - can I check for anything else?

Thanks

Krzysztof Pytko (Active Directory Engineer) commented:
Can you gather the gpresult /z output ?

We will see exactly which settings are missing or replaced

Krzysztof

ienaxxx commented:
Hi Sagarh,
could be a permission problem on the GPO object. Check this:

in GPMC.MSC, click to highlight the GPO. Then, in the right pane, check what is written under security filtering. Should be "Authenticated Users".

Check either: right click on the GPO and select EDIT, then (in the gpedit.msc that fires up) right-click the root-node (the policy name) and select properties. Check permissions under the security tab.

Another thing:
In GPMC.msc you can plan for policy deployment and view the expected policy result by using "Group Policy Modeling" and "Group Policy Results" features.


HTH.
Bye!

sagarh (Author) commented:
Hi

I have attached to this note the gpresult /z output from both our servers logged in as me.

The gpresult test server file shows the GPO being applied properly and the gpresult terminal with it not..hopefully you find something that is not right.

Thanks
gpresult-test-server.txt
gpresult-terminal-server.txt

Krzysztof Pytko (Active Directory Engineer) commented:
One more question. Have you tried to reboot that TS server(s) which are not applying GPO settings to check if it's not an issue?
I compared both files, and they are using the same GPOs set, so I don't know why there are differences. Please try to reboot server(s)

Krzysztof

sagarh (Author) commented:
Hi

I have rebooted all our servers at least twice since this issue has started to occur...the only thing that has changed in the last five days is that we applied some Microsoft security patches through Windows Update - but again all our servers were patched...

Thanks

Krzysztof Pytko (Active Directory Engineer) commented:
Does this happen for each user or affects only some certain group of users?

Krzysztof

sagarh (Author) commented:
All users


Thanks

Krzysztof Pytko (Active Directory Engineer) commented:
So, one more thought. Can you unlink GPO from OU, wait some time or run

gpupdate /force

link it again, run again

gpupdate /force or reboot server

and test again?

Krzysztof

sagarh (Author) commented:
Hi

I unlinked the GPO and ran gpupdate /force and then relinked it and restarted our domain controller and all three terminal servers; unfortunately that has not made any difference.

Thanks

Krzysztof Pytko (Active Directory Engineer) commented:
Wrr ;)
Can you try to use GPMC console to run GPO planning mode, please? We will see what is used during that, ok?

In GPMC console at the bottom of all nodes, you  will see "Group Policy Modeling". Click right mouse button on it and choose "Group Policy Modeling Wizard". And do planning mode for your user and that "faulty" TS

Krzysztof

sagarh (Author) commented:
Hi

Please find attached the Group Policy Modelling output - you will note that it does state it is applying the Internet Explorer policies yet when we log in it is not....
mreynolds-on-IPU-TS-Servers.htm

Krzysztof Pytko (Active Directory Engineer) commented:
Strange :/ Can you delete user profile from that server and log on once again, creating new profile?

Krzysztof

sagarh (Author) commented:
Hi

We created a brand new user and logged into our terminal server same issue - yet logging into the test terminal server worked fine...

Thanks

sagarh (Author) commented:
Hi

I have found the issue! See this link

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_24334027.html

Really Really sorry I had not noticed that the terminal servers had been upgraded to IE8 without my knowledge!

sagarh (Author) commented:
Moderators.

What do I do regarding closing this question off and awarding points etc?

Thanks

Krzysztof Pytko (Active Directory Engineer) commented:
Great! I'm glad that you found a solution!
So, please close the question accepting your last post as an answer to save it in EE knowledgebase for others :)

Krzysztof

sagarh (Author) commented:
One of my colleagues had upgraded the terminal servers to IE8 yet our test server was not upgraded, hence the reason why we were seeing two different outcomes regarding group policy - my mistake, should have checked this before posting for help.
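
The root cause in this thread was a software difference between servers that receive the same GPO, so an inventory of the Internet Explorer version on each server is a quick first check when an identical policy produces different results. This is an added example, not part of the original thread; the server names are hypothetical and PowerShell remoting (WinRM) is assumed to be enabled on each server.

```powershell
# Added example: detect Internet Explorer version drift between servers.
# Hypothetical host names: replace with the test and production terminal servers.
$Servers = 'TS-TEST01', 'TS-PROD01', 'TS-PROD02', 'TS-PROD03'

$inventory = @(Invoke-Command -ComputerName $Servers -ErrorAction SilentlyContinue -ScriptBlock {
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    # IE 10 and later store the real version in svcVersion; Version stays at 9.x there.
    $raw = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    New-Object PSObject -Property @{
        IEVersion = $raw
        IEMajor   = ([version]$raw).Major
    }
})

$inventory | Sort-Object PSComputerName |
    Format-Table PSComputerName, IEVersion, IEMajor -AutoSize

# Report servers that did not answer instead of silently skipping them.
$answered = @($inventory | ForEach-Object { $_.PSComputerName })
$Servers | Where-Object { $answered -notcontains $_ } |
    ForEach-Object { "No answer from $_ (check WinRM and firewall)." }

# More than one major version means IE policy settings can behave differently
# per server even though the same GPO is applied.
$groups = @($inventory | Group-Object IEMajor)
if ($groups.Count -gt 1) {
    'IE version drift detected:'
    foreach ($g in $groups) {
        $names = ($g.Group | ForEach-Object { $_.PSComputerName }) -join ', '
        '  IE {0}: {1}' -f $g.Name, $names
    }
} elseif ($groups.Count -eq 1) {
    'All answering servers run IE major version {0}.' -f $groups[0].Name
}
```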