[gptalk] Re: Puzzler - GP for one OU not being applied

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 4 Sep 2008 11:01:16 -0700


Absolutely the file exists when the user is not logged in. You will see it
under c:\documents and settings\username if you are logged in as
Administrator, which should work.



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Al Bracco
Sent: Thursday, September 04, 2008 10:13 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Puzzler - GP for one OU not being applied



I suppose I have a bit of a catch-22. The "store" policy set that seems to
be getting enforced incorrectly will not allow the user to do what you
suggest. That means I would have to change the policy and that would affect
everyone else. Since this is behaving badly, I'm hesitant to do that. Is the
file you reference (ntuser.pol) only in existence when the user is logged
in, or does it hang around after logoff and could I find it somehow if
logged in as administrator?


At 04:28 PM 9/1/2008, you wrote:

Just out of curiosity, can you do the following:

Get either the command-line Regview.exe from the 2003 resource kit tools or
my GUI PolViewer.exe utility (<http://www.gpoguy.com/polviewer.htm>).

While logged in as the user who is getting the errant policies, open the
file within %userprofile% called ntuser.pol (it might be hidden), from one
of the tools above. That file contains an archive of all of the GP registry
settings that are applying to the user. See if the errant policy is in that
list. If so, you might want to try renaming that file to something else and
then doing a gpupdate /force and see if that helps.

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com
<http://www.gpoguy.com/> -- the best source for GPO FAQs, video training,
tools and whitepapers. Also check out the Windows Group Policy Guide, the
definitive resource for Group Policy information.
Group Policy Management, Troubleshooting & Reporting Solutions at:

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Al Bracco
Sent: Monday, September 01, 2008 1:13 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Puzzler - GP for one OU not being applied

I have previously posted this on Tek-tips - here is the transcript so far.

Windows 2003 SP2 server (single DC). Had previously set up an OU and GP for 8
PCs located in stores that needed to be very locked down. Now one of those
PCs needs some additional functionality enabled. I created a new OU and moved
that user account into it. I am using GPM. I created a new policy for that
OU with my user configuration changes. It has been linked and enforced. I
saw it work once for about 5 minutes after doing a gpupdate. After rebooting
the PC, it stopped working. Instead of the new policy being applied, the old
policy seems to be enforced. However, the new policy is the only one listed
for this OU in GPM. I am not enforcing a domain default policy, either.

If I run the Group Policy Results wizard for this computer/user, it shows my
new GPO as being the only one applied. I know the settings in the policy
itself are correct.

Any ideas on where to look next?

HANDLE: gmail2
POSTED ON: Aug 21, 2008
That sounds very strange indeed !!! You say that RSoP shows the policy being
applied so this should mean that the policies you have in place are being
applied .. why do you think they're not ??  Can you give us some examples of
what you configured that isn't working as expected ?

HANDLE: albracco
POSTED ON: Aug 22, 2008
The store PCs are extremely locked down, so they can't change anything in
Windows - just run the retail sql application they need. One example is
printers. From the store PCs, they do not have the ability to get to Control
Panel at all, never mind do anything with printers. The one PC in question
is actually in the warehouse. That PC has 4 printers attached, and he needs
the ability to select a printer from various applications. So, we need to
unblock most restrictions to do with printers. When it worked for that brief
time, the user could see control panel, and the only thing in it was
Printers. And, from the various Windows applications, he could select the
printer he needed. When the policy is not applied, he is completely locked
out of those functions. We have had to keep him logged in as administrator
so he can do what he needs. Obviously, we don't want to continue that.
It seems like the old policy is still being applied, rather than the new
one. Maybe it had something to do with when I moved the user account to the
new OU? Perhaps I should try deleting the user account and creating a new

HANDLE: gmail2
POSTED ON: Aug 30, 2008
Sorry for the late reply on this.  I wouldn't go deleting the account, but
you could create a new one in the same environment, same group membership
etc, and see if the policies have been applied ok.
Also, I presume you've already checked, but are there any warnings/errors in
eventviewer or RSoP that indicate group policy processing failed?
I still can't quite understand how RSoP could show the settings you want yet
they're not being applied.  If you want you can use GPMC to save an HTML
report of group policy results (RSoP) and list it here, and I'll have a
look.  Change any company/user names etc on the report as you see fit.
Sorry I haven't been able to provide you with a concrete solution, but we
don't have to admit defeat just yet !!!

HANDLE: Lemon13
POSTED ON: Aug 31, 2008
That I understand: the computers are in one OU and the restrictions apply,
then you created another OU where you put in a user that weakens the
restrictions for him on one of the PCs in the other OU. AFAIK that won't work;
the restrictions are cumulative with the most restrictive in place.

HANDLE: gmail2
POSTED ON: Aug 31, 2008
I don't think that's the case here because logging in as admin means the
restrictions are not in place.  If the restrictions were per machine, it
would apply to all accounts, even local ones.

HANDLE: albracco
POSTED ON: Sep 1, 2008
Yes, the policies are per user, not computer. I don't have a default policy
that applies to everyone, just individual policies per OU and no policy for
admin. If I log into that computer with a username from the "stores" OU, it
applies the correct policies. If I log in with the more restricted username,
I still get the store policy characteristics, even though that policy is
only linked to the stores OU.
A real puzzler...

Al Bracco
GIAC Certified Computer Security Analyst
Microsoft, Linux and SCO Certified Professional

Open Systems Computing Corp
1341 Hamburg Turnpike
Suite 2, Floor 2
Wayne, NJ 07470
973-709-9410 (fax)
www.opensystemscomputing.com <http://www.opensystemscomputing.com/> 
www.go2unix.com <http://www.go2unix.com/> 
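
The ntuser.pol file discussed in this thread uses the PReg registry policy layout: a "PReg" signature, a version DWORD, then `[key;value;type;size;data]` records in UTF-16LE. The following is an added example, not part of the original thread, that parses such a file so the settings cached for a user can be listed and checked for an errant policy; the sample bytes, the `make_entry` helper and the "ExampleString" value are constructed for illustration.

```python
import struct

REG_SZ, REG_DWORD = 1, 4  # registry value types decoded below

def parse_pol(blob):
    """Parse ntuser.pol / Registry.pol bytes into (key, name, type, data)."""
    if blob[:4] != b"PReg" or blob[4:8] != struct.pack("<I", 1):
        raise ValueError("not a version 1 PReg policy file")
    pos, entries = 8, []
    def take(n):  # consume n bytes, failing loudly on a truncated file
        nonlocal pos
        chunk = blob[pos:pos + n]
        if len(chunk) != n:
            raise ValueError(f"truncated at offset {pos}")
        pos += n
        return chunk
    def expect(ch):  # each delimiter is a single UTF-16LE character
        if take(2) != ch.encode("utf-16-le"):
            raise ValueError(f"expected {ch!r} before offset {pos}")
    def text():  # null-terminated UTF-16LE string followed by ';'
        chars = []
        while (c := take(2)) != b"\0\0":
            chars.append(c)
        expect(";")
        return b"".join(chars).decode("utf-16-le")
    def dword():  # little-endian DWORD followed by ';'
        value = struct.unpack("<I", take(4))[0]
        expect(";")
        return value
    while pos < len(blob):
        expect("[")
        key, name, reg_type, size = text(), text(), dword(), dword()
        data = take(size)
        expect("]")
        if reg_type == REG_DWORD and size == 4:
            data = struct.unpack("<I", data)[0]
        elif reg_type == REG_SZ:
            data = data.decode("utf-16-le").rstrip("\0")
        entries.append((key, name, reg_type, data))
    return entries

def make_entry(key, name, reg_type, data):  # serialise one constructed entry
    return (f"[{key}\0;{name}\0;".encode("utf-16-le") + struct.pack(
        "<I2sI2s", reg_type, b";\0", len(data), b";\0") + data + b"]\0")

# Constructed sample, not taken from a real profile.
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SAMPLE = (b"PReg" + struct.pack("<I", 1)
          + make_entry(EXPLORER, "NoControlPanel", REG_DWORD, struct.pack("<I", 1))
          + make_entry(EXPLORER, "ExampleString", REG_SZ, "store\0".encode("utf-16-le")))
```

To inspect a real profile, read a copy of the file in binary mode and pass the bytes to `parse_pol`.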
