Good spotting Omar--this is one of the irritating things about GPMC--not showing the Deny filters. Although RSOP should report a GPO that is denied via sec. group filtering. Darren _____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Omar Droubi Sent: Wednesday, November 15, 2006 10:16 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: User not getting Logon script GPO The 2nd client is not a member of the "MGT Dean's Suite" security group and he apparently gets the policy. Does your policy have any filtering enabled? If you are using GPMC it will only show the group that the policy is being applied to example "Authenticated Users." If a group is denied policy it will not show in GPMC. You will need to edit the policy to open it in a different window and then at the top of the window select and right click the policy and review the entire ACL in the Security tab to see if there are any groups that are getting denied the policy. Omar _____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Washington, Booker Sent: Wednesday, November 15, 2006 9:33 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: User not getting Logon script GPO Ok, I reapplied the GPO, but to no avail. I will provide a snippet of the rsop from the two clients. One that is not getting the GPO first, and the 2nd snippet from the client that is. The only outright difference I see is that one DC2 is applying the policy to the first computer and DC1 is applying the policy to the 2nd computer. Even though it may smell of replication, these polices have not been changed for "months", at least the "Dean Suite non HR user logon scripts" GPO. First client USER SETTINGS -------------- CN=rs85,OU=Users,OU=Admin-Finance,OU=Deans Suite,OU=Groups,DC=agt,DC=at,DC=b uzz Last time Group Policy was applied: 11/15/2006 at 12:15:59 PM Group Policy was applied from: mgt-dc02.mgt.gt.buzz Group Policy slow link threshold: 500 kbps Applied Group Policy Objects ----------------------------- Default Domain Policy Folder Redirection The following GPOs were not applied because they were filtered out ------------------------------------------------------------------- Local Group Policy Filtering: Not Applied (Empty) Services Filtering: Not Applied (Empty) Test Remote Administration firewall opening Filtering: Not Applied (Empty) Block IE 7 Filtering: Not Applied (Empty) The user is a part of the following security groups: ---------------------------------------------------- Domain Users Everyone Local Access BUILTIN\Users NT AUTHORITY\INTERACTIVE NT AUTHORITY\Authenticated Users LOCAL MGT Accounting MGT No Public Folder Access MGT Dean's Suite Resultant Set Of Policies for User: ------------------------------------ Software Installations ---------------------- N/A Public Key Policies ------------------- N/A Administrative Templates ------------------------ N/A Folder Redirection ------------------ GPO: Folder Redirection Setting: InstallationType: basic Grant Type: Exclusive Rights Move Type: Contents of Local Directory moved Policy Removal: Redirect the folder back to user profile location Redirecting Group: Everyone Redirected Path: \\mgt-filesrvr-01\profile$\rs85\desktop <file:///\\mgt-filesrvr-01\profile$\rs85\desktop> GPO: Folder Redirection Setting: InstallationType: basic Grant Type: Exclusive Rights Move Type: Contents of Local Directory moved Policy Removal: Redirect the folder back to user profile location Redirecting Group: Everyone Redirected Path: \\mgt-filesrvr-01\profile$\rs85\my <file:///\\mgt-filesrvr-01\profile$\rs85\my> docume nts\My Pictures 2nd Client USER SETTINGS -------------- CN=lwright7,OU=Users,OU=Admin-Finance,OU=Deans Suite,OU=Groups,DC=agt,DC=at, DC=buzz Last time Group Policy was applied: 11/15/2006 at 11:37:25 AM Group Policy was applied from: mgt-dc01.mgt.gt.buzz Group Policy slow link threshold: 500 kbps Applied Group Policy Objects ----------------------------- Default Domain Policy Dean Suite non HR user logon scripts Folder Redirection The following GPOs were not applied because they were filtered out ------------------------------------------------------------------- Services Filtering: Not Applied (Empty) Block IE 7 Filtering: Not Applied (Empty) Local Group Policy Filtering: Not Applied (Empty) Test Remote Administration firewall opening Filtering: Not Applied (Empty) The user is a part of the following security groups: ---------------------------------------------------- Domain Users Everyone Local Access BUILTIN\Users NT AUTHORITY\INTERACTIVE NT AUTHORITY\Authenticated Users LOCAL MGT Graduate Office MGT Undergraduate Office MGT No Public Folder Access Resultant Set Of Policies for User: ------------------------------------ Software Installations ---------------------- N/A Public Key Policies ------------------- N/A Administrative Templates ------------------------ N/A Folder Redirection ------------------ GPO: Folder Redirection Setting: InstallationType: basic Grant Type: Exclusive Rights Move Type: Contents of Local Directory moved Policy Removal: Redirect the folder back to user profile location Redirecting Group: Everyone Redirected Path: \\mgt-filesrvr-01\profile$\lwright7\deskt op GPO: Folder Redirection Setting: InstallationType: basic Grant Type: Exclusive Rights Move Type: Contents of Local Directory moved Policy Removal: Redirect the folder back to user profile location Redirecting Group: Everyone Redirected Path: \\mgt-filesrvr-01\profile$\lwright7\my do cuments\My Pictures _____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Washington, Booker Sent: Wednesday, November 15, 2006 12:05 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: User not getting Logon script GPO I don't see any userinit event erros on the client. I am going to remove the link, wait about 5 or so minutes to make sure that change replicates, and re-add the link and see what happens. What I find as weird is that one of the users in that OU gets the policy, so that would have me conclude that it was linked correctly. I will keep the list posted as to the progress _____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Wednesday, November 15, 2006 11:52 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: User not getting Logon script GPO Booker- If the GPO containing the logon script doesn't even appear in the RSOP list as "denied", that usually means one of two things. Either the GPO is not really linked to the hierarchy containing the users or the DC where those users are processing the GPO hasn't replicated that GPO completely. Do you see any "userinit" error events in the application event log on those clients? Darren _____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Washington, Booker Sent: Wednesday, November 15, 2006 8:45 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: User not getting Logon script GPO Let me add, I "believe' for all intensive purposes, they USE to get the logon script policy, but now it does not even show as being applied. _____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Washington, Booker Sent: Wednesday, November 15, 2006 11:38 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] User not getting Logon script GPO I have several users within a GPO that for SOME strange reason are not getting a policy for a logon script For all intensive purposes, everything that I looked at, says they should be getting the policy The policy itself has no special security filtering. The policy is applied to the OU where the user accounts reside and they are logon user scripts, not Computer Configuration start up scripts When I run a rsop from the user's computer, or a modeling from within GPMC, I don't even see the policy in the list of applied or denied policies The kicker.. ONE user in the OU gets the policy, while the other 8 do not!! What troubleshooting step am I missing?