Need help with multiple GPOs

Graham Prentice

Hi we have several OUs with computer objects in each OU.
Top---OU#1--GPO#1
---OU
---OU---OU#2--GPO#2---OU#3---GPO#3
When a user logs into a computer in OU#1 we would like the GPO#1 to apply.
For this we set GPO loopback processing mode to 'merge'
Farther down the tree branches we have another OU with computer objects
which we would like to override the GPO#1 with GPO#2.
It seems GPO#1 likes to take effect even on OU#2.
I've tried setting GPO#2 loopback processing to 'replace' but still not
working.
The users log into either OU, so user placement is in the default 'Users'
OU.
What's strange is that it did seem to work a while back, but now it's not.
GPO#3 seems ok.
Unfortunately things are locked down a bit and access to the cmd prompt by
user is blocked by GPO.
Any ideas?
Thanks, Graham
 
ptwilliams

The first thing to ascertain is what policies are winning in the application
stakes. By default, unless no override is configured on a higher linked
GPO.

If you have some XP boxes, run the Resultant Set of Policy tool either as
the logged on user, or if things are tied down too much, logon as
administrator and run the RSoP and select the user you want.

You need to see both the user and computer policy, especially when utilising
loopback processing.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

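Paul's advice is to find out which policies are actually winning by reading the Resultant Set of Policy for both the computer and the user node. The script below is an added example (not from the thread or from Paul): it collects RSoP for a target user from an elevated session and prints every GPO from both nodes with its filtering verdict, which is the view needed when loopback is on, because the user-node GPOs then come from wherever the computer object sits. It assumes a Windows Vista/2008-or-later box (gpresult /x), a local administrator session, and that the user name and report path are placeholders; element names are the ones gpresult writes in its RSoP XML. On the XP-era machines in the thread, where /x does not exist, the same information is shown by `gpresult /v` or the rsop.msc snap-in.

```powershell
# Added example, not from the thread. Gathers RSoP for a target user from an
# elevated session and lists every GPO in both the computer and user nodes
# with its filtering verdict. Assumes Windows Vista/2008 or later (gpresult /x)
# and a local administrator session; $UserName and $ReportPath are placeholders.
$UserName   = 'CONTOSO\gprentice'                 # placeholder: logged-on user to inspect
$ReportPath = Join-Path $env:TEMP 'rsop.xml'

# /user targets another logged-on user's policy data, /x writes XML, /f overwrites.
# With no /scope switch both the computer and user results are included.
& gpresult.exe /user $UserName /x $ReportPath /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }

[xml]$rsop = Get-Content -Path $ReportPath -Raw

function Get-GpoVerdict {
    param($GpoNode, [string]$Scope)
    # Element names follow gpresult's RSoP XML schema; booleans arrive as strings.
    $links  = @($GpoNode.Link | ForEach-Object { $_.SOMPath }) -join '; '
    $reason = if ($GpoNode.AccessDenied -eq 'true')       { 'Denied (security)' }
              elseif ($GpoNode.FilterAllowed -eq 'false') { 'Filtered (WMI)' }
              elseif ($GpoNode.Enabled -eq 'false')       { 'Disabled' }
              elseif ($GpoNode.IsValid -eq 'false')       { 'Invalid/inaccessible' }
              else                                        { 'Applied' }
    [pscustomobject]@{
        Scope    = $Scope
        GPO      = $GpoNode.Name
        Verdict  = $reason
        LinkedAt = $links      # OU(s) the GPO is linked to; with loopback, user-node
                               # entries point at the computer's OU chain, not the user's
    }
}

$rows  = @()
$rows += $rsop.Rsop.ComputerResults.GPO | ForEach-Object { Get-GpoVerdict $_ 'Computer' }
$rows += $rsop.Rsop.UserResults.GPO     | ForEach-Object { Get-GpoVerdict $_ 'User' }
$rows | Sort-Object Scope, Verdict, GPO | Format-Table -AutoSize
```

A GPO that shows up as `Denied (security)` is being blocked by its Apply Group Policy / Read ACL rather than by link order or loopback mode, so the next place to look is the GPO's security filtering rather than the OU tree.
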

lforbes

It seems GPO#1 likes to take affect even on OU#2.

Are OU#1 and OU#2 at the same level, or is OU#2 somehow inside OU#1? It
is weird that the Group Policies are applied like they are. I use the
Loopback mode with some computers; however, I haven't had a problem.
Most of my user settings are User Based.

Cheers,

Lara
 
Graham Prentice

OK, I've been playing a bit more with it and discovered something a bit
different.

top of tree
--OU1 has GPO1---OU2 has GPO2 (user object is here)
--OU3 has GPO3--OU4 has computer object (w/s user is logged into)

GPO1 has loopback processing=merge
GPO3 has loopback processing=replace

When user logs into w/s under OU4, it seems he gets GPO1.
I tried unlinking GPO1 and running gpupdate then gpresult on the w/s.
It says "The following GPOs were not applied because they were filtered out"
Well my wanted GPO is in the list. How is it filtered out? I've clicked
'Allow' for Domain Users' and authenticated users.
Any ideas?
Graham
 
Graham Prentice

The system was set up for applying a GPO to a terminal server in OU1
and
applying a different GPO when the user logs onto a w/s in OU3
However, my gpresult is telling me that my wanted GPO is 'denied'
Filtering: Denied (security)
Do you know why this is happening?
Graham
 
Graham Prentice

Another question:

We are using mandatory profiles for these users.

If the user that was used to create the mandatory profile was a domain admin
at the time of the profile creation, does the new user that gets the
mandatory profile pick up any 'domain admin' rights? - even though they
normally don't have these rights? (domain user member)

Our GPOs have a security filter 'deny' for domain admins - perhaps some of
this is spilling over because of the mandatory profiles?

Thoughts?
Graham
 
ptwilliams

Answers inline...

> Another question:
>
> We are using mandatory profiles for these users.
>
> If the user that was used to create the mandatory profile was a domain admin
> at the time of the profile creation, does the new user that gets the
> mandatory profile pick up any 'domain admin' rights? - even though they
> normally don't have these rights? (domain user member)

Paul: Certainly not. The user account will have full control permissions
over the profile directory structure; they will not be granted any
permissions elsewhere or gain additional rights - that's all very separate.

> Our GPOs have a security filter 'deny' for domain admins - perhaps some of
> this is spilling over because of the mandatory profiles?

Paul: Nope. More than likely, some users haven't been removed from the
administrative group.

Going back to what you said though, I'd get rid of the added permissions of
Domain Users; just leave it at authenticated users and then deny to domain
admins.

You should check the permissions on all the GPOs. If one's being filtered
out, this is the answer.

> Thoughts?
> Graham

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
 
Graham Prentice

Thanks for clearing that up.

It turns out the GPO was being denied because of builtin\Administrators
group had a deny in security filtering.

The computer object is a member of builtin\Administrators.
Once I removed Builtin\Administrators from the security filtering, it seemed
to work.

What's strange is that there are other GPOs with builtin\administrators
having a deny for the policy, but they were taking effect on this
workstation?

Doesn't fully make sense to me but at least progress is happening and I'll
continue to test.

Thanks for all your replies.

Regards,
Graham
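Paul's suggestion to check the permissions on every GPO, and Graham's finding that a Deny ACE on Builtin\Administrators was what produced "Filtering: Denied (security)", both come down to one rule: a Deny ACE wins over any Allow, and with loopback processing the GPOs that supply the user settings are read and applied by the computer account, so the computer needs Read and Apply Group Policy on them and any Deny that matches a group in the computer's token removes the GPO. The script below is an added example (not from the thread): it lists every Deny ACE in the security filtering of every GPO and cross-checks the denied trustees against a workstation's direct group memberships. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed, the caller can read the GPOs, and the computer and group names are placeholders.

```powershell
# Added example, not from the thread. Audits every GPO's security filtering for
# Deny ACEs and compares the denied trustees with a computer account's groups.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules; names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoDenyEntries {
    param([string[]]$WatchList = @('Administrators', 'Domain Admins'))   # placeholders
    foreach ($gpo in Get-GPO -All) {
        # -All returns one entry per trustee; Denied marks a Deny ACE.
        foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
            if (-not $ace.Denied) { continue }
            $trustee = if ($ace.Trustee.Domain) {
                '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            } else { $ace.Trustee.Name }
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Trustee    = $trustee
                Permission = $ace.Permission   # a Deny of GpoApply or GpoRead both block application
                Watched    = $WatchList -contains $ace.Trustee.Name
            }
        }
    }
}

function Get-ComputerGroupNames {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Direct memberOf only; the real token also carries nested and primary groups.
    (Get-ADComputer -Identity $ComputerName -Properties MemberOf).MemberOf |
        ForEach-Object { (Get-ADGroup -Identity $_).Name }
}

$denies = Get-GpoDenyEntries
$denies | Sort-Object GPO, Trustee | Format-Table -AutoSize

# Cross-check: which Deny ACEs match the workstation's direct group memberships?
$groups = Get-ComputerGroupNames -ComputerName 'WS-OU4-01'   # placeholder workstation
$denies | Where-Object { $groups -contains $_.Trustee.Split('\')[-1] } |
    Format-Table GPO, Trustee, Permission -AutoSize
```

Two points the output makes visible: Authenticated Users already includes computer accounts, so Paul's advice to drop the extra Domain Users allow and keep only Authenticated Users plus a Deny for Domain Admins costs nothing on the computer side; and a Deny aimed at an administrators group will also remove the GPO from any computer account that is a member of that group, which is exactly the symptom Graham saw on the workstation in OU4.
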
 