
Policy not applying

Status
Not open for further replies.

Palagast

Technical User
Dec 16, 2002
228
NL
I have a user policy which I want to apply on a certain group of computers. To do this, I have created an OU Computers and an OU Users. I put the (Windows XP) computer in the Computers OU and the user in the Users OU. I want the policy explicitly applied to all users who log in on the computers in the OU Computers, because this is a different set of PCs than the rest of my network.
So.. I apply the policy to the Computers OU and make sure that the "User Group Policy loopback processing mode" is turned on, so the User-Configuration is applied as well. The policy has read and apply as rights to "Authenticated Users" and deny apply to administrators. The user I'm trying this all out with is not an administrator.
When I log on with my test user, the policy simply doesn't work, not a single element of it.
Am I missing something here?
Thanks in advance for any advice.
 
I'm not sure which policy you're trying to apply, but User Policies only apply to USERS and Computer Policies only apply to COMPUTERS... even if a policy can have both, they only work for their respective section.

If you modify a policy in the "User Configuration" and apply it to a Computer, nothing will happen.. which is normal, since you must apply "Computer Configuration" to Computers and "User Configuration" will apply only to users.





"In space, nobody can hear you click..."
 
Correct. User policies only go to users, Computer policies only go to computers. I don't know of a way to make a user policy that is applied only when the user logs into a specific PC.

The user loopback processing that you mentioned is specific to terminal server and doesn't work for workstation logins.
 
Reddlefty, kmcferrin, thanks for your replies.
I'm sorry but I have explained the situation slightly wrong. The computer I'm using is a Citrix server and because of that I'm under the impression that the loopback setting should work as I stated: applying a user configuration policy on a terminal server so that every user that logs on to it gets the policy.
...but still it isn't.
 
It makes no difference if Citrix or not...the policies still apply as above. If you want everyone logging onto that computer to have a policy, you have two choices:

A) You apply a Computer Configuration policy to the Citrix Server

or

B) You apply a User Configuration Policy to ALL users that may log onto that server. To do so, you would have to isolate the users into their own OU.



"In space, nobody can hear you click..."
 
Option B is not entirely true, kind of think of it: You can actually create a group and add the users you want and use the group to apply the User Configuration policy, but the rule still applies: it only works for users.



"In space, nobody can hear you click..."
 
It's my understanding of the 2 halves of the GPOs that..

If you apply a "User Configuration" to an OU containing Computers then the policy should apply to any user logging onto a computer in that OU.

Likewise apply a "Computer configuration" to an OU containing Users and when that user logs onto any computer the policy is applied.

The GPO system is far more flexible than you'd think.
 
Puffingbear:
I don't think that is the case. What would the loopback policy be of use for then? I quote from the explanation:
Applies alternate user policies when a user logs on to a computer affected by this policy.

This policy directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this policy. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user policy based on the computer that is being used.


ReddLefty: The specific problem I'm facing now is that I have a Citrix network with win98 clients. The policies I have don't apply to those clients. Some time ago, I added some Windows XP machines which do get those policies and I don't want that (people can't access their local discs, can't shutdown etc, the reasons are obvious). So far it was sufficient to apply the policy on all users, but now it needs to be applied only to those guys who are logged in on Citrix. I've tried applying it to the special user "Terminal Server User" without success.
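The policy explanation quoted in the post above, worked as a simplified model of which GPOs supply User Configuration at logon, using the OU layout and permissions from the first post. This is an added example, not part of any post in this thread; the GPO names and the `user_settings_gpos` helper are constructed for illustration, and the model ignores site and domain links, inheritance blocking, enforcement and WMI filters.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    linked_ou: str                                  # OU the GPO is linked to
    apply_allow: set = field(default_factory=set)   # groups with Read + Apply Group Policy
    apply_deny: set = field(default_factory=set)    # groups denied Apply Group Policy

def passes_filter(gpo, groups):
    """Security filtering: a deny entry wins over any allow entry."""
    if gpo.apply_deny & groups:
        return False
    return bool(gpo.apply_allow & groups)

def user_settings_gpos(gpos, user_ou, user_groups, computer_ou, loopback=None):
    """Names of GPOs whose User Configuration is processed, in processing order.

    loopback is the mode the *computer* received through Computer Configuration:
    None (not configured), "merge" or "replace".
    """
    from_user = [g for g in gpos if g.linked_ou == user_ou]
    from_computer = [g for g in gpos if g.linked_ou == computer_ou]
    if loopback is None:
        scope = from_user                    # normal processing: user's location only
    elif loopback == "merge":
        scope = from_user + from_computer    # computer's list last, so it wins conflicts
    elif loopback == "replace":
        scope = from_computer                # user's own list is ignored
    else:
        raise ValueError(f"unknown loopback mode: {loopback!r}")
    # User settings are still filtered against the logging-on user's groups.
    return [g.name for g in scope if passes_filter(g, user_groups)]

# Constructed sample data mirroring the first post's setup.
GPOS = [
    GPO("Default user settings", "Users", {"Authenticated Users"}),
    GPO("Citrix lockdown", "Computers", {"Authenticated Users"}, {"Administrators"}),
]
TEST_USER = {"Authenticated Users"}
ADMIN = {"Authenticated Users", "Administrators"}

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, user_settings_gpos(GPOS, "Users", TEST_USER, "Computers", mode))
    print("admin/replace", user_settings_gpos(GPOS, "Users", ADMIN, "Computers", "replace"))
```

In this model the lockdown GPO only reaches the test user when the loopback mode has actually been delivered to the computer, so the first thing to verify on the server is that the Computer Configuration half of the GPO was processed.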
 
Puffingbear, you're incorrect. The policies defined for a container apply to the objects in the container. If you set a user policy on an OU of computers nothing will happen. Even if a user from a different OU logs into a computer in that OU, the user object itself is not a part of that OU and therefore will not get the policy applied.

The only thing that I'm not 100% sure on is if you create a local user on the PC that is a member of the OU. I don't expect that the policy would be applied to that local user, but since that computer can be considered a container as well, it might be possible.
 