[gptalk] Re: Policy will not change for logged on user - even after gpupdate

  • From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 14 Feb 2008 09:01:26 +1100

Hi Booker,

 

This maybe a long shot, but you can often get problems that non tattooed
policies do not get removed because the NTUSER.POL in the Default User
directory does not match the registry settings in NTUSER.DAT in the Default
User directory.

 

With tattooed policies, the NTUSER.POL file contains all of the entries that
must be removed. After doing Template processing, it then rewrites the
NTUSER.POL file with all the registry values that are to be removed on the
next cycle. This means that if you have the setting included in the registry
in your Default User directory (NTUSER.DAT), but not in your the NTUSER.POL
file, it will never know to remove it.

 

So you need to first check if the offending registry entry is in NTUSER.DAT
in the Default User directory. You can do this by opening it from within
Regedit. If it is present, you need to check that you have an NTUSER.POL
file in the Default directory. If it is missing, that is your problem. If it
is present, open it with notepad and see if you can see the registry key.
The display is messy, but provided it is not too big you should be able to
see it.



It is only a problem for users who have different Policy settings to those
in the default policy. For those that are the same, the NTUSER.POL is
rewritten correctly when they first process policies.

 

There was lengthy discussion on this back in late November under "Problem
with GPO Setting even after set to 'Not Configured'"

 

Alan Cuthbertson

 

 

 Policy Management Software:-

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml

 

ADM Template Editor:-

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml

 

Policy Log Reporter(Free)

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml

 

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Washington, Booker
Sent: Thursday, 14 February 2008 4:59 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Policy will not change for logged on user - even after
gpupdate

 

I was thinking that, but this user is in a group that has the deny setting
in place for that policy.  Very confusing.

 

Thanks for your input

 

 

 

 

Booker T. Washington III

Systems Support Specialist

404-894-8716 direct

404-385-5188 alt

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Shane Williford
Sent: Wednesday, February 13, 2008 12:52 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Policy will not change for logged on user - even after
gpupdate

That is because this is a "User" setting, which follows the person; if the
'user' is still in the test OU with this setting/restriction, it will still
apply.

 

Regards,
Shane

 

Shane M. Williford

Systems Administrator

MCSE, MCSA Sec, Sec+, Net+, A+

Mazuma Credit Union

shane.williford@xxxxxxxxxx

816-361-4194 x6012

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Washington, Booker
Sent: Wednesday, February 13, 2008 11:43 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Policy will not change for logged on user - even after
gpupdate

 

A user is logged onto a lab machine that had the profile size restriction
set.  We moved the computer to a new OU, that does not have that
restriction.  Even after the user performs a gpupdate, they still get the
message that thier profile size is too big.  

 

Is that not a policy setting that can be changed, while the user is logged
on?

 

 

 

Booker T. Washington III

Systems Support Specialist

404-894-8716 direct

404-385-5188 alt

 

 

Notice: The information transmitted in this e-mail may contain confidential
and/or legally privileged information intended only for the use of the
individual(s) named above. Review, use, disclosure, distribution, or
forwarding of this information by persons or entities other than the
intended recipient(s) is prohibited by law and may subject them to criminal
or civil liabilities. Statements and opinion expressed in this e-mail may
not represent those of Mazuma Credit Union. All e-mail communications
through Mazuma's corporate email system are subject to archiving and review
by someone other than the recipient. If you have received this communication
in error, please notify the sender immediately and delete/destroy any and
all copies of the original message from any computer or network system. 

Other related posts: