Solved

User GPO changes are not being propagated to existing user accounts

Posted on 2015-01-30
462 Views
Last Modified: 2015-02-05
We have a server farm running terminal services on Windows Server 2012 systems. We use user profile disks.

The problem we have is, when we change a setting in the user section of the GPO, it only gets applied to new user accounts, not existing ones.  I'm sure stuff is being cached, but I don't see how to force a reset of this information.

Blowing away the user profile disk solves the problem, but we can't do that for 400 users, because each one has some customized icons on their desktop, which would have to be re-configured.

I've got loopback processing enabled and the farm computers are linked to the remote desktop users group policy.  Not sure how to move forward with this.
0
Question by:geekdad1
22 Comments
 
LVL 13

Expert Comment

by:Rizzle
ID: 40580602
Could you tell us what your GPO is doing? So you have the policy applying to the RDS Servers rather than users because you have loop back enabled?
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40580681
Here's a sample.  We had enabled User Configuration / Policies / Administrative templates / Windows Components / File Explorer / Turn on Classic Shell.  We decided that not configuring that option would work better for our users.  So we set the setting back to not configured.  Run gpupdate /force on both farm servers.  Then log on as an existing user.  The desktop still behaves the same.

We ran into the same issue when we decided to change the desktop background.  The new background only existed for accounts created after the change, not any that already existed.

The users belong to an OU especially for remote desktop.  There is a group policy that has specific settings for the user configuration and the computer configuration.  This GPO is linked to both the OU for the users and the OU for the server farm.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40581291
Have you saved the entire user profile in the UPD, or only part of the user profile?

Select "Store all user data and settings on user profile disk"

Also, the GPO only needs to be set on the OU containing the RD Session Hosts.
Also enable loopback processing in replace mode on this GPO only.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40581370
Setting it to Not Configured does not change the setting back; what it does is ignore the setting. You need to set it to Disabled; later on you can configure it to Not Configured.
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40584474
Store all user data and settings was already set.  Can you explain something regarding which OU to apply a GPO to?  Each GPO has a computer section and a user section.  If you apply a GPO to a computer object (like a farm server), does it then apply the user section to anyone logging into the computer?  That doesn't seem right.  Same if you apply a GPO to a user account: I would think only the user section of the GPO would apply to that user regardless of which machine they logged into.  Unless I'm wrong, the GPO would have to be applied to an OU that has only the farm computers and the OU containing the remote desktop users.

I set the GPO setting to Disabled.  Then ran gpupdate /force on the two farm servers.  Logged in to an existing account and it's still the same as it was.  Any other suggestions?
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40584545
I confirmed that deleting the user profile disk gets the GPO applied properly.  However that doesn't help me much in this situation.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40584559
Your guess is right: if you apply a user restrictions GPO to the OU containing farm servers, it will apply to all users who log on to those servers through RDP, and loopback processing will enforce this behavior.

From the RDS user's RDP session, can you please run gpresult /h C:\usergpo.htm to check what settings are applied to the user, and post it here for further troubleshooting?
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40584605
Here is the output from the gpresult.  It has the right GPOs applied, and it says that the classic shell is disabled.  I ran the same thing with the user account that I removed the UPD from to see if I could discern any difference.  For all intents and purposes they are the same.  I'll post the diff results right after this.
bad.htm
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40584621
Here are the diff results (using TextPad). I've removed the unnecessary lines.  test71 (left) is the working file, test73 (right) is the non-working file.

Compare: (<)C:\Users\Dougp\Documents\good.htm (201861 bytes)
   with: (>)C:\Users\Dougp\Documents\bad.htm (201863 bytes)

5c5
< <title>PAR\test71</title>
---
> <title>PAR\test73</title>
< <div class="he2i"><table class="info3" style="width: 95%" cellpadding="0" cellspacing="0"><tr><td  style="width: 5%;">&nbsp;</td><td style="width: 95%;">During last <strong>user policy</strong> refresh on 2/2/2015 11:08:50 AM</td></tr><tr><td  style="width: 5%;">&nbsp;</td><td style="width: 95%;"><table class="info3" style="width: 95%" cellpadding="0" cellspacing="0"><tr><td  style="width: 5%;"><v:group class="vmlimage" style="width:15px;height:15px;vertical-align:middle" coordsize="100,100" alt="Warning">
---
> <div class="he2i"><table class="info3" style="width: 95%" cellpadding="0" cellspacing="0"><tr><td  style="width: 5%;">&nbsp;</td><td style="width: 95%;">During last <strong>user policy</strong> refresh on 2/2/2015 11:03:55 AM</td></tr><tr><td  style="width: 5%;">&nbsp;</td><td style="width: 95%;"><table class="info3" style="width: 95%" cellpadding="0" cellspacing="0"><tr><td  style="width: 5%;"><v:group class="vmlimage" style="width:15px;height:15px;vertical-align:middle" coordsize="100,100" alt="Warning">
< <tr><td>worksafebc.com</td><td>2</td><td>Remote Users v2</td></tr>
< <tr><td>health.gov.bc.ca</td><td>2</td><td>Remote Users v2</td></tr>
---
> <tr><td>health.gov.bc.ca</td><td>2</td><td>Remote Users v2</td></tr>
> <tr><td>worksafebc.com</td><td>2</td><td>Remote Users v2</td></tr>
1597,1598c1597,1598
< </table></div></div></div></div><div class="he3"><span class="sectionTitle" tabindex="0">Registry item (Key path: HKEY_USERS\.DEFAULT\Control Panel\Colors, Value name: Background)</span><a class="expando" href="#"></a></div>
< <div class="container"><div class="he4i">The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.</div><div class="he4"><span class="sectionTitle" tabindex="0">Background</span><a class="expando" href="#"></a></div>
---
> </table></div></div></div></div><div class="he3"><span class="sectionTitle" tabindex="0">Registry item (Key path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gov.bc.ca, Value name: *)</span><a class="expando" href="#"></a></div>
> <div class="container"><div class="he4i">The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.</div><div class="he4"><span class="sectionTitle" tabindex="0">*</span><a class="expando" href="#"></a></div>
1608,1614c1608,1614
< <b>Properties</b><table class="subtable" cellpadding="0" cellspacing="0"><tr><td>Hive</td><td>HKEY_USERS</td></tr>
< <tr><td>Key path</td><td>.DEFAULT\Control Panel\Colors</td></tr>
< <tr><td>Value name</td><td>Background</td></tr>
< <tr><td>Value type</td><td>REG_SZ</td></tr>
< <tr><td>Value data</td><td>0 0 0</td></tr>
< </table></div></div></div></div><div class="he3"><span class="sectionTitle" tabindex="0">Registry item (Key path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gov.bc.ca, Value name: *)</span><a class="expando" href="#"></a></div>
< <div class="container"><div class="he4i">The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.</div><div class="he4"><span class="sectionTitle" tabindex="0">*</span><a class="expando" href="#"></a></div>
---
> <b>Properties</b><table class="subtable" cellpadding="0" cellspacing="0"><tr><td>Hive</td><td>HKEY_CURRENT_USER</td></tr>
> <tr><td>Key path</td><td>Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gov.bc.ca</td></tr>
> <tr><td>Value name</td><td>*</td></tr>
> <tr><td>Value type</td><td>REG_DWORD</td></tr>
> <tr><td>Value data</td><td>0x2 (2)</td></tr>
> </table></div></div></div></div><div class="he3"><span class="sectionTitle" tabindex="0">Registry item (Key path: HKEY_USERS\.DEFAULT\Control Panel\Colors, Value name: Background)</span><a class="expando" href="#"></a></div>
> <div class="container"><div class="he4i">The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.</div><div class="he4"><span class="sectionTitle" tabindex="0">Background</span><a class="expando" href="#"></a></div>
1624,1628c1624,1628
< <b>Properties</b><table class="subtable" cellpadding="0" cellspacing="0"><tr><td>Hive</td><td>HKEY_CURRENT_USER</td></tr>
< <tr><td>Key path</td><td>Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gov.bc.ca</td></tr>
< <tr><td>Value name</td><td>*</td></tr>
< <tr><td>Value type</td><td>REG_DWORD</td></tr>
< <tr><td>Value data</td><td>0x2 (2)</td></tr>
---
> <b>Properties</b><table class="subtable" cellpadding="0" cellspacing="0"><tr><td>Hive</td><td>HKEY_USERS</td></tr>
> <tr><td>Key path</td><td>.DEFAULT\Control Panel\Colors</td></tr>
> <tr><td>Value name</td><td>Background</td></tr>
> <tr><td>Value type</td><td>REG_SZ</td></tr>
> <tr><td>Value data</td><td>0 0 0</td></tr>
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40584651
To get the difference:
Delete the existing UPD for userx.
Set the GPO with the specific option and apply it to userx with a new UPD.
Export the gpresult output in HTM format.

Then change any settings or add any new settings.
Again log on with userx and export the output in HTM format.

This will hopefully give you a clear picture.
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40584685
That's exactly what I did.  I'll post the working gpresult now, and you can check for any other differences as well.  Maybe you'll spot something that I missed.
good.htm
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40585213
Here's another clue.  Our internal staff are in a different OU from our remote desktop clients.  When I made the last change her desktop changed over to using a double click.  However not the external clients.  So I'm wondering about either inheritance, security filtering or possibly the way I've got the OU's set up.

It looks right to me but something is still wrong.  Here's what I have.
The group policy OUs
The GPO I'm making changes to is Remote Users v2.
As you can see it's attached to farm computers and Restricted Access Accounts (RAA).
All of our outside clients' login accounts are in the RAA OU.
All of the remote desktop farm servers are in the "farm computers" OU.  I don't know if this has any bearing but we keep all of the User Profile Disks on another server that is not part of this group.

We have a group set up in the RAA OU in Active Directory which contains all of the external client accounts. It's called "Remote PAR Users".  The farm computers belong to a group as well, called "par farm".

Here is the scope properties of the GPO.
scope details
The security filtering includes the appropriate groups, so it looks right.  I'll continue testing, and see what else I can figure out.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40585568
Thanks for sharing the detailed info.
You made the GPO application complex.

You need to unlink the Default Domain Policy and Remote Users v2 GPOs from the RAA OU, for two reasons:
The Remote Users v2 policy should be linked only to the OU containing the farm computers.
Also, the Default Domain Policy is already linked to the domain, so there is no need to link it again to the RAA OU.

Also, there is no point in making the parfarm security group, as the "Farm Computers" OU is already there and I believe the RDS servers are kept in this OU. You already have the Authenticated Users group defined on the security filtering tab for the Remote Users v2 GPO, so there is no need to specify a separate security group for the farm computers under security filtering.
When you apply the GPO to this OU, it will by default apply to the farm servers.

Lastly, just ensure that Group Policy loopback processing is enabled in replace mode in the Remote Users v2 GPO.

If you make these changes as suggested, just run gpupdate /force on the domain controllers and on the restricted user workstations as well, and check if it works.
Maybe you can reboot the farm server once.
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40587455
Here's what I've got setup now.  But it's still not right.
gpo1.PNG
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40587476
I've got the GPO remote users v2 linked to the farm computers OU.  I've set the security filtering to enable it only for the Remote PAR Users.  However when I log on as a user, and run gpresult, it says that remote users V2 has not been applied.

Did I misunderstand what you suggested?
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40587606
I have loopback processing set to replace mode.  None of the user settings now apply.  I've linked the remote users v2 back to the RAA OU, and now at least all of the user settings are being applied.

I can't get the double click to work for existing  accounts.  Only new accounts.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40587969
I have seen the screenshot.
You have added the policy to the correct OU; however, the wrong group is on security filtering.

Replace Remote PAR Users with Authenticated Users.

Note that the GPO Remote Users v2 should apply to the farm servers OU, and when you set Authenticated Users there, the policy will be applied to the farm servers, and all users who log on to the farm servers will be affected.
There is no need to apply the GPO to the Remote PAR Users group explicitly; your GPO loopback processing will take care of that.

The idea is this: the policy is applied to the farm servers OU with loopback processing enabled, so that it is automatically applied to all users who log on to the farm servers, since the policy contains user settings.

If you apply this policy to the OU containing users, it will be applied to those users no matter which server they log on to in the entire domain, which is not the requirement.
The policy should be enforced only if users log on to the farm servers.
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40589326
We have other users, (admin and office staff) who aren't subject to these restrictions.  So although authenticated users would work, the remote par users group is a better choice for us.  Also since these users only ever log onto the farm computers, it's not an issue if the policy is always applied to them.

What I don't understand is why, when I applied the GPO to only the farm computers and turned on loopback processing and set the security filtering on, the GPO was not applied. Could it be because the remote PAR users group is in a custom OU?

I appreciate your patience and help with this.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40589523
You did apply the GPO to the farm computers; however, it is not applying to the farm computers simply because Authenticated Users is not there.

You are applying the GPO to the OU containing the farm servers, but at the same time in security filtering you have removed Authenticated Users, and as a result the GPO is not applying.
The farm servers are also members of the Authenticated Users group, and hence it is required there.

Replace Remote PAR Users with Authenticated Users.

Now it does not matter where the Remote PAR Users OU sits.
0
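The accepted answer's point is that a GPO linked to the session-host OU only takes effect if the computer accounts can apply it, and a user-only security group removes that right. The following PowerShell audit is an added example, not code from the thread or from either participant; it assumes the RSAT GroupPolicy module, a domain-joined admin session, and an assumed placeholder OU distinguished name, and it reports the three conditions the thread converges on (computer-applicable security filtering, loopback in Replace mode, link on the farm computers OU).

```powershell
Import-Module GroupPolicy   # RSAT Group Policy module

function Test-RdsLoopbackGpo {
    param(
        [Parameter(Mandatory)] [string] $GpoName,   # e.g. 'Remote Users v2'
        [string] $SessionHostOu                     # DN of the session-host OU (optional)
    )
    $findings = @()

    # 1. Security filtering. The session host's computer account must hold
    #    'Apply Group Policy' on the GPO, or neither its computer settings nor
    #    (via loopback) its user settings are processed. Filtering to a
    #    user-only group such as 'Remote PAR Users' silently drops that right.
    #    Authenticated Users covers user AND computer accounts.
    $applyTrustees = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
    if (-not ($applyTrustees -contains 'Authenticated Users' -or
              $applyTrustees -contains 'Domain Computers')) {
        $findings += "No computer-capable trustee has GpoApply (found: $($applyTrustees -join ', ')). " +
                     "Fix: Set-GPPermission -Name '$GpoName' -TargetName 'Authenticated Users' " +
                     "-TargetType Group -PermissionLevel GpoApply"
    }

    # 2. Loopback mode is stored on the GPO's computer side as UserPolicyMode
    #    (1 = Merge, 2 = Replace). Get-GPRegistryValue throws if it is unset.
    try {
        $mode = (Get-GPRegistryValue -Name $GpoName `
                    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                    -ValueName 'UserPolicyMode' -ErrorAction Stop).Value
    } catch { $mode = $null }
    if ($mode -eq 1)     { $findings += 'Loopback is in Merge mode; the thread recommends Replace.' }
    elseif ($mode -ne 2) { $findings += 'Loopback processing is not configured in this GPO.' }

    # 3. Link. With loopback the GPO belongs on the OU holding the session
    #    hosts, not on the users' OU.
    if ($SessionHostOu) {
        $links = (Get-GPInheritance -Target $SessionHostOu).GpoLinks
        if (-not ($links.DisplayName -contains $GpoName)) {
            $findings += "GPO is not linked to $SessionHostOu."
        }
    }
    return $findings   # empty array means all three checks passed
}

# Constructed usage; the OU distinguished name is an assumed placeholder.
Test-RdsLoopbackGpo -GpoName 'Remote Users v2' `
    -SessionHostOu 'OU=farm computers,DC=example,DC=local'
```

Run it on a domain controller or a workstation with RSAT before and after changing the security filtering, and keep the GPO's own Read/Apply list as the thing you review rather than the group membership of the users.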
 
LVL 1

Author Closing Comment

by:geekdad1
ID: 40589830
Thanks.  That clears things up.  The original problem still remains, but at this point I think that from the look of things some settings are only set once, and no matter how hard you'd like to, you won't be able to change them without deleting the user profile disk.  For another example, try changing the desktop wallpaper through GPO.  That never changes either.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40590394
OK.
Please try the below with regard to the original problem:

The UPD behavior is to get disconnected when the user logs off the RDS session.
When the user logs back in again, it simply attaches the UPD again, so have you tried gpupdate /force in the user session to see if any GPO changes are getting reflected?

If that works, you can put gpupdate or gpupdate /force in a .bat file and apply it through User Configuration \ Windows Settings \ Scripts \ Logon in the same GPO, and check.
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40591600
No luck.  Logged in, ran gpupdate /force, logged off, logged back in again.  No change.  It was a good idea though.  The user profile disk has registry settings saved in it.  I wonder if the GPO settings get applied to the registry upon login and then later the settings in the UPD get applied.  That would cause the UPD settings to take precedence.
0
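The closing comment leaves an open question: is the policy never written into the profile, or is it written and then overwritten? The gpresult report in the thread only shows what policy intended. This added PowerShell check (not from the thread or its participants; assumes the RSAT GroupPolicy module inside the affected user's RDS session) reads the values a GPO defines for an HKCU key straight from the GPO and compares them with the hive actually loaded for the session, so the two cases can be told apart. The key used in the usage line is the Policies\Explorer key where File Explorer administrative template settings such as Turn on Classic Shell are written.

```powershell
Import-Module GroupPolicy   # RSAT Group Policy module

function Compare-GpoUserRegistry {
    param(
        [Parameter(Mandatory)] [string] $GpoName,   # e.g. 'Remote Users v2'
        [Parameter(Mandatory)] [string] $Key        # HKCU key the GPO writes to
    )
    $report = @()
    # Get-GPRegistryValue reads the GPO's own registry.pol (what policy intends
    # to write); Get-ItemProperty reads the hive loaded for this logon session.
    foreach ($item in Get-GPRegistryValue -Name $GpoName -Key $Key) {
        if (-not $item.HasValue) { continue }        # subkey entry, carries no value
        $livePath = 'Registry::' + $item.FullKeyPath
        $live = Get-ItemProperty -Path $livePath -Name $item.ValueName -ErrorAction SilentlyContinue
        $liveValue = if ($live) { $live.($item.ValueName) } else { $null }

        # A 'Delete' policy state means the value should be absent after refresh.
        $expected = if ($item.PolicyState -eq 'Delete') { $null } else { $item.Value }
        $state = if ("$liveValue" -eq "$expected") { 'OK' }
                 elseif ($null -eq $liveValue)      { 'MISSING (policy never applied here)' }
                 else                               { 'OVERRIDDEN (written after policy processing)' }
        $report += [pscustomobject]@{
            Key      = $item.FullKeyPath
            Value    = $item.ValueName
            Expected = $expected
            Live     = $liveValue
            State    = $state
        }
    }
    return $report
}

# Constructed usage: run inside the affected user's session right after
# 'gpupdate /force', then again after a log-off/log-on, to see whether the
# reattached UPD brings the old value back.
Compare-GpoUserRegistry -GpoName 'Remote Users v2' `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' | Format-Table -AutoSize
```

A row that reads OK immediately after the refresh but OVERRIDDEN after the next logon supports the author's hypothesis; a row that is MISSING both times means the GPO is not reaching this user at all and the filtering and link checks come first.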