GPO Start menu redirects for different OUs

[TimRegester]

I have a school network where for a year the GPOs worked correctly. The GPO for the curriculum OU redirected the start menu and removed the start menu settings like run etc that I did not want users to use. The Start menu was held in sysvol on the server. All clients are XP Pro and the server was Windows Server 2003 Std.

Now I have 11 laptops, obviously I cannot use the Start menu off the server as there are different apps and wireless tools etc and the start menu would be unavailable when offline.

I tested and tested but still have yet to find a consistent solution. All laptop users are admin on their laptop otherwise they cannot use certain hardware and plug in printers at home.

I moved all the desktops to an OU within the curriculum OU and all Laptops to another OU. I created a GPO for each and ensured the Desktop OU had the same settings as the Curriculum GPO. Removed the settings from the original GPO that are in the Desktop GPO. This all worked, there was no change in start menu behaviour.

I then started on the laptops and changed the start menu settings to be as per out of the box, and amended the start menus for default user and all users on the Laptop. But the results are not as expected. Some users get "empty" for the start - programs some get the redirected start menu some get all the start menus one on top of another. How do I solve this?

I am using loopback replace mode in the GPO, should I change to merge mode? Why do the redirected start menus persist when the laptop is offline? How can I make this consistent? Is my desktops OU GPO not working correctly and the old Curriculum GPO settings still apply.

RSOP has not yielded any help at all the GPOs are being applied in the right order and should work. I have looked at MS 328008 and 231287 and they say what I have done should work.

I am wary of changing GPO settings since one attempt locked everyone out until I reversed it (do ot know why), so I need to be very sure. btw I have no test network which is a pain and not ideal but when is life ideal.

 

[aftertaf]

how many servers do you have?

how long did you wait (if more than 1 server) for the changes to replicate?

have you tried gpupdate on the clients?

try to detail a tree of your relevent OU structure and GPOs linked to each... and if there is anything in default domain policy that you have changed.

Aftertaf (david)
MCSA 2003

 

[aftertaf]

and don't worry.... it'll get sorted out...
it worked for a year, you wont have to format anything

Aftertaf (david)
MCSA 2003

 

[TimRegester]

I have one server and 40 odd clients. The policy refresh is set to 15 minutes gpupdate made no difference.

Structure is as follows.

Domain - GPO for domain level settings etc no changes here at all relating to interface. Some network wide changes.
|
-- Curriculum contains all users GPO applies hardware irrelevent user config settings etc.
|
-- Desktops contains all desktop computers applies redirect settings to control user interface and start menu redirects in loopback replace mode, works as defined.
-- Laptops contains all laptop computers applies user interface settings, no start menu redirects. loopback replace mode. inconsistent results no laptop works as planned. certainly not as I understand it should.

Do you need more detail?

 

[aftertaf]

So, when it worked before, the GPO that did the work was linked to the Curriculum OU, and in this OU were the user objects and the workstation objects...

and the changes you have made are:
-2 new OUs, to separate the 2 types of workstation objects
-creation of new GPOs on each new OU, with the intention of doing the same as the one GPO did before on the original OU.

is that right?

are you using the GPMC tool for GPOs, or right-click on OUs to manage GPOs? if not using GPMC, get hold of it pretty sharply, itll help you deal with this problem a lot better, makes things a lot clearer, trust me on this!!

and as for the loopback mode...
if the user objects in the parent OU do not have conflicting GPO settings applied to them, what you have defined in the user config part of the GPOs applied to the PCs in the child OUs should be applied, whatever the loopback method. the merge/replace mode is in case of conflicting settings...



and a final point.
"All laptop users are admin on their laptop", i am right in believing they are admin only on the local machine and not on the domain....

something is working right anyway, cos you say for Desktops it works fine.
have you checked the permissions on the Laptop GPO concerning the users? Does a user for whom the desktops GPO applies have all the problems you mention when he logs on to a laptop?


if you have copied or recreated the same settings in new GPOs for each workstation OU, you needn't do that. You can link a GPO to different OUs, if both OUs need the same GPO applied.... A GPO is not linked and stored exclusively in its OU...

let me know if youre not using GPMC... ill explain why you should get it...

Aftertaf (david)
MCSA 2003

 

[TimRegester]

I am using GPMC and there is a different GPO for each OU, I copied the original Curriculum OU twice then delinked edited the desktop and laptop GPOs according to the different settings for each OU. Then I removed each of these GPO settings from the curriculum OU GPO thus there should be no conflicts. The settings in question should only be those gained from the desktop and laptop OUs.

I am wondering if, because the laptops are used off the network and therefore use latent GPO settings gained from the last time the laptop was connected, this is what is causing the GPOs not to work properly.

Should I start from scratch for the Laptop OU GPO and if so how do I remove these latent settings on each laptop? I have tried GPupdate but to no avail in the past.

 

[aftertaf]

try deactivating the gpo linked to the desktop ou, then rebooting a laptop.

if the curriculum gpo specifies a setting and it conflicts with a gpo set on a child OU, it will be overridden.

can you export & paste the settings from the problem GPO?

googling for the 'when not connected' issue, hmmmmm......

Aftertaf (david)
MCSA 2003

 

[aftertaf]

silly question, but you have tried
Gpupdate /force
?

Aftertaf (david)
MCSA 2003

 

[aftertaf]

ive searched all over, i cant find any info about laptops when not connected to domain....

unless you set up the laptops for users to use a local user account when not connected.....


Aftertaf (david)
MCSA 2003

 

[aftertaf]

on the drive home, had an idea.
no guarantees, but it might work.

Set the local machine policy on a laptop with settings different to your GPO.
When on the domain, the local policies are overridden by GPO, but when you're not connected to the domain, it may process local machine settings and override latent GPO settings.

worth a try...

Aftertaf (david)
MCSA 2003

 

[TimRegester]

I am on site next week so will try suggestions then.

I have the GPOs in html format may post them on web and link to here.

The local GPO issue sounds like a support nightmare but I will try it.

I am wondering if SP2 on XP is part of the issue. Whole new bag of worms opened. They had SP2 before they joined the domain so no GPOs were applied until after SP2. Whereas the desktops that have SP2 work ok but had the GPO settings before then.