[gptalk] Loopback GPO Deny perms not working consistently

  • From: Robert Tannehill <rtannehill@xxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Fri, 15 Dec 2006 17:03:49 -0800

Hey All,
Here's my problem.  I have a loopback GPO applied to some Citrix servers,
which locks down the users.  The admins, however, need "normal" access to
the servers through RDP, so, per Darren's recommendation, I created a
group for the admins which I permission with a Deny for the Apply Group
Policy.  This has worked, but not for all the admin accounts for some
I ran a USERENV.LOG to compare the an account that was properly having the
GPO apply denied, and one that wasn't working as prescribed.  In the logs,
both are indicating that the GPO "is not getting applied" and is skipped.
However, there is a point in the USERENV.LOG where it shows the GPO
entries being backed out for the working one, and not being backed out for
the non working one.
For example:
Working properly:
USERENV(28c.165c) 17:20:51:094 ParseRegistryFile: Entering with
<C:\Documents and Settings\goodGPOuser\ntuser.pol>.
USERENV(28c.165c) 17:20:51:094 DeleteRegistryValue: Deleted
USERENV(28c.165c) 17:20:51:094 DeleteRegistryValue: Deleted
USERENV(28c.165c) 17:20:51:094 DeleteRegistryValue: Deleted
USERENV(28c.165c) 17:20:51:094 DeleteRegistryValue: Deleted
... 150 more lines...
USERENV(28c.165c) 17:20:51:344 DeleteRegistryValue: Deleted
USERENV(28c.165c) 17:20:51:344 DeleteRegistryValue: Deleted
USERENV(28c.165c) 17:20:51:344 ParseRegistryFile: Leaving.
USERENV(28c.165c) 17:20:51:344 ResetPolicies: resetting shell autorun
value for server.
USERENV(28c.165c) 17:20:51:344 ResetPolicies: Leaving.

Not removing policy:
1. USERENV(28c.1630) 17:31:57:812 SetRegPermissionsOnPoliciesKey:
Resetting permission on the policy key
2. USERENV(28c.1630) 17:31:57:812 ParseRegistryFile: Entering with
<C:\Documents and Settings\badGPOuser\ntuser.pol>.
3. USERENV(28c.1630) 17:31:57:812 ParseRegistryFile: Leaving.
4. USERENV(28c.1630) 17:31:57:812 ResetPolicies: resetting shell autorun
value for server.
5. USERENV(28c.1630) 17:31:57:812 ResetPolicies: Leaving.

Notice that between lines 2 & 3, there are no "DeleteRegistryValue" lines,
and so.... the policy is still in play.
Thanks for any comments/clues/"where to goes to see what the heck is going
Robert Tannehill
Sr. Computer Engineer
Computer Sciences Corporation

Other related posts: