[gptalk] Re: Custom adm template not blocked when GPO is blocked ?

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 26 Oct 2006 10:05:30 -0700

Where is the GPO linked? Are both the users and the loopback computers
within the scope of the GPO? 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Washington, Booker
Sent: Thursday, October 26, 2006 9:59 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom adm template not blocked when GPO is blocked ?



I understand about the adm setting not going away, but this is a different
problem.

 

In one GPO, I have Folder redirection setup for the Desktop, and the my
Documents folders.  I also have the custom adm for the favorites setup so
that the Favorites are redirected to the My Documents Folder.

 

For that entire GPO, in the delegation side, I have a particular group set
to "Deny" Apply Group Policy.  I also have the Loopback processing set to
Enable and merge.

 

The policy is applied against a set of computers.  When users log onto those
computers, their my docs and desktop folders are not redirected (because the
deny permission is hit).. however their Favorites folder is redirected.

 

Why would that part of the policy not get denied along with the desktop and
my docs?

 

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Thursday, October 26, 2006 12:46 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom adm template not blocked when GPO is blocked ?

 

The custom ADM setting, if it had already been applied, will not go away by
denying the GPO, because its a "preference" and not a policy (see
www.gpoguy.com/faq/tattoo.htm). You would have to have a separate policy
that disables that setting for the group in question.

 

As for the other permission issue, I suspect that has to do with how the
permissions are set when the custom ADM redirects the folder. Check the
difference in inheritance flags between the two different directories. One
thing you can do is put the ADM in a separate GPO from the Folder
Redirection and set it with a lower priority on the container to ensure that
it always processes second. 

 

Darren

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Washington, Booker
Sent: Thursday, October 26, 2006 9:38 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Custom adm template not blocked when GPO is blocked ?

I have a GPO for folder redirection that redirects the desktop and the My
Documents Folder.  I have a special adm template that redirects the
Favorites to the "redirected" My Documents folder.  This is all in the same
GPO.

 

I have set a certain group of people to not get the policy, by setting a
"Deny" Apply Group Policy setting.  

 

What has happened is that the Policy has been denied, HOWEVER the custom adm
part of the policy about the Favorites was still applied...

 

Why is that?  I must be missing something about how custom template files
are applied and policies, etc.

 

Thanks

 

Another weird thing that I noticed and this may be a separate post, but on
some folders under the main share, where I have set exclusive use of the
folders to the users, I am able to access the My Documents folder (where the
favorites are being redirected), and other user's My documents folders i can
not access, which is what i would expect.

 

It appears that the users where the Favorites adm template was applied
first, those are the people whose My Documents folders i can access.  If the
My Documents and Desktop Redirections happened first, I can not access those
folders.

 

Very strange

 

 

 

 

Booker T. Washington III

Systems Support Specialist

404-894-8716 direct

404-385-5188 alt

 

 

 

Other related posts: