Policies Not Applying


I have a flat AD Tree, Domain.net, then my Organizational Units. I have an OU that contains all of my users (AllUsers) and an OU that contains all computers (AllComps). AllUsers has a login script assigned in the User Configuration/Windows Settings. I have four users that I would like to experiment with. I've created a new OU (TestUsers) on the same level as AllUsers and moved them into this container. This new container has a little different login script but for all intents and purposes is the same.

When I put myself into this TestUsers, the script executes fine. When any of the four other "normal" users log in, they still execute the old script. It's as if they never moved from the AllUsers container. The only real caveat is that all four of these users are located at the other end of a frame relay circuit. It's almost as if they're not getting "updated". However, I've made changes to the Login Notice and their machines DO reflect those changes. The fact that they can log in and authenticate to the network should indicate that they can see my domain. Why would the changes I've made in Active Directory not affect them?

Thank you in advance for any and all help.
 
Hi Jacques -

Are your test clients using Windows XP or Windows 2000?

If you only see this problem on Windows XP, this behavior could be caused by
Fast Logon Optimization. I believe that this setting only changes the
behavior of Software Installation and Folder Redirection policies, but you
could try turning off this feature for testing. Information on this is
available at:

305293 Description of the Windows XP Professional Fast Logon Optimization
http://support.microsoft.com/?id=305293

Are there any errors in the application log on the client machine
(specifically userenv 1000 events)? If so, group policy may not be
applying.

If you have more than one domain controller, find out which domain
controller the client is using for authentication (you can use "set l" at
the command line). Make sure that this domain controller shows the user/s
in this new OU. If it shows the user in the old OU, you have a replication
problem.

--
Seth Scruggs [MSFT]
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Jacques Smith said:
I have a flat AD Tree, Domain.net, then my Organizational Units. I have
an OU that contains all of my users (AllUsers) and an OU that contains all
computers (AllComps). AllUsers has a login script assigned in the User
Configuration/Windows Settings. I have four users that I would like to
experiment with. I've created a new OU (TestUsers) on the same level as
AllUsers and moved them into this container. This new container has a
little different login script but for all intents and purposes is the same.
When I put myself into this TestUsers, the script executes fine. When any
of the four other "normal" users log in, they still execute the old script.
It's as if they never moved from the AllUsers container. The only real
caveat is that all four of these users are located at the other end of a
frame relay circuit. It's almost as if they're not getting "updated".
However, I've made changes to the Login Notice and their machines DO reflect
those changes. The fact that they can log in and authenticate to the network
should indicate that they can see my domain. Why would the changes I've
made in Active Directory not affect them?
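
The replication check described in the reply above, as an added example that is not part of the original posts: it compares the OU each domain controller reports for a moved user and flags the controller the client authenticated against. The function names, DC names and user DN are hypothetical, and the commented live query assumes the RSAT ActiveDirectory PowerShell module, which the thread does not mention.

```powershell
# Added example. Sample DC names and DNs are constructed for illustration.

function Get-ParentOU([string]$DistinguishedName) {
    # Drop the leading RDN (CN=...). The lookbehind skips escaped commas ("\,")
    # that can appear inside a display name such as "CN=Smith\, Pat".
    return ($DistinguishedName -split '(?<!\\),', 2)[1]
}

function Test-UserOuReplication {
    param(
        [hashtable]$DnByDc,      # DC name -> user's DN as stored on that DC
        [string]$ExpectedOU,     # DN of the OU the user was moved into
        [string]$LogonServer     # DC the client authenticated against
    )
    foreach ($dc in ($DnByDc.Keys | Sort-Object)) {
        $ou = Get-ParentOU $DnByDc[$dc]
        [pscustomobject]@{
            DC            = $dc
            ParentOU      = $ou
            # -ne is case-insensitive, which matches how DNs are compared
            Stale         = ($ou -ne $ExpectedOU)
            IsLogonServer = ($dc -eq $LogonServer)
        }
    }
}

# Constructed sample: the remote-site DC has not yet received the OU move.
$sample = @{
    'DC-HQ'     = 'CN=Pat Example,OU=TestUsers,DC=Domain,DC=net'
    'DC-REMOTE' = 'CN=Pat Example,OU=AllUsers,DC=Domain,DC=net'
}

# "set l" on the client prints LOGONSERVER=\\DC-REMOTE; strip the backslashes.
$logon = '\\DC-REMOTE'.TrimStart('\')

Test-UserOuReplication -DnByDc $sample `
    -ExpectedOU 'OU=TestUsers,DC=Domain,DC=net' `
    -LogonServer $logon | Format-Table -AutoSize

# Live use (assumption: ActiveDirectory module installed, 'pexample' is the
# user's logon name). Build the same hashtable from every DC in the domain:
# $live = @{}
# Get-ADDomainController -Filter * | ForEach-Object {
#     $live[$_.Name] = (Get-ADUser -Identity 'pexample' -Server $_.HostName).DistinguishedName
# }
```

A row with both Stale and IsLogonServer set to True means the client is reading the user's old OU from a controller that has not replicated the move, so the old OU's logon script still applies.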
 
Seth,

You have just provided me with the link for which I have been looking the
last nine days.

Thank you!

Cary

 