Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Windows Server General Help » GPO attached to one user? strange
GPO attached to one user? strange [message #163630] Thu, 04 June 2009 06:46 Go to next message
Luke Chalmers  is currently offline Luke Chalmers
Messages: 5
Registered: August 2009
Junior Member
Hello,

I am not sure which group to ask this question to but here goes.

I have one user in a domian environment that seems to have a group policy
attached to the profile and I don't know why.

A little history....

I have setup a terminal server which has a group policy (not local) attached
to the computer and users of a terminal server group have permissions to the
computer and the group policy. When users log into the terminal server a
group policy is applied and all works ok and when they log onto their laptop
the default domain policy is applied which is the way I want it.

One user seems to get the terminal server group policy applied on his laptop
which is really strange. He has logged onto another laptop and again the
group policy applies itself again. The group policy is quite locked down so
for everyday use on the laptop it is quite annoying.

I have removed him from the the group which I created which was for all
terminal server users which has permissions to the locked down GPO but even
then when the user logs in it still seems to be applied.

There must some permission somewhere where he has permission to this GPO. Is
there a way of searching permissions on a GPO in any way? How would you go
about it?

Many thanks,

Luke
Re: GPO attached to one user? strange [message #163633 is a reply to message #163630] Thu, 04 June 2009 06:50 Go to previous messageGo to next message
meiweb(nospam)  is currently offline meiweb(nospam)  Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello Luke,

On the OU where the TS are located are there also the user accounts in? Do
you use loopback processing on the GPO used for the TS? Please check this
ones about loopback policy which should be used for TS users.
http://support.microsoft.com/kb/231287

http://technet.microsoft.com/en-us/library/cc757470(WS.10).aspx

http://support.microsoft.com/kb/260370

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hello,
>
> I am not sure which group to ask this question to but here goes.
>
> I have one user in a domian environment that seems to have a group
> policy attached to the profile and I don't know why.
>
> A little history....
>
> I have setup a terminal server which has a group policy (not local)
> attached to the computer and users of a terminal server group have
> permissions to the computer and the group policy. When users log into
> the terminal server a group policy is applied and all works ok and
> when they log onto their laptop the default domain policy is applied
> which is the way I want it.
>
> One user seems to get the terminal server group policy applied on his
> laptop which is really strange. He has logged onto another laptop and
> again the group policy applies itself again. The group policy is quite
> locked down so for everyday use on the laptop it is quite annoying.
>
> I have removed him from the the group which I created which was for
> all terminal server users which has permissions to the locked down GPO
> but even then when the user logs in it still seems to be applied.
>
> There must some permission somewhere where he has permission to this
> GPO. Is there a way of searching permissions on a GPO in any way? How
> would you go about it?
>
> Many thanks,
>
> Luke
>
Re: GPO attached to one user? strange [message #163635 is a reply to message #163633] Thu, 04 June 2009 07:20 Go to previous messageGo to next message
Luke Chalmers  is currently offline Luke Chalmers
Messages: 5
Registered: August 2009
Junior Member
Meinolf,

Thanks for the prompt reply. I have an OU container call Terminal Services
and this just has the server which acts as the terminal server. If I
right-click on the container, I can go into the group policy management
console. From their, I can see the group policy and it is applied to the
following security groups.

Server [computer]
System
Domain\terminal services

As mentioned if I remove the user from the Domain\terminal services group
then the group policy seems to apply to his laptop.

I know about the lopp processing and it is enabled on the terminal services
group policy.

It's very strange as it is only one user?!?!



"Meinolf Weber [MVP-DS]" wrote:

> Hello Luke,
>
> On the OU where the TS are located are there also the user accounts in? Do
> you use loopback processing on the GPO used for the TS? Please check this
> ones about loopback policy which should be used for TS users.
> http://support.microsoft.com/kb/231287
>
> http://technet.microsoft.com/en-us/library/cc757470(WS.10).aspx
>
> http://support.microsoft.com/kb/260370
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Hello,
> >
> > I am not sure which group to ask this question to but here goes.
> >
> > I have one user in a domian environment that seems to have a group
> > policy attached to the profile and I don't know why.
> >
> > A little history....
> >
> > I have setup a terminal server which has a group policy (not local)
> > attached to the computer and users of a terminal server group have
> > permissions to the computer and the group policy. When users log into
> > the terminal server a group policy is applied and all works ok and
> > when they log onto their laptop the default domain policy is applied
> > which is the way I want it.
> >
> > One user seems to get the terminal server group policy applied on his
> > laptop which is really strange. He has logged onto another laptop and
> > again the group policy applies itself again. The group policy is quite
> > locked down so for everyday use on the laptop it is quite annoying.
> >
> > I have removed him from the the group which I created which was for
> > all terminal server users which has permissions to the locked down GPO
> > but even then when the user logs in it still seems to be applied.
> >
> > There must some permission somewhere where he has permission to this
> > GPO. Is there a way of searching permissions on a GPO in any way? How
> > would you go about it?
> >
> > Many thanks,
> >
> > Luke
> >
>
>
>
Re: GPO attached to one user? strange [message #163646 is a reply to message #163635] Thu, 04 June 2009 09:10 Go to previous message
lanwench  is currently offline lanwench  United States
Messages: 1684
Registered: July 2009
Senior Member
Luke Chalmers <LukeChalmers@discussions.microsoft.com> wrote:
> Meinolf,
>
> Thanks for the prompt reply. I have an OU container call Terminal
> Services and this just has the server which acts as the terminal
> server. If I right-click on the container, I can go into the group
> policy management console.

Sounds like you're just going into GP editor. Download and install the Group
Policy Management Console w/SP1 on your DC. This is a much better way to see
who has what.

> From their, I can see the group policy and
> it is applied to the following security groups.
>
> Server [computer]
> System
> Domain\terminal services
>
> As mentioned if I remove the user from the Domain\terminal services
> group then the group policy seems to apply to his laptop.

Group policy doesn't apply to *groups*, though.
>
> I know about the lopp processing and it is enabled on the terminal
> services group policy.
>
> It's very strange as it is only one user?!?!

Have the user run an rsop.msc while logged into the laptop.
>
>
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Luke,
>>
>> On the OU where the TS are located are there also the user accounts
>> in? Do you use loopback processing on the GPO used for the TS?
>> Please check this ones about loopback policy which should be used
>> for TS users. http://support.microsoft.com/kb/231287
>>
>> http://technet.microsoft.com/en-us/library/cc757470(WS.10).aspx
>>
>> http://support.microsoft.com/kb/260370
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>
>>
>>> Hello,
>>>
>>> I am not sure which group to ask this question to but here goes.
>>>
>>> I have one user in a domian environment that seems to have a group
>>> policy attached to the profile and I don't know why.
>>>
>>> A little history....
>>>
>>> I have setup a terminal server which has a group policy (not local)
>>> attached to the computer and users of a terminal server group have
>>> permissions to the computer and the group policy. When users log
>>> into the terminal server a group policy is applied and all works ok
>>> and when they log onto their laptop the default domain policy is
>>> applied which is the way I want it.
>>>
>>> One user seems to get the terminal server group policy applied on
>>> his laptop which is really strange. He has logged onto another
>>> laptop and again the group policy applies itself again. The group
>>> policy is quite locked down so for everyday use on the laptop it is
>>> quite annoying.
>>>
>>> I have removed him from the the group which I created which was for
>>> all terminal server users which has permissions to the locked down
>>> GPO but even then when the user logs in it still seems to be
>>> applied.
>>>
>>> There must some permission somewhere where he has permission to this
>>> GPO. Is there a way of searching permissions on a GPO in any way?
>>> How would you go about it?
>>>
>>> Many thanks,
>>>
>>> Luke
Previous Topic:EARN MORE THAN 18000$ WITH CJ JOBS
Next Topic:Migrating 2 domains onto one server
Goto Forum:
  


Current Time: Tue Aug 22 14:48:29 EDT 2017

Total time taken to generate the page: 0.06664 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software