
Very strange group policy settings


nath01

Technical User
Apr 13, 2004
74
GB
OK, I have 2 OUs within my Active Directory. OU1 contains TS/Citrix settings; these are user and computer settings that lock down the desktops when logged in to TS. Loopback processing is enabled to force these settings on to the user when they log in (users and comps are in OU2).

When the user logs in to TS they get all the settings from the TS lockdown policy; however, when they log back in to a normal PC they still get these settings even though the group policy is not applied.

I have run GPMC on the user's desktop and only our standard GPs are applied, but it's still got the very restrictive settings from the TS lockdown policy.

Not sure why it is keeping these settings if the policy is not even applied!

Any ideas?
 
Are you using roaming policies for both TS and non-TS? If you are, and the policies for both are stored in the same location, I could see that happening.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
 
Yes, roaming profiles are being used for the users, not TS profiles.

Would it be beneficial to use separate TS and Windows roaming profiles?

Also, I tested this before and when using a TS profile it still picked up all the settings from the standard profile. Is this correct, or should it have a fresh profile?
 
It should revert; however, when the computer boots, in the registry, as Windows starts to load, all the settings from the TS OU are still active. As the machine continues to load Windows, the network connection is made; if this connection is slow or nonexistent, then the new (normal standard profiles) will either not be applied yet, or fail on this policy cycle. Same for the users.

There is a setting called Wait For Network. This basically makes sure a full connection has been established before letting you log on with what is essentially a cached profile. By default, this is Disabled, meaning that you can log on to a machine with a domain account without a connection to the DC, and it will still behave exactly as normal (aside from any net connections you may need for other actions / other server services etc.). This is based on the concept that you have previously logged on to the isolated machine with this particular user, creating a local profile.

To enable this setting (which is a policy and will need to be distributed and applied by the clients before it will work), navigate to Computer Configuration > Admin Templates > System > Logon > Always Wait For Network at Computer Start and Logon.

This means that the user logon will not complete until the network connection has been verified and the policies started to apply.

This is the solution to my take on your problem; however, from what I read, your problem is either what I have understood (this being the possible solution), or you actually meant something completely different from what I understood (by the means of what is actually causing this problem).

If you log on, you get restricted settings, do a Run > GPUpdate /force, reboot, log on... do you get the same overly restricted system?

Hope this helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
If you log on, you get restricted settings, do a Run > GPUpdate /force, reboot, log on... do you get the same overly restricted system?

Yes, it is still the restricted system, even after a GPUpdate /force and a reboot. It's very strange.

Even in GPMC it shows that the policies are not installed at all, which is strange. The only thing I can track it down to is the roaming profile, whether this is keeping the settings for some reason. I'm going to do some testing on this and use separate profiles for TS and desktop sessions and see what effect this has.
 
If you use separate profiles, this should, unless you have some terrible bug somewhere, definitely fix your issue.

Neil J Cotton
njc Information Systems
Systems Consultant
 
"these are user and computer settings that lock down the desktops when logged in to TS"

Some of the settings are user settings, as in "under the user part of the GPO"? These will apply to the user object in Active Directory, regardless of whether it is a local logon or TS logon.

Start, Help. You'll be surprised what's there. A+/MCP/MCSE/MCDBA
 
The settings only apply when in as TS (the GP is applied to the TS server with loopback enabled so it will apply the comp settings too). As the user and computer are in a different OU without that GP, it will not apply when they log on to a normal PC.
 
Agree with ncotton. Separate the TS profile from the roaming profile.

Start, Help. You'll be surprised what's there. A+/MCP/MCSE/MCDBA
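
An added diagnostic, not part of any post in this thread, for testing the theory discussed above that the roaming profile is carrying the TS lockdown values to the normal PC. It assumes PowerShell is available on the workstation and is run as the affected user; `SyncForegroundPolicy` is the registry value behind the "Always wait for the network at computer startup and logon" policy.

```powershell
# Added example (not from the thread). Run as the affected user on the normal PC.

# 1. Is "Always wait for the network at computer startup and logon" in effect?
$winlogon = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sync = (Get-ItemProperty -Path $winlogon -Name SyncForegroundPolicy `
            -ErrorAction SilentlyContinue).SyncForegroundPolicy
if ($sync -eq 1) {
    'Wait-for-network policy: enabled'
} else {
    'Wait-for-network policy: not configured or disabled (cached logon possible)'
}

# 2. List every policy value stored in the user's own hive. This hive is
#    NTUSER.DAT, which travels with a roaming profile, so values written
#    during a TS session would show up here on the desktop as well.
$policyRoots = 'HKCU:\Software\Policies',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

$found = foreach ($root in $policyRoots) {
    if (-not (Test-Path $root)) { continue }
    $keys = @(Get-Item $root) +
            @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Value = $name
                Data  = $key.GetValue($name)
            }
        }
    }
}
$found | Sort-Object Key, Value | Format-Table -AutoSize -Wrap

# 3. Show which GPOs are actually applied to this user, for comparison with
#    the values listed in step 2.
gpresult /r /scope user
```

Restrictive values listed in step 2 that do not belong to any GPO shown in step 3 point at the profile, not at current policy processing, as the place the settings are coming from.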
 