[gptalk] Re: Puzzler - GP for one OU not being applied

  • From: "Andrew McHale" <Andrew.McHale@xxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 2 Sep 2008 09:38:06 +0100

Hello.

I'm just learning GP myself so sorry if this is completely basic and n00bie.

When you stop using a GP setting don't you have to disable the setting to 
remove it from the computer, rather than setting it to undefined? If so then 
perhaps you've created a new GP with the lower security restrictions in place 
but have left the old settings as undefined, and therefore it still has them in 
place from the previous policy that applied?

This wouldn't explain why you saw the policy work as you wished for 5 minutes, 
but it's the answer that sprang to my simple GP mind (if I'm correct).

Andrew

From: Darren Mar-Elia [mailto:darren@xxxxxxxxxx] 
Sent: 01 September 2008 21:29
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Puzzler - GP for one OU not being applied

Just out of curiosity, can you do the following:

Get either the command-line Regview.exe from the 2003 resource kit tools or my 
GUI PolViewer.exe utility (www.gpoguy.com/polviewer.htm).

While logged in as the user who is getting the errant policies, open the file 
within %userprofile% called ntuser.pol (it might be hidden), from one of the 
tools above. That file contains an archive of all of the GP registry settings 
that are applying to the user. See if the errant policy is in that list. If so, 
you might want to try renaming that file to something else and then doing a 
gpupdate /force and see if that helps.

Darren

Darren Mar-Elia

For comprehensive Windows Group Policy Information, check out www.gpoguy.com 
<http://www.gpoguy.com/> -- the best source for GPO FAQs, video training, tools 
and whitepapers. Also check out the Windows Group Policy Guide 
<http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bbs_1/104-1133146-9411929?v=glance&n=283155>, 
the definitive resource for Group Policy information.

Group Policy Management, Troubleshooting & Reporting Solutions at:  
http://www.sdmsoftware.com/products
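As an added illustration of what Regview/PolViewer read (not code from this thread or from either tool), the following Python parser decodes the PReg record layout that ntuser.pol uses (a "PReg" header, then `[key;value;type;size;data]` records in UTF-16LE) and searches the entries for a setting such as the NoControlPanel value. The sample file bytes are constructed inline, and `build_pol` and `find_settings` are helper names chosen here.

```python
import struct
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
U = lambda s: s.encode("utf-16-le")  # record bodies in a .pol file are UTF-16LE
def _read_utf16z(buf, pos):
    # Read a NUL-terminated UTF-16LE string at pos; return (text, offset after the NUL).
    end = pos
    while buf[end:end + 2] not in (b"\x00\x00", b""):
        end += 2
    if not buf[end:end + 2]:
        raise ValueError("unterminated string")
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_pol(data):
    """Parse PReg bytes into (key, value_name, type_name, decoded_data) tuples."""
    if data[:4] != b"PReg" or struct.unpack_from("<I", data, 4)[0] != 1:
        raise ValueError("not a version-1 PReg file")
    pos, entries = 8, []
    while pos < len(data):
        # Each record is [key;value;type;size;data]; the delimiters are UTF-16LE chars.
        if data[pos:pos + 2] != U("["):
            raise ValueError(f"expected '[' at offset {pos}")
        key, pos = _read_utf16z(data, pos + 2)
        value, pos = _read_utf16z(data, pos + 2)                  # +2 skips ';'
        vtype, size = struct.unpack_from("<I2xI", data, pos + 2)  # type ';' size
        raw = data[pos + 14:pos + 14 + size]                      # ';' then data
        pos += 14 + size
        if data[pos:pos + 2] != U("]"):
            raise ValueError(f"expected ']' at offset {pos}")
        pos += 2
        decoded = (struct.unpack("<I", raw)[0] if vtype == 4 else
                   raw.decode("utf-16-le").rstrip("\x00") if vtype in (1, 2) else raw.hex())
        entries.append((key, value, REG_TYPES.get(vtype, f"type{vtype}"), decoded))
    return entries

def build_pol(records):
    """Encode (key, value_name, type_code, raw_bytes) records as PReg bytes."""
    body = b"".join(U("[") + U(k) + b"\x00\x00" + U(";") + U(v) + b"\x00\x00" + U(";")
                    + struct.pack("<I", t) + U(";") + struct.pack("<I", len(r)) + U(";")
                    + r + U("]") for k, v, t, r in records)
    return b"PReg" + struct.pack("<I", 1) + body

def find_settings(entries, needle):
    # Entries whose key path or value name contains needle (case-insensitive).
    n = needle.lower()
    return [e for e in entries if n in e[0].lower() or n in e[1].lower()]

SAMPLE_POL = build_pol([  # constructed sample: a cached user policy still hiding Control Panel
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoControlPanel", 4, struct.pack("<I", 1)),
    (r"Software\Policies\Example", "Label", 1, U("warehouse") + b"\x00\x00"),  # constructed REG_SZ
])
```

To inspect a real file, pass `open(path, "rb").read()` to `parse_pol` and search the result with `find_settings` for the value you expect to be gone.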

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Al Bracco
Sent: Monday, September 01, 2008 1:13 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Puzzler - GP for one OU not being applied

I have previously posted this on Tek-Tips; here is the transcript so far.

QUESTION:

Windows 2003 SP2 server (single DC). Had previously set up an OU and GP for 8 
PCs located in stores that needed to be very locked down. Now one of those PCs 
needs some additional functionality enabled. I created a new OU and moved that 
user account into it. I am using GPM. I created a new policy for that OU with 
my user configuration changes. It has been linked and enforced. I saw it work 
once for about 5 minutes after doing a gpupdate. After rebooting the PC, it 
stopped working. Instead of the new policy being applied, the old policy seems 
to be enforced. However, the new policy is the only one listed for this OU in 
GPM. I am not enforcing a domain default policy, either.

If I run the Group Policy Results wizard for this computer/user, it shows my 
new GPO as being the only one applied. I know the settings in the policy itself 
are correct.

Any ideas on where to look next?

Al

-------------------------------------------------------------------

HANDLE: gmail2

POSTED ON: Aug 21, 2008

REPLY: 

That sounds very strange indeed!!! You say that RSoP shows the policy being 
applied, so this should mean that the policies you have in place are being 
applied... why do you think they're not?? Can you give us some examples of 
what you configured that isn't working as expected?

HANDLE: albracco

POSTED ON: Aug 22, 2008

REPLY: 

The store PCs are extremely locked down, so they can't change anything in 
Windows - just run the retail SQL application they need. One example is 
printers. From the store PCs, they do not have the ability to get to Control 
Panel at all, never mind do anything with printers. The one PC in question is 
actually in the warehouse. That PC has 4 printers attached, and he needs the 
ability to select a printer from various applications. So, we need to unblock 
most restrictions to do with printers. When it worked for that brief time, the 
user could see Control Panel, and the only thing in it was Printers. And, from 
the various Windows applications, he could select the printer he needed. When 
the policy is not applied, he is completely locked out of those functions. We 
have had to keep him logged in as administrator so he can do what he needs. 
Obviously, we don't want to continue that.

It seems like the old policy is still being applied, rather than the new one. 
Maybe it had something to do with when I moved the user account to the new OU? 
Perhaps I should try deleting the user account and creating a new one? 

Al

-------------------------------------------------------------------

HANDLE: gmail2

POSTED ON: Aug 30, 2008

REPLY: 

Sorry for the late reply on this. I wouldn't go deleting the account, but you 
could create a new one in the same environment, same group membership etc., and 
see if the policies have been applied OK.

Also, I presume you've already checked, but are there any warnings/errors in 
Event Viewer or RSoP that indicate group policy processing failed?

I still can't quite understand how RSoP could show the settings you want yet 
they're not being applied. If you want, you can use GPMC to save an HTML report 
of group policy results (RSoP) and list it here, and I'll have a look. Change 
any company/user names etc. on the report as you see fit.

Sorry I haven't been able to provide you with a concrete solution, but we don't 
have to admit defeat just yet !!!

HANDLE: Lemon13

POSTED ON: Aug 31, 2008

REPLY: 

That I understand: the computers are in one OU and the restrictions apply, then 
you created another OU where you put in a user that weakens the restrictions for 
him on one of the PCs in the other OU. AFAIK that won't work; the restrictions are 
cumulative, with the most restrictive in place.

-------------------------------------------------------------------

HANDLE: gmail2

POSTED ON: Aug 31, 2008

REPLY: 

I don't think that's the case here, because logging in as admin means the 
restrictions are not in place. If the restrictions were per machine, they would 
apply to all accounts, even local ones.

-------------------------------------------------------------------

HANDLE: albracco

POSTED ON: Sep 1, 2008

REPLY: 

Yes, the policies are per user, not computer. I don't have a default policy 
that applies to everyone, just individual policies per OU and no policy for 
admin. If I log into that computer with a username from the "stores" OU, it 
applies the correct policies. If I log in with the more restricted username, I 
still get the store policy characteristics, even though that policy is only 
linked to the stores OU.

A real puzzler...

-------------------------------------------------------------------