[gptalk] Re: New to the list, vexing issue here...

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 2 Oct 2008 14:29:35 -0700

Stephen-

I wonder if this isn't a problem with the user profiles of existing users
not correctly picking up the policy settings. Is it possible that
permissions were screwed with on these existing user's profiles that would
prevent changes being successfully written using policy to their HKCU hives?

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Stephen Barash
Sent: Thursday, October 02, 2008 2:28 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: New to the list, vexing issue here...

 

Darren, thanks for the reply. No, no loopbacks in this environment. I
haven't fired up the userenv.log, I guess I'll have to do so. 

 

FWIW, this issue has been occurring for years - through promotions and
demotions of several domain controllers. Moving around fsmo's hasn't helped.

 

I do have one separate GP for these users that uses the Windows Settings -
Internet Explorer Maintenance, which I know generally shouldn't be used when
using Administrative templates - IE settings, but that's the only way I know
to set certain settings like home page. But if this was causing an issue,
then why would everything work pass through for new users?

 

Previously, to get things done, I've had to do a search and replace on
registry user keys for each terminal server to insert the settings, and then
rebuilt the 'default user' to include the change for new users. Not fun!

 

I'll grab a userenv.log asap..

 

-Stephen

 

Stephen R. Barash

Clever Ducks-Computer Network Services

1413 Monterey Street

San Luis Obispo, CA 93401

p.805.543.1930 x15

www.cleverducks.com

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Thursday, October 02, 2008 2:09 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: New to the list, vexing issue here...

 

Stephen-

If you are using Admin. Templates IE zone policies then it wouldn't be a
tattooing issue. I wonder if some loopback issues might be throwing things
off. I presume you guys are using Loopback in a TS environment? Also, have
you fired up userenv.log to see what it is saying for a given problem user?

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Stephen Barash
Sent: Thursday, October 02, 2008 2:01 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] New to the list, vexing issue here...

 

Hello folks, I've been trying to roll out Administrative Template IE7
Intranet security zone changes via group policy for a long time. Gpmodeling
shows the changes for existing users. With gpresults, the changes are never
picked up - gpupdate doesn't help.

 

If I create a new user, the new user does pick up these changes. But no-go
on the hundreds of existing users.

 

This is a load balanced terminal server environment, with roaming profiles.
I thought this may be a 'tatooing' issue, but tools like Clean Registry
Policy Utility don't seem appropriate as user profiles are stored at a
centralized location on a file server.

 

Any suggestions? Especially for a way to propagate these changes en masse?

 

Thanks!

Stephen

 

 

Other related posts: