Group Policy Losing its marbles...

Guest

All,
I am stumped here...
I have 7 computers in a Training OU that are for student use: 5 in our lab and 2 at our counter.
I have three policies defined for that OU and I have Block Inheritance turned on, with all three set to be enforced and the training user mentioned below added so it can read them implicitly along with Authenticated Users.

1) Rename Administrator (Computer Policy) <- Renames Administrator
2) Automatic Logon (Computer Policy) <- Automatically logs onto the PC with a user called kent\training, which I created under our REGISTRARS OU
3) Training Machine Policy (User Policy) <- Locks the machine down for web access only, no drive access, etc...

This was previously working fine; however, something has changed and I am not sure what, because only 1 and 2 are applying.
When I run a Resultant Set of Policy on the training PCs, under the computer properties I see all three listed; however, under user properties none of the three are listed, and instead I see the ones from the OU one level above (which is also where the training user resides), which include a Firewall setting, Folder Redirection and others.

I have Block Inheritance on, and it seems to work with the computer settings, but it is not working with the user settings? (It is allowing upper policies (none non-blocking) to apply.)
Any idea how I can get the third policy to reapply itself?

Thanks,
Nathan
 
Ryan Hanisco

The user is in the parent OU and so does not fall under the scope of the user policy applied to the child OU. You should be able to move that user to the child OU and get the user policies to apply. Try that to test -- do a secedit to refresh the policy.

The user policy is applying to the computers... it just doesn't do anything to the computer object.

I would suggest moving the user object OR moving the GPO to the parent folder and doing GPO filtering to make it apply only to that user.
 
Cary Shultz [A.D. MVP]

Looks like Ryan is going to address the issues that you are having with the current setup. I might have an alternative suggestion on how you could do things.

Have you thought about using a lockdown GPO? Most likely in Replace mode....

You would simply put the computer account objects in the test OU and link the GPO to that OU. This way it does not matter who logs on to those computers - they will be in lockdown mode. Naturally, you would set it up so that the Domain Admins (or whatever) would not be affected by this lockdown GPO!

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
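The lockdown approach Cary describes (a GPO linked to the OU holding the computer accounts, user settings applied through loopback processing in Replace mode, administrators exempted by security filtering) can be built with the GroupPolicy and ActiveDirectory PowerShell modules on a modern domain controller. This is an added example, not code from the thread or from either poster; the OU distinguished name, GPO name and the sample drive-hiding setting are placeholders for this scenario.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Placeholders for this example: adjust to the real OU and naming conventions.
$gpoName   = 'Training Lockdown'
$targetOu  = 'OU=Training,DC=kent,DC=local'   # hypothetical DN of the Training OU
$exemptGrp = 'Domain Admins'                  # group that must NOT be locked down

# 1. Create the lockdown GPO and link it (enforced) to the OU that holds the
#    computer accounts. Because of loopback, the user's own OU no longer matters.
$gpo = New-GPO -Name $gpoName -Comment 'Kiosk lockdown for training PCs; loopback Replace'
New-GPLink -Guid $gpo.Id -Target $targetOu -LinkEnabled Yes -Enforced Yes | Out-Null

# 2. Loopback processing, Replace mode. This is the registry value behind
#    Computer Configuration > Administrative Templates > System > Group Policy >
#    "Configure user Group Policy loopback processing mode" (1 = Merge, 2 = Replace).
Set-GPRegistryValue -Guid $gpo.Id `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. One sample user-side lockdown setting carried by the same GPO:
#    hide all 26 drive letters in Explorer (bitmask A: .. Z:).
Set-GPRegistryValue -Guid $gpo.Id `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDrives' -Type DWord -Value 0x3FFFFFF | Out-Null

# 4. Exempt administrators with a Deny on the "Apply Group Policy" extended right.
#    Set-GPPermission cannot write Deny entries, so the ACE is added directly to the
#    GPO's groupPolicyContainer object through the AD: drive.
$applyGpRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy right
$domainDn     = (Get-ADDomain).DistinguishedName
$gpcPath      = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
$acl = Get-Acl -Path $gpcPath
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (Get-ADGroup $exemptGrp).SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpRight)
$acl.AddAccessRule($ace)
Set-Acl -Path $gpcPath -AclObject $acl

# 5. Review the resulting filtering; the exempt group should show Denied = True.
Get-GPPermission -Guid $gpo.Id -All | Format-Table Trustee, Permission, Denied -AutoSize
```

After a `gpupdate /force` and re-logon on a training PC, `gpresult /r` (or RSoP) should list the lockdown GPO under User Settings for any non-admin account, whatever OU that account lives in.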