Group Policy Problem

Status
Not open for further replies.

davetherave100, Technical User, May 14, 2002, GB
We have a strange problem with group policy on a Win2k server. Created an OU with 1500 users in it and then applied a scenario group policy... appstation user settings. Worked fine! Then came to add more users into the OU and the settings were not applied, although not entirely, i.e. display restrictions. Set up another OU and applied kiosk policy to it. Then moved an original user from the first OU into it... worked fine. When the newly created user from the first OU was moved into the second OU... again didn't use kiosk settings. Tried logging onto a clean machine to see if any policy settings were still in the registry but again the same.
So at present we have users in the same OU that have entirely different restrictions on them!
Any help will be most appreciated.
 
Check for a replication issue if you have more than one DC.
Also, type the following commands on client computers to force a policy refresh:
secedit /refreshpolicy user_policy /enforce    (to refresh the user's security policies)
secedit /refreshpolicy machine_policy /enforce    (to refresh the computer's security policies)
 
Try this: at the root of C, create a Notepad document and place this line in it. Save it as PolicyRefresh.cmd. Throw it on the desktop of your server for easy access. Nifty little tool.

secedit /refreshpolicy machine_policy /enforce

Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
"Work consists of whatever a body is obliged to do.
Play consists of whatever a body is not obliged to do."
Mark Twain (1835-1910); US writer.
 
Thanks for the input, but I had always run secedit on the server and client PC. It seems that some part of the policy is sticking with the profile... all our users are set to use the same mandatory profile. After spending some time with the problem today, it stands as follows: on one PC, when a user logs in he gets all the restrictions; create another user in the same OU... again no problems. At that point I thought I had cured it by creating a new profile... but then these same users logged onto another PC and we get the same problem. None of the restrictions applied in the policy are applied apart from restricted desktop. Only one DC, and DNS seems fine. Thought it may be something to do with static or DHCP, as the second PC was on DHCP... changed it to static but still no change. After seeing one PC work fine with 3 users and another PC have problems we thought it was the buil....but then at the start it was 2 users on the same PC, so maybe we haven't yet solved things :-(
 
Have all the users that are to be affected by the GPO been given Read and Apply Group Policy permissions in the permissions on the GPO?
Are the PCs that don't get the GPO in a different OU that has Block Policy Inheritance set?
 
Take a look at the event viewer on the client computers. "Sometimes" the reason is clear why the policies are not applied.
 
Tried some of the above suggestions but to no avail... it seems now that the problem lies in the ntuser.dat file in the profile.
If a new user is created and a profile set up, all is well. If that profile is altered and then renamed to a .man file, it seems that it somehow gets messed up and then only allows one user to have the GPO applied. If the user who doesn't get the policy is given a new profile, then the policy is applied again OK.
So at the moment we look like creating 4000 separate profiles with associated shares needing to be created, and changed to the user to point to the path... lots of work!!! :-(
Has anyone had experience of a mandatory profile being shared on 2000 alongside a GPO? We used a similar setup on NT4 and it did work.
Also, we created the 1500 users so far using addusers.exe... is there any way of creating home directories and setting shares to them with permissions?
 
Denying Install rights to Power User Group?
Or Creating a custom group like Power Users, but without install rights?

Small network, 1 DC / FS running Win2k Server. 5 WS running Win 2k pro.

I have an application that uses Btrieve, the program runs locally on each WS, but shares data files on the Server.

If the user is a member of the Users group, the program will not run.

If I change the user to the Power Users group, all works fine.
My problem is, I don't want the users to have the full authority of a power user, i.e. install AOL, etc.

Any ideas?

 
Solution and explanation:
AD= Bound to fail (too many objects :) )
NDS (Edirectory)= Everything should be OK.

(just for fun) :)
 