Group Policy problem on 2003 network

robsoni
All of a sudden my group policy is not being applied to new network users. I can copy a working OU object but the policies will not carry over to the new user. I've tried recreating policies etc but with no luck.

The main problem I'm having is that the shared desktop will not load up and new users tend to have more rights than they should (being able to store docs on their desktop etc.). The drives are mapped OK, but this comes from a logon script.

I'm using roaming profiles but will be turning these off as soon as possible and going with folder redirection etc. Can anyone suggest any kind of diagnostic I can try to see if the AD is OK and pinpoint the problem, or a patch to ensure that users can at least pick up the shared desktop?

thanks
  • +
    0 Votes
    IC-IT

    What do you mean by you can copy an OU object?
    Your new users should be in a common or by functional grouping OU. The GPO should already be linked to that OU.
    If you add a new user OU, then all you should need to do is link the GPO to that OU.

    How/(from) where is the Desktop being presented?
    Do they have permissions to that location or to the startup script?

    +
    0 Votes
    robsoni

    Thanks for the reply.

    If I create a new user from the template I started with (in the OU), it is not picking up the desktop and does not have the correct security applied. If I copy a user (within the same OU) whose account is working properly and change the name/logon etc., it still does not work.

    The desktop is a shared folder and is configured through a GPO - user config - folder redirection. This GPO is the one that is attached to all my users. I've tried recreating the shared desktop folder and editing the GPO to pick up its new location but it's not working. Permissions are the same as they have been, so I'm confused as to why it's stopped working.

    +
    0 Votes
    christianshiflet

    From a desktop while logged in as a problem user (one who is not getting the policy applied) open a command prompt and type "GPRESULT". Let us know what that returns. I just recently had this issue. The policy was being blocked by av software for new users.

    +
    0 Votes
    robsoni

    The GPRESULT for both (working and non-working) users is identical.

    +
    0 Votes

    AV

    robsoni

    I've also now tried disabling the AV on a machine and creating a new user etc but with no success.

    +
    0 Votes
    Screen Gems

    Are you using a script to create the account and specify the OU the account should be placed in?

    Or are you simply creating an account in Active Directory under Active Directory Users and Computers?

    If you are creating the account in Active Directory Users and Computers, the account is automatically placed in the domain default Users OU. If the GPO is linked to a different OU, then you have to move the user account out of the domain default Users OU to the OU that has the GPO linked to it.

    +
    0 Votes
    robsoni

    The accounts are created in Active Directory Users and Computers. The users are in the correct OU and have the correct GPO attached.

    If I want to create a new user in an existing OU containing users who are not having problems - new user and fill in details etc., or copy an existing user's account and change name etc.

    This does not work - the new users have the problems I described. This means that I can have both working and non-working users in the same OU who are meant to have exactly the same accounts.

    Basically there have been no major changes on my network but AD seems to have stopped working. No major Updates etc either.

    +
    0 Votes
    john.light

    C:\WINDOWS\Debug\UserMode\userenv.log

    Should show any problems.

    +
    0 Votes

    CMD

    Wizard-09

    Run a gpupdate from the command line, or use the gpupdate command in CMD to look for any issues. Create a new OU, copy the GPO and apply it to the new OU, add a user, and see how that goes for you also.

    Hope this helps.

    +
    0 Votes
    mike

    Try sfc /scannow to ensure the Windows files are intact (in the Run box). If there is a problem, it will ask you for the install CD/DVD.

    +
    0 Votes
    bulk

    Hi,

    I realise that you are copying a "template" user that is already in the correct OU, and are therefore copying any group memberships etc. from the template to the new user, but be sure that the new user (and template) has not somehow lost permissions to read and apply the GPO(s).

    Close examination of the output from GPRESULT will show the GPOs applied, or filtered out by security.

    RS
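The check suggested in the replies above (read GPRESULT for GPOs that are applied versus filtered out by security), as an added example that is not part of any post in the thread: it parses the USER SETTINGS part of two saved gpresult text reports and lists GPOs the working user gets and the problem user does not. The two reports are constructed samples and the GPO names are hypothetical.

```python
def parse_gpresult(text):
    """Return (applied, filtered) for the USER SETTINGS part of a gpresult report."""
    applied, filtered, in_user, mode, last = set(), {}, False, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("USER SETTINGS", "COMPUTER SETTINGS")):
            in_user, mode = line.startswith("USER"), None
        elif not in_user or not line or set(line) == {"-"}:
            continue                          # other section, blank line or rule
        elif line == "Applied Group Policy Objects":
            mode = "applied"
        elif line.startswith("The following GPOs were not applied"):
            mode = "filtered"
        elif line.startswith("The user is a part of"):
            mode = None                       # security-group list follows
        elif mode == "applied":
            applied.add(line)
        elif mode == "filtered" and line.startswith("Filtering:"):
            filtered[last] = line.split(":", 1)[1].strip()
        elif mode == "filtered":
            last = line                       # GPO name precedes its Filtering line
    return applied, filtered

def missing_gpos(working_report, broken_report):
    """GPOs applied for the working user but not the problem user, with the reason."""
    ok, _ = parse_gpresult(working_report)
    bad, why = parse_gpresult(broken_report)
    return {gpo: why.get(gpo, "not listed") for gpo in sorted(ok - bad)}

# Constructed reports (not from the thread); the GPO names are hypothetical.
WORKING = """USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Staff Desktop Redirection
"""
BROKEN = """USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Staff Desktop Redirection
            Filtering:  Denied (Security)
"""
print(missing_gpos(WORKING, BROKEN))
```

An empty result means both users receive the same set of user GPOs, so the difference lies in how a policy is processed rather than in whether it is selected.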

    +
    0 Votes
    robsoni

    I managed to get the folder redirection policy working again although I'm still looking into the cause.
    I ended up recreating the fdeploy.ini configuration setting file by copying one of the earliest working versions.

    The strange thing is that the sequence goes:

    old policy - works fine

    recent policy (copied from old) - doesn't work

    brand new policy - doesn't work

    new policy with fdeploy.ini rebuilt from old policy - works fine

    There were no event clues with this one and the logs seemed fine so I'm confused as to why these files would somehow corrupt or just stop working. Thanks for the help.
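A follow-up check for the fix described in the last post, as an added example that is not part of the thread: it compares the fdeploy.ini of a working policy with that of a non-working one, reporting a change in file encoding and any section or key that differs. It does not establish what went wrong in the thread; the sample contents, the server name fs01 and the share paths are constructed assumptions.

```python
import codecs
import configparser

def load_ini(raw: bytes):
    """Decode raw fdeploy.ini bytes; return (encoding label, {section: {key: value}})."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        enc, text = "utf-16-le+bom", raw[2:].decode("utf-16-le")
    elif raw.startswith(codecs.BOM_UTF8):
        enc, text = "utf-8+bom", raw[3:].decode("utf-8")
    else:
        enc, text = "no-bom", raw.decode("latin-1")
    # interpolation=None keeps % in paths (e.g. %USERNAME%) literal
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str                      # keep key case exactly as stored
    cp.read_string(text.replace("\r\n", "\n"))
    return enc, {s: dict(cp[s]) for s in cp.sections()}

def diff_ini(good: bytes, suspect: bytes):
    """List the differences between a known-good and a suspect fdeploy.ini."""
    g_enc, g = load_ini(good)
    s_enc, s = load_ini(suspect)
    out = []
    if g_enc != s_enc:
        out.append(f"encoding: {g_enc} -> {s_enc}")
    for sec in sorted(set(g) | set(s)):
        if sec not in g or sec not in s:
            out.append(f"[{sec}] only in {'good' if sec in g else 'suspect'}")
            continue
        for key in sorted(set(g[sec]) | set(s[sec])):
            if g[sec].get(key) != s[sec].get(key):
                out.append(f"[{sec}] {key}: {g[sec].get(key)!r} -> {s[sec].get(key)!r}")
    return out

def sample(path):
    """Constructed file body; section names, key and values are assumptions."""
    return "\r\n".join(["[FolderStatus]", "Desktop=0", "[Desktop]", "s-1-1-0=" + path, ""])

GOOD = codecs.BOM_UTF16_LE + sample(r"\\fs01\shared\desktop").encode("utf-16-le")
SUSPECT = sample(r"\\fs01\shared2\desktop").encode("ascii")

if __name__ == "__main__":
    for line in diff_ini(GOOD, SUSPECT):
        print(line)
```

In practice the two byte strings would be read with `open(path, "rb")` from the working and non-working policy folders, so the comparison sees the files exactly as stored.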
