[gptalk] Re: User not getting Logon script GPO

From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
To: <gptalk@xxxxxxxxxxxxx>
Date: Wed, 15 Nov 2006 10:15:36 -0800
The 2nd client is not a member of the "MGT Dean's Suite" security group and
he apparently gets the policy. 

 

Does your policy have any filtering enabled? If you are using GPMC it will
only show the group that the policy is being applied to example
"Authenticated Users."

 

If a group is denied policy it will not show in GPMC. You will need to edit
the policy to open it in a different window and then at the top of the
window select and right click the policy and review the entire ACL in the
Security tab to see if there are any groups that are getting denied the
policy.

 

 

Omar

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Washington, Booker
Sent: Wednesday, November 15, 2006 9:33 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

 

Ok, I reapplied the GPO, but to no avail.

 

 I will provide a snippet of the rsop from the two clients.  One that is not
getting the GPO first, and the 2nd snippet from the client that is.  The
only outright difference I see is that one DC2 is applying the policy to the
first computer and DC1 is applying the policy to the 2nd computer.  Even
though it may smell of replication, these polices have not been changed for
"months", at least the "Dean Suite non HR user logon scripts" GPO.

 

 

 

First client

 

USER SETTINGS
--------------
    CN=rs85,OU=Users,OU=Admin-Finance,OU=Deans
Suite,OU=Groups,DC=agt,DC=at,DC=b
uzz
    Last time Group Policy was applied: 11/15/2006 at 12:15:59 PM
    Group Policy was applied from:      mgt-dc02.mgt.gt.buzz
    Group Policy slow link threshold:   500 kbps

 

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Folder Redirection

 

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

 

         Services
            Filtering:  Not Applied (Empty)

 

        Test Remote Administration firewall opening
            Filtering:  Not Applied (Empty)

 

        Block IE 7
            Filtering:  Not Applied (Empty)

 

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        Local Access
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        MGT Accounting
        MGT No Public Folder Access
        MGT Dean's Suite

 

    Resultant Set Of Policies for User:
    ------------------------------------

 

        Software Installations
        ----------------------
            N/A

 

        Public Key Policies
        -------------------
            N/A

 

        Administrative Templates
        ------------------------
            N/A

 

        Folder Redirection
        ------------------
            GPO: Folder Redirection
                Setting:  InstallationType:  basic
                    Grant Type:        Exclusive Rights
                    Move Type:         Contents of Local Directory moved
                    Policy Removal:    Redirect the folder back to user
profile
location
                    Redirecting Group: Everyone
                    Redirected Path:
\\mgt-filesrvr-01\profile$\rs85\desktop
<file:///\\mgt-filesrvr-01\profile$\rs85\desktop> 

 

            GPO: Folder Redirection
                Setting:  InstallationType:  basic
                    Grant Type:        Exclusive Rights
                    Move Type:         Contents of Local Directory moved
                    Policy Removal:    Redirect the folder back to user
profile
location
                    Redirecting Group: Everyone
                    Redirected Path:   \\mgt-filesrvr-01\profile$\rs85\my
<file:///\\mgt-filesrvr-01\profile$\rs85\my>  docume
nts\My Pictures

 

 

 

 

2nd Client

 

USER SETTINGS

--------------

    CN=lwright7,OU=Users,OU=Admin-Finance,OU=Deans
Suite,OU=Groups,DC=agt,DC=at,

DC=buzz

    Last time Group Policy was applied: 11/15/2006 at 11:37:25 AM

    Group Policy was applied from:      mgt-dc01.mgt.gt.buzz

    Group Policy slow link threshold:   500 kbps

 

    Applied Group Policy Objects

    -----------------------------

        Default Domain Policy

        Dean Suite non HR user logon scripts

        Folder Redirection

 

    The following GPOs were not applied because they were filtered out

    -------------------------------------------------------------------

         Services

            Filtering:  Not Applied (Empty)

 

        Block IE 7

            Filtering:  Not Applied (Empty)

 

        Local Group Policy

            Filtering:  Not Applied (Empty)

 

        Test Remote Administration firewall opening

            Filtering:  Not Applied (Empty)

 

    The user is a part of the following security groups:

    ----------------------------------------------------

        Domain Users

        Everyone

        Local Access

        BUILTIN\Users

        NT AUTHORITY\INTERACTIVE

        NT AUTHORITY\Authenticated Users

        LOCAL

        MGT Graduate Office

        MGT Undergraduate Office

        MGT No Public Folder Access

 

    Resultant Set Of Policies for User:

    ------------------------------------

 

        Software Installations

        ----------------------

            N/A

 

        Public Key Policies

        -------------------

            N/A

 

        Administrative Templates

        ------------------------

            N/A

 

        Folder Redirection

        ------------------

            GPO: Folder Redirection

                Setting:  InstallationType:  basic

                    Grant Type:        Exclusive Rights

                    Move Type:         Contents of Local Directory moved

                    Policy Removal:    Redirect the folder back to user
profile

location

                    Redirecting Group: Everyone

                    Redirected Path:
\\mgt-filesrvr-01\profile$\lwright7\deskt

op

 

            GPO: Folder Redirection

                Setting:  InstallationType:  basic

                    Grant Type:        Exclusive Rights

                    Move Type:         Contents of Local Directory moved

                    Policy Removal:    Redirect the folder back to user
profile

location

                    Redirecting Group: Everyone

                    Redirected Path:
\\mgt-filesrvr-01\profile$\lwright7\my do

cuments\My Pictures

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Washington, Booker
Sent: Wednesday, November 15, 2006 12:05 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

 

I don't see any userinit event erros on the client.

 

I am going to remove the link, wait about 5 or so minutes to make sure that
change replicates, and re-add the link and see what happens.

What I find as weird is that one of the users in that OU gets the policy, so
that would have me conclude that it was linked correctly.

 

I will keep the list posted as to the progress

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Wednesday, November 15, 2006 11:52 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

 

Booker-

If the GPO containing the logon script doesn't even appear in the RSOP list
as "denied", that usually means one of two things. Either the GPO is not
really linked to the hierarchy containing the users or the DC where those
users are processing the GPO hasn't replicated that GPO completely. Do you
see any "userinit" error events in the application event log on those
clients?

 

Darren

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Washington, Booker
Sent: Wednesday, November 15, 2006 8:45 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

Let me add,

 

I "believe' for all intensive purposes, they USE to get the logon script
policy, but now it does not even show as being applied.

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Washington, Booker
Sent: Wednesday, November 15, 2006 11:38 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] User not getting Logon script GPO

 

I have several users within a GPO that for SOME strange reason are not
getting a policy for a logon script

For all intensive purposes, everything that I looked at, says they should be
getting the policy

 

The policy itself has no special security filtering.

The policy is applied to the OU where the user accounts reside and they are
logon user scripts, not Computer Configuration start up scripts

When I run a rsop from the user's computer, or a modeling from within GPMC,
I don't even see the policy in the list of applied or denied policies

 

The kicker.. ONE user in the OU gets the policy, while the other 8 do not!!

 

What troubleshooting step am I missing?
Follow-Ups:

[gptalk] Re: User not getting Logon script GPO
From: Washington, Booker

[gptalk] Re: User not getting Logon script GPO
From: Darren Mar-Elia
References:
- [gptalk] Re: User not getting Logon script GPO
  - From: Washington, Booker
[gptalk] Re: User not getting Logon script GPO

Other related posts:
