
help getting group policy to apply


patrichek

MIS
Nov 18, 2003
632
US
Hi,
I've been reading the threads about applying group policy and I'm pulling my hair out!
I want to add VBScript for mapping drives and printers. I've tested these vbs's and they work when I click on them manually. I can't get group policy to apply them to my domain users/computers. I've tried setting it under different OUs, made sure the security is set to read and apply, applied them to both users and computers (separately) without any luck.
They apply on my DCs (2) when I log on, no problem. 1 question I have is where should the sysvol be located? I have 1 on the C drive of the server and one on another shared drive on that same server...?
Any ideas?
Thank you
 
Hi patricheck,

I'm having similar problems getting my logon scripts to run (I assume you're doing the mapping in a logon script). Though I cannot solve your problem, perhaps you can benefit from what I've discovered so far. First, what I do know is that the easiest way to find where to put the scripts (sysvol) is to go to the Active Directory console, select properties for the OU you want to apply the scripts to, click the group policies tab, select the one you want and hit edit. Under User config.\Windows Settings\Scripts select logon, then show files. Paste your script there and then use the add button to add it to the GPO. This whole subject is well described here:
So that's the easiest way to make sure you're using the right directory. Now on to my problem (which may be yours). If my OU contains only groups containing users, and not the users themselves, the GPOs do not seem to apply. For example, say I have users a, b, and c who are part of OU "old". I create a new group called "group" which a, b, and c are members of. I add this group to a new OU called "new" and apply a GP to it. THIS POLICY IS NOT APPLIED TO a, b, and c. However, if I put c directly into "new" the policy is applied to him.

I don't know if you are having similar problems, hopefully not but if you are perhaps someone else can help us.

Good luck.
 
Shouldn't the logon file be in the \\servername\netlogon directory for the script to be applied? I use a kix file to do the same, and these are applied by a batch file that checks OS, all located in the netlogon directory.

As for the problem of GP and users as part of different groups, are you sure the policy isn't being applied? Remember, the most restrictive policy will be applied.
 
bazzert,

I could be wrong here, but I'm pretty sure that if you want to use the logon scripts with group policy objects, they have to be in a very specific directory (something like: \\2000trainers.com\SysVol\2000trainers.com\Policies\{50695D20-8924-4861-8B3F-B6982A8818B2}\User\Scripts\Logon). Check out the link I put in my previous response for more specifics. He's trying to use the GPOs to apply specific logon scripts to users based on their Group Policy.

Now, as to the next question about whether the policies are being applied, I have made some interesting discoveries. I downloaded a program from Microsoft called gpresult (check it out, it's pretty useful, especially in conjunction with gpupdate) which, when run on a client, can tell you which GPOs are being applied to your account and which OUs as well. This has confirmed that the account I'm testing with is not being included in the new OU (the one with the Group Policy), despite the fact that I have created a group (with my test account in it) in the OU. So basically, yes, I'm sure they aren't being applied, and I'm also now sure that the account isn't even being included in the new OU.

Thanks

 
OOPS, my bad, the account IS in the group, but the policy is not applied.

BTW I have edited the policy security settings and specifically included the account with read and apply.

sorry

 
I don't know from the thread if you were able to solve the problem, and let's see if this walkthrough helps. Let's assume your VBScript has all conditional statements for all drive mappings regardless of where the user is in the domain/OU/Group Membership (that way we only need one logon script for the domain).

Click Start/Programs/Administrative Tools/AD Users & Computers
Right mouse-click on domain name and click Properties
Click Group Policy Tab
Create new Group Policy called "Domain Logon Script"
Click Edit
Open User Configuration\Windows Settings\Scripts\Logon
Click Add
Browse to your logon VBScript. It will automatically be copied to the proper AD Group Policy directory
Click OK
(It is possible your GP is being blocked by the "Block Policy Inheritance" option in another GP. You can click on "Options" to set the "No Override" option. This will ensure the GP is applied.)

Lastly, it is entirely possible you did everything correctly but you are having another issue with GP that is unrelated to what you are doing. Examine the Event Log of your server and test client. If the GP is not being applied due to another error you will see it in the log. Get the Event ID and go to and you will be provided with suggestions on fixing the error.

Lastly, if you could help me out with my issue I would appreciate it.
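
Added example, not part of any poster's reply: a simplified Python model of how a user's GPO list is worked out, covering the two situations raised in this thread (a GPO linked to an OU that holds only a group object, and "Block Policy Inheritance" versus "No Override"). The `Container` class, `applied_gpos`, `build` and all sample data are constructed for illustration.

```python
# Simplified model of user-side GPO scoping. All names and data are constructed;
# site and local policy, WMI filters and loopback processing are left out.
from dataclasses import dataclass, field

@dataclass
class Container:
    name: str
    parent: "Container | None" = None
    links: list = field(default_factory=list)  # [(gpo_name, no_override)]
    block_inheritance: bool = False

def applied_gpos(user, home, groups, apply_acl):
    """Return the GPOs that apply to `user`, whose account object sits in `home`."""
    chain, node = [], home
    while node:                        # walk from the user's OU up to the domain
        chain.append(node)
        node = node.parent
    in_scope = []
    for c in reversed(chain):          # domain first, then each OU below it
        if c.block_inheritance:        # inherited links survive only with No Override
            in_scope = [link for link in in_scope if link[1]]
        in_scope += c.links
    principals = {user} | {g for g, members in groups.items() if user in members}
    # Security filtering: the user or one of their groups needs Read + Apply.
    return [name for name, _ in in_scope if principals & apply_acl[name]]

def build(no_override=False, block_old=False):
    domain = Container("domain", links=[("Domain Logon Script", no_override)])
    old = Container("old", parent=domain, block_inheritance=block_old)
    # OU "new" holds the group object "group" and has the GPO linked to it.
    new = Container("new", parent=domain, links=[("Map Drives", False)])
    return domain, old, new

GROUPS = {"Authenticated Users": {"a", "b", "c"}, "group": {"a", "b", "c"}}
ACL = {"Domain Logon Script": {"Authenticated Users"}, "Map Drives": {"group"}}

if __name__ == "__main__":
    _, old, new = build()
    print("a in old:", applied_gpos("a", old, GROUPS, ACL))  # link on "new" is never reached
    print("c in new:", applied_gpos("c", new, GROUPS, ACL))
    _, old, _ = build(block_old=True)
    print("blocked :", applied_gpos("a", old, GROUPS, ACL))
    _, old, _ = build(no_override=True, block_old=True)
    print("enforced:", applied_gpos("a", old, GROUPS, ACL))
```

In this model group membership only matters at the security-filtering step, so a GPO meant for a group has to be linked to a container that holds the user accounts and then filtered to that group.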

 
Jimboticus, I believe you're correct. The user profile runs a batch file that calls a kix file that controls all drive mappings and printer allocation by checking machine name.

IIRC group policy is applied at machine startup.

A lot of the group policy items are controlled through a piece of software called Ranger (education environment); with this you can restrict drives, apps, web site access, no right click etc. Though we still use group policy to totally deny internet access, delete profile on exit, apply background etc.

All the clients for students have 2 items in the start menu, programs for that room and logoff, they can't access C drive, floppy or CD drive, they can only access server shares allocated with Ranger.
 
The easiest way to get a handle on group policy is to download the Group Policy Management Console provided by Microsoft. It is a free tool and makes administering the policy easy. It will only run on Windows XP or Server 2003, but you CAN use it to administer a Windows 2000 domain without any problems. I do it every day at work. You can find an article that talks more about it here
 