| Author | Messages | |
RPMiller
Posts:34
 | | 09/30/2009 8:17 PM |
| Hello,
Is it possible to apply a group policy to a user via a group in an OU?
I need to apply an Outlook 2003 policy to some users in my Windows 2003 domain. Because users will likely be shifted in and out of this policy's requirement I have to use a group to manage the users. What I've done is created a group that will have the restriction user policy applied to it. I've added the users to this group, and placed the group in an OU and applied the GP to it.
When I run the simulation wizard, it shows the OU as having the policy applied, but when I run it for the user in the group it is not being applied.
I am able to have the policy apply with no problems if I place the user in the OU directly, so I am wondering if this is even possible.
Thank you in advance for any insights and help.
Rob Miller
| | | |
| mdzikowski
Posts:74
 | | 09/30/2009 8:22 PM |
| Yes, set your scope for a group.
Regards,
Mike Dzikowski WinTel Engineer Henry Ford Health System | OneIT 2571 Product Drive | Rochester Hills, MI 48309 248.853.4891
============================================================================== CONFIDENTIALITY NOTICE: This email contains information from the sender that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise protected from disclosure. This email is intended for use only by the person or entity to whom it is addressed. If you are not the intended recipient, any use, disclosure, copying, distribution, printing, or any action taken in reliance on the contents of this email, is strictly prohibited. If you received this email in error, please contact the sending party by reply email, delete the email from your computer system and shred any paper copies.
Note to Patients: There are a number of risks you should consider before using e-mail to communicate with us. See our Privacy Policy and Henry Ford My Health at www.henryford.com for more detailed information. If you do not believe that our policy gives you the privacy and security protection you need, do not send e-mail or Internet communications to us.
==============================================================================
| | | |
| Wornell1
Posts:21
 | | 09/30/2009 8:27 PM |
| What do you have for the Security Filtering on the Policy? Is there anything on the filter that would resolve to the User?
Kevin
Kevin Wornell Office Technology Group
Notice of Confidentiality This transmission contains information that may be confidential. It has been prepared for the sole and exclusive use of the intended recipient and on the basis agreed with that person. If you are not the intended recipient of the message (or authorized to receive it for the intended recipient), you should notify us immediately; you should delete it from your system and may not disclose its contents to anyone else.
This e-mail has come to you from Watson Wyatt & Company.
| | | |
| RPMiller
Posts:34
 | | 09/30/2009 8:41 PM |
| This is what I have in there currently.
| | | |
| mdzikowski
Posts:74
 | | 09/30/2009 8:46 PM |
| Does that group reside in an OU within that Container?
Run Rsop on that group and computer
Also, run gpresult on a PC to see if it's even getting the GPO ...
Regards,
Mike Dzikowski WinTel Engineer Henry Ford Health System | OneIT 2571 Product Drive | Rochester Hills, MI 48309 248.853.4891
| | | |
| RPMiller
Posts:34
 | | 09/30/2009 8:57 PM |
| Yes, the group is in the aforementioned OU with the policy applied to the OU.
I do not know what Rsop is.
The policy is for a user account not a computer. The GPO applied just fine to the user as mentioned, when the user was in the OU and not in the group.
| | | |
| RPMiller
Posts:34
 | | 09/30/2009 9:17 PM |
| Here is what the result is from the modeling wizard. As you can see it is being applied to the OU and the group. I don't understand why the user isn't getting it. I do not have any WMI filters configured, nor are there any blocks to inheritance in place for this user.
I'm wondering if perhaps a WMI filter may be a better way to go rather than a group and an OU. The GPO will be applied to our entire organization to start with, but users will be removed from the policy over time. I personally have never tried using WMI filters, so if you experts think that is a better option for me, can you also point me to a site that explains how they work?
Thank you again.
| | | |
| Martin_Hugo
Posts:26
 | | 09/30/2009 9:27 PM |
| How about applying the policy at the domain level but restricting it to apply only to members of your required group through the security filtering? Works for me.
Martin T. Hugo Network Administrator Hilliard City Schools 614-921-7102 (Ph) 614-771-7243 (Fax)
From: Robert Miller Sent: Wednesday, September 30, 2009 4:18 PM Subject: Re: [gptalk] Group Policy not applying to group
Helps when I attach the picture...
| | | |
| JamieNelson
Posts:0
 | | 09/30/2009 9:31 PM |
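| Okay, maybe I read your original post wrong, but you said you applied the GPO to the OU containing the group. The GPO has to be applied to an OU that contains all of the user accounts in the group, not just the group itself.
Not to mention that you’ll also want to remove the Authenticated Users group from Security Filtering so the GPO *only* applies to the users in your group. Otherwise it will get applied to every object in that OU and every OU underneath it.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com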
Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.
| | | |
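The scoping rule from the reply above can be checked with a script. This is an added example, not code posted by anyone in the thread: it audits the three conditions discussed here (GPO linked above the user accounts, the group holding Apply, Authenticated Users not holding Apply). The GPO, group and OU names are placeholders, and it assumes the GroupPolicy and ActiveDirectory RSAT modules on Windows Server 2012 or later.

```powershell
# Added example: audit a user-side GPO that is scoped by group membership.
# All names are placeholders (assumptions), not values from the thread.
Import-Module GroupPolicy, ActiveDirectory

$GpoName   = 'Outlook 2003 Restrictions'      # hypothetical GPO name
$GroupName = 'Outlook-Restricted-Users'       # hypothetical security group
$UsersOU   = 'OU=Staff,DC=example,DC=com'     # hypothetical OU holding the USER accounts

function Test-GpoGroupScope {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $UsersOU
    )
    $findings = @()

    # 1. The GPO has to be linked at or above the OU that holds the user
    #    objects. InheritedGpoLinks is the resultant list for that OU.
    $links = (Get-GPInheritance -Target $UsersOU).InheritedGpoLinks
    $link  = $links | Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }
    if (-not $link) {
        $findings += "GPO '$GpoName' has no enabled link at or above $UsersOU"
    }

    # 2. Security filtering: only trustees with Apply (and no Deny) process the GPO.
    $apply = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    $applyNames = @($apply | ForEach-Object { $_.Trustee.Name })
    if ($applyNames -notcontains $GroupName) {
        $findings += "Group '$GroupName' does not have Apply on '$GpoName'"
    }
    # S-1-5-11 is the well-known SID of Authenticated Users.
    if ($apply | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' }) {
        $findings += "Authenticated Users has Apply: every user under the link gets '$GpoName'"
    }

    # 3. Where the group object lives is irrelevant. Each member account
    #    must itself sit under the linked OU.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        if ($m.distinguishedName -notlike "*,$UsersOU") {
            $findings += "Member outside linked OU: $($m.distinguishedName)"
        }
    }

    return $findings
}

$result = Test-GpoGroupScope -GpoName $GpoName -GroupName $GroupName -UsersOU $UsersOU
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else         { Write-Output "Scope of '$GpoName' matches the group-filtered design." }

# Corrective settings matching the fix described in the thread (uncomment to apply):
# New-GPLink -Name $GpoName -Target $UsersOU
# Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply
# Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
#     -PermissionLevel GpoRead -Replace

# Confirm on a client, logged on as an affected user:
# gpresult /r /scope user
```

The commented fix lowers Authenticated Users to Read rather than deleting the entry: since the MS16-072 update, user policy is retrieved in the computer's security context, so the computer account needs Read on the GPO (through Authenticated Users or Domain Computers) even when only the group has Apply.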
| RPMiller
Posts:34
 | | 09/30/2009 10:05 PM |
| That was it! I need to apply it to the OU that contained all the users and not to the OU that contained the groups. Also, thank you for the extremely important tip of removing the Authenticated Users. I am up and running just fine now. However, I now have another big question that I'm positive someone will be able to help me with.
We have several dozen remote users who only connected to the network via VPN connections. Is there a way to have them pick up this policy the next time they connect? Is that even possible, or do they have to connect via dial up or something?
Again thank you very much for your help!
On Wed, Sep 30, 2009 at 1:29 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
> Okay, maybe I read your original post wrong, but you said you applied the GPO to the OU containing the group. The GPO has to be applied to an OU that contains all of the user accounts in the group, not just the group itself.
>
> Not to mention that you’ll also want to remove the Authenticated Users group from Security Filtering so the GPO *only* applies to the users in your group. Otherwise it will get applied to every object in that OU and every OU underneath it.
> > > > On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx> > wrote: > > Does that group reside in an OU within that Container? > > > > Run Rsop on that group and computer > > > > Also, run gpresult on a PC to see if it’s even getting the GPO … > > > > > > > > Regards, > > > > *Mike Dzikowski* > > *WinTel Engineer * > > *Henry Ford Health System | OneIT* > > *2571 Product Drive | Rochester Hills, MI 48309* > > *xxxxxxxxxxxxxxxx* > > *248.853.4891* > > > > *From:* xxxxxxxxxxxxxxxx [mailto: > xxxxxxxxxxxxxxxx] *On Behalf Of *Robert Miller > *Sent:* Wednesday, September 30, 2009 3:42 PM > > > *To:* xxxxxxxxxxxxxxxx > > *Subject:* Re: [gptalk] Group Policy not applying to group > > > > This is what I have in there currently. > > On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) < > xxxxxxxxxxxxxxxx> wrote: > > What do you have for the Security Filtering on the Policy? Is there > anything on the filter that would resolve to the User? > > > > *Kevin* > > *Kevin Wornell* > *Office Technology Group* > > *From:* xxxxxxxxxxxxxxxx [mailto: > xxxxxxxxxxxxxxxx] *On Behalf Of *Robert Miller > *Sent:* Wednesday, September 30, 2009 2:14 PM > *To:* xxxxxxxxxxxxxxxx > *Subject:* [gptalk] Group Policy not applying to group > > > > Hello, > > > > Is it possible to apply a group policy to a user via a group in an OU? > > I need to apply an Outlook 2003 policy to some users in my Windows 2003 > domain. Because users will likely be shifted in and out of this policy's > requirement I have to use a group to manage the users. What I've done is > created a group that will have the restriction user policy applied to it. > I've added the users to this group, and placed the group in an OU and > applied the GP to it. > > When I run the simulation wizard, it shows the OU as having the policy > applied, but when I run it for the user in the group it is not being > applied. 
> > I am able to have the policy apply with no problems if I place the user in > the OU directly, so I am wondering if this is even possible. > > Thank you in advance for any insights and help. > > Rob Miller > > *Notice of Confidentiality* > > This transmission contains information that may be confidential. It has > been prepared for the sole and exclusive use of the intended recipient and > on the basis agreed with that person. If you are not the intended recipient > of the message (or authorized to receive it for the intended recipient), you > should notify us immediately; you should delete it from your system and may > not disclose its contents to anyone else. > > This e-mail has come to you from Watson Wyatt & Company. > > > > ============================================================================== > > CONFIDENTIALITY NOTICE: This email contains information from the sender that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise protected from disclosure. This email is intended for use only by the person or entity to whom it is addressed. If you are not the intended recipient, any use, disclosure, copying, distribution, printing, or any action taken in reliance on the contents of this email, is strictly prohibited. If you received this email in error, please contact the sending party by reply email, delete the email from your computer system and shred any paper copies. > > Note to Patients: There are a number of risks you should consider before using e-mail to communicate with us. See our Privacy Policy and Henry Ford My Health at www.henryford.com for more detailed information. If you do not believe that our policy gives you the privacy and security protection you need, do not send e-mail or Internet communications to us. 
> > > > ============================================================================== > > > > > > * > ------------------------------ > * > > *Confidentiality Warning:* This message and any attachments are intended > only for the use of the intended recipient(s), are confidential, and may be > privileged. If you are not the intended recipient, you are hereby notified > that any review, retransmission, conversion to hard copy, copying, > circulation or other use of all or any portion of this message and any > attachments is strictly prohibited. If you are not the intended recipient, > please notify the sender immediately by return e-mail, and delete this > message and any attachments from your system. > >
| | | |
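The fix reached above (link the GPO to the OU that holds the user accounts, then narrow it with Security Filtering) can be checked with a small model. This is an added example, not code from the thread; the directory, OU and group names are constructed, and it assumes no Block Inheritance, Enforced links, WMI filters or loopback processing.

```python
# Constructed model of Group Policy user scoping (all names are made up).
AUTHENTICATED_USERS = "Authenticated Users"
GROUPS_OU = "OU=Groups,DC=example,DC=test"
STAFF_OU = "OU=Staff,DC=example,DC=test"

# Constructed directory: object name -> distinguished name.
DIRECTORY = {
    "alice": "CN=alice," + STAFF_OU,
    "bob": "CN=bob," + STAFF_OU,
    "carol": "CN=carol,OU=Sales," + STAFF_OU,
    "OutlookRestricted": "CN=OutlookRestricted," + GROUPS_OU,
    "SalesTeam": "CN=SalesTeam," + GROUPS_OU,
}
USERS = ("alice", "bob", "carol")
# Group -> direct members; SalesTeam is nested inside OutlookRestricted.
MEMBERS = {
    "OutlookRestricted": {"alice", "SalesTeam"},
    "SalesTeam": {"carol"},
}


def containers_of(dn):
    """Return every container above an object, nearest first."""
    parts = dn.split(",")  # the sample DNs contain no escaped commas
    return [",".join(parts[i:]) for i in range(1, len(parts))]


def groups_of(user):
    """Return all groups the user belongs to, following nested membership."""
    found, frontier = set(), {user}
    while frontier:
        frontier = {g for g, m in MEMBERS.items() if m & frontier} - found
        found |= frontier
    return found


def gpo_applies(user, linked_to, apply_trustees):
    """User policy applies only when both conditions hold:
    1. the GPO is linked to a container above the *user object*
       (where the group object lives is irrelevant), and
    2. the user holds Read + Apply Group Policy through a trustee
       listed in the GPO's Security Filtering.
    """
    in_link_scope = linked_to in containers_of(DIRECTORY[user])
    identities = groups_of(user) | {user, AUTHENTICATED_USERS}
    return in_link_scope and bool(identities & set(apply_trustees))


def audit(linked_to, apply_trustees):
    """Map each sample user to whether the GPO would apply."""
    return {u: gpo_applies(u, linked_to, apply_trustees) for u in USERS}


SCENARIOS = [
    ("linked to the groups' OU, filtered to the group",
     GROUPS_OU, {"OutlookRestricted"}),
    ("linked to the users' OU, Authenticated Users left in",
     STAFF_OU, {AUTHENTICATED_USERS}),
    ("linked to the users' OU, filtered to the group",
     STAFF_OU, {"OutlookRestricted"}),
]

if __name__ == "__main__":
    for label, link, trustees in SCENARIOS:
        hit = [u for u, ok in audit(link, trustees).items() if ok]
        print(f"{label}: applies to {hit or 'nobody'}")
```

The second scenario is the over-broad case: with Authenticated Users still in the filter, every user under the linked OU and its child OUs receives the restriction, not only the group's members.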
| jeromelcruz
Posts:123
 | | 09/30/2009 10:30 PM |
| Robert,
As long as the policy is 'security' or 'registry' based, your VPN users' devices should pick it up after connecting and after being logged onto your network for at least two hours for legacy operating systems (Windows XP and earlier) and faster for Vista and greater operating systems (since they 'detect' a network change state and then would initiate an update based upon that).
If the policy uses other GPO sub-systems, then it'll depend upon that other system. For example: If the GPO pushes a User Logon script, unless the users connect pre-GINA, the scripts will not process (this is for commands that do not exist on the local device - what I mean is that you could have a script that launches "Calc.exe" and it'd work whether they were on the LAN or not, but if, as usual, you execute something on the domain... the GPO system would still attempt to launch it, but won't be able to 'get' there - you'll see this attempt recorded in the Application event log on older systems and in the Group Policy Event log on Vista/Windows 7 systems...).
Jerry Cruz | Group Policies Product Manager | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 2:02 PM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
That was it! I need to apply it to the OU that contained all the users and not to the OU that contained the groups. Also, thank you for the extremely important tip of removing the Authenticated Users. I am up and running just fine now. However, I now have another big question that I'm positive someone will be able to help me with.
We have several dozen remote users who only connected to the network via VPN connections. Is there a way to have them pick up this policy the next time they connect? Is that even possible, or do they have to connect via dial up or something?
Again thank you very much for your help!
On Wed, Sep 30, 2009 at 1:29 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Okay, maybe I read your original post wrong, but you said you applied the GPO to the OU containing the group. The GPO has to be applied to an OU that contains all of the user accounts in the group, not just the group itself.
Not to mention that you'll also want to remove the Authenticated Users group from Security Filtering so the GPO only applies to the users in your group. Otherwise it will get applied to every object in that OU and every OU underneath it.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 3:17 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Here is what the result is from the modeling wizard. As you can see it is being applied to the OU and the group. I don't understand why the user isn't getting it. I do not have any WMI filters configured, nor are there any blocks to inheritance in place for this user.
I'm wondering if perhaps a WMI filter may be a better way to go rather than a group and an OU. The GPO will be applied to our entire organization to start with, but users will be removed from the policy over time. I personally have never tried using WMI filters, so if you experts think that is a better option for me, can you also point me to a site that explains how they work?
Thank you again.
On Wed, Sep 30, 2009 at 12:55 PM, Robert Miller <xxxxxxxxxxxxxxxx> wrote:
Yes, the group is in the aforementioned OU with the policy applied to the OU.
I do not know what Rsop is.
The policy is for a user account not a computer. The GPO applied just fine to the user as mentioned, when the user was in the OU and not in the group.
On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx> wrote:
Does that group reside in an OU within that Container?
Run Rsop on that group and computer
Also, run gpresult on a PC to see if it's even getting the GPO ...
Regards,
Mike Dzikowski
WinTel Engineer
Henry Ford Health System | OneIT
2571 Product Drive | Rochester Hills, MI 48309
xxxxxxxxxxxxxxxx
248.853.4891
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 3:42 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
This is what I have in there currently.
On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
What do you have for the Security Filtering on the Policy? Is there anything on the filter that would resolve to the User?
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 2:14 PM To: xxxxxxxxxxxxxxxx Subject: [gptalk] Group Policy not applying to group
Hello,
Is it possible to apply a group policy to a user via a group in an OU?
I need to apply an Outlook 2003 policy to some users in my Windows 2003 domain. Because users will likely be shifted in and out of this policy's requirement I have to use a group to manage the users. What I've done is created a group that will have the restriction user policy applied to it. I've added the users to this group, and placed the group in an OU and applied the GP to it.
When I run the simulation wizard, it shows the OU as having the policy applied, but when I run it for the user in the group it is not being applied.
I am able to have the policy apply with no problems if I place the user in the OU directly, so I am wondering if this is even possible.
Thank you in advance for any insights and help.
Rob Miller
| | | |
| RPMiller
Posts:34
 | | 09/30/2009 10:53 PM |
| These are all Windows XP machines. The policy is the same one I mentioned above. It makes a change to the Advanced Email Settings in Outlook. These changes are via the Office 2003 admin template, and as far as I'm aware make registry setting changes. So based on what you've said it sounds like they will get the changes after 2 hours of being connected. Am I understanding that correctly?
| | | |
| JamieNelson
Posts:0
 | | 09/30/2009 11:11 PM |
| Yep, 2 hours, give or take. Or as Jerry mentioned, if they initiate the VPN connection before they logon (pre-GINA) they'll process user policy as if they were connected to the LAN (taking into account that some CSEs won't process over a slow link, of course) and they'll get the settings immediately upon logon.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
| | | |
| RPMiller
Posts:34
 | | 10/02/2009 3:41 PM |
| I could use some additional help on this. Quick summary of where I'm at: All the above is now working. I can simply add a user to the group and they pick up the policy. Awesome.
Yesterday, I created a new user, set up the user profile on a laptop making sure that all policies were applied *except* the restriction policy mentioned above. I then logged off the laptop and shut it down. I then placed the user into the restriction group and went home. At least an hour passed before I then turned on the laptop at home, logged in as the user, and then connected to the VPN. I left the laptop running for over two hours, but every 15 minutes or so I would launch Outlook and ensure the VPN was still running and check to see if the policy had been applied. *It was never applied*.
I then thought that perhaps I had to disconnect from the VPN and reconnect for the policy to get applied. That did not work. I tried rebooting the laptop and logging back in as the user. That did not work.
So, my question is, what exactly is the normal behavior for policies for remote users connecting through a VPN? How/when do they get applied?
This is really important as our CEO is insisting on this policy change and I need to have it work for everyone in the company. It works fine for the local users and users in remote offices that have DCs, but I'm concerned that remote users won't pick up the policy. Any help would be appreciated.
Thank you, Rob Miller
| | | |
| Wornell1
Posts:21
 | | 10/02/2009 4:20 PM |
| Most likely cause is a slow link being detected and causing the policy to not be applied. You could set the policy to apply even across slow links by adjusting the slow link detection
To configure slow link detection:
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell
Office Technology Group
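A way to check the slow link threshold discussed in the post above on a client, as an added example that is not part of the original thread. It assumes the setting is stored as the DWORD `GroupPolicyMinTransferRate` under the policy key shown, and that the client falls back to 500 Kbps when the setting is not configured; the function names are hypothetical and the measured rates are constructed samples.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0 or later.
# Assumptions: the "Group Policy slow link detection" setting is the DWORD
# GroupPolicyMinTransferRate (Kbps) under the key below, and the default
# threshold is 500 Kbps when the setting is not configured.
$PolicyKey   = 'Software\Policies\Microsoft\Windows\System'
$ValueName   = 'GroupPolicyMinTransferRate'
$DefaultKbps = 500

# Hypothetical helper: read the configured threshold for one hive.
function Get-SlowLinkThreshold {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')

    $item = Get-ItemProperty -Path "${Hive}:\$PolicyKey" -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value missing: the setting is "Not Configured".
        return [pscustomobject]@{ Hive = $Hive; Configured = $false; ThresholdKbps = [uint32]$DefaultKbps }
    }

    # The allowed range reaches 4,294,967,200, which does not fit a signed
    # 32-bit integer. Mask to 32 bits so a value surfaced as a negative Int32
    # is still read as the unsigned rate that was typed into the policy.
    $raw = $item.$ValueName
    $kbps = [uint32](([int64]$raw) -band 4294967295)
    [pscustomobject]@{ Hive = $Hive; Configured = $true; ThresholdKbps = $kbps }
}

# Hypothetical helper: apply the rule from the post. A link slower than the
# threshold is slow; a threshold of 0 disables detection, so nothing is slow.
function Test-SlowLink {
    param(
        [Parameter(Mandatory = $true)][double]$MeasuredKbps,
        [Parameter(Mandatory = $true)][uint32]$ThresholdKbps
    )
    if ($ThresholdKbps -eq 0) { return $false }
    return ($MeasuredKbps -lt $ThresholdKbps)
}

# Constructed sample rates. The client compares its own estimate of the rate
# to the domain controller, not the nominal speed of the line.
$samples = @(
    @{ Name = 'T1, nominal 1544 Kbps';              Kbps = 1544 },
    @{ Name = 'congested VPN tunnel (constructed)'; Kbps = 300 }
)

foreach ($hive in 'HKLM', 'HKCU') {
    $t = Get-SlowLinkThreshold -Hive $hive
    foreach ($s in $samples) {
        $slow = Test-SlowLink -MeasuredKbps $s.Kbps -ThresholdKbps $t.ThresholdKbps
        '{0} {1,-36} threshold={2} Kbps configured={3} slow={4}' -f `
            $t.Hive, $s.Name, $t.ThresholdKbps, $t.Configured, $slow
    }
}
```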
| | | |
| RPMiller
Posts:34
 | | 10/02/2009 4:26 PM |
| Hm... that is possible; however is a T1 considered a slow link? My bandwidth at home is 25mb up and down, but my work only has a T1.
On Fri, Oct 2, 2009 at 8:15 AM, Wornell, Kevin (Dallas) < xxxxxxxxxxxxxxxx> wrote:
> Most likely cause is a slow link being detected and causing the policy to > not be applied. You could set the policy to apply even across slow links by > adjusting the slow link detection > > > > *To configure slow link detection * > > 1. Open the policy setting Group Policy slow link detection, located > in *Computer Configuration\Administrative Templates\System\Group Policy > processing* > > 2. In *Connection speed*, type a decimal number between *0* and * > 4,294,967,200* (0xFFFFFFA0) to indicate a transfer rate in kilobits per > second. Any connection slower than this rate is considered to be slow. To > disable slow link detection, enter *0* (all connections will be considered > to be fast). > > > > > > *Kevin* > > *Kevin Wornell* > *Office Technology Group* > > *From:* xxxxxxxxxxxxxxxx [mailto: > xxxxxxxxxxxxxxxx] *On Behalf Of *Robert Miller > *Sent:* Friday, October 02, 2009 9:41 AM > > *To:* xxxxxxxxxxxxxxxx > *Subject:* Re: [gptalk] Group Policy not applying to group > > > > I could use some additional help on this. Quick summary of where I'm at: > All the above is now working. I can simply add a user to the group and they > pick up the policy. Awesome. Yesterday, I created a new user, set up the > user profile on a laptop making sure that all policies were applied * > except* the restriction policy mentioned above. I then logged off the > laptop and shut it down. I then placed the user into the restriction group > and went home. At least an hour passed before I then turned on the laptop at > home logged in as the user and then connected to the VPN. I left the laptop > running for over two hours, but every 15 minutes or so I would launch > Outlook and ensure the VPN was still running and check to see if the policy > had been applied. *It was never applied*. I then thought that perhaps I > had to disconnect from the VPN and reconnect for the policy to get applied. > That did not work. I tried rebooting the laptop and logging back in as the > user. 
That did not work. So, my question is, what exactly is the normal > behavior for policies for remote users connecting through a VPN? How/when do > they get applied? > > This is really important as our CEO is insisting on this policy change and > I need to have it work for everyone in the company. It works fine for the > local users and users in remote offices that have DCs, but I'm concerned > that remote users won't pick up the policy. Any help would be appreciated. > > Thank you, > Rob Miller > > On Wed, Sep 30, 2009 at 3:10 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> > wrote: > > Yep, 2 hours, give or take. Or as Jerry mentioned, if they initiate the VPN > connection before they logon (pre-GINA) they’ll process user policy as if > they were connected to the LAN (taking into account that some CSEs won’t > process over a slow link, of course) and they’ll get the settings > immediately upon logon. > > > > *Jamie Nelson* | Sr. Administrator | BI&T Infrastructure-Intel | *Devon > Energy Corporation* | Work: 405.552.8054 | Mobile: 405.248.7963 | > http://www.dvn.com > > > > *From:* xxxxxxxxxxxxxxxx [mailto: > xxxxxxxxxxxxxxxx] *On Behalf Of *Robert Miller > *Sent:* Wednesday, September 30, 2009 4:53 PM > > > *To:* xxxxxxxxxxxxxxxx > *Subject:* Re: [gptalk] Group Policy not applying to group > > > > These are all Windows XP machines. The policy is the same one I mentioned > above. It makes a change to the Advanced Email Settings in Outlook. These > changes are via the Office 2003 admin template, and as far as I'm aware make > registry setting changes. So based on what you've said it sounds like they > will get the changes after 2 hours of being connected. Am I understanding > that correctly? 
> > On Wed, Sep 30, 2009 at 2:28 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> > wrote: > > Robert, > > > > As long as the policy is ‘security’ or ‘registry’ based, your VPN user’s > devices should pick it up after connecting and after being logged onto your > network for at least two hours for legacy operating systems (Windows XP and > earlier) and faster for Vista and greater operating systems (since they > ‘detect’ a network change state and then would initiate an update based upon > that). > > > > If the policy uses other GPO sub-systems, then it’ll depend upon that other > system. For example: If the GPO pushes a User Logon script, unless the users > connect pre-GINA, the scripts will not process (this is for commands that do > not exist on the local device—what I mean is that you could have a script > that launches “Calc.exe and it’d work whether they were on the LAN or not, > but if, as usual, you execute something on the domain…the GPO system would > still attempt to launch it, but won’t be able to ‘get’ there—you’ll see this > attempt recorded in the Application event log on older systems and in the > Group Policy Event log on Vista/Windows 7 systems…). > > > > *Jerry Cruz* | Group Policies Product Manager | IT Infrastructure | Boeing > IT > > > > *From:* xxxxxxxxxxxxxxxx [mailto: > xxxxxxxxxxxxxxxx] *On Behalf Of *Robert Miller > *Sent:* Wednesday, September 30, 2009 2:02 PM > > > *To:* xxxxxxxxxxxxxxxx > *Subject:* Re: [gptalk] Group Policy not applying to group > > > > That was it! I need to apply it to the OU that contained all the users and > not to the OU that contained the groups. Also, thank you for the extremely > important tip of removing the Authenticated Users. I am up and running just > fine now. However, I now have another big question that I'm positive someone > will be able to help me with. > > We have several dozen remote users who only connected to the network via > VPN connections. 
Is there a way to have them pick up this policy the next > time they connect? Is that even possible, or do they have to connect via > dial up or something? > > Again thank you very much for your help! > > On Wed, Sep 30, 2009 at 1:29 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> > wrote: > > Okay, maybe I read your original post wrong, but you said you applied the > GPO to the OU containing the group. The GPO has to be applied to an OU that > contains all of the user accounts in the group, not just the group itself. > > > > Not to mention that you’ll also want to remove the Authenticated Users > group from Security Filtering so the GPO *only* applies to the user’s in > your group. Otherwise it will get applied to every object in that OU and > every OU underneath it. > > > > > > *Jamie Nelson* | Sr. Administrator | BI&T Infrastructure-Intel | *Devon > Energy Corporation* | Work: 405.552.8054 | Mobile: 405.248.7963 | > http://www.dvn.com > > > > *From:* xxxxxxxxxxxxxxxx [mailto: > xxxxxxxxxxxxxxxx] *On Behalf Of *Robert Miller > *Sent:* Wednesday, September 30, 2009 3:17 PM > > > *To:* xxxxxxxxxxxxxxxx > *Subject:* Re: [gptalk] Group Policy not applying to group > > > > Here is what the result is from the modeling wizard. As you can see it is > being applied to the OU and the group. I don't understand why the user isn't > getting it. I do not have any WMI filters configured, nor are there any > blocks to inheritance in place for this user. > > I'm wondering if perhaps a WMI filter may be a better way to go rather than > a group and an OU. The GPO will be applied to our entire organization to > start with, but users will be removed from the policy over time. I > personally have never tried using WMI filters, so if you experts think that > is a better option for me, can you also point me to a site that explains how > they work? > > Thank you again. 
> > On Wed, Sep 30, 2009 at 12:55 PM, Robert Miller <xxxxxxxxxxxxxxxx> > wrote: > > Yes, the group is in the aforementioned OU with the policy applied to the > OU. > > I do not know what Rsop is. > > The policy is for a user account not a computer. The GPO applied just fine > to the user as mentioned, when the user was in the OU and not in the group. > > > > On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx> > wrote: > > Does that group reside in an OU within that Container? > > > > Run Rsop on that group and computer > > > > Also, run gpresult on a PC to see if it’s even getting the GPO … > > > > > > > > Regards, > > > > *Mike Dzikowski* > > *WinTel Engineer * > > *Henry Ford Health System | OneIT* > > *2571 Product Drive | Rochester Hills, MI 48309* > > *xxxxxxxxxxxxxxxx* > > *248.853.4891* > > > > *From:* xxxxxxxxxxxxxxxx [mailto: > xxxxxxxxxxxxxxxx] *On Behalf Of *Robert Miller > *Sent:* Wednesday, September 30, 2009 3:42 PM > > > *To:* xxxxxxxxxxxxxxxx > > *Subject:* Re: [gptalk] Group Policy not applying to group > > > > This is what I have in there currently. > > On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) < > xxxxxxxxxxxxxxxx> wrote: > > What do you have for the Security Filtering on the Policy? Is there > anything on the filter that would resolve to the User? > > > > *Kevin* > > *Kevin Wornell* > *Office Technology Group* > > *From:* xxxxxxxxxxxxxxxx [mailto: > xxxxxxxxxxxxxxxx] *On Behalf Of *Robert Miller > *Sent:* Wednesday, September 30, 2009 2:14 PM > *To:* xxxxxxxxxxxxxxxx > *Subject:* [gptalk] Group Policy not applying to group > > > > Hello, > > > > Is it possible to apply a group policy to a user via a group in an OU? > > I need to apply an Outlook 2003 policy to some users in my Windows 2003 > domain. Because users will likely be shifted in and out of this policy's > requirement I have to use a group to manage the users. 
What I've done is > created a group that will have the restriction user policy applied to it. > I've added the users to this group, and placed the group in an OU and > applied the GP to it. > > When I run the simulation wizard, it shows the OU as having the policy > applied, but when I run it for the user in the group it is not being > applied. > > I am able to have the policy apply with no problems if I place the user in > the OU directly, so I am wondering if this is even possible. > > Thank you in advance for any insights and help. > > Rob Miller
| | | |
| Wornell1
Posts:21
 | | 10/02/2009 4:38 PM |
| Not sure but you have to remember that your VPN connection is only as fast as the slowest link between you and the other end of the tunnel.
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 10:25 AM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Hm... that is possible; however is a T1 considered a slow link? My bandwidth at home is 25mb up and down, but my work only has a T1.
On Fri, Oct 2, 2009 at 8:15 AM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
Most likely cause is a slow link being detected and causing the policy to not be applied. You could set the policy to apply even across slow links by adjusting the slow link detection.
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 9:41 AM
To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: Re: [gptalk] Group Policy not applying to group
I could use some additional help on this. Quick summary of where I'm at: All the above is now working. I can simply add a user to the group and they pick up the policy. Awesome.
Yesterday, I created a new user, set up the user profile on a laptop making sure that all policies were applied except the restriction policy mentioned above. I then logged off the laptop and shut it down. I then placed the user into the restriction group and went home. At least an hour passed before I then turned on the laptop at home, logged in as the user and then connected to the VPN. I left the laptop running for over two hours, but every 15 minutes or so I would launch Outlook and ensure the VPN was still running and check to see if the policy had been applied. It was never applied. I then thought that perhaps I had to disconnect from the VPN and reconnect for the policy to get applied. That did not work. I tried rebooting the laptop and logging back in as the user. That did not work.
So, my question is, what exactly is the normal behavior for policies for remote users connecting through a VPN? How/when do they get applied?
This is really important as our CEO is insisting on this policy change and I need to have it work for everyone in the company. It works fine for the local users and users in remote offices that have DCs, but I'm concerned that remote users won't pick up the policy. Any help would be appreciated.
Thank you, Rob Miller
On Wed, Sep 30, 2009 at 3:10 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Yep, 2 hours, give or take. Or as Jerry mentioned, if they initiate the VPN connection before they logon (pre-GINA) they'll process user policy as if they were connected to the LAN (taking into account that some CSEs won't process over a slow link, of course) and they'll get the settings immediately upon logon.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com<http://www.dvn.com/>
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 4:53 PM
To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: Re: [gptalk] Group Policy not applying to group
These are all Windows XP machines. The policy is the same one I mentioned above. It makes a change to the Advanced Email Settings in Outlook. These changes are via the Office 2003 admin template, and as far as I'm aware make registry setting changes. So based on what you've said it sounds like they will get the changes after 2 hours of being connected. Am I understanding that correctly?
On Wed, Sep 30, 2009 at 2:28 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Robert,
As long as the policy is 'security' or 'registry' based, your VPN user's devices should pick it up after connecting and after being logged onto your network for at least two hours for legacy operating systems (Windows XP and earlier) and faster for Vista and greater operating systems (since they 'detect' a network change state and then would initiate an update based upon that).
If the policy uses other GPO sub-systems, then it'll depend upon that other system. For example: If the GPO pushes a User Logon script, unless the users connect pre-GINA, the scripts will not process (this is for commands that do not exist on the local device - what I mean is that you could have a script that launches "Calc.exe" and it'd work whether they were on the LAN or not, but if, as usual, you execute something on the domain... the GPO system would still attempt to launch it, but won't be able to 'get' there - you'll see this attempt recorded in the Application event log on older systems and in the Group Policy Event log on Vista/Windows 7 systems...).
Jerry Cruz | Group Policies Product Manager | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 2:02 PM
To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: Re: [gptalk] Group Policy not applying to group
That was it! I need to apply it to the OU that contained all the users and not to the OU that contained the groups. Also, thank you for the extremely important tip of removing the Authenticated Users. I am up and running just fine now. However, I now have another big question that I'm positive someone will be able to help me with.
We have several dozen remote users who only connected to the network via VPN connections. Is there a way to have them pick up this policy the next time they connect? Is that even possible, or do they have to connect via dial up or something?
Again thank you very much for your help!
On Wed, Sep 30, 2009 at 1:29 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Okay, maybe I read your original post wrong, but you said you applied the GPO to the OU containing the group. The GPO has to be applied to an OU that contains all of the user accounts in the group, not just the group itself.
Not to mention that you'll also want to remove the Authenticated Users group from Security Filtering so the GPO only applies to the users in your group. Otherwise it will get applied to every object in that OU and every OU underneath it.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com<http://www.dvn.com/>
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 3:17 PM
To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: Re: [gptalk] Group Policy not applying to group
Here is what the result is from the modeling wizard. As you can see it is being applied to the OU and the group. I don't understand why the user isn't getting it. I do not have any WMI filters configured, nor are there any blocks to inheritance in place for this user.
I'm wondering if perhaps a WMI filter may be a better way to go rather than a group and an OU. The GPO will be applied to our entire organization to start with, but users will be removed from the policy over time. I personally have never tried using WMI filters, so if you experts think that is a better option for me, can you also point me to a site that explains how they work?
Thank you again.
On Wed, Sep 30, 2009 at 12:55 PM, Robert Miller <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Yes, the group is in the aforementioned OU with the policy applied to the OU.
I do not know what Rsop is.
The policy is for a user account not a computer. The GPO applied just fine to the user as mentioned, when the user was in the OU and not in the group.
On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Does that group reside in an OU within that Container?
Run Rsop on that group and computer
Also, run gpresult on a PC to see if it's even getting the GPO ...
Regards,
Mike Dzikowski
WinTel Engineer
Henry Ford Health System | OneIT
2571 Product Drive | Rochester Hills, MI 48309
xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
248.853.4891
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 3:42 PM
To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
Subject: Re: [gptalk] Group Policy not applying to group
This is what I have in there currently.
On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
What do you have for the Security Filtering on the Policy? Is there anything on the filter that would resolve to the User?
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 2:14 PM To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: [gptalk] Group Policy not applying to group
Hello,
Is it possible to apply a group policy to a user via a group in an OU?
I need to apply an Outlook 2003 policy to some users in my Windows 2003 domain. Because users will likely be shifted in and out of this policy's requirement I have to use a group to manage the users. What I've done is created a group that will have the restriction user policy applied to it. I've added the users to this group, and placed the group in an OU and applied the GP to it.
When I run the simulation wizard, it shows the OU as having the policy applied, but when I run it for the user in the group it is not being applied.
I am able to have the policy apply with no problems if I place the user in the OU directly, so I am wondering if this is even possible.
Thank you in advance for any insights and help.
Rob Miller
| | | |
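The slow link detection setting described in the post above can be checked on a client, shown here as an added example that is not part of the original thread. It assumes the setting is stored in the `GroupPolicyMinTransferRate` registry value and that an unconfigured client uses 500 Kbps; the link rates in `$samples` are constructed sample inputs.

```powershell
# Added example (not from the thread). Reads the threshold written by the
# "Group Policy slow link detection" setting and classifies link rates
# against it. Run on the client whose policy processing is being diagnosed.

$PolicyKey   = 'HKLM:\Software\Policies\Microsoft\Windows\System'
$ValueName   = 'GroupPolicyMinTransferRate'   # assumption: value behind the Computer Configuration setting
$DefaultKbps = 500                            # assumption: threshold used when the setting is not configured

function Get-SlowLinkThreshold {
    # Returns the effective threshold in Kbps and where it came from.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Source = 'not configured (default)'; ThresholdKbps = [uint32]$DefaultKbps }
    }
    # A REG_DWORD is returned as a signed Int32, so a value above 0x7FFFFFFF
    # (the setting accepts up to 0xFFFFFFA0) would otherwise read as negative.
    $raw  = $item.$ValueName
    $kbps = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$raw), 0)
    return [pscustomobject]@{ Source = 'policy'; ThresholdKbps = $kbps }
}

function Test-SlowLink {
    param(
        [Parameter(Mandatory = $true)][uint32]$LinkKbps,
        [Parameter(Mandatory = $true)][uint32]$ThresholdKbps
    )
    # 0 disables detection: every connection is treated as fast.
    if ($ThresholdKbps -eq 0) { return $false }
    # Any connection slower than the threshold is considered slow.
    return ($LinkKbps -lt $ThresholdKbps)
}

$threshold = Get-SlowLinkThreshold

# Constructed sample rates in Kbps; replace with a rate measured on the real path.
$samples = @(
    [pscustomobject]@{ Link = 'T1 (nominal line rate)';           Kbps = 1544 },
    [pscustomobject]@{ Link = 'VPN path (hypothetical measured)'; Kbps = 400  },
    [pscustomobject]@{ Link = 'Dial-up (nominal)';                Kbps = 56   }
)

$samples | ForEach-Object {
    [pscustomobject]@{
        Link          = $_.Link
        Kbps          = $_.Kbps
        ThresholdKbps = $threshold.ThresholdKbps
        Source        = $threshold.Source
        TreatedAsSlow = Test-SlowLink -LinkKbps $_.Kbps -ThresholdKbps $threshold.ThresholdKbps
    }
} | Format-Table -AutoSize
```

Windows compares its own estimate of the path to the domain controller, so a measured end-to-end figure is the meaningful input here, not the nominal line rate.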
| RPMiller
Posts:34
 | | 10/02/2009 4:45 PM |
| Yup. I got that part. I just hadn't thought that a T1 connection would qualify as a slow link, but maybe it does?
On Fri, Oct 2, 2009 at 8:36 AM, Wornell, Kevin (Dallas) < xxxxxxxxxxxxxxxx> wrote:
> Not sure but you have to remember that your VPN connection is only as fast as the slowest link between you and the other end of the tunnel.
| | | |
| omar
Posts:97
 | | 10/02/2009 4:45 PM |
| Group Policy Slow link detection is not just about speed.
What is really going on behind the scenes - at least on XP - and I got this from MS and from the networking group sniffing some packets - in case I get it wrong - it has been about 4 years.
Anyway - there is the Windows logo bitmap file - and this file is broken up into several smaller chunks and is sent/received by the GPO client to check for slow link detection - and we found that one issue that was causing this to break was that these packets were fragmented packets - and this was blocked by the network switches, firewalls and VPN device.
Once we configured the switches between the VPN device (hardware VPN), the VPN network and the production net where the DCs were hosted - we were good to go and slow link detection was working correctly and VPN users were indeed getting policies applied.
This is a big effort to make this work - but other options can include disabling slow link detection entirely or setting a post connection script that runs gpupdate /force.
Now I believe that gpupdate /force must somehow exclude slow link detection - but you may want to take a notebook PC on the VPN and run the gpupdate /force to see if that really applies the policies.
If that works - then you just need to figure out how to apply that post connection script without redeploying a custom/new VPN client to the entire company - or you can drop it to targeted users.
Hope that helps and if Darren or someone else can clarify or modify what I stated about the slow link detection - I want to know - so I can get it right.
Thanks,
Omar Droubi ________________________________ From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller [xxxxxxxxxxxxxxxx] Sent: Friday, October 02, 2009 8:25 AM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Hm... that is possible; however is a T1 considered a slow link? My bandwidth at home is 25mb up and down, but my work only has a T1.
On Fri, Oct 2, 2009 at 8:15 AM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Most likely cause is a slow link being detected and causing the policy to not be applied. You could set the policy to apply even across slow links by adjusting the slow link detection.
To configure slow link detection:
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing.
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 9:41 AM
To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: Re: [gptalk] Group Policy not applying to group
I could use some additional help on this. Quick summary of where I'm at: All the above is now working. I can simply add a user to the group and they pick up the policy. Awesome. Yesterday, I created a new user, set up the user profile on a laptop making sure that all policies were applied except the restriction policy mentioned above. I then logged off the laptop and shut it down. I then placed the user into the restriction group and went home. At least an hour passed before I then turned on the laptop at home, logged in as the user and then connected to the VPN. I left the laptop running for over two hours, but every 15 minutes or so I would launch Outlook and ensure the VPN was still running and check to see if the policy had been applied. It was never applied. I then thought that perhaps I had to disconnect from the VPN and reconnect for the policy to get applied. That did not work. I tried rebooting the laptop and logging back in as the user. That did not work. So, my question is, what exactly is the normal behavior for policies for remote users connecting through a VPN? How/when do they get applied?
This is really important as our CEO is insisting on this policy change and I need to have it work for everyone in the company. It works fine for the local users and users in remote offices that have DCs, but I'm concerned that remote users won't pick up the policy. Any help would be appreciated.
Thank you, Rob Miller
On Wed, Sep 30, 2009 at 3:10 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Yep, 2 hours, give or take. Or as Jerry mentioned, if they initiate the VPN connection before they logon (pre-GINA) they’ll process user policy as if they were connected to the LAN (taking into account that some CSEs won’t process over a slow link, of course) and they’ll get the settings immediately upon logon.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com<http://www.dvn.com/>
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 4:53 PM
To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: Re: [gptalk] Group Policy not applying to group
These are all Windows XP machines. The policy is the same one I mentioned above. It makes a change to the Advanced Email Settings in Outlook. These changes are via the Office 2003 admin template, and as far as I'm aware make registry setting changes. So based on what you've said it sounds like they will get the changes after 2 hours of being connected. Am I understanding that correctly?
On Wed, Sep 30, 2009 at 2:28 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Robert,
As long as the policy is ‘security’ or ‘registry’ based, your VPN user’s devices should pick it up after connecting and after being logged onto your network for at least two hours for legacy operating systems (Windows XP and earlier) and faster for Vista and greater operating systems (since they ‘detect’ a network change state and then would initiate an update based upon that).
If the policy uses other GPO sub-systems, then it’ll depend upon that other system. For example: If the GPO pushes a User Logon script, unless the users connect pre-GINA, the scripts will not process (this is for commands that do not exist on the local device—what I mean is that you could have a script that launches “Calc.exe” and it’d work whether they were on the LAN or not, but if, as usual, you execute something on the domain…the GPO system would still attempt to launch it, but won’t be able to ‘get’ there—you’ll see this attempt recorded in the Application event log on older systems and in the Group Policy Event log on Vista/Windows 7 systems…).
Jerry Cruz | Group Policies Product Manager | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 2:02 PM
To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: Re: [gptalk] Group Policy not applying to group
That was it! I need to apply it to the OU that contained all the users and not to the OU that contained the groups. Also, thank you for the extremely important tip of removing the Authenticated Users. I am up and running just fine now. However, I now have another big question that I'm positive someone will be able to help me with.
We have several dozen remote users who only connected to the network via VPN connections. Is there a way to have them pick up this policy the next time they connect? Is that even possible, or do they have to connect via dial up or something?
Again thank you very much for your help!
On Wed, Sep 30, 2009 at 1:29 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Okay, maybe I read your original post wrong, but you said you applied the GPO to the OU containing the group. The GPO has to be applied to an OU that contains all of the user accounts in the group, not just the group itself.
Not to mention that you’ll also want to remove the Authenticated Users group from Security Filtering so the GPO only applies to the users in your group. Otherwise it will get applied to every object in that OU and every OU underneath it.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com<http://www.dvn.com/>
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 3:17 PM
To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: Re: [gptalk] Group Policy not applying to group
Here is what the result is from the modeling wizard. As you can see it is being applied to the OU and the group. I don't understand why the user isn't getting it. I do not have any WMI filters configured, nor are there any blocks to inheritance in place for this user.
I'm wondering if perhaps a WMI filter may be a better way to go rather than a group and an OU. The GPO will be applied to our entire organization to start with, but users will be removed from the policy over time. I personally have never tried using WMI filters, so if you experts think that is a better option for me, can you also point me to a site that explains how they work?
Thank you again.
On Wed, Sep 30, 2009 at 12:55 PM, Robert Miller <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Yes, the group is in the aforementioned OU with the policy applied to the OU.
I do not know what Rsop is.
The policy is for a user account not a computer. The GPO applied just fine to the user as mentioned, when the user was in the OU and not in the group.
On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Does that group reside in an OU within that Container?
Run Rsop on that group and computer
Also, run gpresult on a PC to see if it’s even getting the GPO …
Regards,
Mike Dzikowski
WinTel Engineer
Henry Ford Health System | OneIT
2571 Product Drive | Rochester Hills, MI 48309
xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
248.853.4891
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 3:42 PM
To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
Subject: Re: [gptalk] Group Policy not applying to group
This is what I have in there currently.
On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
What do you have for the Security Filtering on the Policy? Is there anything on the filter that would resolve to the User?
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 2:14 PM To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: [gptalk] Group Policy not applying to group
Hello,
Is it possible to apply a group policy to a user via a group in an OU?
I need to apply an Outlook 2003 policy to some users in my Windows 2003 domain. Because users will likely be shifted in and out of this policy's requirement I have to use a group to manage the users. What I've done is created a group that will have the restriction user policy applied to it. I've added the users to this group, and placed the group in an OU and applied the GP to it.
When I run the simulation wizard, it shows the OU as having the policy applied, but when I run it for the user in the group it is not being applied.
I am able to have the policy apply with no problems if I place the user in the OU directly, so I am wondering if this is even possible.
Thank you in advance for any insights and help.
Rob Miller
| | | |
| RPMiller
Posts:34
 | | 10/02/2009 4:53 PM |
| Let's assume that it is slow link detection; I wouldn't be surprised, as our hardware is getting up there in years. How do I configure the policy? I've never dealt with slow link detection in the past, but honestly, I'm starting to wonder if this has been the cause of other issues we've had over the years.
So, I need to know if I am turning slow link detection on/off/or some other adjustment, and more importantly where I would find it. I've been searching through the GPO Management console and I haven't found it yet.
Thank you for the clarification Omar. Every little bit helps.
| | | |
|
|
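The checks raised in this thread (the slow link detection setting Kevin describes, Omar's post-connection gpupdate /force, and Mike's gpresult suggestion) combined into one script to run on a client after the VPN is connected. This is an added example, not code from any poster. Assumptions: the GPO name is a placeholder, the registry value shown is where the computer-side slow link setting is stored on the client, and the gpresult parsing expects English output headings.

```powershell
# Added example: run on the client after the VPN tunnel is up.
param(
    # Hypothetical display name; replace with the name of your own GPO.
    [string]$GpoName = 'EXAMPLE Outlook Restriction'
)

# Where the "Group Policy slow link detection" computer setting lands on the client.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$DefaultThresholdKbps = 500   # used by Windows when the setting is not configured

function Get-SlowLinkThreshold {
    # Returns the configured rate in Kbps, or $null when the policy is not set.
    $item = Get-ItemProperty -Path $PolicyKey -Name GroupPolicyMinTransferRate `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # A REG_DWORD may surface as a signed Int32; mask it back to 0..4294967295.
    return ([int64]$item.GroupPolicyMinTransferRate -band 4294967295)
}

function Get-SlowLinkSummary {
    $rate = Get-SlowLinkThreshold
    if ($null -eq $rate) {
        return "Slow link detection not configured: default of $DefaultThresholdKbps Kbps applies"
    }
    if ($rate -eq 0) {
        return 'Slow link detection disabled: every connection is treated as fast'
    }
    return "Connections slower than $rate Kbps are treated as slow"
}

function Get-AppliedGpo {
    # Extracts the names listed under "Applied Group Policy Objects"
    # from gpresult text output (English headings assumed).
    param([string[]]$Lines)
    $names = @()
    $inSection = $false
    foreach ($line in $Lines) {
        $text = "$line".Trim()
        if ($text -eq 'Applied Group Policy Objects') { $inSection = $true; continue }
        if (-not $inSection) { continue }
        if ($text -match '^-+$') { continue }                       # underline row
        if ($text -eq '') { if ($names.Count) { break } else { continue } }
        if ($text -like 'The following GPOs were not applied*') { break }
        $names += $text
    }
    return $names
}

Write-Output (Get-SlowLinkSummary)

# Force a refresh now instead of waiting for the background interval.
# 'N' answers the logoff/restart prompt that gpupdate can raise, so the script cannot hang.
'N' | & gpupdate.exe /force | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "gpupdate exited with code $LASTEXITCODE"
}

# Ask the client which user GPOs it actually applied.
$lines = @(& gpresult.exe /SCOPE USER /V 2>&1 | ForEach-Object { "$_" })

# Show whatever the client itself reports about the slow link state.
$lines | Where-Object { $_ -match 'slow link' } |
    ForEach-Object { Write-Output ('gpresult: ' + $_.Trim()) }

$applied = @(Get-AppliedGpo -Lines $lines)
if ($applied -contains $GpoName) {
    Write-Output "OK: '$GpoName' is in the applied user GPO list"
    exit 0
}

Write-Warning "'$GpoName' is NOT in the applied user GPO list"
# If gpresult lists the GPO as filtered out, print the reason it gives
# (for example a security filtering denial).
for ($i = 0; $i -lt $lines.Count - 1; $i++) {
    if ($lines[$i].Trim() -eq $GpoName -and $lines[$i + 1] -match 'Filtering:') {
        Write-Warning ('gpresult reports: ' + $lines[$i + 1].Trim())
    }
}
exit 1
```

A non-zero exit code lets a VPN client's post-connect hook or a helpdesk wrapper flag machines where the GPO still has not applied.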