Solved

Group Policy part applying

Posted on 2011-09-28
27
220 Views
Last Modified: 2012-05-12
Hi

We have in our active directory two OU's and they have our terminal servers in each, one has our test terminal server and the other our three load balanced terminal servers which all our users log into on a daily basis.

In Group Policy we have one policy which is linked to both OU's so that we have in principal a GPO that should apply to both OU's the same.

My problem is they dont... we login to our main terminal servers and we get internet explorer with settings doing one thing and yet if the same user logs into the test terminal server we get another set of settings being applied.

We have looked at the GPO and the test terminal server is applying the settings correctly...

The settings in question are only set in this GPO and not by the default domain policy either so there is nothing else being applied...

I have run the Group Policy Results for both set of servers and the one user and the reports do highlight the differences we are seeing - this is confusing me as the policy's are linked!

Help!

Thanks

Sagar
0
Comment
Question by:sagarh
  • 14
  • 11
  • 2
27 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Comment Utility
Do you use GPO Filtering for those policies?
Check if those policies in both OUs are applied to user too.

Run gpresult /z from command-line to get more detailed information about GPO appliance

Regards,
Krzysztof
0
 
LVL 10

Expert Comment

by:ienaxxx
Comment Utility
Probably the policy you are trying to apply isn't a LOOPBACK policy.

That means that, since the policy is applied to the COMPUTER object, users settings aren't applied.

Check this:
http://support.microsoft.com/kb/231287
http://support.microsoft.com/kb/260370

HTH :-)
Bye!
0
 

Author Comment

by:sagarh
Comment Utility
Hi

Could you explain more what is GPO filtering? How do I check if it is applied to user?

I will try running gpresult /z (we currently restirct access to command line - I will run it from a batch file...

Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Comment Utility
GPO Filtering is used to not apply policy to all users/computers in a domain or OU (depends where policy is linked). When you change that, you may push it to soem users/computers group instead of all. It can be checked under GPMC console, select GPO and in the right pane you will see Delegation tab. There you will see whole DACL for that policy. If there is no "Authenticated Users" on the list, that means, someone used GPO Filtering for this policy

Krzysztof
0
 

Author Comment

by:sagarh
Comment Utility
Hi

We have the loopback poilcy option applied.

Thanks
0
 

Author Comment

by:sagarh
Comment Utility
Sorry one further point the loopback policy is applied and is set to Merge Mode.

Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Comment Utility
OK, what happens if you cheng it to "Replace Mode" ?
Maybe some settings are conflicting in "Merge mode" and are overwritten?

Krzysztof
0
 

Author Comment

by:sagarh
Comment Utility
Hi

I have checked under the delegation tab and Authenicated Users is set with Read (from Security Filtering) permissions set inherited is set to No.

Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Comment Utility
OK, GPO Filtering is not set up. It should affect each computer/server/users within that OU

Krzysztof
0
 

Author Comment

by:sagarh
Comment Utility
So GPO Filtering is not the issue (if I am not mistaken) the only other issue is if the loop back policy should be set to replace - can I check for anything else?

Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Comment Utility
Can you gather the gpresult /z output ?

We will see exactly which settings are missing or replaced

Krzysztof
0
 
LVL 10

Expert Comment

by:ienaxxx
Comment Utility
Hi Sagarh,
could be a permission problem on the GPO object. Check this:

in GPMC.MSC, click to highlight the GPO. Then, in the right pane, check what is written under security filtering. Should be "Authenticated Users".

Check either: right click on the GPO and select EDIT, then (in the gpedit.msc that fires up) right-click the root-node (the policy name) and select properties. Check permissions under the security tab.

Another thing:
In GPMC.msc you can plan for policy deployment and view the expected policy result by using "Group Policy Modeling" and "Group Policy Results" features.


HTH.
Bye!
0
 

Author Comment

by:sagarh
Comment Utility
Hi

I have attached to this note the gpreult /z output from both our servers logged in as me.

The gpresult test server file shows the GPO being applied properly and the gpresult terminal with it not..hopefully you find something that is not right.

Thanks
gpresult-test-server.txt
gpresult-terminal-server.txt
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 39

Expert Comment

by:Krzysztof Pytko
Comment Utility
One more question. Have you tried to reboot that TS server(s) which are not applying GPO settings to check if it's not an issue?
I compared both files, and they are using the same GPOs set, so I don't know why there are differences. Please try to reboot server(s)

Krzysztof
0
 

Author Comment

by:sagarh
Comment Utility
Hi

I have rebooted all our servers at least twice since this issues has started to occur...the only thing that has changed in the last five days is that we applied some Microsoft security patches through Windows update - but again all our servers were patched...

Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Comment Utility
Does this happen for each user or affects only some certain group of users?

Krzysztof
0
 

Author Comment

by:sagarh
Comment Utility
All users


Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Comment Utility
So, one more thought. Can you unlink GPO from OU, wait some time or run

gpupdate /force

link it again, run again

gpupdate /force or reboot server

and test again?

Krzysztof
0
 

Author Comment

by:sagarh
Comment Utility
Hi

I unlinked the GPO and ran gpupdate /force and then re linked it and restarted our domain controller and all three terminal servers unfortunatley that has not made any difference.

Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Comment Utility
Wrr ;)
Can you tru to use GPMC console to run GPO planning mode, please? We will see what is used during that, ok?

In GPMC console at the bottom of all nodes, you  will see "Group Policy Modeling". Click right mouse button on it and choose "Group Policy Modeling Wizard". And do planning mode for your user and that "faulty" TS

Krzysztof
0
 

Author Comment

by:sagarh
Comment Utility
Hi

Please find attached the Group Policy Modelling output - you will note that it does state it is applying the internet explorer policies yet when we login it is not....
mreynolds-on-IPU-TS-Servers.htm
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Comment Utility
Strange :/ Can you delete user profile from that server and log on once again, creating new profile?

Krzysztof
0
 

Author Comment

by:sagarh
Comment Utility
Hi

We created a brand new user and logged into our terminal server same issue - yet logging into the test terminal server worked fine...

Thanks
0
 

Accepted Solution

by:
sagarh earned 0 total points
Comment Utility
Hi

i have found the issue! see this link

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_24334027.html

Really Really sorry I had not noticed that the terminal servers had been upgraded to IE8 without my knowledge!
0
 

Author Comment

by:sagarh
Comment Utility
Moderators.

What do I do regarding closing this question off and awarding points etc?

Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Comment Utility
Great! I'm glad that you found a solution!
So, please close the question accepting your last post as an answer to save it in EE knowledgebase for others :)

Krzysztof
0
 

Author Closing Comment

by:sagarh
Comment Utility
One of my colleagues had upgraded the terminal servers to IE8 yet our test server was not upgraded hence the reason why we were seeing two different outcomes regarding group policy - my mistake should have checked this before positing for help.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now