[gptalk] Re: Custom adm template not blocked when GPO is blocked ?

  • From: "Washington, Booker" <Booker.Washington@xxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 26 Oct 2006 14:42:03 -0400

Well, this was on their first pickup of the policy.  So, I never got to
the stage of having to do a gpupdate, or a log off and back on.  I have
the logon Group Policy setting set to wait for network before logging
on so that it will pick up the policy right away.

So it remains a mystery as to why that part of the policy got applied.

I did like your other suggestions regarding the permissions issue.  I
will look into that.

Thanks

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Thursday, October 26, 2006 2:02 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom adm template not blocked when GPO is
blocked ?

Ok. This should work then. Preferences are not handled differently than
any other policies with respect to security filtering. Couple of things
to keep in mind--when you add the Deny to the GPO, the computer has to
refresh GP to pick that up. So, make sure that you've done that. Also, I
presume you are re-logging on as the user rather than just trying
gpupdate?

Darren

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Washington, Booker
Sent: Thursday, October 26, 2006 10:22 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom adm template not blocked when GPO is
blocked ?

Only the computers are in the OU where the policy is applied.

The AD hierarchy is as follows

Admin-Finance OU
            Computers OU
                        Desktops
                        Laptops
            Users

The GPO is linked at the Computers OU

Does that help?

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Thursday, October 26, 2006 1:06 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom adm template not blocked when GPO is
blocked ?

Where is the GPO linked? Are both the users and the loopback computers
within the scope of the GPO? 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Washington, Booker
Sent: Thursday, October 26, 2006 9:59 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom adm template not blocked when GPO is
blocked ?

I understand about the adm setting not going away, but this is a
different problem.

In one GPO, I have Folder redirection set up for the Desktop and the My
Documents folders.  I also have the custom adm for the favorites set up
so that the Favorites are redirected to the My Documents Folder.

For that entire GPO, in the delegation side, I have a particular group
set to "Deny" Apply Group Policy.  I also have the Loopback processing
set to Enable and merge.

The policy is applied against a set of computers.  When users log onto
those computers, their my docs and desktop folders are not redirected
(because the deny permission is hit); however, their Favorites folder is
redirected.

Why would that part of the policy not get denied along with the desktop
and my docs?

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Thursday, October 26, 2006 12:46 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom adm template not blocked when GPO is
blocked ?

The custom ADM setting, if it had already been applied, will not go away
by denying the GPO, because it's a "preference" and not a policy (see
www.gpoguy.com/faq/tattoo.htm). You would have to have a separate policy
that disables that setting for the group in question.

As for the other permission issue, I suspect that has to do with how the
permissions are set when the custom ADM redirects the folder. Check the
difference in inheritance flags between the two different directories.
One thing you can do is put the ADM in a separate GPO from the Folder
Redirection and set it with a lower priority on the container to ensure
that it always processes second. 

Darren

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Washington, Booker
Sent: Thursday, October 26, 2006 9:38 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Custom adm template not blocked when GPO is blocked ?

I have a GPO for folder redirection that redirects the desktop and the
My Documents Folder.  I have a special adm template that redirects the
Favorites to the "redirected" My Documents folder.  This is all in the
same GPO.

I have set a certain group of people to not get the policy, by setting a
"Deny" Apply Group Policy setting.  

What has happened is that the Policy has been denied, HOWEVER the custom
adm part of the policy about the Favorites was still applied...

Why is that?  I must be missing something about how custom template
files are applied and policies, etc.

Thanks

Another weird thing that I noticed, and this may be a separate post, but
on some folders under the main share, where I have set exclusive use of
the folders to the users, I am able to access the My Documents folder
(where the favorites are being redirected), and other users' My
Documents folders I cannot access, which is what I would expect.

It appears that the users where the Favorites adm template was applied
first, those are the people whose My Documents folders I can access.  If
the My Documents and Desktop Redirections happened first, I cannot
access those folders.

Very strange

Booker T. Washington III

Systems Support Specialist

404-894-8716 direct

404-385-5188 alt
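
The check suggested in the thread ("check the difference in inheritance flags between the two different directories"), as an added example that is not part of the original posts. The function names and the UNC paths are hypothetical; it assumes Windows PowerShell 3.0 or later with read access to both folders.

```powershell
# Added example, not from the thread: list owner, inheritance-blocking state
# and per-ACE inheritance flags for redirected folders so they can be compared.
function Get-FolderInheritance {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Path)
    process {
        foreach ($p in $Path) {
            $acl = Get-Acl -LiteralPath $p
            foreach ($ace in $acl.Access) {
                [pscustomobject]@{
                    Folder      = $p
                    Owner       = $acl.Owner
                    # True: the folder blocks ACEs inherited from its parent
                    Protected   = $acl.AreAccessRulesProtected
                    Identity    = $ace.IdentityReference.Value
                    Type        = $ace.AccessControlType
                    Rights      = $ace.FileSystemRights
                    # True: the ACE came down from the parent share or folder
                    IsInherited = $ace.IsInherited
                    Inheritance = $ace.InheritanceFlags   # ContainerInherit / ObjectInherit
                    Propagation = $ace.PropagationFlags   # InheritOnly / NoPropagateInherit
                }
            }
        }
    }
}

function Get-FolderInheritanceSummary {
    param([Parameter(Mandatory)][string[]]$Path)
    # One row per folder: is inheritance blocked, and how many ACEs are inherited?
    Get-FolderInheritance -Path $Path | Group-Object Folder | ForEach-Object {
        [pscustomobject]@{
            Folder        = $_.Name
            Owner         = $_.Group[0].Owner
            Protected     = $_.Group[0].Protected
            InheritedAces = @($_.Group | Where-Object { $_.IsInherited }).Count
            ExplicitAces  = @($_.Group | Where-Object { -not $_.IsInherited }).Count
        }
    }
}

# Hypothetical paths: one folder the admin can open, one the admin cannot.
$folders = '\\fileserver\redirect$\userA\My Documents',
           '\\fileserver\redirect$\userB\My Documents'
Get-FolderInheritanceSummary -Path $folders | Format-Table -AutoSize
Get-FolderInheritance -Path $folders | Sort-Object Folder, Identity | Format-Table -AutoSize
```

A folder that shows `Protected = False` with inherited ACEs is taking its permissions from the parent share, while one that shows `Protected = True` with only explicit ACEs has its own ACL.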
