[gptalk] Re: user config questions

  • From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 18 Oct 2007 08:02:21 +1000

Hi Scott,

 

I am not sure exactly what you mean, but I think the answer may lie in
LoopBack processing. It sounds like you may have Loopback processing enabled
as REPLACE on your TS OU. Of course the User modeling tool should still give
the correct answer. In these sorts of cases, I always enable verbose logging
then check out the UserEnv log to find out what is REALLY happening, rather
than what is supposed to happen. To help, I have a free tool that makes more
sense of the log. You can download it from
http://www.sysprosoft.com/policyreporter.shtml

 

You probably know all about Loopback processing, but if not it allows you to
give the user different sets of policies depending which machine they log on
to.

 

If you set loop back processing on the Machine policy in the TS OU to
REPLACE you can get two different sets of policies:- 

When User logs on to a LAB PC they will get Policies D, A

When User logs on to a TS OU they will get Policies E, A

 

If you set loop back processing on the Machine policy in the TS OU to MERGE
you can get two different sets of policies:- 

When User logs on to a LAB PC they will get Policies D, A

When User logs on to a TS OU they will get Policies D, A, E, A

 

You could of course set Loopback processing on each of the specific LAB
policies. If this was set to replace they would get C, B, A . If it was set
to merge, they would get D, A, C, B, A

 

(Note: I have shown the policies in the order that they will be applied. In
the "merge" case, the domain policy actually gets applied twice)

 

Hope this helps.

 

 Alan Cuthbertson

 

 

 Policy Management Software:-

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml

 

ADM Template Editor:-

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml

 

Policy Log Reporter(Free)

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Bean, Scott
Sent: Thursday, 18 October 2007 4:21 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] user config questions

 

First let me describe my current setup.

 

--domain.local (A)

           |----Specific OU

                            |----Labs(B)

                                       |----Specific Lab(C)

                            |----Users(D)

           |----TS OU(E)

 

 

 

At the domain.local level I have 3 Policies that affect the domain.

At the specific OU level I have nothing.

At the Labs level I have one policy.  (I have many Specific Lab OUs but am
keeping it simple - Each having its own policy due to desktop and start menu
redirection)

At the Specific Lab level I have one policy that contains user config
settings. 

 

All Users that are in the Users OU that log onto a machine in the Specific
Lab OU get the correct settings.

 

Now at the TS OU I have 2 policies.  One is Computer Config.  The other is
User Config.  Basically I need to have multiple User Configs based on
groups.  The main reason for this is that we do desktop and start menu
redirection.  The TS OU is for a group of 2003 Terminal Servers.  My user
that is in the Users (listed above) is not getting the correct user config
when logging into a Terminal Server.  If I move the user to the TS OU the
Group Policy Modeling tool shows that I should get the correct policies but
when I log on it still does not have the correct settings.  If the user is
in the Users OU and I check the Group Policy Modeling tool then the user
config policy doesn't show up under applied gpos.

 

I guess my question is will I have to block inheritance on all the Specific
Lab OUs then instead of having my user config policy on the TS OU move it to
the Users OU?  Or what exactly is the best way to do this?

 

Sorry if this is somewhat confusing.

Other related posts: