Help needed with W2K3 Group Policy not being applied at user logon

murras68

Hi,

I'm having problems with a GPO that is linked to an OU which contains a
group which has users and groups from other OU's in AD.

I am running a batch file as a logon for the user configuration part of
the GPO, the Computer part of the GPO is disabled to speed things up.
Basically the GPO will run a batch file for users associated with the
GPO linked to the OU.

The problem that is occurring is that the GPO does not seem to
process. I can run the batch file from the DOS prompt of a user's PC
which performs the required function, which is to copy a shortcut from
a network folder to the user's desktop.

When I run GPresult on the user's PC I can see that in the user
configuration the results are that the Local Policy is filtered and no
policy is applied, yet when I run the batch file from within the user
configuration part of the Default Domain GPO everything works fine. I
have checked the permissions and even used block inheritance on the OU
where the users and groups exist but still no joy.

Has anyone got any suggestions on why this is happening and how to get
this working for users as there is no computer GPO setting as it is
intended for only users to receive a desktop shortcut as they log in.

Thanks

Murras88
 
Guest

Are the user accounts who must 'receive' the login script physically located
in the OU where the GPO is linked to?

Regards,
Erik
 
murras68

Yes, the users and groups are in the OU which the GPO is linked to.

Regards

Steve
 
Guest

Some other things to check/try:
* The users/groups need "read" and "apply" permissions on the GPO
* MSKB: Scripts May Not Run Before Windows Explorer Starts Even Though the
"Run Logon Scripts Synchronously" Setting is Enabled
(http://support.microsoft.com/default.aspx?scid=kb;en-us;304970)

You could also try the RSoP (Resultant Set of Policy) mmc, which has a better
GUI and also contains a planning mode, so you can "test" what a result of a
policy would/should be of your GPO assigned to a user.

An even better tool is the Group Policy Management Console:
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
This tool provides a more user-friendly and easier-to-use method to
troubleshoot and plan group policies.

Regards,

Erik
 
murras68

Hi Erik,

Thanks for the reply but I still have the same problem.

The GPO works when it is part of the Default Domain GPO but not when it
is linked further down to an OU that is within another OU.

I have run GPresult and RSoP and it shows that the local policy is
being filtered out but does not say what policy is filtering it out.

If you have any more ideas I would greatly welcome them.

Thanks

Steve
 
Mark Heitbrink [MVP]

Hi,
> The GPO works when it is part of the Default Domain GPO but not when it
> is linked further down to an OU that is within another OU.

- your User/Computer is not part of the OU where you linked
the GPO, the target is not inside the scope of the GPO.
or
- you worked with DSACLs on the GPO, e.g. you removed Auth. Users
or
- you worked with block inheritance on an OU or force on GPO and
the settings are overwritten.

Mark
 
Guest

Could you give me a little more info about the OU structure, depth, contents,
where GPOs are linked, with or without 'no override' or 'block inheritance'
and what settings you want to have enforced on the user/workstation?
 
murras68

Hi Erik,

The structure is

Domain > Directorate OU > 6 OU's based on Departments and 1 OU called
Folder Access containing the group called Folder Access Group which has
members from the 6 Department OU's.

The GPO is linked to OU called Folder Access containing the group
called Folder Access Group.

Regards
 
Guest

In your current description the OU 'Folder Access' does not seem to contain
the actual user objects, but only a Security Group.

* Where are the User objects located? If they are not in the 'Folder Access'
OU the GPO will not apply to the users.
* How are the ACL's for the GPO configured?
 
Mark Heitbrink [MVP]

Hi,
> Domain > Directorate OU > 6 OU's based on Departments and 1 OU called
> Folder Access containing the group called Folder Access Group which has
> members from the 6 Department OU's.

Group Policies, even if they are called "Group", cannot be applied
to Security Groups. There is no target (user or computer object)
in your scope.
You have to move the users to the OU where you linked the GPO.
Security groups can only be used for filtering.

If you link the GPO to a higher level, and "all" your users would be
involved, then you can use the security group to filter who is able
to "read" and "apply" the GPO.

Mark
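
The scoping rule described in the reply above, as an added example that is not part of the original thread: a simplified Python model of which GPOs a user processes, given where the user object lives, where GPOs are linked and who has Read + Apply. The domain name, the user name and the GPO name "Desktop Shortcut" are constructed; block inheritance, enforced links, sites and WMI filters are left out.

```python
# Added illustration: simplified model of Group Policy scope for a user.
# All DNs, the user name and the GPO names are constructed sample data.
DOMAIN = "DC=example,DC=local"
DIRECTORATE = "OU=Directorate," + DOMAIN
FOLDER_ACCESS = "OU=Folder Access," + DIRECTORATE
USERS = "OU=Users," + DIRECTORATE

def som_chain(object_dn):
    """Containers whose GPO links are in scope for an object, domain first.

    Assumes RDN values contain no escaped commas.
    """
    rdns = object_dn.split(",")[1:]  # drop the object's own RDN
    first_dc = next(i for i, r in enumerate(rdns) if r.upper().startswith("DC="))
    return [",".join(rdns[i:]) for i in range(first_dc, -1, -1)]

def applied_gpos(user_dn, user_groups, links, apply_acl):
    """GPOs a user processes: linked on the user's own container chain AND
    granted Read + Apply to the user through security filtering."""
    trustees = set(user_groups) | {"Authenticated Users"}
    result = []
    for container in som_chain(user_dn):
        for gpo in links.get(container, []):
            if apply_acl.get(gpo, set()) & trustees:
                result.append(gpo)
    return result

STEVE = "CN=steve," + USERS        # the user object lives in OU=Users
GROUPS = ["Folder Access Group"]   # group membership does not move the user
ACL = {"Default Domain Policy": {"Authenticated Users"},
       "Desktop Shortcut": {"Folder Access Group"}}

def thread_layout():
    """GPO linked to the OU that holds only the security group."""
    links = {DOMAIN: ["Default Domain Policy"], FOLDER_ACCESS: ["Desktop Shortcut"]}
    return applied_gpos(STEVE, GROUPS, links, ACL)

def linked_higher_and_filtered():
    """GPO linked at Directorate and filtered to the group."""
    links = {DOMAIN: ["Default Domain Policy"], DIRECTORATE: ["Desktop Shortcut"]}
    return applied_gpos(STEVE, GROUPS, links, ACL)

if __name__ == "__main__":
    print(thread_layout())
    print(linked_higher_and_filtered())
```

In the first layout the user's container chain never passes through the Folder Access OU, so the link is out of scope even though the ACL would allow it.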
 
murras68

Hi Mark,

The users are located within another OU called users.

I will change my settings and let you know the outcome.

Thanks for replying.

Steve
 
Mark Heitbrink [MVP]

Hi,
> The users are located within another OU called users.

And this is your problem, we mentioned.
Just move the users to the OU and everything will be alright.

Mark
 