[gptalk] Re: User not getting Logon script GPO

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 15 Nov 2006 10:44:26 -0800

When you say edit the policy in a different window, do you mean look at the
policy under the SYSVOL folder?

 

I mean edit the group policy. When the window opens that will allow you to
change settings in the policy- right click the policy at the top of the
window and select properties- then select the Security tab and look for any
groups that have any denied settings.

 

Since the group thing may be the cause- open AD users and computers and open
the properties of the group to check the membership. When you open AD users
and computers look at the top left pane to see which Domain Controller you
are connected to.

 

After you see the group membership select the other DC in AD users and
computers to see if the other DC also sees the same group membership.

 

You wouldn't by any chance be controlling any group memberships with a
restricted group "group policy" would ya?

 

Also- when you added the logon script to this policy- what file path did you
specify for the logon script? Did you just open the script section of the
policy and just paste your file from the clipboard or did you specify a
server path like \\dc2\netlogon\deanlogonscript.vbs
<file:///\\dc2\netlogon\deanlogonscript.vbs> ?

 

If you just pasted the logon script into the default location of the scripts
in the GPO- I would check the sysvol location of that policy to ensure that
the logon script has been replicated to each Domain Controller.

 

Check all your domain controller directory and file replication event logs
to see if there are any indications of replication errors.

 

Omar

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Washington, Booker
Sent: Wednesday, November 15, 2006 10:25 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

 

The policy has the default security settings.  I did not apply any security
filtering to the policy.

 

I have deleted the policy and I am creating a new one.  Interesting about
the 2nd client not being a part of the deans suite group.  I actually put
that user in the group as I was troubleshooting.  You may be on to something
because even with the new policy, it is still not showing on the 1st client,
but still showing on the 2nd client because the Group membership when the
policy was applied does not reflect her new status as a member of the MGT
deans suite group.

 

When you say edit the policy in a different window, do you mean look at the
policy under the SYSVOL folder?

 

Thanks

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Omar Droubi
Sent: Wednesday, November 15, 2006 1:16 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

 

The 2nd client is not a member of the "MGT Dean's Suite" security group and
he apparently gets the policy. 

 

Does your policy have any filtering enabled? If you are using GPMC it will
only show the group that the policy is being applied to example
"Authenticated Users."

 

If a group is denied policy it will not show in GPMC. You will need to edit
the policy to open it in a different window and then at the top of the
window select and right click the policy and review the entire ACL in the
Security tab to see if there are any groups that are getting denied the
policy.

 

 

Omar

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Washington, Booker
Sent: Wednesday, November 15, 2006 9:33 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

 

Ok, I reapplied the GPO, but to no avail.

 

 I will provide a snippet of the rsop from the two clients.  One that is not
getting the GPO first, and the 2nd snippet from the client that is.  The
only outright difference I see is that one DC2 is applying the policy to the
first computer and DC1 is applying the policy to the 2nd computer.  Even
though it may smell of replication, these polices have not been changed for
"months", at least the "Dean Suite non HR user logon scripts" GPO.

 

 

 

First client

 

USER SETTINGS
--------------
    CN=rs85,OU=Users,OU=Admin-Finance,OU=Deans
Suite,OU=Groups,DC=agt,DC=at,DC=b
uzz
    Last time Group Policy was applied: 11/15/2006 at 12:15:59 PM
    Group Policy was applied from:      mgt-dc02.mgt.gt.buzz
    Group Policy slow link threshold:   500 kbps

 

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Folder Redirection

 

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

 

         Services
            Filtering:  Not Applied (Empty)

 

        Test Remote Administration firewall opening
            Filtering:  Not Applied (Empty)

 

        Block IE 7
            Filtering:  Not Applied (Empty)

 

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        Local Access
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        MGT Accounting
        MGT No Public Folder Access
        MGT Dean's Suite

 

    Resultant Set Of Policies for User:
    ------------------------------------

 

        Software Installations
        ----------------------
            N/A

 

        Public Key Policies
        -------------------
            N/A

 

        Administrative Templates
        ------------------------
            N/A

 

        Folder Redirection
        ------------------
            GPO: Folder Redirection
                Setting:  InstallationType:  basic
                    Grant Type:        Exclusive Rights
                    Move Type:         Contents of Local Directory moved
                    Policy Removal:    Redirect the folder back to user
profile
location
                    Redirecting Group: Everyone
                    Redirected Path:
\\mgt-filesrvr-01\profile$\rs85\desktop
<file:///\\mgt-filesrvr-01\profile$\rs85\desktop> 

 

            GPO: Folder Redirection
                Setting:  InstallationType:  basic
                    Grant Type:        Exclusive Rights
                    Move Type:         Contents of Local Directory moved
                    Policy Removal:    Redirect the folder back to user
profile
location
                    Redirecting Group: Everyone
                    Redirected Path:   \\mgt-filesrvr-01\profile$\rs85\my
<file:///\\mgt-filesrvr-01\profile$\rs85\my>  docume
nts\My Pictures

 

 

 

 

2nd Client

 

USER SETTINGS

--------------

    CN=lwright7,OU=Users,OU=Admin-Finance,OU=Deans
Suite,OU=Groups,DC=agt,DC=at,

DC=buzz

    Last time Group Policy was applied: 11/15/2006 at 11:37:25 AM

    Group Policy was applied from:      mgt-dc01.mgt.gt.buzz

    Group Policy slow link threshold:   500 kbps

 

    Applied Group Policy Objects

    -----------------------------

        Default Domain Policy

        Dean Suite non HR user logon scripts

        Folder Redirection

 

    The following GPOs were not applied because they were filtered out

    -------------------------------------------------------------------

         Services

            Filtering:  Not Applied (Empty)

 

        Block IE 7

            Filtering:  Not Applied (Empty)

 

        Local Group Policy

            Filtering:  Not Applied (Empty)

 

        Test Remote Administration firewall opening

            Filtering:  Not Applied (Empty)

 

    The user is a part of the following security groups:

    ----------------------------------------------------

        Domain Users

        Everyone

        Local Access

        BUILTIN\Users

        NT AUTHORITY\INTERACTIVE

        NT AUTHORITY\Authenticated Users

        LOCAL

        MGT Graduate Office

        MGT Undergraduate Office

        MGT No Public Folder Access

 

    Resultant Set Of Policies for User:

    ------------------------------------

 

        Software Installations

        ----------------------

            N/A

 

        Public Key Policies

        -------------------

            N/A

 

        Administrative Templates

        ------------------------

            N/A

 

        Folder Redirection

        ------------------

            GPO: Folder Redirection

                Setting:  InstallationType:  basic

                    Grant Type:        Exclusive Rights

                    Move Type:         Contents of Local Directory moved

                    Policy Removal:    Redirect the folder back to user
profile

location

                    Redirecting Group: Everyone

                    Redirected Path:
\\mgt-filesrvr-01\profile$\lwright7\deskt

op

 

            GPO: Folder Redirection

                Setting:  InstallationType:  basic

                    Grant Type:        Exclusive Rights

                    Move Type:         Contents of Local Directory moved

                    Policy Removal:    Redirect the folder back to user
profile

location

                    Redirecting Group: Everyone

                    Redirected Path:
\\mgt-filesrvr-01\profile$\lwright7\my do

cuments\My Pictures

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Washington, Booker
Sent: Wednesday, November 15, 2006 12:05 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

 

I don't see any userinit event erros on the client.

 

I am going to remove the link, wait about 5 or so minutes to make sure that
change replicates, and re-add the link and see what happens.

What I find as weird is that one of the users in that OU gets the policy, so
that would have me conclude that it was linked correctly.

 

I will keep the list posted as to the progress

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Wednesday, November 15, 2006 11:52 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

 

Booker-

If the GPO containing the logon script doesn't even appear in the RSOP list
as "denied", that usually means one of two things. Either the GPO is not
really linked to the hierarchy containing the users or the DC where those
users are processing the GPO hasn't replicated that GPO completely. Do you
see any "userinit" error events in the application event log on those
clients?

 

Darren

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Washington, Booker
Sent: Wednesday, November 15, 2006 8:45 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

Let me add,

 

I "believe' for all intensive purposes, they USE to get the logon script
policy, but now it does not even show as being applied.

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Washington, Booker
Sent: Wednesday, November 15, 2006 11:38 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] User not getting Logon script GPO

 

I have several users within a GPO that for SOME strange reason are not
getting a policy for a logon script

For all intensive purposes, everything that I looked at, says they should be
getting the policy

 

The policy itself has no special security filtering.

The policy is applied to the OU where the user accounts reside and they are
logon user scripts, not Computer Configuration start up scripts

When I run a rsop from the user's computer, or a modeling from within GPMC,
I don't even see the policy in the list of applied or denied policies

 

The kicker.. ONE user in the OU gets the policy, while the other 8 do not!!

 

What troubleshooting step am I missing?

 

 

 

 

Other related posts: