GPO issues....

Netstudent Member Posts: 1,693
Okay so I am in the process of rebuilding a couple of policies. Right now I have a Terminal Server policy that is linked to a Terminal Server OU. In this OU there are 2 computer objects and a Global Security group named TS users. In the GPO I have various computer settings for the termservs and user settings for the TS users security group.

Yesterday when I started this, I moved the TS user group from one OU that had no GPO applied to it, to the Termserv OU that has the termserv GPO. When I first did that, everything was working great. I have test accounts that are in the TS user group and I use those to test RSOP. Well when I logged in with this test account, it was locked down. So everything was great.

Then when I got home I VPN'ed into work to tweak it a little more, and when I logged in as a test account on the terminal server, none of the policies were applied. I did a gpupdate then a gpresult and the GPO was not listed in the output. I have no idea why. One minute it was working and a couple of hours later it wasn't.

Then I took the test user out of the TS user group and put the user account as a leaf object in the Termserv OU. I left the TS user group in the OU.

Now when I log in with the account that is now a leaf object, it works and the GPO is applied. When I log in with another test account that is still in the TS user group, it does not work.

The only other GPO that is applied to the TS user group is a default domain policy that propagates down the whole tree. The TS user group is a member of the All Employees group.

In the security filter pane in the GPO management snap-in, I have TS users, Authenticated users and Domain Admins listed in the filter. Authenticated users and TS users have the Read and Apply Group Policy permissions allowed. I do not want Domain Admins affected by these policies, only TS users.

I know this is a lot to take in, but does anyone have any ideas? Any MCSEs out there? Why does the user leaf object work, but the users in the TS users global security group not work? Thanks in advance.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!

Comments

  • sprkymrk Member Posts: 4,884
    Group Policy cannot be applied to groups at all. Only user objects and computer objects.
    You can filter on groups with permissions, but the GPO itself cannot be applied to a group object.

    I didn't notice your mention of groups in your PM - sorry.
    All things are possible, only believe.
  • dtlokee Member Posts: 2,378
    You're trying to apply group policy to a security group and have it inherited to the members of the group? Even though the name says "group policy" it has nothing to do with groups. You need to place the users in the OU or link the GPO to the OU that the users reside in to apply the GPO.

    GPOs can be applied to Sites, Domains and Organizational Units, not to groups, and they are not inherited through a group like permissions are.
    The only easy day was yesterday!
  • Netstudent Member Posts: 1,693
    Okay thanks. That's strange that it had the desired results at first. Dang, I think I need to go back to the books on GPOs.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • dtlokee Member Posts: 2,378
    GPO settings will remain on the local computer (in the registry) until there is another GPO applied to remove them. This can sometimes result in erratic results when applying GPOs to users, because if a user with no GPOs applied to their account logs onto a computer where someone else has logged on with a GPO that removes the "Run" option from the Start menu, the user with no GPO applied will not have the Run option either, because that policy is still enforced in the local registry.
    The only easy day was yesterday!
  • Netstudent Member Posts: 1,693
    hmmm.....Interesting

    Derek, is there anything you don't know? Thanks again.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • shednik Member Posts: 2,005
    Netstudent wrote:
    hmmm.....Interesting

    Derek, is there anything you don't know? Thanks again.

    I know, seriously dt :D
  • sprkymrk Member Posts: 4,884
    Microsoft claims that as long as the policies you set are stored in one of four approved registry locations they are not persistent, in that when you remove the GPO that applied the policy, they revert to a default state. These are called true policy settings, as opposed to preferences. The locations are:

    HKEY_LOCAL_MACHINE\SOFTWARE\policies (preferred location)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
    HKEY_CURRENT_USER\SOFTWARE\policies (preferred location)
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

    They also claim that everything displayed in the GPMC under Administrative Templates is a true policy setting; however, I have not seen this to be entirely true, especially with regard to IE settings.
    All things are possible, only believe.
  • dtlokee Member Posts: 2,378
    Sprkymrk is your resident expert in all things Microsoft, I just throw in my 2 cents when I know the answer :) Other than that I shut up and watch.
    The only easy day was yesterday!
  • sprkymrk Member Posts: 4,884
    dtlokee wrote:
    Sprkymrk is your resident expert in all things Microsoft, I just throw in my 2 cents when I know the answer :) Other than that I shut up and watch.

    I take all the help I can get, heaven knows I need it. I've been wrong many times. Please chime in whenever you feel like it. I learn new stuff every day around here. Nice to see the Cisco guys over here once in a while anyway. :)
    All things are possible, only believe.
  • shednik Member Posts: 2,005
    Like you said Mark, MS kinda grows on you like a fungus :D but I still like Cisco better
  • Netstudent Member Posts: 1,693
    I appreciate the input guys.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • dynamik Banned Posts: 12,312
    sprkymrk wrote:
    I learn new stuff every day around here.

    This is really what drives me to be so active here. I handle the IT responsibilities for a small business with just under 30 employees. I only apply a small percentage of what I've learned on a daily basis, and I'm afraid that I will slowly lose the rest of that knowledge over time. Participating in more complex discussions on this site makes me feel like I am in a larger enterprise environment and helps solidify what I've learned.
  • dtlokee Member Posts: 2,378
    dynamik wrote:
    sprkymrk wrote:
    I learn new stuff every day around here.

    This is really what drives me to be so active here. I handle the IT responsibilities for a small business with just under 30 employees. I only apply a small percentage of what I've learned on a daily basis, and I'm afraid that I will slowly lose the rest of that knowledge over time. Participating in more complex discussions on this site makes me feel like I am in a larger enterprise environment and helps solidify what I've learned.

    I agree. It's like playing tennis: you only get better playing with people who are above your skill level :)
    The only easy day was yesterday!
  • sprkymrk Member Posts: 4,884
    shednik wrote:
    Like you said Mark, MS kinda grows on you like a fungus :D but I still like Cisco better

    I like MS, Linux, and Cisco. On any given day my order of preference varies.
    All things are possible, only believe.
  • Mishra Member Posts: 2,468
    dynamik wrote:
    sprkymrk wrote:
    I learn new stuff every day around here.

    This is really what drives me to be so active here. I handle the IT responsibilities for a small business with just under 30 employees. I only apply a small percentage of what I've learned on a daily basis, and I'm afraid that I will slowly lose the rest of that knowledge over time. Participating in more complex discussions on this site makes me feel like I am in a larger enterprise environment and helps solidify what I've learned.

    Or you are just a giant nerd. ;)

    I'm pretty sure most of the people who try to help others do it to help them stay on top of the game.

    I enjoy MS, Linux and Cisco as well... Now we just need people asking Linux questions more often, as I'm pretty good with it too, but I can't manage it in my new job so those skills will fade away over time.
    My blog http://www.calegp.com

    You may learn something!
  • dynamik Banned Posts: 12,312
    Mishra wrote:
    Or you are just a giant nerd. ;)

    Actually, I have no friends and really low self-esteem. I just participate to obtain some low level of validation.

    <- Psych Major
  • dtlokee Member Posts: 2,378
    dynamik wrote:
    Mishra wrote:
    Or you are just a giant nerd. ;)

    Actually, I have no friends and really low self-esteem. I just participate to obtain some low level of validation.

    <- Psych Major

    In that case I would start looking for a tall building... ;)
    The only easy day was yesterday!
  • paintb4707 Member Posts: 420
    dtlokee wrote:
    You're trying to apply group policy to a security group and have it inherited to the members of the group? Even though the name says "group policy" it has nothing to do with groups. You need to place the users in the OU or link the GPO to the OU that the users reside in to apply the GPO.

    GPOs can be applied to Sites, Domains and Organizational Units, not to groups, and they are not inherited through a group like permissions are.

    Are you sure? I created a group policy that applies to a security group of users and computers. The GPO is linked to the root domain and no OU in particular. The GPO has applied for everyone.

    I've also done it in a test environment and proved that it did work.
  • sprkymrk Member Posts: 4,884
    paintb4707 wrote:
    dtlokee wrote:
    You're trying to apply group policy to a security group and have it inherited to the members of the group? Even though the name says "group policy" it has nothing to do with groups. You need to place the users in the OU or link the GPO to the OU that the users reside in to apply the GPO.

    GPOs can be applied to Sites, Domains and Organizational Units, not to groups, and they are not inherited through a group like permissions are.

    Are you sure? I created a group policy that applies to a security group of users and computers. The GPO is linked to the root domain and no OU in particular. The GPO has applied for everyone.

    I've also done it in a test environment and proved that it did work.

    Your GPO is being applied to users and computers because you have applied the GPO to the domain. It is not being specifically applied to groups.

    Try this: create a test GPO that does something obvious, like changing the wallpaper. Then create a test OU, call it whatever you like, say "WPTest". Now, place ONLY groups in that OU. You'll see that when you log in as a member of that group, it won't change the wallpaper. Add a USER to that OU, log in as that user, and voila, wallpaper!
    All things are possible, only believe.
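The distinction the thread settles on (GPO links follow the OU chain above the user object; groups only matter for the Apply Group Policy filter) can be checked per account from a domain-joined admin box. The script below is an added example, not from any poster; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and uses a placeholder account name. It ignores WMI filters, loopback, Enforced and Block Inheritance, and only models the two factors this thread discusses.

```powershell
# Added example (not from the thread): for one user, list every GPO linked in
# the scope of management ABOVE THE USER OBJECT and say whether the Apply
# Group Policy filter lets the user's token through. Assumes RSAT modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoReachability {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    # SIDs the logon token carries: the user, every group (nested included)
    # and Authenticated Users (S-1-5-11). Security filtering is matched
    # against these; this is the ONLY place group membership enters.
    $tokenSids = @($user.SID.Value, 'S-1-5-11') +
        @(Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object { $_.SID.Value })

    # Scope of management is the container chain above the USER object.
    # Where a group object lives has no effect on its members.
    $parentDn = $user.DistinguishedName.Substring($user.DistinguishedName.IndexOf(',') + 1)
    # Get-GPInheritance accepts an OU or the domain only; a user sitting in a
    # plain container such as CN=Users receives domain-linked GPOs only.
    $som = if ($parentDn -like 'OU=*') { $parentDn } else { (Get-ADDomain).DistinguishedName }

    foreach ($link in (Get-GPInheritance -Target $som).InheritedGpoLinks) {
        $perms = Get-GPPermission -Guid $link.GpoId -All
        $applyGrant = @($perms | Where-Object {
            $_.Permission -eq 'GpoApply' -and -not $_.Denied -and
            $tokenSids -contains $_.Trustee.Sid.Value })
        $applyDeny = @($perms | Where-Object {
            $_.Permission -eq 'GpoApply' -and $_.Denied -and
            $tokenSids -contains $_.Trustee.Sid.Value })

        $reason = if (-not $link.Enabled) { 'link disabled' }
                  elseif ($applyDeny.Count) { "Apply denied to $($applyDeny[0].Trustee.Name)" }
                  elseif (-not $applyGrant.Count) { 'no trustee with Apply Group Policy matches the token' }
                  else { "Apply granted via $($applyGrant[0].Trustee.Name)" }

        [pscustomobject]@{
            Gpo      = $link.DisplayName
            LinkedTo = $link.Target
            Applies  = [bool]($link.Enabled -and $applyGrant.Count -and -not $applyDeny.Count)
            Reason   = $reason
        }
    }
}

# Placeholder account name (constructed): a test user in the TS users group.
Get-GpoReachability -SamAccountName 'tstest1' | Format-Table -AutoSize
```

Run it for the account that sits as a leaf in the Terminal Server OU and for one that is only a member of the group: the first lists the Terminal Server GPO, the second does not, because its parent container never reaches that link.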
  • Netstudent Member Posts: 1,693
    Ya... thanks to these guys, I was able to knock the rust off a little quicker. I got the exact results I was looking for by putting user objects in the OU instead of the Terminal Server users group. It took a little strategy to get everything right.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!