GPO was working, but not anymore...

[Guest]

I recently created a GPO in an OU on a Win2k DC. Initially, everything was working splendidly. In addition to the GPO, I created a VBScript to map network drives, printers, etc. Initially, I placed this file on the client machine and modified the GPO option "run this program when a user logs in" to point to the file. However, I then decided to place the file on the server, rather than having to copy it onto each client. So, I copied the file onto the server and modifed the GPO to point to this file. Since then, the GPO hasn't worked.

When I run gpresult from the client, I get the following:
The following GPOs were not applied because they were filtered out
ACNLogin
Filtering: Denied (Security)

We are using XP Pro clients and a Win2k DC in this particular domain. Also, users are logging on to the client machines using accounts from another domain, so that we don't have to recreate the user accounts in the other domain.

To my knowledge, other than the fact that I copied the script file from the XP client on to the Win2k DC, nothing else has changed. Like I said, until I copied this file and repointed the GPO, things seemed to work fine. When I realized that the GPO was no longer working, I repointed the GPO back to the script on the client, but it made no difference.

I have since tried modifying the GPO to treat this script file as a bonified "login" script (i.e., placed it in the \netlogon share, i.e.), but am still getting the same result when I run gpresult.

Any help would be most appreciated!

 

[Tim Hines [MSFT]]

The message indicates that the policy has been filtered. Check the security
settings of the GPO to make sure that the appropriate groups have access to
it. By default authenticated users have read and apply group policy.


--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

I recently created a GPO in an OU on a Win2k DC. Initially, everything

was working splendidly. In addition to the GPO, I created a VBScript to map
network drives, printers, etc. Initially, I placed this file on the client
machine and modified the GPO option "run this program when a user logs in"
to point to the file. However, I then decided to place the file on the
server, rather than having to copy it onto each client. So, I copied the
file onto the server and modifed the GPO to point to this file. Since then,
the GPO hasn't worked.

When I run gpresult from the client, I get the following:
The following GPOs were not applied because they were filtered out
ACNLogin
Filtering: Denied (Security)

We are using XP Pro clients and a Win2k DC in this particular domain.

Also, users are logging on to the client machines using accounts from
another domain, so that we don't have to recreate the user accounts in the
other domain.

To my knowledge, other than the fact that I copied the script file from

the XP client on to the Win2k DC, nothing else has changed. Like I said,
until I copied this file and repointed the GPO, things seemed to work fine.
When I realized that the GPO was no longer working, I repointed the GPO back
to the script on the client, but it made no difference.

I have since tried modifying the GPO to treat this script file as a

bonified "login" script (i.e., placed it in the \netlogon share, i.e.), but
am still getting the same result when I run gpresult.

 

[Guest]

The security settings are correct. Authenticated users have read and apply group policy...


--
Michelle Corella
Network Administrator
New Mexico State University

The message indicates that the policy has been filtered. Check the security
settings of the GPO to make sure that the appropriate groups have access to
it. By default authenticated users have read and apply group policy.


--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

I recently created a GPO in an OU on a Win2k DC. Initially, everything

was working splendidly. In addition to the GPO, I created a VBScript to map
network drives, printers, etc. Initially, I placed this file on the client
machine and modified the GPO option "run this program when a user logs in"
to point to the file. However, I then decided to place the file on the
server, rather than having to copy it onto each client. So, I copied the
file onto the server and modifed the GPO to point to this file. Since then,
the GPO hasn't worked.

When I run gpresult from the client, I get the following:
The following GPOs were not applied because they were filtered out
ACNLogin
Filtering: Denied (Security)

We are using XP Pro clients and a Win2k DC in this particular domain.

Also, users are logging on to the client machines using accounts from
another domain, so that we don't have to recreate the user accounts in the
other domain.

To my knowledge, other than the fact that I copied the script file from

the XP client on to the Win2k DC, nothing else has changed. Like I said,
until I copied this file and repointed the GPO, things seemed to work fine.
When I realized that the GPO was no longer working, I repointed the GPO back
to the script on the client, but it made no difference.

I have since tried modifying the GPO to treat this script file as a

bonified "login" script (i.e., placed it in the \netlogon share, i.e.), but
am still getting the same result when I run gpresult.

 

[Tim Hines [MSFT]]

Since the defaults are ok then there may be a deny set for an object. An
explicit deny overrides any other permissions that a group or user may have.
Based on gpresult, an object has been given an explicit deny on the ACNlogin
policy. Review the GPO permissions and determine which group has been
denied

--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

The security settings are correct. Authenticated users have read and apply group policy...


--
Michelle Corella
Network Administrator
New Mexico State University

 

[Guest]

I do have deny set for all of the administrator groups. However, Authenticated Users and Domain Users are set to read and apply group policy.


--
Michelle Corella
Network Administrator
New Mexico State University

 

[Darren Mar-Elia]

Michelle-
So if you have a user who is in one of those Administrator groups as well
as, obviously, in Authenticated Users, then the Deny will win out over any
Allows that you have for Auth. Users. Just in case you weren't taking that
into account.

--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com

I do have deny set for all of the administrator groups. However,

Authenticated Users and Domain Users are set to read and apply group policy.