
2003 AD Policy Not Working ?


Lockstock2SB (Technical User)
Hi There

I've got a strange issue with my OU policy. But first, here is my setup:

- 2003 R2 Server PDC (DNS, AD)
- 2 x 2003 R2 Member Servers - PS4, R01 Rollup Pack. Load balanced.
- 2003 R2 Member Server (TS and Citrix Licensing Server)

- 1 Farm publishing IE and a few other bespoke applications

I have 2 OUs set up: one for the Citrix admins and one for Citrix users. Each OU has a separate policy that overrides the default domain policy.

The policies set things such as default homepage and slight customisation on the IE interface for the users (locking it down). Nothing too complicated.

However, now for some reason the admins policy doesn't seem to be applying. I have deleted my profile from both servers and the PDC itself and then logged on to a Citrix server. When I get the desktop up it's grey instead of blue, and although the icons all look right the IE policy hasn't loaded. I get the IE Enhanced Security default page and the search box is set for MSN (when it should be Google).

I don't get any profile errors on logon.

I created some new internet users yesterday and upon logon they look like they are getting their policy OK! So it's only the one OU that's having issues.

Any ideas why the policy isn't being applied? From what I can tell everything looks OK. The only thing that's changed recently was I added the 2nd server into the farm.

Thanks in advance for your help!

Steve
 
Lockstock2SB,
I would do an RSoP and see what policies are being applied.
Here is the registry key to enable logging in userenv:

Userenv Logging
Because Userenv tracks the Group Policy engine and registry-based Group Policy, it is the most frequently used log file for Group Policy troubleshooting. Userenv is especially useful in a Windows 2003 environment because you don't have the benefit of using Resultant Set of Policy (RSoP). Most of the questions that RSoP answers are in the userenv log.

To use userenv.log you need to first enable verbose logging.

To enable verbose logging

1. Log onto the client computer as the administrator and run Regedit.

2. Locate the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

3. Right click Winlogon, select New, and then click DWORD Value.

4. Enter the following name for the DWORD Value: UserEnvDebugLevel.

5. Enter 30002 as the hexadecimal value. This writes the userenv output into userenv.log, located in the \%windir%\debug directory.

6. Run "gpupdate /force" to ensure a full listing of total Group Policy processing.


Hope that helps.
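The same six steps as a script, added here as an example rather than taken from the thread. It assumes an elevated PowerShell session on the Citrix server the user logs on to (Server 2003 needs PowerShell installed; the registry path and the 0x30002 value are those given above, and the log file on Server 2003 sits in the UserMode subfolder of %windir%\debug). The GPO name used in the search pattern is the one from the poster's gpresult output.

```powershell
# Added example (not from the thread): enable Userenv verbose logging,
# force a full policy refresh, and pull the interesting lines out of the log.
# Assumes: run as an administrator on the terminal/Citrix server.

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'UserEnvDebugLevel'

# 0x30002 = verbose logging for user and computer policy processing,
# written to the log file rather than to a debugger. -Force overwrites an
# existing value, so this is safe to re-run.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0x30002 -Force | Out-Null

# A plain refresh only reprocesses changed GPOs; /force makes every
# client-side extension run and log, even for GPOs that did not change.
gpupdate /force | Out-Null

# On Server 2003 the file is %windir%\debug\UserMode\userenv.log.
$log = Join-Path $env:windir 'debug\UserMode\userenv.log'

if (Test-Path $log) {
    # For a "GPO is listed but its settings do not land" case, the lines
    # that matter are GPO enumeration, the Registry / IE extensions, and errors.
    Get-Content $log |
        Select-String -Pattern 'Citrix Admins Policy', 'ProcessGPOs', 'Registry',
                               'Internet Explorer', 'failed|error|denied' |
        Select-Object -Last 60
} else {
    Write-Warning "No log at $log. Check the DWORD exists under Winlogon and log off/on once."
}

# Clean up when done: the verbose log grows quickly and records GPO paths
# and SIDs, so it should not be left on permanently.
# Remove-ItemProperty -Path $key -Name $name
```

If the log never appears after the value is set (the symptom reported further down in the thread), the usual causes are a typo in the value name, a value created as a string instead of a DWORD, or looking in %windir%\debug rather than its UserMode subfolder.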

 
Thanks Enigma99 for your reply! :)

I will try your suggestion as soon as possible and post back the outcome.

Much appreciated.

Thanks

Steve
 
Followed the regedit to start the logging but nothing happened? I did do a gpresult and the results look OK:

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 14/01/2008 at 17:37:24


RSOP data for DOMAIN\u90527 on CTRX4 : Logging Mode
-----------------------------------------------------

OS Type: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Configuration: Member Server
OS Version: 5.2.3790
Terminal Server Mode: Application Server
Site Name: Default-First-Site-Name
Roaming Profile: \\CTRXPDC\PROFILES$\U90527
Local Profile: E:\USER PROFILES\u90527
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=CTRX4,CN=Computers,DC=DOMAIN,DC=COM
Last time Group Policy was applied: 14/01/2008 at 16:59:50
Group Policy was applied from: ctrxpdc.DOMAIN.COM
Group Policy slow link threshold: 500 kbps
Domain Name: DOMAIN
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Local Group Policy

The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
CTRX4$
Domain Computers


USER SETTINGS
--------------
CN=U90527,OU=Citrix_Admins,DC=DOMAIN,DC=COM
Last time Group Policy was applied: 14/01/2008 at 17:26:05
Group Policy was applied from: ctrxpdc.DOMAIN.COM
Group Policy slow link threshold: 500 kbps
Domain Name: DOMAIN
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Citrix Admins Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
BUILTIN\Administrators
Remote Desktop Users
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Web Loanware
Domain Admins
Citrix_Admins

<END>

Any ideas? The Citrix_Admins policy looks like it's being applied, which is correct, but none of the policy is being applied when I log in?

I also noted it says it's a Windows 2000 domain? Is that right, bearing in mind it's 2003/AD!?

Cheers

Steve
 
In the GPMC, verify that the security filtering includes the security groups that you want and the Servers on which it should apply also.

Fred

You have only one life, enjoy it !!!
 
Also check GPOs applied to the OU that contains the Citrix servers. Is the machine policy, Loopback, Replace set? Which OU are the Citrix servers in, the Users OU? Or under the same tree of OUs?

eric@stepneymarsh.com
Stepney Marsh Systems
 
According to your gpresult, the Citrix Admins Policy looks to be applied. I see that you're applying a GPO on your user accounts.

For terminal/citrix servers, best practice is... put all of your terminal servers into 1 OU. On this OU, link a GPO that contains all of the computer settings that you want applied (you may have done this already).

Regarding your users... if they have a policy applied to them, that you also want applied to them when they log into your terminal servers, as Eric mentions, you should enable loopback processing, in the GPO applied to your Terminal servers OU.

See link...
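The two checks the last three replies suggest (security filtering on the user GPO, and which GPOs and loopback setting reach the OU holding the Citrix servers), written out as an added example that is not part of the thread. It assumes a management host with the GroupPolicy and ActiveDirectory PowerShell modules (RSAT/GPMC on a Windows release later than the 2003 servers in the thread). 'Citrix Admins Policy' and CTRX4 come from the gpresult output above; the servers OU and the GPO linked to it are placeholders.

```powershell
# Added example (not from the thread). Assumes: GroupPolicy + ActiveDirectory
# modules available, and a domain account that can read GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$userGpo   = 'Citrix Admins Policy'                # from the gpresult output
$srvName   = 'CTRX4'                               # from the gpresult output
$srvOu     = 'OU=Citrix_Servers,DC=DOMAIN,DC=COM'  # placeholder: OU holding the TS/Citrix servers
$serverGpo = 'Citrix Servers Policy'               # placeholder: GPO linked to that OU

# 1. Security filtering: the trustee with "Apply Group Policy" must cover the
#    user (Authenticated Users, or the Citrix_Admins group). If the list is
#    empty or only names a group the user is not in, the GPO is skipped.
Get-GPPermission -Name $userGpo -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 2. Where does the server object live, and which GPOs are linked there?
#    A computer in the default CN=Computers container only receives
#    domain-level links, because containers cannot have GPOs linked to them.
$srvDn = (Get-ADComputer -Identity $srvName).DistinguishedName
Write-Host "Server object: $srvDn"
(Get-GPInheritance -Target $srvOu).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

# 3. Loopback processing is a computer setting stored as
#    HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode
#    (1 = Merge, 2 = Replace). Read it from the servers' GPO.
$loopKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
try {
    $mode = Get-GPRegistryValue -Name $serverGpo -Key $loopKey -ValueName 'UserPolicyMode' -ErrorAction Stop
    $label = @{ 1 = 'Merge'; 2 = 'Replace' }[[int]$mode.Value]
    Write-Host ("Loopback mode in '{0}': {1}" -f $serverGpo, $label)
} catch {
    Write-Host "Loopback is not configured in '$serverGpo'"
}

# To enable Merge mode (the user's own OU policy still applies; the user
# settings of the servers' GPO are layered on top), uncomment:
# Set-GPRegistryValue -Name $serverGpo -Key $loopKey -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null
```

Merge is the less surprising choice for a farm where users already carry an OU policy, as in this thread; Replace discards the user's own OU settings entirely and applies only the user half of the GPOs linked to the servers' OU. Note from the gpresult output above that CTRX4 is under CN=Computers rather than an OU, so no server-specific GPO can be linked to it until it is moved.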

 
Hi all,

Thanks for the feedback to date. I am run off my feet at the moment doing some DR stuff, but I will get back to you on this as soon as I can :)

Thanks again

Steve
 