Help needed with W2K3 Group Policy not being applied at user logon

murras68

Hi,

I'm having problems with a GPO that is linked to an OU which contains a
group which has users and groups from other OUs in AD.

I am running a batch file as a logon for the user configuration part of
the GPO, the Computer part of the GPO is disabled to speed things up.
Basically the GPO will run a batch file for users associated with the
GPO linked to the OU.

The problem that is occurring is that the GPO does not seem to
process. I can run the batch file from the DOS prompt of a user's PC
which performs the required function, which is to copy a shortcut from
a network folder to the user's desktop.

When I run GPresult on the user's PC I can see that in the user
configuration the results are that the Local Policy is filtered and no
policy is applied, yet when I run the batch file from within the user
configuration part of the Default Domain GPO everything works fine. I
have checked the permissions and even used block inheritance on the OU
where the users and groups exist but still no joy.

Has anyone got any suggestions on why this is happening and how to get
this working for users as there is no computer GPO setting as it is
intended for only users to receive a desktop shortcut as they login.

Thanks

Murras88
 
Are the user accounts who must 'receive' the login script physically located
in the OU where the GPO is linked to?

Regards,
Erik
 
Some other things to check/try:
* The users/groups need "read" and "apply" permissions on the GPO
* MSKB: Scripts May Not Run Before Windows Explorer Starts Even Though the
"Run Logon Scripts Synchronously" Setting is Enabled
(http://support.microsoft.com/default.aspx?scid=kb;en-us;304970)

You could also try the RSoP (Resultant Set of Policy) mmc, which has a better
GUI and also contains a planning mode, so you can "test" what a result of a
policy would/should be of your GPO assigned to a user.

An even better tool is the Group Policy Management Console:
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
This tool provides a more user-friendly and easier-to-use method to
troubleshoot and plan group policies.

Regards,

Erik
 
Hi Erik,

Thanks for the reply but I still have the same problem.

The GPO works when it is part of the Default Domain GPO but not when it
is linked further down to an OU that is within another OU.

I have run GPresult and RSoP and it shows that the local policy is
being filtered out but does not say what policy is filtering it out.

If you have any more ideas I would greatly welcome them.

Thanks

Steve
 
Hi,
> The GPO works when it is part of the Default Domain GPO but not when it
> is linked further down to an OU that is within another OU.

- your User/Computer is not part of the OU where you linked
the GPO, the target is not inside the scope of the GPO.
or
- you worked with DSACLs on the GPO, e.g. you removed Auth.Users
or
- you worked with block inheritance on an OU or force on GPO and
the settings are overwritten.

Mark
 
Could you give me a little more info about the OU structure, depth, contents,
where GPOs are linked, with or without 'no override' or 'block inheritance'
and what settings you want to have enforced on the user/workstation?
 
Hi Erik,

The structure is

Domain > Directorate OU > 6 OUs based on Departments and 1 OU called
Folder Access containing the group called Folder Access Group which has
members from the 6 Department OUs.

The GPO is linked to OU called Folder Access containing the group
called Folder Access Group.

Regards
 
In your current description the OU 'Folder Access' does not seem to contain
the actual user objects, but only a Security Group.

* Where are the User objects located? If they are not in the 'Folder Access'
OU the GPO will not apply to the users.
* How are the ACLs for the GPO configured?
 
Hi,
> Domain > Directorate OU > 6 OUs based on Departments and 1 OU called
> Folder Access containing the group called Folder Access Group which has
> members from the 6 Department OUs.

Group Policies, even if they are called "Group", can not be applied
to Security Groups. There is no target (user or computer object)
in your scope.
You have to move the users to the OU, where you linked the GPO.
Security groups can only be used for filtering.

If you link the GPO to a higher level, and "all" your users would be
involved, then you can use the security group to filter who is able
to "read" and "apply" the GPO.

Mark
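
The scoping rule described in the post above, as an added example that is not part of the original thread: a GPO reaches a user only if the user object sits under the container the GPO is linked to and the user (or one of its groups) holds Read + Apply Group Policy. The domain name, department OU and user names are constructed placeholders, and the model ignores block inheritance, enforced links, WMI filters and loopback processing.

```python
# Added example: simplified model of GPO scoping (link location + security filtering).
from dataclasses import dataclass, field

def rdns(dn):
    """Split a DN into lower-cased RDNs (constructed DNs here have no escaped commas)."""
    return [p.strip().lower() for p in dn.split(",")]

def is_under(object_dn, container_dn):
    """True if object_dn lies strictly below container_dn in the directory tree."""
    obj, cont = rdns(object_dn), rdns(container_dn)
    return len(obj) > len(cont) and obj[-len(cont):] == cont

@dataclass
class User:
    dn: str
    groups: set = field(default_factory=set)  # group names, membership already expanded

@dataclass
class GpoLink:
    gpo: str
    linked_to: str   # DN of the domain/OU the GPO is linked to
    apply_acl: set   # principals holding Read + Apply Group Policy

def evaluate(user, link):
    """Return (applies, reason) for one user against one GPO link."""
    if not is_under(user.dn, link.linked_to):
        return False, "user object is outside the container the GPO is linked to"
    principals = user.groups | {"Authenticated Users"}
    if not principals & link.apply_acl:
        return False, "filtered: no Read + Apply Group Policy for user or its groups"
    return True, "in scope and permitted"

# Constructed directory mirroring the thread's layout (names are placeholders).
BASE = "OU=Directorate,DC=example,DC=local"
member = User("CN=Alice,OU=Dept1," + BASE, {"Folder Access Group"})
other = User("CN=Bob,OU=Dept2," + BASE)

# As configured in the thread: linked to the OU that holds only the group object.
as_posted = GpoLink("Shortcut", "OU=Folder Access," + BASE, {"Authenticated Users"})
# Alternative from the thread: link higher up, filter by the security group.
filtered = GpoLink("Shortcut", BASE, {"Folder Access Group"})

if __name__ == "__main__":
    for link in (as_posted, filtered):
        for u in (member, other):
            print(link.linked_to, "|", u.dn.split(",")[0], "|", evaluate(u, link))
```

With the link on the Folder Access OU no user is in scope, group member or not; with the link on the Directorate OU and the ACL narrowed to the group, only the group member receives the policy.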
 
Hi Mark,

The users are located within another OU called users.

I will change my settings and let you know the outcome.

Thanks for replying.

Steve
 
Hi,
> The users are located within another OU called users.

And this is your problem, as we mentioned.
Just move the users to the OU and everything will be alright.

Mark
 