Still need help with GPO's

  • Thread starter Thread starter dbouton
  • Start date Start date
D

dbouton

WinXP SP1 clients, Win server 2003 SP1.

I am having problems still with certain users not getting their group
policies. It seems to be isolated to one OU. If I move them out of
the OU into a known working one it is ok. But I'm having trouble
figuring out the cause. DNS is ok (again it works in another OU). I
do not have any filtering and am not blocking inheritance. I have just
one user policy which is on the OU above which is applying fine to
other OU's. If I run gpresult it says the user does not have rsop
data. If I run rsop.msc I get invalid namespace. I loaded GPMC on the
machine and the user can see all the policies and I can get to the
appropriate sysvol directories.

Any ideas where to go from here? The policy is a simple one just
setting the user proxy name and port and homepage. Thanks in advance
for any help.

Dawn
 
dbouton said:
WinXP SP1 clients, Win server 2003 SP1.

I am having problems still with certain users not getting
their group
policies. It seems to be isolated to one OU. If I move them
out of
the OU into a known working one it is ok. But I'm having
trouble
figuring out the cause. DNS is ok (again it works in another
OU). I
do not have any filtering and am not blocking inheritance. I
have just
one user policy which is on the OU above which is applying
fine to
other OU's. If I run gpresult it says the user does not have
rsop
data. If I run rsop.msc I get invalid namespace. I loaded
GPMC on the
machine and the user can see all the policies and I can get to
the
appropriate sysvol directories.

Any ideas where to go from here? The policy is a simple one
just
setting the user proxy name and port and homepage. Thanks in
advance
for any help.

Dawn
Click to expand...

Hi,

Have you tried just moving your users out, deleting the OU. Creating a
new one and moving your users back in?

Cheers,

Lara
 
lforbes said:
Hi,

Have you tried just moving your users out, deleting the OU. Creating a
new one and moving your users back in?

Cheers,

Lara

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Group-Policy-help-GPO-ftopict365281.html
Visit Topic URL to contact author (reg. req'd). Report abuse:
Click to expand...
http://www.windowsforumz.com/eform.php?p=1177715

Hi Lara - I found my own problem so thought I would share in case
someone else makes the same mistake. There was security set on the OU
that denied too much access. I had to give read and all works fine
now. Not sure how it originally got set so restrictive but I'm
assuming when it was trying to secure as much as possible and we got a
little too secure. Thank you for the helpful suggestion though.

Dawn
 
dbouton said:
 > > WinXP SP1 clients, Win server 2003 SP1.
 > >
 > > I am having problems still with certain users not
getting
 > > their group
 > > policies. It seems to be isolated to one OU. If I
move them
 > > out of
 > > the OU into a known working one it is ok. But I'm
having
 > > trouble
 > > figuring out the cause. DNS is ok (again it works
in another
 > > OU). I
 > > do not have any filtering and am not blocking
inheritance. I
 > > have just
 > > one user policy which is on the OU above which is
applying
 > > fine to
 > > other OU's. If I run gpresult it says the user
does not have
 > > rsop
 > > data. If I run rsop.msc I get invalid namespace.
I loaded
 > > GPMC on the
 > > machine and the user can see all the policies and I
can get to
 > > the
 > > appropriate sysvol directories.
 > >
 > > Any ideas where to go from here? The policy is a
simple one
 > > just
 > > setting the user proxy name and port and homepage.
Thanks in
 > > advance
 > > for any help.
 > >
 > > Dawn
abuse:
http://www.windowsforumz.com/eform.php?p=1177715

Hi Lara - I found my own problem so thought I would share in
case
someone else makes the same mistake. There was security set
on the OU
that denied too much access. I had to give read and all works
fine
now. Not sure how it originally got set so restrictive but
I'm
assuming when it was trying to secure as much as possible and
we got a
little too secure. Thank you for the helpful suggestion
though.

Dawn
Click to expand...

Hi,

I am glad you figured it out. Personally I don’t set security on OU’s
at all except with "delegation" of control and then I use the
wizard. Basically unless you have lots of different people accessing
AD there is no reason to restrict it with permissions.

Cheers,

Lara
 
Hi Lara,

Actually what happened in this case was the wizard was used to delegate
control for a small set of "technicians" that needed very limited
control for the whole domain. There is an administrative OU that they
are not allowed access so they were given deny access. At some point
these users were moved to a sub OU of the administrative OU basically
denying access to themselves which would not allow them to read the
policies. I agree that if it can be avoided setting security on OU's
can get you in trouble! Especially when more then one person
administrates the domain. Thanks again.

Dawn
 
Back
Top