Policies not working on OU

Guest

I have encountered a strange issue wherein the group policies don't work
when applied to an OU ... these policies were working perfectly fine a few days
back and all of a sudden they stopped.

The Default Domain Policy works fine and other policies that are applied
domain-wide also work fine ...

Any solution or suggestion to the same would be highly appreciated.
 
Mark Heitbrink [MVP]

Hi,
I have encountered a strange issue wherein the group policies don't work
when applied to an OU ... these policies were working perfectly fine a few days
back and all of a sudden they stopped.
The Default Domain Policy works fine and other policies that are applied
domain-wide also work fine ...

Perhaps you have set the GPOs at domain level to "no override"?

Mark
 
Guest

Mark: Many thanks for replying, but that's the first thing that struck my
mind also; I am sorry but that's not the case. I am pretty much aware of the
"No Override or Block policy inheritance" concept ...

.... and if you make a new policy (not on an OU) it works perfectly fine. This
policy was tested earlier and it worked fine.

Here's the scenario: we wanted users not to have an internet connection,
therefore I had to change the proxy settings to a false IP address 0.0.0. ...
so I created an OU and then made a new GP with the necessary settings and then
used Block Policy Inheritance, whereby we don't get any Default Domain
Policy, and then I did a No Override on that Group Policy so that it's the only
policy that can be applied for specific users, and added the users under
delegation and made sure that Apply GP has a check mark under security
settings.


Please suggest or comment on why it isn't working now ..
 
Norbert Fehlauer [MVP]

sj wrote:
Hi,
here's the scenario, We wanted users not to have internet connection

That would be a perfect scenario for a proxy with user authentication,
wouldn't it?
Any attempt with group policies would be nothing more than a workaround,
because you cannot configure all browsers by a GPO. For example, Firefox.

Doesn't help on your special case, but should be worth thinking about.

HTH
Norbert
 
lforbes

Here’s the scenario: we wanted users not to have an internet
connection, therefore I had to change the proxy settings to a false IP
address 0.0.0. ... so I created an OU and then made a new GP with the
necessary settings and then used Block Policy Inheritance, whereby we
don’t get any Default Domain Policy

Hi,

First of all, it is a big no-no to block the Default Domain Policy.
Just so you know =).

Second. Policy Settings applied under IE Maintenance are only applied
once on first logon. There is a setting that you can enable if
you want it to be processed all the time. However, it is a Computer
Policy so it needs to be on the Computer OUs - Under Computer -
Admin - System - Group Policy - Internet Explorer Maintenance Policy
Processing "Process even if Group policy objects have not changed".

Third - Creating a phony Proxy is a nice little hack, but it doesn’t
always work and you can get around it. If you don’t want users to
access Internet Explorer, run a startup script using xcacls.vbs and
set permissions on C:\Program Files\Internet Explorer to
Admin = Full Control and System = Full Control, removing Users and every
other group.

Just so you know, the best way to do this is to get an
Authenticated Proxy Server like ISA or the like. I am not sure if the
newest Linux proxy servers allow you to do it via authentication or
not but at least they are free.

Cheers,

Lara
 
Guest

Thanks Lara & Norbert for replying.

Norbert: I know that it's a workaround and we cannot avoid the users having a 3rd
party browser, but for now this is the only thing I know how to avoid the user
and having authentication at the same time, but not to forget I ALSO want the
users to browse the IntrAAnet site ....

Lara: I like the idea of *Run a startup script using xcacls.vbs* but as I
told Norbert, I would also want to give the ability of browsing the local
Intranet....

Anyway, I found the problem ... One of my colleagues moved the users from
that container, therefore the policy wasn't working, though the delegation was
perfectly fine under the scope of management.

Cheers ;-
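
Added example, not part of the thread: a small Python model of user-side GPO scoping that reproduces the root cause found above, where an OU-linked GPO with Block Policy Inheritance and No Override stops applying once the user object is moved, even though the Apply Group Policy permission is unchanged. The domain name, OU name, GPO name "Fake Proxy" and user "alice" are constructed; site links, link precedence and WMI filters are left out.

```python
# Simplified model of user-side GPO scoping. Constructed data, hypothetical names.
# Not modelled: site links, link order/precedence, WMI filters, escaped commas in DNs.
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    enforced: bool = False                       # "No Override" on the link
    apply_to: set = field(default_factory=set)   # principals with Read + Apply Group Policy

@dataclass
class Container:
    links: list = field(default_factory=list)
    block_inheritance: bool = False              # "Block Policy Inheritance"

def containers_above(user_dn):
    """Containers holding the user, nearest first, ending at the domain root."""
    parts = user_dn.split(",")[1:]               # drop the user's own RDN
    out = []
    for i, rdn in enumerate(parts):
        out.append(",".join(parts[i:]))
        if rdn.strip().upper().startswith("DC="):  # first DC= component is the domain root
            break
    return out

def applied_gpos(user_dn, principals, directory):
    """GPO names that reach the user, given where the user object lives."""
    applied, blocked = [], False
    for dn in containers_above(user_dn):
        node = directory.get(dn, Container())
        for link in node.links:
            in_scope = not blocked or link.enforced   # enforced links pass a block
            if in_scope and principals & link.apply_to:
                applied.append(link.gpo)
        blocked = blocked or node.block_inheritance   # affects links above this node only
    return applied

DOMAIN = "DC=corp,DC=example"
OU = "OU=NoInternet," + DOMAIN
DIRECTORY = {
    DOMAIN: Container([Link("Default Domain Policy", apply_to={"Authenticated Users"})]),
    OU: Container([Link("Fake Proxy", enforced=True, apply_to={"alice"})],
                  block_inheritance=True),
}
ALICE = {"alice", "Authenticated Users"}

IN_OU = applied_gpos("CN=alice," + OU, ALICE, DIRECTORY)
MOVED = applied_gpos("CN=alice,CN=Users," + DOMAIN, ALICE, DIRECTORY)

if __name__ == "__main__":
    print("in OU:", IN_OU)
    print("moved:", MOVED)
```

Security filtering only decides who may apply a GPO that is already in scope; the link location decides scope, so checking the user's current DN against the linked OU is the first thing to verify when an OU policy silently stops applying.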