| Author | Messages | |
omar
Posts:97
 | | 10/02/2009 5:03 PM |
| 1. Create a new GPO called DisableSlowLinkDetectionGPO
2. Configure the Security Filtering to apply this to the one computer account you want it applied to, and remove the Authenticated Users group
3. Open the policy for editing
4. Navigate to computer configuration\policies\Administrative Templates\System\Group Policy\
5. Open the setting "Group Policy Slow Link Detection", configure the setting as disabled and save the changes.
6. Next I would link that policy to the domain or OU as desired- but remember that we are only applying this to the one computer account.
7. Reboot that PC on the network, check to see that the policy was applied using gpresult or RSOP- then take that machine off the network, connect to the VPN and see if the policy applied- Now keep in mind that you may need to change something in the policy or add a new policy before you connect to the VPN and wait to see if the policies will apply normally or not.
Here is a link with the registry keys you can use also to disable slow link detection directly on the affected PC- http://support.microsoft.com/kb/910206
Omar Droubi
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller [xxxxxxxxxxxxxxxx]
Sent: Friday, October 02, 2009 8:52 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Let's assume that it is slow link detection, I wouldn't be surprised as our hardware is getting up there in years. How do I configure the policy? I've never dealt with slow link detection in the past, but honestly, I'm starting to wonder if this has been the cause of other issues we've had over the years.
So, I need to know if I am turning slow link detection on/off/or some other adjustment, and more importantly where I would find it. I've been searching through the GPO Management console and I haven't found it yet.
Thank you for the clarification Omar. Every little bit helps.
On Fri, Oct 2, 2009 at 8:45 AM, Omar Droubi <xxxxxxxxxxxxxxxx> wrote:
Group Policy Slow link detection is not just about speed.
What is really going on behind the scenes- at least on XP- and I got this from MS and from the networking group sniffing some packets- in case I get it wrong- it has been about 4 years.
Anyway- there is the windows logo bitmap file- and this file is broken up into several smaller chunks and is sent/received by the GPO client to check for slow link detection- and we found that one issue that was causing this to break was that these packets were fragmented packets- and this was blocked by the network switches, firewalls and vpn device.
Once we configured the switches between the VPN device(hardware VPN) the VPN network and the production net where the DCs were hosted- we were good to go and slow link detection was working correctly and VPN users were indeed getting policies applied.
This is a big effort to make this work- but other options can include disabling slow link detection entirely or setting a post connection script that runs gpupdate /force.
Now I believe that gpupdate /force must somehow exclude slow link detection- but you may want to take a notebook PC on the VPN and run gpupdate /force to see if that really applies the policies.
If that works- then you just need to figure out how to apply that post connection script without redeploying a custom/new VPN client to the entire company- or you can drop it to targeted users.
Hope that helps, and if Darren or someone else can clarify or modify what I stated about the slow link detection- I want to know- so I can get it right.
Thanks,
Omar Droubi
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller [xxxxxxxxxxxxxxxx]
Sent: Friday, October 02, 2009 8:25 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Hm... that is possible; however is a T1 considered a slow link? My bandwidth at home is 25mb up and down, but my work only has a T1.
On Fri, Oct 2, 2009 at 8:15 AM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
Most likely cause is a slow link being detected and causing the policy to not be applied. You could set the policy to apply even across slow links by adjusting the slow link detection
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Friday, October 02, 2009 9:41 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
I could use some additional help on this. Quick summary of where I'm at: All the above is now working. I can simply add a user to the group and they pick up the policy. Awesome. Yesterday, I created a new user, set up the user profile on a laptop making sure that all policies were applied except the restriction policy mentioned above. I then logged off the laptop and shut it down. I then placed the user into the restriction group and went home. At least an hour passed before I then turned on the laptop at home logged in as the user and then connected to the VPN. I left the laptop running for over two hours, but every 15 minutes or so I would launch Outlook and ensure the VPN was still running and check to see if the policy had been applied. It was never applied. I then thought that perhaps I had to disconnect from the VPN and reconnect for the policy to get applied. That did not work. I tried rebooting the laptop and logging back in as the user. That did not work. So, my question is, what exactly is the normal behavior for policies for remote users connecting through a VPN? How/when do they get applied?
This is really important as our CEO is insisting on this policy change and I need to have it work for everyone in the company. It works fine for the local users and users in remote offices that have DCs, but I'm concerned that remote users won't pick up the policy. Any help would be appreciated.
Thank you, Rob Miller
On Wed, Sep 30, 2009 at 3:10 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Yep, 2 hours, give or take. Or as Jerry mentioned, if they initiate the VPN connection before they logon (pre-GINA) they’ll process user policy as if they were connected to the LAN (taking into account that some CSEs won’t process over a slow link, of course) and they’ll get the settings immediately upon logon.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 4:53 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
These are all Windows XP machines. The policy is the same one I mentioned above. It makes a change to the Advanced Email Settings in Outlook. These changes are via the Office 2003 admin template, and as far as I'm aware make registry setting changes. So based on what you've said it sounds like they will get the changes after 2 hours of being connected. Am I understanding that correctly?
On Wed, Sep 30, 2009 at 2:28 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Robert,
As long as the policy is ‘security’ or ‘registry’ based, your VPN user’s devices should pick it up after connecting and after being logged onto your network for at least two hours for legacy operating systems (Windows XP and earlier) and faster for Vista and greater operating systems (since they ‘detect’ a network change state and then would initiate an update based upon that).
If the policy uses other GPO sub-systems, then it’ll depend upon that other system. For example: If the GPO pushes a User Logon script, unless the users connect pre-GINA, the scripts will not process (this is for commands that do not exist on the local device—what I mean is that you could have a script that launches “Calc.exe” and it’d work whether they were on the LAN or not, but if, as usual, you execute something on the domain…the GPO system would still attempt to launch it, but won’t be able to ‘get’ there—you’ll see this attempt recorded in the Application event log on older systems and in the Group Policy Event log on Vista/Windows 7 systems…).
Jerry Cruz | Group Policies Product Manager | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 2:02 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
That was it! I need to apply it to the OU that contained all the users and not to the OU that contained the groups. Also, thank you for the extremely important tip of removing the Authenticated Users. I am up and running just fine now. However, I now have another big question that I'm positive someone will be able to help me with.
We have several dozen remote users who only connected to the network via VPN connections. Is there a way to have them pick up this policy the next time they connect? Is that even possible, or do they have to connect via dial up or something?
Again thank you very much for your help!
On Wed, Sep 30, 2009 at 1:29 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Okay, maybe I read your original post wrong, but you said you applied the GPO to the OU containing the group. The GPO has to be applied to an OU that contains all of the user accounts in the group, not just the group itself.
Not to mention that you’ll also want to remove the Authenticated Users group from Security Filtering so the GPO only applies to the users in your group. Otherwise it will get applied to every object in that OU and every OU underneath it.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 3:17 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Here is what the result is from the modeling wizard. As you can see it is being applied to the OU and the group. I don't understand why the user isn't getting it. I do not have any WMI filters configured, nor are there any blocks to inheritance in place for this user.
I'm wondering if perhaps a WMI filter may be a better way to go rather than a group and an OU. The GPO will be applied to our entire organization to start with, but users will be removed from the policy over time. I personally have never tried using WMI filters, so if you experts think that is a better option for me, can you also point me to a site that explains how they work?
Thank you again.
On Wed, Sep 30, 2009 at 12:55 PM, Robert Miller <xxxxxxxxxxxxxxxx> wrote:
Yes, the group is in the aforementioned OU with the policy applied to the OU.
I do not know what Rsop is.
The policy is for a user account not a computer. The GPO applied just fine to the user as mentioned, when the user was in the OU and not in the group.
On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx> wrote:
Does that group reside in an OU within that Container?
Run Rsop on that group and computer
Also, run gpresult on a PC to see if it’s even getting the GPO …
Regards,
Mike Dzikowski
WinTel Engineer
Henry Ford Health System | OneIT
2571 Product Drive | Rochester Hills, MI 48309
xxxxxxxxxxxxxxxx
248.853.4891
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 3:42 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
This is what I have in there currently.
On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
What do you have for the Security Filtering on the Policy? Is there anything on the filter that would resolve to the User?
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 2:14 PM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] Group Policy not applying to group
Hello,
Is it possible to apply a group policy to a user via a group in an OU?
I need to apply an Outlook 2003 policy to some users in my Windows 2003 domain. Because users will likely be shifted in and out of this policy's requirement I have to use a group to manage the users. What I've done is created a group that will have the restriction user policy applied to it. I've added the users to this group, and placed the group in an OU and applied the GP to it.
When I run the simulation wizard, it shows the OU as having the policy applied, but when I run it for the user in the group it is not being applied.
I am able to have the policy apply with no problems if I place the user in the OU directly, so I am wondering if this is even possible.
Thank you in advance for any insights and help.
Rob Miller
Notice of Confidentiality
This transmission contains information that may be confidential. It has been prepared for the sole and exclusive use of the intended recipient and on the basis agreed with that person. If you are not the intended recipient of the message (or authorized to receive it for the intended recipient), you should notify us immediately; you should delete it from your system and may not disclose its contents to anyone else.
This e-mail has come to you from Watson Wyatt & Company.
==============================================================================
CONFIDENTIALITY NOTICE: This email contains information from the sender that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise protected from disclosure. This email is intended for use only by the person or entity to whom it is addressed. If you are not the intended recipient, any use, disclosure, copying, distribution, printing, or any action taken in reliance on the contents of this email, is strictly prohibited. If you received this email in error, please contact the sending party by reply email, delete the email from your computer system and shred any paper copies.
Note to Patients: There are a number of risks you should consider before using e-mail to communicate with us. See our Privacy Policy and Henry Ford My Health at www.henryford.com for more detailed information. If you do not believe that our policy gives you the privacy and security protection you need, do not send e-mail or Internet communications to us.
==============================================================================
________________________________
Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.
| | | |
| Wornell1
Posts:21
 | | 10/02/2009 5:40 PM |
| To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin Kevin Wornell Office Technology Group From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 10:53 AM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Let's assume that it is slow link detection, I wouldn't be surprised as our hardware is getting up there in years. How do I configure the policy? I've never dealt with slow link detection in the past, but honestly, I'm starting to wonder if this has been the cause of other issues we've had over the years.
So, I need to know if I am turning slow link detection on/off/or some other adjustment, and more importantly where I would find it. I've been searching through the GPO Management console and I haven't found it yet.
Thank you for the clarification Omar. Every little bit helps. On Fri, Oct 2, 2009 at 8:45 AM, Omar Droubi <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote: Group Policy Slow link detection is not just about speed.
What is really going on behind the scenes- at least on XP- and I got this from MS and from the networking group sniffing some packets- in case I get it wrong- it has been about 4 years.
Anyway- there is the windows logo bitmap file- and this file is broken up into several smaller chunks and is sent/received by the GPO client to check for slow link detection- and we found that one issue that was causing this to break was that these packets were fragmented packets- and this was blocked by the network switches, firewalls and vpn device.
Once we configured the switches between the VPN device(hardware VPN) the VPN network and the production net where the DCs were hosted- we were good to go and slow link detection was working correctly and VPN users were indeed getting policies applied.
This is a big effort to make this work- but other options can include disabling slow link detection entirely or setting a post connection script that runs gpupdate /force.
now I believe that gpupdate /force must somehow exclude slow link detection- but you may want to take a notebook pc on the VPN and run the Gpupdate /force to see if that really applies the policies.
If that works- then you just need to figure out how to apply that post connection script without redeploying a custom/new VPN client to the entire company- or you can drop it to targetted users.
hope that helps and if Darren or someone else can clarify or modify what I stated about the slow link detection- I want to know-so I can get it right.
Thanks,
Omar Droubi ________________________________ From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller [xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] Sent: Friday, October 02, 2009 8:25 AM
To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: Re: [gptalk] Group Policy not applying to group
Hm... that is possible; however is a T1 considered a slow link? My bandwidth at home is 25mb up and down, but my work only has a T1. On Fri, Oct 2, 2009 at 8:15 AM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Most likely cause is a slow link being detected and causing the policy to not be applied. You could set the policy to apply even across slow links by adjusting the slow link detection
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 9:41 AM
To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: Re: [gptalk] Group Policy not applying to group
I could use some additional help on this. Quick summary of where I'm at: All the above is now working. I can simply add a user to the group and they pick up the policy. Awesome. Yesterday, I created a new user, set up the user profile on a laptop making sure that all policies were applied except the restriction policy mentioned above. I then logged off the laptop and shut it down. I then placed the user into the restriction group and went home. At least an hour passed before I then turned on the laptop at home logged in as the user and then connected to the VPN. I left the laptop running for over two hours, but every 15 minutes or so I would launch Outlook and ensure the VPN was still running and check to see if the policy had been applied. It was never applied. I then thought that perhaps I had to disconnect from the VPN and reconnect for the policy to get applied. That did not work. I tried rebooting the laptop and logging back in as the user. That did not work. So, my question is, what exactly is the normal behavior for policies for remote users connecting through a VPN? How/when do they get applied?
This is really important as our CEO is insisting on this policy change and I need to have it work for everyone in the company. It works fine for the local users and users in remote offices that have DCs, but I'm concerned that remote users won't pick up the policy. Any help would be appreciated.
Thank you, Rob Miller
On Wed, Sep 30, 2009 at 3:10 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Yep, 2 hours, give or take. Or as Jerry mentioned, if they initiate the VPN connection before they logon (pre-GINA) they'll process user policy as if they were connected to the LAN (taking into account that some CSEs won't process over a slow link, of course) and they'll get the settings immediately upon logon.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com<http://www.dvn.com/>
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 4:53 PM
To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: Re: [gptalk] Group Policy not applying to group
These are all Windows XP machines. The policy is the same one I mentioned above. It makes a change to the Advanced Email Settings in Outlook. These changes are via the Office 2003 admin template, and as far as I'm aware make registry setting changes. So based on what you've said it sounds like they will get the changes after 2 hours of being connected. Am I understanding that correctly?
On Wed, Sep 30, 2009 at 2:28 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Robert,
As long as the policy is 'security' or 'registry' based, your VPN user's devices should pick it up after connecting and after being logged onto your network for at least two hours for legacy operating systems (Windows XP and earlier) and faster for Vista and greater operating systems (since they 'detect' a network change state and then would initiate an update based upon that).
If the policy uses other GPO sub-systems, then it'll depend upon that other system. For example: If the GPO pushes a User Logon script, unless the users connect pre-GINA, the scripts will not process (this is for commands that do not exist on the local device-what I mean is that you could have a script that launches "Calc.exe and it'd work whether they were on the LAN or not, but if, as usual, you execute something on the domain...the GPO system would still attempt to launch it, but won't be able to 'get' there-you'll see this attempt recorded in the Application event log on older systems and in the Group Policy Event log on Vista/Windows 7 systems...).
Jerry Cruz | Group Policies Product Manager | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 2:02 PM
To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: Re: [gptalk] Group Policy not applying to group
That was it! I need to apply it to the OU that contained all the users and not to the OU that contained the groups. Also, thank you for the extremely important tip of removing the Authenticated Users. I am up and running just fine now. However, I now have another big question that I'm positive someone will be able to help me with.
We have several dozen remote users who only connected to the network via VPN connections. Is there a way to have them pick up this policy the next time they connect? Is that even possible, or do they have to connect via dial up or something?
Again thank you very much for your help!
On Wed, Sep 30, 2009 at 1:29 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Okay, maybe I read your original post wrong, but you said you applied the GPO to the OU containing the group. The GPO has to be applied to an OU that contains all of the user accounts in the group, not just the group itself.
Not to mention that you'll also want to remove the Authenticated Users group from Security Filtering so the GPO only applies to the user's in your group. Otherwise it will get applied to every object in that OU and every OU underneath it.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com<http://www.dvn.com/>
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 3:17 PM
To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: Re: [gptalk] Group Policy not applying to group
Here is what the result is from the modeling wizard. As you can see it is being applied to the OU and the group. I don't understand why the user isn't getting it. I do not have any WMI filters configured, nor are there any blocks to inheritance in place for this user.
I'm wondering if perhaps a WMI filter may be a better way to go rather than a group and an OU. The GPO will be applied to our entire organization to start with, but users will be removed from the policy over time. I personally have never tried using WMI filters, so if you experts think that is a better option for me, can you also point me to a site that explains how they work?
Thank you again.
On Wed, Sep 30, 2009 at 12:55 PM, Robert Miller <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Yes, the group is in the aforementioned OU with the policy applied to the OU.
I do not know what Rsop is.
The policy is for a user account not a computer. The GPO applied just fine to the user as mentioned, when the user was in the OU and not in the group.
On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
Does that group reside in an OU within that Container?
Run Rsop on that group and computer
Also, run gpresult on a PC to see if it's even getting the GPO ...
Regards,
Mike Dzikowski
WinTel Engineer
Henry Ford Health System | OneIT
2571 Product Drive | Rochester Hills, MI 48309
xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
248.853.4891
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 3:42 PM
To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
Subject: Re: [gptalk] Group Policy not applying to group
This is what I have in there currently.
On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>> wrote:
What do you have for the Security Filtering on the Policy? Is there anything on the filter that would resolve to the User?
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> [mailto:xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 2:14 PM To: xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx> Subject: [gptalk] Group Policy not applying to group
Hello,
Is it possible to apply a group policy to a user via a group in an OU?
I need to apply an Outlook 2003 policy to some users in my Windows 2003 domain. Because users will likely be shifted in and out of this policy's requirement I have to use a group to manage the users. What I've done is created a group that will have the restriction user policy applied to it. I've added the users to this group, and placed the group in an OU and applied the GP to it.
When I run the simulation wizard, it shows the OU as having the policy applied, but when I run it for the user in the group it is not being applied.
I am able to have the policy apply with no problems if I place the user in the OU directly, so I am wondering if this is even possible.
Thank you in advance for any insights and help.
Rob Miller
Notice of Confidentiality
This transmission contains information that may be confidential. It has been prepared for the sole and exclusive use of the intended recipient and on the basis agreed with that person. If you are not the intended recipient of the message (or authorized to receive it for the intended recipient), you should notify us immediately; you should delete it from your system and may not disclose its contents to anyone else.
This e-mail has come to you from Watson Wyatt & Company.
==============================================================================
CONFIDENTIALITY NOTICE: This email contains information from the sender that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise protected from disclosure. This email is intended for use only by the person or entity to whom it is addressed. If you are not the intended recipient, any use, disclosure, copying, distribution, printing, or any action taken in reliance on the contents of this email, is strictly prohibited. If you received this email in error, please contact the sending party by reply email, delete the email from your computer system and shred any paper copies.
Note to Patients: There are a number of risks you should consider before using e-mail to communicate with us. See our Privacy Policy and Henry Ford My Health at www.henryford.com<http://www.henryford.com> for more detailed information. If you do not believe that our policy gives you the privacy and security protection you need, do not send e-mail or Internet communications to us.
==============================================================================
________________________________
Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.
| | | |
| omar
Posts:97
 | | 10/02/2009 6:09 PM |
| Kevin is correct.
To actually disable slow link detection, you enable the policy setting and set the rate to "0".
If you disable the setting, nothing changes.
Thanks, Kevin, for the correction.
Omar
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Wornell, Kevin (Dallas) [xxxxxxxxxxxxxxxx]
Sent: Friday, October 02, 2009 9:37 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Group Policy not applying to group
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell
Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Friday, October 02, 2009 10:53 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Let's assume that it is slow link detection, I wouldn't be surprised as our hardware is getting up there in years. How do I configure the policy? I've never dealt with slow link detection in the past, but honestly, I'm starting to wonder if this has been the cause of other issues we've had over the years.
So, I need to know if I am turning slow link detection on/off/or some other adjustment, and more importantly where I would find it. I've been searching through the GPO Management console and I haven't found it yet.
Thank you for the clarification Omar. Every little bit helps.
On Fri, Oct 2, 2009 at 8:45 AM, Omar Droubi <xxxxxxxxxxxxxxxx> wrote:
Group Policy Slow link detection is not just about speed.
What is really going on behind the scenes- at least on XP- and I got this from MS and from the networking group sniffing some packets- in case I get it wrong- it has been about 4 years.
Anyway- there is the Windows logo bitmap file- and this file is broken up into several smaller chunks and is sent/received by the GPO client to check for slow link detection- and we found that one issue that was causing this to break was that these packets were fragmented packets- and this was blocked by the network switches, firewalls and VPN device.
Once we configured the switches between the VPN device (hardware VPN) the VPN network and the production net where the DCs were hosted- we were good to go and slow link detection was working correctly and VPN users were indeed getting policies applied.
This is a big effort to make this work- but other options can include disabling slow link detection entirely or setting a post connection script that runs gpupdate /force.
Now I believe that gpupdate /force must somehow exclude slow link detection- but you may want to take a notebook PC on the VPN and run gpupdate /force to see if that really applies the policies.
If that works- then you just need to figure out how to apply that post connection script without redeploying a custom/new VPN client to the entire company- or you can drop it to targeted users.
Hope that helps, and if Darren or someone else can clarify or modify what I stated about the slow link detection- I want to know so I can get it right.
Thanks,
Omar Droubi
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller [xxxxxxxxxxxxxxxx]
Sent: Friday, October 02, 2009 8:25 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Hm... that is possible; however is a T1 considered a slow link? My bandwidth at home is 25mb up and down, but my work only has a T1.
On Fri, Oct 2, 2009 at 8:15 AM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
Most likely cause is a slow link being detected and causing the policy to not be applied. You could set the policy to apply even across slow links by adjusting the slow link detection
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Friday, October 02, 2009 9:41 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
I could use some additional help on this. Quick summary of where I'm at: All the above is now working. I can simply add a user to the group and they pick up the policy. Awesome. Yesterday, I created a new user, set up the user profile on a laptop making sure that all policies were applied except the restriction policy mentioned above. I then logged off the laptop and shut it down. I then placed the user into the restriction group and went home. At least an hour passed before I then turned on the laptop at home logged in as the user and then connected to the VPN. I left the laptop running for over two hours, but every 15 minutes or so I would launch Outlook and ensure the VPN was still running and check to see if the policy had been applied. It was never applied. I then thought that perhaps I had to disconnect from the VPN and reconnect for the policy to get applied. That did not work. I tried rebooting the laptop and logging back in as the user. That did not work. So, my question is, what exactly is the normal behavior for policies for remote users connecting through a VPN? How/when do they get applied?
This is really important as our CEO is insisting on this policy change and I need to have it work for everyone in the company. It works fine for the local users and users in remote offices that have DCs, but I'm concerned that remote users won't pick up the policy. Any help would be appreciated.
Thank you, Rob Miller
On Wed, Sep 30, 2009 at 3:10 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Yep, 2 hours, give or take. Or as Jerry mentioned, if they initiate the VPN connection before they logon (pre-GINA) they’ll process user policy as if they were connected to the LAN (taking into account that some CSEs won’t process over a slow link, of course) and they’ll get the settings immediately upon logon.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 4:53 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
These are all Windows XP machines. The policy is the same one I mentioned above. It makes a change to the Advanced Email Settings in Outlook. These changes are via the Office 2003 admin template, and as far as I'm aware make registry setting changes. So based on what you've said it sounds like they will get the changes after 2 hours of being connected. Am I understanding that correctly?
On Wed, Sep 30, 2009 at 2:28 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Robert,
As long as the policy is ‘security’ or ‘registry’ based, your VPN users’ devices should pick it up after connecting and after being logged onto your network for at least two hours for legacy operating systems (Windows XP and earlier) and faster for Vista and greater operating systems (since they ‘detect’ a network change state and then would initiate an update based upon that).
If the policy uses other GPO sub-systems, then it’ll depend upon that other system. For example: If the GPO pushes a User Logon script, unless the users connect pre-GINA, the scripts will not process (this is for commands that do not exist on the local device—what I mean is that you could have a script that launches “Calc.exe” and it’d work whether they were on the LAN or not, but if, as usual, you execute something on the domain…the GPO system would still attempt to launch it, but won’t be able to ‘get’ there—you’ll see this attempt recorded in the Application event log on older systems and in the Group Policy Event log on Vista/Windows 7 systems…).
Jerry Cruz | Group Policies Product Manager | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 2:02 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
That was it! I need to apply it to the OU that contained all the users and not to the OU that contained the groups. Also, thank you for the extremely important tip of removing the Authenticated Users. I am up and running just fine now. However, I now have another big question that I'm positive someone will be able to help me with.
We have several dozen remote users who only connected to the network via VPN connections. Is there a way to have them pick up this policy the next time they connect? Is that even possible, or do they have to connect via dial up or something?
Again thank you very much for your help!
On Wed, Sep 30, 2009 at 1:29 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Okay, maybe I read your original post wrong, but you said you applied the GPO to the OU containing the group. The GPO has to be applied to an OU that contains all of the user accounts in the group, not just the group itself.
Not to mention that you’ll also want to remove the Authenticated Users group from Security Filtering so the GPO only applies to the users in your group. Otherwise it will get applied to every object in that OU and every OU underneath it.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 3:17 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Here is what the result is from the modeling wizard. As you can see it is being applied to the OU and the group. I don't understand why the user isn't getting it. I do not have any WMI filters configured, nor are there any blocks to inheritance in place for this user.
I'm wondering if perhaps a WMI filter may be a better way to go rather than a group and an OU. The GPO will be applied to our entire organization to start with, but users will be removed from the policy over time. I personally have never tried using WMI filters, so if you experts think that is a better option for me, can you also point me to a site that explains how they work?
Thank you again.
On Wed, Sep 30, 2009 at 12:55 PM, Robert Miller <xxxxxxxxxxxxxxxx> wrote:
Yes, the group is in the aforementioned OU with the policy applied to the OU.
I do not know what Rsop is.
The policy is for a user account not a computer. The GPO applied just fine to the user as mentioned, when the user was in the OU and not in the group.
On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx> wrote:
Does that group reside in an OU within that Container?
Run Rsop on that group and computer
Also, run gpresult on a PC to see if it’s even getting the GPO …
Regards,
Mike Dzikowski
WinTel Engineer
Henry Ford Health System | OneIT
2571 Product Drive | Rochester Hills, MI 48309
xxxxxxxxxxxxxxxx
248.853.4891
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 3:42 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
This is what I have in there currently.
On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
What do you have for the Security Filtering on the Policy? Is there anything on the filter that would resolve to the User?
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 2:14 PM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] Group Policy not applying to group
Hello,
Is it possible to apply a group policy to a user via a group in an OU?
I need to apply an Outlook 2003 policy to some users in my Windows 2003 domain. Because users will likely be shifted in and out of this policy's requirement I have to use a group to manage the users. What I've done is created a group that will have the restriction user policy applied to it. I've added the users to this group, and placed the group in an OU and applied the GP to it.
When I run the simulation wizard, it shows the OU as having the policy applied, but when I run it for the user in the group it is not being applied.
I am able to have the policy apply with no problems if I place the user in the OU directly, so I am wondering if this is even possible.
Thank you in advance for any insights and help.
Rob Miller
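The two rules this thread turns on, where a GPO link has to sit relative to the user object and how the slow-link threshold is read, sketched as an added example that is not part of any poster's message. It is a simplified Python model: the DNs, the group name `Outlook-Restricted` and the GPO name are constructed, and the set of extensions processed over a slow link reflects the default behaviour (registry and security settings always apply).

```python
"""Simplified model of user-policy scoping and slow-link handling in Group Policy.

Constructed example: every DN, group name and GPO name below is hypothetical.
Not modelled: Block Inheritance, Enforced links, Deny entries, WMI filters,
loopback processing, and DNs that contain escaped commas.
"""
from dataclasses import dataclass, field

DEFAULT_SLOW_LINK_KBPS = 500                 # used when the setting is not configured
ALWAYS_PROCESSED = {"registry", "security"}  # extensions applied even over a slow link


@dataclass
class Gpo:
    name: str
    linked_to: str            # DN of the OU or domain the GPO is linked to
    security_filter: set      # principals holding Read + Apply Group Policy
    extensions: set = field(default_factory=lambda: {"registry"})


@dataclass
class User:
    dn: str
    groups: set = field(default_factory=set)


def _rdns(dn):
    """Split a DN into lower-cased components (no escaped-comma support)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_link_scope(user_dn, link_dn):
    """True when the user object itself lives in the linked container or below it."""
    user, link = _rdns(user_dn), _rdns(link_dn)
    return len(user) > len(link) and user[-len(link):] == link


def passes_security_filter(user, gpo):
    """True when one of the user's groups, or Authenticated Users, is on the filter."""
    principals = {g.lower() for g in user.groups} | {"authenticated users"}
    return any(p.lower() in principals for p in gpo.security_filter)


def gpo_applies(user, gpo):
    """Both tests must pass: where the user object sits, then who may apply the GPO."""
    return in_link_scope(user.dn, gpo.linked_to) and passes_security_filter(user, gpo)


def is_slow_link(measured_kbps, configured_kbps=None):
    """None = setting not configured (default threshold); 0 = detection disabled."""
    threshold = DEFAULT_SLOW_LINK_KBPS if configured_kbps is None else configured_kbps
    if threshold == 0:
        return False          # every connection is treated as fast
    return measured_kbps < threshold


def extensions_processed(gpo, measured_kbps, configured_kbps=None):
    """Extensions of this GPO that run at the given link speed."""
    if is_slow_link(measured_kbps, configured_kbps):
        return gpo.extensions & ALWAYS_PROCESSED
    return set(gpo.extensions)


def thread_scenarios():
    """The three link/filter layouts from the thread -> (Alice gets it, Bob gets it)."""
    alice = User("CN=Alice,OU=Staff,DC=example,DC=test", {"Outlook-Restricted"})
    bob = User("CN=Bob,OU=Staff,DC=example,DC=test")   # not in the group
    staff, groups = "OU=Staff,DC=example,DC=test", "OU=Groups,DC=example,DC=test"
    layouts = {
        "linked to the OU that only holds the group": Gpo("Outlook", groups, {"Authenticated Users"}),
        "linked to the users' OU, Authenticated Users left on": Gpo("Outlook", staff, {"Authenticated Users"}),
        "linked to the users' OU, filtered to the group": Gpo("Outlook", staff, {"Outlook-Restricted"}),
    }
    return {label: (gpo_applies(alice, g), gpo_applies(bob, g)) for label, g in layouts.items()}


if __name__ == "__main__":
    for label, (alice_gets, bob_gets) in thread_scenarios().items():
        print(f"{label}: Alice={alice_gets} Bob={bob_gets}")
    logon = Gpo("Logon", "DC=example,DC=test", {"Authenticated Users"}, {"registry", "scripts"})
    for rate in (None, 0):
        print(f"threshold={rate}: 256 kbps link processes {sorted(extensions_processed(logon, 256, rate))}")
```

On a real client, gpresult or RSoP, as suggested earlier in the thread, remains the authoritative check of what was applied.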
| | | |
| RPMiller
Posts:34
 | | 10/02/2009 7:14 PM |
| This is great information. Thank you Kevin. Based on what I've just read, the default slow link speed is 500kb, so in truth a T1 actually can be a slow link if you are getting a lot of traffic. I've enabled the disabling of the detection--gotta' love that--and I'll test it out over the weekend. Thanks again to everyone for getting me pointed in the right direction.
On Fri, Oct 2, 2009 at 10:05 AM, Omar Droubi <xxxxxxxxxxxxxxxx> wrote:
> Kevin is correct.
>
> To actually disable slow link detection- you enable the policy setting and set the rate to "0"
>
> If you disable the setting - nothing changes.
>
> thanks Kevin for the correction.
>
> Omar
See our Privacy Policy and Henry Ford My Health at www.henryford.com for more detailed information. If you do not believe that our policy gives you the privacy and security protection you need, do not send e-mail or Internet communications to us. > > > > ============================================================================== > > > > > * > ------------------------------ > * > > *Confidentiality Warning:* This message and any attachments are intended > only for the use of the intended recipient(s), are confidential, and may be > privileged. If you are not the intended recipient, you are hereby notified > that any review, retransmission, conversion to hard copy, copying, > circulation or other use of all or any portion of this message and any > attachments is strictly prohibited. If you are not the intended recipient, > please notify the sender immediately by return e-mail, and delete this > message and any attachments from your system. > > > > > > > > *Notice of Confidentiality* > > This transmission contains information that may be confidential. It has > been prepared for the sole and exclusive use of the intended recipient and > on the basis agreed with that person. If you are not the intended recipient > of the message (or authorized to receive it for the intended recipient), you > should notify us immediately; you should delete it from your system and may > not disclose its contents to anyone else. > > This e-mail has come to you from Watson Wyatt & Company. > > > > > > *Notice of Confidentiality* > > This transmission contains information that may be confidential. It has > been prepared for the sole and exclusive use of the intended recipient and > on the basis agreed with that person. If you are not the intended recipient > of the message (or authorized to receive it for the intended recipient), you > should notify us immediately; you should delete it from your system and may > not disclose its contents to anyone else. 
> > This e-mail has come to you from Watson Wyatt & Company. >
| | | |
| dmarelia
Posts:441
 | | 10/02/2009 7:17 PM |
| Keep in mind that you have to disable this under both Computer Configuration and User Configuration - as SLD occurs for both computer and user.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Omar Droubi
Sent: Friday, October 02, 2009 10:05 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Group Policy not applying to group
Kevin is correct.
To actually disable slow link detection - you enable the policy setting and set the rate to "0".
If you disable the setting - nothing changes.
Thanks, Kevin, for the correction.
Omar
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Wornell, Kevin (Dallas) [xxxxxxxxxxxxxxxx]
Sent: Friday, October 02, 2009 9:37 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Group Policy not applying to group
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Friday, October 02, 2009 10:53 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Let's assume that it is slow link detection, I wouldn't be surprised as our hardware is getting up there in years. How do I configure the policy? I've never dealt with slow link detection in the past, but honestly, I'm starting to wonder if this has been the cause of other issues we've had over the years.
So, I need to know if I am turning slow link detection on/off/or some other adjustment, and more importantly where I would find it. I've been searching through the GPO Management console and I haven't found it yet.
Thank you for the clarification Omar. Every little bit helps.
On Fri, Oct 2, 2009 at 8:45 AM, Omar Droubi <xxxxxxxxxxxxxxxx> wrote:
Group Policy Slow link detection is not just about speed.
What is really going on behind the scenes- at least on XP- and I got this from MS and from the networking group sniffing some packets- in case I get it wrong- it has been about 4 years.
Anyway- there is the windows logo bitmap file- and this file is broken up into several smaller chunks and is sent/received by the GPO client to check for slow link detection- and we found that one issue that was causing this to break was that these packets were fragmented packets- and this was blocked by the network switches, firewalls and vpn device.
Once we configured the switches between the VPN device (hardware VPN), the VPN network and the production net where the DCs were hosted - we were good to go and slow link detection was working correctly and VPN users were indeed getting policies applied.
This is a big effort to make this work- but other options can include disabling slow link detection entirely or setting a post connection script that runs gpupdate /force.
Now I believe that gpupdate /force must somehow exclude slow link detection - but you may want to take a notebook PC on the VPN and run gpupdate /force to see if that really applies the policies.
If that works - then you just need to figure out how to apply that post connection script without redeploying a custom/new VPN client to the entire company - or you can drop it to targeted users.
Hope that helps, and if Darren or someone else can clarify or modify what I stated about the slow link detection - I want to know, so I can get it right.
Thanks,
Omar Droubi
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller [xxxxxxxxxxxxxxxx]
Sent: Friday, October 02, 2009 8:25 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Hm... that is possible; however is a T1 considered a slow link? My bandwidth at home is 25mb up and down, but my work only has a T1.
On Fri, Oct 2, 2009 at 8:15 AM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
Most likely cause is a slow link being detected and causing the policy to not be applied. You could set the policy to apply even across slow links by adjusting the slow link detection
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Friday, October 02, 2009 9:41 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
I could use some additional help on this. Quick summary of where I'm at: All the above is now working. I can simply add a user to the group and they pick up the policy. Awesome. Yesterday, I created a new user, set up the user profile on a laptop making sure that all policies were applied except the restriction policy mentioned above. I then logged off the laptop and shut it down. I then placed the user into the restriction group and went home. At least an hour passed before I then turned on the laptop at home logged in as the user and then connected to the VPN. I left the laptop running for over two hours, but every 15 minutes or so I would launch Outlook and ensure the VPN was still running and check to see if the policy had been applied. It was never applied. I then thought that perhaps I had to disconnect from the VPN and reconnect for the policy to get applied. That did not work. I tried rebooting the laptop and logging back in as the user. That did not work. So, my question is, what exactly is the normal behavior for policies for remote users connecting through a VPN? How/when do they get applied?
This is really important as our CEO is insisting on this policy change and I need to have it work for everyone in the company. It works fine for the local users and users in remote offices that have DCs, but I'm concerned that remote users won't pick up the policy. Any help would be appreciated.
Thank you, Rob Miller
On Wed, Sep 30, 2009 at 3:10 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Yep, 2 hours, give or take. Or as Jerry mentioned, if they initiate the VPN connection before they logon (pre-GINA) they'll process user policy as if they were connected to the LAN (taking into account that some CSEs won't process over a slow link, of course) and they'll get the settings immediately upon logon.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 4:53 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
These are all Windows XP machines. The policy is the same one I mentioned above. It makes a change to the Advanced Email Settings in Outlook. These changes are via the Office 2003 admin template, and as far as I'm aware make registry setting changes. So based on what you've said it sounds like they will get the changes after 2 hours of being connected. Am I understanding that correctly?
On Wed, Sep 30, 2009 at 2:28 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Robert,
As long as the policy is 'security' or 'registry' based, your VPN users' devices should pick it up after connecting and after being logged onto your network for at least two hours for legacy operating systems (Windows XP and earlier) and faster for Vista and greater operating systems (since they 'detect' a network change state and then would initiate an update based upon that).
If the policy uses other GPO sub-systems, then it'll depend upon that other system. For example: If the GPO pushes a User Logon script, unless the users connect pre-GINA, the scripts will not process (this is for commands that do not exist on the local device - what I mean is that you could have a script that launches "Calc.exe" and it'd work whether they were on the LAN or not, but if, as usual, you execute something on the domain...the GPO system would still attempt to launch it, but won't be able to 'get' there - you'll see this attempt recorded in the Application event log on older systems and in the Group Policy Event log on Vista/Windows 7 systems...).
Jerry Cruz | Group Policies Product Manager | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 2:02 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
That was it! I need to apply it to the OU that contained all the users and not to the OU that contained the groups. Also, thank you for the extremely important tip of removing the Authenticated Users. I am up and running just fine now. However, I now have another big question that I'm positive someone will be able to help me with.
We have several dozen remote users who only connected to the network via VPN connections. Is there a way to have them pick up this policy the next time they connect? Is that even possible, or do they have to connect via dial up or something?
Again thank you very much for your help!
On Wed, Sep 30, 2009 at 1:29 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Okay, maybe I read your original post wrong, but you said you applied the GPO to the OU containing the group. The GPO has to be applied to an OU that contains all of the user accounts in the group, not just the group itself.
Not to mention that you'll also want to remove the Authenticated Users group from Security Filtering so the GPO only applies to the users in your group. Otherwise it will get applied to every object in that OU and every OU underneath it.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 3:17 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Here is what the result is from the modeling wizard. As you can see it is being applied to the OU and the group. I don't understand why the user isn't getting it. I do not have any WMI filters configured, nor are there any blocks to inheritance in place for this user.
I'm wondering if perhaps a WMI filter may be a better way to go rather than a group and an OU. The GPO will be applied to our entire organization to start with, but users will be removed from the policy over time. I personally have never tried using WMI filters, so if you experts think that is a better option for me, can you also point me to a site that explains how they work?
Thank you again.
On Wed, Sep 30, 2009 at 12:55 PM, Robert Miller <xxxxxxxxxxxxxxxx> wrote:
Yes, the group is in the aforementioned OU with the policy applied to the OU.
I do not know what Rsop is.
The policy is for a user account not a computer. The GPO applied just fine to the user as mentioned, when the user was in the OU and not in the group.
On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx> wrote:
Does that group reside in an OU within that Container?
Run Rsop on that group and computer
Also, run gpresult on a PC to see if it's even getting the GPO ...
Regards,
Mike Dzikowski
WinTel Engineer
Henry Ford Health System | OneIT
2571 Product Drive | Rochester Hills, MI 48309
xxxxxxxxxxxxxxxx
248.853.4891
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 3:42 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
This is what I have in there currently.
On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
What do you have for the Security Filtering on the Policy? Is there anything on the filter that would resolve to the User?
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 2:14 PM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] Group Policy not applying to group
Hello,
Is it possible to apply a group policy to a user via a group in an OU?
I need to apply an Outlook 2003 policy to some users in my Windows 2003 domain. Because users will likely be shifted in and out of this policy's requirement I have to use a group to manage the users. What I've done is created a group that will have the restriction user policy applied to it. I've added the users to this group, and placed the group in an OU and applied the GP to it.
When I run the simulation wizard, it shows the OU as having the policy applied, but when I run it for the user in the group it is not being applied.
I am able to have the policy apply with no problems if I place the user in the OU directly, so I am wondering if this is even possible.
Thank you in advance for any insights and help.
Rob Miller
Notice of Confidentiality
This transmission contains information that may be confidential. It has been prepared for the sole and exclusive use of the intended recipient and on the basis agreed with that person. If you are not the intended recipient of the message (or authorized to receive it for the intended recipient), you should notify us immediately; you should delete it from your system and may not disclose its contents to anyone else.
This e-mail has come to you from Watson Wyatt & Company.
==============================================================================
CONFIDENTIALITY NOTICE: This email contains information from the sender that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise protected from disclosure. This email is intended for use only by the person or entity to whom it is addressed. If you are not the intended recipient, any use, disclosure, copying, distribution, printing, or any action taken in reliance on the contents of this email, is strictly prohibited. If you received this email in error, please contact the sending party by reply email, delete the email from your computer system and shred any paper copies.
Note to Patients: There are a number of risks you should consider before using e-mail to communicate with us. See our Privacy Policy and Henry Ford My Health at www.henryford.com for more detailed information. If you do not believe that our policy gives you the privacy and security protection you need, do not send e-mail or Internet communications to us.
==============================================================================
________________________________
Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.
| | | |
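An added example, not part of any poster's message: a PowerShell check that applies the two corrections made in the thread above (the setting must be Enabled with a rate of 0, and it must be set for both Computer and User Configuration). The registry key and value name it reads are assumptions not given in this thread, and the function names are hypothetical.

```powershell
# Added example: report whether Group Policy slow link detection (SLD) is
# really off for BOTH the computer and the logged-on user.
# Assumption (not stated in the thread): the policy is stored as the DWORD
# GroupPolicyMinTransferRate under Software\Policies\Microsoft\Windows\System
# in HKLM (Computer Configuration) and HKCU (User Configuration).
param(
    [switch]$Refresh   # also run "gpupdate /force" once the VPN is connected
)

$SldValueName = 'GroupPolicyMinTransferRate'
$SldPolicyKey = 'Software\Policies\Microsoft\Windows\System'
$DefaultKbps  = 500   # threshold used when the setting is Disabled or Not Configured

function Get-SldState {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Computer', 'User')]
        [string]$Scope
    )

    # HKCU is the hive of whoever runs the script, so run it as the affected
    # user (not from an elevated admin session) to see that user's policy.
    $hive = if ($Scope -eq 'Computer') { 'HKLM:' } else { 'HKCU:' }
    $path = '{0}\{1}' -f $hive, $SldPolicyKey

    $prop = Get-ItemProperty -Path $path -Name $SldValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Key or value absent: the setting is Disabled or Not Configured, so
        # the client still measures the link against the default threshold.
        return [pscustomobject]@{
            Scope         = $Scope
            Configured    = $false
            ThresholdKbps = $DefaultKbps
            SldActive     = $true
        }
    }

    # A DWORD can surface as a signed Int32; mask it to recover the unsigned
    # rate (the documented maximum 0xFFFFFFA0 would otherwise read as -96).
    $kbps = [uint32]([int64]$prop.$SldValueName -band 4294967295)

    [pscustomobject]@{
        Scope         = $Scope
        Configured    = $true
        ThresholdKbps = $kbps
        SldActive     = ($kbps -ne 0)   # 0 = every link is treated as fast
    }
}

function Test-SldDisabledEverywhere {
    # True only when both sides are Enabled with a rate of 0.
    $states = 'Computer', 'User' | ForEach-Object { Get-SldState -Scope $_ }
    $states | Format-Table -AutoSize | Out-String | Write-Host
    return -not ($states | Where-Object { $_.SldActive })
}

if (Test-SldDisabledEverywhere) {
    Write-Host 'SLD is off for computer and user; all links are treated as fast.'
} else {
    Write-Host 'SLD is still active on at least one side; some extensions may skip processing over the VPN.'
}

if ($Refresh) {
    # Post-connection refresh, as suggested in the thread.
    & gpupdate.exe /force
}
```

A side that reports `Configured = False` matches the "if you disable the setting, nothing changes" case: detection still runs with the default threshold.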
| RPMiller
Posts:34
 | | 10/02/2009 7:43 PM |
| Do I have to do it under both even if the policy is for User only?
On Fri, Oct 2, 2009 at 11:16 AM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
> Keep in mind that you have to disable this under both Computer Configuration and User Configuration—as SLD occurs for both computer and user.
>
> Darren
This email is intended for use only by the person or entity to whom it is addressed. If you are not the intended recipient, any use, disclosure, copying, distribution, printing, or any action taken in reliance on the contents of this email, is strictly prohibited. If you received this email in error, please contact the sending party by reply email, delete the email from your computer system and shred any paper copies. > > Note to Patients: There are a number of risks you should consider before using e-mail to communicate with us. See our Privacy Policy and Henry Ford My Health at www.henryford.com for more detailed information. If you do not believe that our policy gives you the privacy and security protection you need, do not send e-mail or Internet communications to us. > > > > ============================================================================== > > > > > * > ------------------------------ > * > > *Confidentiality Warning:* This message and any attachments are intended > only for the use of the intended recipient(s), are confidential, and may be > privileged. If you are not the intended recipient, you are hereby notified > that any review, retransmission, conversion to hard copy, copying, > circulation or other use of all or any portion of this message and any > attachments is strictly prohibited. If you are not the intended recipient, > please notify the sender immediately by return e-mail, and delete this > message and any attachments from your system. > > > > > > > > *Notice of Confidentiality* > > This transmission contains information that may be confidential. It has > been prepared for the sole and exclusive use of the intended recipient and > on the basis agreed with that person. If you are not the intended recipient > of the message (or authorized to receive it for the intended recipient), you > should notify us immediately; you should delete it from your system and may > not disclose its contents to anyone else. 
> > This e-mail has come to you from Watson Wyatt & Company. > > > > > > *Notice of Confidentiality* > > This transmission contains information that may be confidential. It has > been prepared for the sole and exclusive use of the intended recipient and > on the basis agreed with that person. If you are not the intended recipient > of the message (or authorized to receive it for the intended recipient), you > should notify us immediately; you should delete it from your system and may > not disclose its contents to anyone else. > > This e-mail has come to you from Watson Wyatt & Company. >
| | | |
| dmarelia
Posts:441
 | | 10/02/2009 8:03 PM |
| You don't have to, but if you want reliable behavior over slow links, it's not a bad idea. However, your call. If you only care about user policy, then disable it under User Configuration.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 11:43 AM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Do I have to do it under both even if the policy is for User only?
On Fri, Oct 2, 2009 at 11:16 AM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
Keep in mind that you have to disable this under both Computer Configuration and User Configuration, as SLD occurs for both computer and user.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Omar Droubi Sent: Friday, October 02, 2009 10:05 AM
To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Group Policy not applying to group
Kevin is correct.
To actually disable slow link detection, you enable the policy setting and set the rate to "0".
If you disable the setting, nothing changes.
Thanks, Kevin, for the correction.
Omar
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Wornell, Kevin (Dallas) [xxxxxxxxxxxxxxxx] Sent: Friday, October 02, 2009 9:37 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Group Policy not applying to group
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 10:53 AM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Let's assume that it is slow link detection, I wouldn't be surprised as our hardware is getting up there in years. How do I configure the policy? I've never dealt with slow link detection in the past, but honestly, I'm starting to wonder if this has been the cause of other issues we've had over the years.
So, I need to know if I am turning slow link detection on/off/or some other adjustment, and more importantly where I would find it. I've been searching through the GPO Management console and I haven't found it yet.
Thank you for the clarification Omar. Every little bit helps.
On Fri, Oct 2, 2009 at 8:45 AM, Omar Droubi <xxxxxxxxxxxxxxxx> wrote:
Group Policy Slow link detection is not just about speed.
What is really going on behind the scenes- at least on XP- and I got this from MS and from the networking group sniffing some packets- in case I get it wrong- it has been about 4 years.
Anyway - there is the Windows logo bitmap file - and this file is broken up into several smaller chunks and is sent/received by the GPO client to check for slow link detection - and we found that one issue that was causing this to break was that these packets were fragmented packets - and this was blocked by the network switches, firewalls and VPN device.
Once we configured the switches between the VPN device (hardware VPN), the VPN network and the production net where the DCs were hosted, we were good to go and slow link detection was working correctly and VPN users were indeed getting policies applied.
This is a big effort to make this work, but other options can include disabling slow link detection entirely or setting a post-connection script that runs gpupdate /force.
Now I believe that gpupdate /force must somehow exclude slow link detection, but you may want to take a notebook PC on the VPN and run gpupdate /force to see if that really applies the policies.
If that works, then you just need to figure out how to apply that post-connection script without redeploying a custom/new VPN client to the entire company, or you can drop it to targeted users.
Hope that helps, and if Darren or someone else can clarify or modify what I stated about the slow link detection, I want to know so I can get it right.
Thanks,
Omar Droubi
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller [xxxxxxxxxxxxxxxx] Sent: Friday, October 02, 2009 8:25 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Hm... that is possible; however is a T1 considered a slow link? My bandwidth at home is 25mb up and down, but my work only has a T1.
On Fri, Oct 2, 2009 at 8:15 AM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
Most likely cause is a slow link being detected and causing the policy to not be applied. You could set the policy to apply even across slow links by adjusting the slow link detection.
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 9:41 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
I could use some additional help on this. Quick summary of where I'm at: All the above is now working. I can simply add a user to the group and they pick up the policy. Awesome. Yesterday, I created a new user, set up the user profile on a laptop making sure that all policies were applied except the restriction policy mentioned above. I then logged off the laptop and shut it down. I then placed the user into the restriction group and went home. At least an hour passed before I then turned on the laptop at home logged in as the user and then connected to the VPN. I left the laptop running for over two hours, but every 15 minutes or so I would launch Outlook and ensure the VPN was still running and check to see if the policy had been applied. It was never applied. I then thought that perhaps I had to disconnect from the VPN and reconnect for the policy to get applied. That did not work. I tried rebooting the laptop and logging back in as the user. That did not work. So, my question is, what exactly is the normal behavior for policies for remote users connecting through a VPN? How/when do they get applied?
This is really important as our CEO is insisting on this policy change and I need to have it work for everyone in the company. It works fine for the local users and users in remote offices that have DCs, but I'm concerned that remote users won't pick up the policy. Any help would be appreciated.
Thank you, Rob Miller
On Wed, Sep 30, 2009 at 3:10 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Yep, 2 hours, give or take. Or as Jerry mentioned, if they initiate the VPN connection before they logon (pre-GINA) they'll process user policy as if they were connected to the LAN (taking into account that some CSEs won't process over a slow link, of course) and they'll get the settings immediately upon logon.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 4:53 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
These are all Windows XP machines. The policy is the same one I mentioned above. It makes a change to the Advanced Email Settings in Outlook. These changes are via the Office 2003 admin template, and as far as I'm aware make registry setting changes. So based on what you've said it sounds like they will get the changes after 2 hours of being connected. Am I understanding that correctly?
On Wed, Sep 30, 2009 at 2:28 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Robert,
As long as the policy is 'security' or 'registry' based, your VPN user's devices should pick it up after connecting and after being logged onto your network for at least two hours for legacy operating systems (Windows XP and earlier) and faster for Vista and greater operating systems (since they 'detect' a network change state and then would initiate an update based upon that).
If the policy uses other GPO sub-systems, then it'll depend upon that other system. For example: If the GPO pushes a User Logon script, unless the users connect pre-GINA, the scripts will not process (this is for commands that do not exist on the local device - what I mean is that you could have a script that launches "Calc.exe" and it'd work whether they were on the LAN or not, but if, as usual, you execute something on the domain...the GPO system would still attempt to launch it, but won't be able to 'get' there - you'll see this attempt recorded in the Application event log on older systems and in the Group Policy Event log on Vista/Windows 7 systems...).
Jerry Cruz | Group Policies Product Manager | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 2:02 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
That was it! I need to apply it to the OU that contained all the users and not to the OU that contained the groups. Also, thank you for the extremely important tip of removing the Authenticated Users. I am up and running just fine now. However, I now have another big question that I'm positive someone will be able to help me with.
We have several dozen remote users who only connected to the network via VPN connections. Is there a way to have them pick up this policy the next time they connect? Is that even possible, or do they have to connect via dial up or something?
Again thank you very much for your help!
On Wed, Sep 30, 2009 at 1:29 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Okay, maybe I read your original post wrong, but you said you applied the GPO to the OU containing the group. The GPO has to be applied to an OU that contains all of the user accounts in the group, not just the group itself.
Not to mention that you'll also want to remove the Authenticated Users group from Security Filtering so the GPO only applies to the users in your group. Otherwise it will get applied to every object in that OU and every OU underneath it.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 3:17 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Here is what the result is from the modeling wizard. As you can see it is being applied to the OU and the group. I don't understand why the user isn't getting it. I do not have any WMI filters configured, nor are there any blocks to inheritance in place for this user.
I'm wondering if perhaps a WMI filter may be a better way to go rather than a group and an OU. The GPO will be applied to our entire organization to start with, but users will be removed from the policy over time. I personally have never tried using WMI filters, so if you experts think that is a better option for me, can you also point me to a site that explains how they work?
Thank you again.
On Wed, Sep 30, 2009 at 12:55 PM, Robert Miller <xxxxxxxxxxxxxxxx> wrote:
Yes, the group is in the aforementioned OU with the policy applied to the OU.
I do not know what Rsop is.
The policy is for a user account not a computer. The GPO applied just fine to the user as mentioned, when the user was in the OU and not in the group.
On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx> wrote:
Does that group reside in an OU within that Container?
Run Rsop on that group and computer
Also, run gpresult on a PC to see if it's even getting the GPO ...
Regards,
Mike Dzikowski
WinTel Engineer
Henry Ford Health System | OneIT
2571 Product Drive | Rochester Hills, MI 48309
xxxxxxxxxxxxxxxx
248.853.4891
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 3:42 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
This is what I have in there currently.
On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
What do you have for the Security Filtering on the Policy? Is there anything on the filter that would resolve to the User?
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 2:14 PM To: xxxxxxxxxxxxxxxx Subject: [gptalk] Group Policy not applying to group
Hello,
Is it possible to apply a group policy to a user via a group in an OU?
I need to apply an Outlook 2003 policy to some users in my Windows 2003 domain. Because users will likely be shifted in and out of this policy's requirement I have to use a group to manage the users. What I've done is created a group that will have the restriction user policy applied to it. I've added the users to this group, and placed the group in an OU and applied the GP to it.
When I run the simulation wizard, it shows the OU as having the policy applied, but when I run it for the user in the group it is not being applied.
I am able to have the policy apply with no problems if I place the user in the OU directly, so I am wondering if this is even possible.
Thank you in advance for any insights and help.
Rob Miller
Notice of Confidentiality
This transmission contains information that may be confidential. It has been prepared for the sole and exclusive use of the intended recipient and on the basis agreed with that person. If you are not the intended recipient of the message (or authorized to receive it for the intended recipient), you should notify us immediately; you should delete it from your system and may not disclose its contents to anyone else.
This e-mail has come to you from Watson Wyatt & Company.
==============================================================================
CONFIDENTIALITY NOTICE: This email contains information from the sender that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise protected from disclosure. This email is intended for use only by the person or entity to whom it is addressed. If you are not the intended recipient, any use, disclosure, copying, distribution, printing, or any action taken in reliance on the contents of this email, is strictly prohibited. If you received this email in error, please contact the sending party by reply email, delete the email from your computer system and shred any paper copies.
Note to Patients: There are a number of risks you should consider before using e-mail to communicate with us. See our Privacy Policy and Henry Ford My Health at www.henryford.com for more detailed information. If you do not believe that our policy gives you the privacy and security protection you need, do not send e-mail or Internet communications to us.
==============================================================================
________________________________
Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.
| | | |
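A read-only check for the configuration the thread above settles on (policy enabled with a rate of 0, under both Computer Configuration and User Configuration), added here as an example that is not part of any poster's message. It assumes Windows PowerShell 2.0 or later; the registry value name GroupPolicyMinTransferRate and the 500 Kbps default are taken from Microsoft's documentation of this setting, not from the thread.

```powershell
# Added example (not from the thread): report the Group Policy slow link
# detection threshold that is in effect for the computer and the current user.
# Assumption: the policy is stored as the DWORD GroupPolicyMinTransferRate
# (in Kbps) under ...\Software\Policies\Microsoft\Windows\System.

$ValueName   = 'GroupPolicyMinTransferRate'
$DefaultKbps = 500   # assumed default threshold when no policy value exists

$Scopes = @(
    @{ Scope = 'Computer Configuration'; Path = 'HKLM:\Software\Policies\Microsoft\Windows\System' },
    @{ Scope = 'User Configuration';     Path = 'HKCU:\Software\Policies\Microsoft\Windows\System' }
)

function Get-SlowLinkPolicy {
    param([string]$Scope, [string]$Path)

    # Read the policy value if the key and the value both exist.
    $rate = $null
    if (Test-Path -Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $rate = $item.$ValueName }
    }

    if ($null -eq $rate) {
        # Matches "if you disable the setting, nothing changes": no value is
        # written, so the client keeps using its built-in threshold.
        $state = "No policy value set: default threshold of $DefaultKbps Kbps applies"
    }
    else {
        # A DWORD can surface as a signed 32-bit integer; values near the
        # documented maximum (4,294,967,200) would then appear negative.
        $rate = [int64]$rate
        if ($rate -lt 0) { $rate += 4294967296 }

        if ($rate -eq 0) {
            $state = 'Enabled with rate 0: slow link detection is off, every link counts as fast'
        }
        else {
            $state = "Enabled: links slower than $rate Kbps are treated as slow"
        }
    }

    New-Object PSObject -Property @{ Scope = $Scope; RateKbps = $rate; State = $state }
}

$report = foreach ($s in $Scopes) { Get-SlowLinkPolicy -Scope $s.Scope -Path $s.Path }
$report | Select-Object Scope, RateKbps, State | Format-Table -AutoSize -Wrap

# Flag any scope where detection is still active, since the thread notes that
# detection happens separately for computer and user policy.
$stillOn = @($report | Where-Object { $_.RateKbps -ne 0 })
if ($stillOn.Count -gt 0) {
    $names = ($stillOn | ForEach-Object { $_.Scope }) -join ', '
    Write-Warning "Slow link detection is still active for: $names"
}
```

Run it as the affected user on the VPN-connected machine after a policy refresh, because the User Configuration value is read from that user's own registry hive.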
| RPMiller
Posts:34
 | | 10/02/2009 8:26 PM |
| That suggests, "it wouldn't hurt if you did, and is a good idea." Thanks for the heads up. I will disable both.
> > > > Not to mention that you’ll also want to remove the Authenticated Users > group from Security Filtering so the GPO *only* applies to the user’s in > your group. Otherwise it will get applied to every object in that OU and > every OU underneath it. > > > > > > *Jamie Nelson* | Sr. Administrator | BI&T Infrastructure-Intel | *Devon > Energy Corporation* | Work: 405.552.8054 | Mobile: 405.248.7963 | > http://www.dvn.com > > > > *From:* xxxxxxxxxxxxxxxx [mailto: > xxxxxxxxxxxxxxxx] *On Behalf Of *Robert Miller > *Sent:* Wednesday, September 30, 2009 3:17 PM > > > *To:* xxxxxxxxxxxxxxxx > *Subject:* Re: [gptalk] Group Policy not applying to group > > > > Here is what the result is from the modeling wizard. As you can see it is > being applied to the OU and the group. I don't understand why the user isn't > getting it. I do not have any WMI filters configured, nor are there any > blocks to inheritance in place for this user. > > I'm wondering if perhaps a WMI filter may be a better way to go rather than > a group and an OU. The GPO will be applied to our entire organization to > start with, but users will be removed from the policy over time. I > personally have never tried using WMI filters, so if you experts think that > is a better option for me, can you also point me to a site that explains how > they work? > > Thank you again. > > On Wed, Sep 30, 2009 at 12:55 PM, Robert Miller <xxxxxxxxxxxxxxxx> > wrote: > > Yes, the group is in the aforementioned OU with the policy applied to the > OU. > > I do not know what Rsop is. > > The policy is for a user account not a computer. The GPO applied just fine > to the user as mentioned, when the user was in the OU and not in the group. > > > > On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx> > wrote: > > Does that group reside in an OU within that Container? 
> > > > Run Rsop on that group and computer > > > > Also, run gpresult on a PC to see if it’s even getting the GPO … > > > > > > > > Regards, > > > > *Mike Dzikowski* > > *WinTel Engineer * > > *Henry Ford Health System | OneIT* > > *2571 Product Drive | Rochester Hills, MI 48309* > > *xxxxxxxxxxxxxxxx* > > *248.853.4891* > > > > *From:* xxxxxxxxxxxxxxxx [mailto: > xxxxxxxxxxxxxxxx] *On Behalf Of *Robert Miller > *Sent:* Wednesday, September 30, 2009 3:42 PM > > > *To:* xxxxxxxxxxxxxxxx > > *Subject:* Re: [gptalk] Group Policy not applying to group > > > > This is what I have in there currently. > > On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) < > xxxxxxxxxxxxxxxx> wrote: > > What do you have for the Security Filtering on the Policy? Is there > anything on the filter that would resolve to the User? > > > > *Kevin* > > *Kevin Wornell* > *Office Technology Group* > > *From:* xxxxxxxxxxxxxxxx [mailto: > xxxxxxxxxxxxxxxx] *On Behalf Of *Robert Miller > *Sent:* Wednesday, September 30, 2009 2:14 PM > *To:* xxxxxxxxxxxxxxxx > *Subject:* [gptalk] Group Policy not applying to group > > > > Hello, > > > > Is it possible to apply a group policy to a user via a group in an OU? > > I need to apply an Outlook 2003 policy to some users in my Windows 2003 > domain. Because users will likely be shifted in and out of this policy's > requirement I have to use a group to manage the users. What I've done is > created a group that will have the restriction user policy applied to it. > I've added the users to this group, and placed the group in an OU and > applied the GP to it. > > When I run the simulation wizard, it shows the OU as having the policy > applied, but when I run it for the user in the group it is not being > applied. > > I am able to have the policy apply with no problems if I place the user in > the OU directly, so I am wondering if this is even possible. > > Thank you in advance for any insights and help. 
> > Rob Miller
| | | |
| jeromelcruz
Posts:123
 | | 10/03/2009 1:31 AM |
| Robert,
To see what the GPO sub-systems are actually doing 'under the hood' so to speak, activate verbose policy processing (for all OS'es prior to Windows Vista) and look at the userenv.log file. There you will see exactly how the system is behaving 'speed-wise' (no matter what the configured settings are) and you'll see whether or not the GPOs are really being applied or not.
221833 How to enable user environment debug logging in retail builds of Windows http://support.microsoft.com/kb/221833
Then, you'll find the following to be 'excellent' tutorials (Mark Ramey - MS Directory Services Team) on how to read that file:
Understanding How to Read a Userenv Log - Part 1 http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx
Understanding How to Read a Userenv Log - Part 2 http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-2.aspx
As well, I'd also highly recommend: Interpreting Userenv Log Files (Error and Return Codes noted in UserEnv are listed here!!!!) http://technet.microsoft.com/en-us/library/cc786775.aspx
Jerry Cruz | Group Policies Product Manager | Windows Infrastructure Architecture | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 12:25 PM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
That suggests, "it wouldn't hurt if you did, and is a good idea." Thanks for the heads up. I will disable both.
On Fri, Oct 2, 2009 at 12:02 PM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
You don't have to, but if you want reliable behavior over slow links, it's not a bad idea. However, your call. If you only care about user policy, then disable it under User Configuration.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 11:43 AM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Do I have to do it under both even if the policy is for User only?
On Fri, Oct 2, 2009 at 11:16 AM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
Keep in mind that you have to disable this under both Computer Configuration and User Configuration-as SLD occurs for both computer and user.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Omar Droubi Sent: Friday, October 02, 2009 10:05 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Group Policy not applying to group
Kevin is correct.
To actually disable slow link detection- you enable the policy setting and set the rate to "0"
If you disable the setting - nothing changes.
thanks Kevin for the correction.
Omar
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Wornell, Kevin (Dallas) [xxxxxxxxxxxxxxxx] Sent: Friday, October 02, 2009 9:37 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Group Policy not applying to group
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 10:53 AM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Let's assume that it is slow link detection, I wouldn't be surprised as our hardware is getting up there in years. How do I configure the policy? I've never dealt with slow link detection in the past, but honestly, I'm starting to wonder if this has been the cause of other issues we've had over the years.
So, I need to know if I am turning slow link detection on/off/or some other adjustment, and more importantly where I would find it. I've been searching through the GPO Management console and I haven't found it yet.
Thank you for the clarification Omar. Every little bit helps.
On Fri, Oct 2, 2009 at 8:45 AM, Omar Droubi <xxxxxxxxxxxxxxxx> wrote:
Group Policy Slow link detection is not just about speed.
What is really going on behind the scenes- at least on XP- and I got this from MS and from the networking group sniffing some packets- in case I get it wrong- it has been about 4 years.
Anyway- there is the windows logo bitmap file- and this file is broken up into several smaller chunks and is sent/received by the GPO client to check for slow link detection- and we found that one issue that was causing this to break was that these packets were fragmented packets- and this was blocked by the network switches, firewalls and vpn device.
Once we configured the switches between the VPN device(hardware VPN) the VPN network and the production net where the DCs were hosted- we were good to go and slow link detection was working correctly and VPN users were indeed getting policies applied.
This is a big effort to make this work- but other options can include disabling slow link detection entirely or setting a post connection script that runs gpupdate /force.
now I believe that gpupdate /force must somehow exclude slow link detection- but you may want to take a notebook pc on the VPN and run the Gpupdate /force to see if that really applies the policies.
If that works- then you just need to figure out how to apply that post connection script without redeploying a custom/new VPN client to the entire company- or you can drop it to targeted users.
hope that helps and if Darren or someone else can clarify or modify what I stated about the slow link detection- I want to know-so I can get it right.
Thanks,
Omar Droubi
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller [xxxxxxxxxxxxxxxx] Sent: Friday, October 02, 2009 8:25 AM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Hm... that is possible; however is a T1 considered a slow link? My bandwidth at home is 25mb up and down, but my work only has a T1.
On Fri, Oct 2, 2009 at 8:15 AM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
Most likely cause is a slow link being detected and causing the policy to not be applied. You could set the policy to apply even across slow links by adjusting the slow link detection
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 9:41 AM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
I could use some additional help on this. Quick summary of where I'm at: All the above is now working. I can simply add a user to the group and they pick up the policy. Awesome. Yesterday, I created a new user, set up the user profile on a laptop making sure that all policies were applied except the restriction policy mentioned above. I then logged off the laptop and shut it down. I then placed the user into the restriction group and went home. At least an hour passed before I then turned on the laptop at home logged in as the user and then connected to the VPN. I left the laptop running for over two hours, but every 15 minutes or so I would launch Outlook and ensure the VPN was still running and check to see if the policy had been applied. It was never applied. I then thought that perhaps I had to disconnect from the VPN and reconnect for the policy to get applied. That did not work. I tried rebooting the laptop and logging back in as the user. That did not work. So, my question is, what exactly is the normal behavior for policies for remote users connecting through a VPN? How/when do they get applied?
This is really important as our CEO is insisting on this policy change and I need to have it work for everyone in the company. It works fine for the local users and users in remote offices that have DCs, but I'm concerned that remote users won't pick up the policy. Any help would be appreciated.
Thank you, Rob Miller
On Wed, Sep 30, 2009 at 3:10 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Yep, 2 hours, give or take. Or as Jerry mentioned, if they initiate the VPN connection before they logon (pre-GINA) they'll process user policy as if they were connected to the LAN (taking into account that some CSEs won't process over a slow link, of course) and they'll get the settings immediately upon logon.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 4:53 PM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
These are all Windows XP machines. The policy is the same one I mentioned above. It makes a change to the Advanced Email Settings in Outlook. These changes are via the Office 2003 admin template, and as far as I'm aware make registry setting changes. So based on what you've said it sounds like they will get the changes after 2 hours of being connected. Am I understanding that correctly?
On Wed, Sep 30, 2009 at 2:28 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Robert,
As long as the policy is 'security' or 'registry' based, your VPN user's devices should pick it up after connecting and after being logged onto your network for at least two hours for legacy operating systems (Windows XP and earlier) and faster for Vista and greater operating systems (since they 'detect' a network change state and then would initiate an update based upon that).
If the policy uses other GPO sub-systems, then it'll depend upon that other system. For example: If the GPO pushes a User Logon script, unless the users connect pre-GINA, the scripts will not process (this is for commands that do not exist on the local device-what I mean is that you could have a script that launches "Calc.exe and it'd work whether they were on the LAN or not, but if, as usual, you execute something on the domain...the GPO system would still attempt to launch it, but won't be able to 'get' there-you'll see this attempt recorded in the Application event log on older systems and in the Group Policy Event log on Vista/Windows 7 systems...).
Jerry Cruz | Group Policies Product Manager | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 2:02 PM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
That was it! I need to apply it to the OU that contained all the users and not to the OU that contained the groups. Also, thank you for the extremely important tip of removing the Authenticated Users. I am up and running just fine now. However, I now have another big question that I'm positive someone will be able to help me with.
We have several dozen remote users who only connected to the network via VPN connections. Is there a way to have them pick up this policy the next time they connect? Is that even possible, or do they have to connect via dial up or something?
Again thank you very much for your help!
On Wed, Sep 30, 2009 at 1:29 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Okay, maybe I read your original post wrong, but you said you applied the GPO to the OU containing the group. The GPO has to be applied to an OU that contains all of the user accounts in the group, not just the group itself.
Not to mention that you'll also want to remove the Authenticated Users group from Security Filtering so the GPO only applies to the users in your group. Otherwise it will get applied to every object in that OU and every OU underneath it.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 3:17 PM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Here is what the result is from the modeling wizard. As you can see it is being applied to the OU and the group. I don't understand why the user isn't getting it. I do not have any WMI filters configured, nor are there any blocks to inheritance in place for this user.
I'm wondering if perhaps a WMI filter may be a better way to go rather than a group and an OU. The GPO will be applied to our entire organization to start with, but users will be removed from the policy over time. I personally have never tried using WMI filters, so if you experts think that is a better option for me, can you also point me to a site that explains how they work?
Thank you again.
On Wed, Sep 30, 2009 at 12:55 PM, Robert Miller <xxxxxxxxxxxxxxxx> wrote:
Yes, the group is in the aforementioned OU with the policy applied to the OU.
I do not know what Rsop is.
The policy is for a user account not a computer. The GPO applied just fine to the user as mentioned, when the user was in the OU and not in the group.
On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx> wrote:
Does that group reside in an OU within that Container?
Run Rsop on that group and computer
Also, run gpresult on a PC to see if it's even getting the GPO ...
Regards,
Mike Dzikowski
WinTel Engineer
Henry Ford Health System | OneIT
2571 Product Drive | Rochester Hills, MI 48309
xxxxxxxxxxxxxxxx
248.853.4891
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 3:42 PM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
This is what I have in there currently.
On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
What do you have for the Security Filtering on the Policy? Is there anything on the filter that would resolve to the User?
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 2:14 PM To: xxxxxxxxxxxxxxxx Subject: [gptalk] Group Policy not applying to group
Hello,
Is it possible to apply a group policy to a user via a group in an OU?
I need to apply an Outlook 2003 policy to some users in my Windows 2003 domain. Because users will likely be shifted in and out of this policy's requirement I have to use a group to manage the users. What I've done is created a group that will have the restriction user policy applied to it. I've added the users to this group, and placed the group in an OU and applied the GP to it.
When I run the simulation wizard, it shows the OU as having the policy applied, but when I run it for the user in the group it is not being applied.
I am able to have the policy apply with no problems if I place the user in the OU directly, so I am wondering if this is even possible.
Thank you in advance for any insights and help.
Rob Miller
| | | |
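The setting the thread converges on (enable "Group Policy slow link detection" with a rate of 0, under both Computer and User Configuration) can be verified on a client by reading the policy's registry value. This is an added example, not part of any post above; it assumes the policy is stored as the DWORD `GroupPolicyMinTransferRate` under `Software\Policies\Microsoft\Windows\System` in HKLM and HKCU, a name the posts themselves do not give.

```powershell
# Added example: how is Group Policy slow link detection configured on this PC?
# Assumption (not stated in the thread): the policy is stored as the DWORD
# GroupPolicyMinTransferRate under Software\Policies\Microsoft\Windows\System,
# in HKLM for Computer Configuration and HKCU for User Configuration.

$SubKey    = 'Software\Policies\Microsoft\Windows\System'
$ValueName = 'GroupPolicyMinTransferRate'

function ConvertTo-SlowLinkState {
    param($Rate)   # $null when the policy value is absent

    if ($null -eq $Rate) {
        return 'No policy value: the default threshold applies'
    }
    # A REG_DWORD can come back as a signed Int32; normalise to 0..4294967295.
    $kbps = ([int64]$Rate) -band 4294967295
    if ($kbps -eq 0) {
        return 'Enabled with rate 0: detection is off, every link counts as fast'
    }
    return "Enabled: links slower than $kbps Kbps count as slow"
}

function Get-SlowLinkPolicy {
    $scopes = @(
        @{ Name = 'Computer Configuration'; Hive = 'HKLM:' },
        @{ Name = 'User Configuration';     Hive = 'HKCU:' }
    )
    foreach ($scope in $scopes) {
        $path = "$($scope.Hive)\$SubKey"
        $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
        $rate = if ($item) { $item.$ValueName } else { $null }
        [pscustomobject]@{
            Scope    = $scope.Name
            RawValue = $rate
            State    = ConvertTo-SlowLinkState $rate
        }
    }
}

$result = @(Get-SlowLinkPolicy)
$result | Format-List Scope, RawValue, State

# Darren's point in the thread: detection runs separately for computer and user
# policy, so rate 0 on one side leaves detection active on the other.
$off = @($result | Where-Object { $null -ne $_.RawValue -and $_.RawValue -eq 0 })
if ($off.Count -eq 1) {
    Write-Warning "Slow link detection is off for $($off[0].Scope) only."
}
```

Run it in the affected user's session, since HKCU reflects only the logged-on user.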
| RPMiller
Posts:34
 | | 12/13/2009 9:24 PM |
| I really need the group's help again. I am still not getting a result with the GPO being applied via the VPN connection. I am currently on the phone with MS tech support and they are hinting at this not even being possible. Before I continue I need to clarify to make sure that we are on the same page, so here is the process:
1) User logs in using their standard user account, but is connecting to the Internet locally via their local network, i.e. home, coffee shop, etc., so they are not logging into the company network.
2) The user launches the VPN connection
3) Eventually the policy should be applied (90 minutes give or take 30 minutes). This is where the process fails.
If the user logs in directly to the network, the policy applies perfectly, so my question is, is the above process supposed to work? From all the above comments I assume that it is working for many of you already, and that the answer is yes. If so, can anyone shoot me a link to a Microsoft article that states that this should be working?
Rob
On Fri, Oct 2, 2009 at 5:29 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
> Robert, > > > > To see what the GPO sub-systems are actually doing ‘under the hood’ so to > speak, activate verbose policy processing (for all OS’es prior to Windows > Vista) and look at the userenv.log file. There you will see exactly how the > system is behaving ‘speed-wise’ (no matter what the configured settings are) > and you’ll see whether or not the GPOs are really being applied or not. > > > > *221833 How to enable user environment debug logging in retail builds of > Windows* > > http://support.microsoft.com/kb/221833 > > > > Then, you’ll find the following to be ‘excellent’ tutorials (Mark Ramey – > MS Directory Services Team) on how to read that file: > > > > *Understanding How to Read a Userenv Log – Part 1* > > > http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx > > > > *Understanding How to Read a Userenv Log – Part 2* > > > http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-2.aspx > > > > As well, I’d also highly recommend: > > *Interpreting Userenv Log Files **(Error and Return Codes noted in UserEnv > are listed here!!!!)* > http://technet.microsoft.com/en-us/library/cc786775.aspx > > > > *Jerry Cruz* | Group Policies Product Manager | Windows Infrastructure > Architecture | IT Infrastructure | Boeing IT** > > > > *From:* xxxxxxxxxxxxxxxx [mailto: > xxxxxxxxxxxxxxxx] *On Behalf Of *Robert Miller > *Sent:* Friday, October 02, 2009 12:25 PM > > *To:* xxxxxxxxxxxxxxxx > *Subject:* Re: [gptalk] Group Policy not applying to group > > > > That suggests, "it wouldn't hurt if you did, and is a good idea." Thanks > for the heads up. I will disable both. > > On Fri, Oct 2, 2009 at 12:02 PM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> > wrote: > > You don’t have to, but if you want reliable behavior over slow links, its > not a bad idea. However, your call. If you only care about user policy, then > disable it under User Configuration. 
>
> Darren
>
> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Robert Miller
> *Sent:* Friday, October 02, 2009 11:43 AM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* Re: [gptalk] Group Policy not applying to group
>
> Do I have to do it under both even if the policy is for User only?
>
> On Fri, Oct 2, 2009 at 11:16 AM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
>
> Keep in mind that you have to disable this under both Computer Configuration and User Configuration—as SLD occurs for both computer and user.
>
> Darren
>
> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Omar Droubi
> *Sent:* Friday, October 02, 2009 10:05 AM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* RE: [gptalk] Group Policy not applying to group
>
> Kevin is correct.
>
> To actually disable slow link detection- you enable the policy setting and set the rate to "0"
>
> If you disable the setting - nothing changes.
>
> thanks Kevin for the correction.
>
> Omar
> ------------------------------
> *From:* xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Wornell, Kevin (Dallas) [xxxxxxxxxxxxxxxx]
> *Sent:* Friday, October 02, 2009 9:37 AM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* RE: [gptalk] Group Policy not applying to group
>
> *To configure slow link detection*
>
> 1. Open the policy setting Group Policy slow link detection, located in *Computer Configuration\Administrative Templates\System\Group Policy processing*
> 2. In *Connection speed*, type a decimal number between *0* and *4,294,967,200* (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter *0* (all connections will be considered to be fast).
>
> *Kevin*
> *Kevin Wornell*
> *Office Technology Group*
>
> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Robert Miller
> *Sent:* Friday, October 02, 2009 10:53 AM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* Re: [gptalk] Group Policy not applying to group
>
> Let's assume that it is slow link detection, I wouldn't be surprised as our hardware is getting up there in years. How do I configure the policy? I've never dealt with slow link detection in the past, but honestly, I'm starting to wonder if this has been the cause of other issues we've had over the years.
>
> So, I need to know if I am turning slow link detection on/off/or some other adjustment, and more importantly where I would find it. I've been searching through the GPO Management console and I haven't found it yet.
>
> Thank you for the clarification Omar. Every little bit helps.
>
> On Fri, Oct 2, 2009 at 8:45 AM, Omar Droubi <xxxxxxxxxxxxxxxx> wrote:
>
> Group Policy Slow link detection is not just about speed.
>
> What is really going on behind the scenes- at least on XP- and I got this from MS and from the networking group sniffing some packets- in case I get it wrong- it has been about 4 years.
>
> Anyway- there is the windows logo bitmap file- and this file is broken up into several smaller chunks and is sent/received by the GPO client to check for slow link detection- and we found that one issue that was causing this to break was that these packets were fragmented packets- and this was blocked by the network switches, firewalls and vpn device.
>
> Once we configured the switches between the VPN device(hardware VPN) the VPN network and the production net where the DCs were hosted- we were good to go and slow link detection was working correctly and VPN users were indeed getting policies applied.
>
> This is a big effort to make this work- but other options can include disabling slow link detection entirely or setting a post connection script that runs gpupdate /force.
>
> now I believe that gpupdate /force must somehow exclude slow link detection- but you may want to take a notebook pc on the VPN and run the Gpupdate /force to see if that really applies the policies.
>
> If that works- then you just need to figure out how to apply that post connection script without redeploying a custom/new VPN client to the entire company- or you can drop it to targeted users.
>
> hope that helps and if Darren or someone else can clarify or modify what I stated about the slow link detection- I want to know-so I can get it right.
>
> Thanks,
>
> Omar Droubi
> ------------------------------
> *From:* xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller [xxxxxxxxxxxxxxxx]
> *Sent:* Friday, October 02, 2009 8:25 AM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* Re: [gptalk] Group Policy not applying to group
>
> Hm... that is possible; however is a T1 considered a slow link? My bandwidth at home is 25mb up and down, but my work only has a T1.
>
> On Fri, Oct 2, 2009 at 8:15 AM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
>
> Most likely cause is a slow link being detected and causing the policy to not be applied. You could set the policy to apply even across slow links by adjusting the slow link detection
>
> *To configure slow link detection*
>
> 1. Open the policy setting Group Policy slow link detection, located in *Computer Configuration\Administrative Templates\System\Group Policy processing*
> 2. In *Connection speed*, type a decimal number between *0* and *4,294,967,200* (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter *0* (all connections will be considered to be fast).
>
> *Kevin*
> *Kevin Wornell*
> *Office Technology Group*
>
> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Robert Miller
> *Sent:* Friday, October 02, 2009 9:41 AM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* Re: [gptalk] Group Policy not applying to group
>
> I could use some additional help on this. Quick summary of where I'm at: All the above is now working. I can simply add a user to the group and they pick up the policy. Awesome. Yesterday, I created a new user, set up the user profile on a laptop making sure that all policies were applied *except* the restriction policy mentioned above. I then logged off the laptop and shut it down. I then placed the user into the restriction group and went home. At least an hour passed before I then turned on the laptop at home logged in as the user and then connected to the VPN. I left the laptop running for over two hours, but every 15 minutes or so I would launch Outlook and ensure the VPN was still running and check to see if the policy had been applied. *It was never applied*. I then thought that perhaps I had to disconnect from the VPN and reconnect for the policy to get applied. That did not work. I tried rebooting the laptop and logging back in as the user. That did not work. So, my question is, what exactly is the normal behavior for policies for remote users connecting through a VPN? How/when do they get applied?
>
> This is really important as our CEO is insisting on this policy change and I need to have it work for everyone in the company. It works fine for the local users and users in remote offices that have DCs, but I'm concerned that remote users won't pick up the policy. Any help would be appreciated.
>
> Thank you,
> Rob Miller
>
> On Wed, Sep 30, 2009 at 3:10 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
>
> Yep, 2 hours, give or take. Or as Jerry mentioned, if they initiate the VPN connection before they logon (pre-GINA) they’ll process user policy as if they were connected to the LAN (taking into account that some CSEs won’t process over a slow link, of course) and they’ll get the settings immediately upon logon.
>
> *Jamie Nelson* | Sr. Administrator | BI&T Infrastructure-Intel | *Devon Energy Corporation* | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
>
> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Robert Miller
> *Sent:* Wednesday, September 30, 2009 4:53 PM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* Re: [gptalk] Group Policy not applying to group
>
> These are all Windows XP machines. The policy is the same one I mentioned above. It makes a change to the Advanced Email Settings in Outlook. These changes are via the Office 2003 admin template, and as far as I'm aware make registry setting changes. So based on what you've said it sounds like they will get the changes after 2 hours of being connected. Am I understanding that correctly?
>
> On Wed, Sep 30, 2009 at 2:28 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
>
> Robert,
>
> As long as the policy is ‘security’ or ‘registry’ based, your VPN user’s devices should pick it up after connecting and after being logged onto your network for at least two hours for legacy operating systems (Windows XP and earlier) and faster for Vista and greater operating systems (since they ‘detect’ a network change state and then would initiate an update based upon that).
>
> If the policy uses other GPO sub-systems, then it’ll depend upon that other system. For example: If the GPO pushes a User Logon script, unless the users connect pre-GINA, the scripts will not process (this is for commands that do not exist on the local device—what I mean is that you could have a script that launches “Calc.exe” and it’d work whether they were on the LAN or not, but if, as usual, you execute something on the domain…the GPO system would still attempt to launch it, but won’t be able to ‘get’ there—you’ll see this attempt recorded in the Application event log on older systems and in the Group Policy Event log on Vista/Windows 7 systems…).
>
> *Jerry Cruz* | Group Policies Product Manager | IT Infrastructure | Boeing IT
>
> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Robert Miller
> *Sent:* Wednesday, September 30, 2009 2:02 PM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* Re: [gptalk] Group Policy not applying to group
>
> That was it! I need to apply it to the OU that contained all the users and not to the OU that contained the groups. Also, thank you for the extremely important tip of removing the Authenticated Users. I am up and running just fine now. However, I now have another big question that I'm positive someone will be able to help me with.
>
> We have several dozen remote users who only connected to the network via VPN connections. Is there a way to have them pick up this policy the next time they connect? Is that even possible, or do they have to connect via dial up or something?
>
> Again thank you very much for your help!
>
> On Wed, Sep 30, 2009 at 1:29 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
>
> Okay, maybe I read your original post wrong, but you said you applied the GPO to the OU containing the group. The GPO has to be applied to an OU that contains all of the user accounts in the group, not just the group itself.
>
> Not to mention that you’ll also want to remove the Authenticated Users group from Security Filtering so the GPO *only* applies to the users in your group. Otherwise it will get applied to every object in that OU and every OU underneath it.
>
> *Jamie Nelson* | Sr. Administrator | BI&T Infrastructure-Intel | *Devon Energy Corporation* | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
>
> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Robert Miller
> *Sent:* Wednesday, September 30, 2009 3:17 PM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* Re: [gptalk] Group Policy not applying to group
>
> Here is what the result is from the modeling wizard. As you can see it is being applied to the OU and the group. I don't understand why the user isn't getting it. I do not have any WMI filters configured, nor are there any blocks to inheritance in place for this user.
>
> I'm wondering if perhaps a WMI filter may be a better way to go rather than a group and an OU. The GPO will be applied to our entire organization to start with, but users will be removed from the policy over time. I personally have never tried using WMI filters, so if you experts think that is a better option for me, can you also point me to a site that explains how they work?
>
> Thank you again.
>
> On Wed, Sep 30, 2009 at 12:55 PM, Robert Miller <xxxxxxxxxxxxxxxx> wrote:
>
> Yes, the group is in the aforementioned OU with the policy applied to the OU.
>
> I do not know what Rsop is.
>
> The policy is for a user account not a computer. The GPO applied just fine to the user as mentioned, when the user was in the OU and not in the group.
>
> On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx> wrote:
>
> Does that group reside in an OU within that Container?
>
> Run Rsop on that group and computer
>
> Also, run gpresult on a PC to see if it’s even getting the GPO …
>
> Regards,
>
> *Mike Dzikowski*
> *WinTel Engineer*
> *Henry Ford Health System | OneIT*
> *2571 Product Drive | Rochester Hills, MI 48309*
> *xxxxxxxxxxxxxxxx*
> *248.853.4891*
>
> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Robert Miller
> *Sent:* Wednesday, September 30, 2009 3:42 PM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* Re: [gptalk] Group Policy not applying to group
>
> This is what I have in there currently.
>
> On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
>
> What do you have for the Security Filtering on the Policy? Is there anything on the filter that would resolve to the User?
>
> *Kevin*
> *Kevin Wornell*
> *Office Technology Group*
>
> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Robert Miller
> *Sent:* Wednesday, September 30, 2009 2:14 PM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* [gptalk] Group Policy not applying to group
>
> Hello,
>
> Is it possible to apply a group policy to a user via a group in an OU?
>
> I need to apply an Outlook 2003 policy to some users in my Windows 2003 domain. Because users will likely be shifted in and out of this policy's requirement I have to use a group to manage the users. What I've done is created a group that will have the restriction user policy applied to it. I've added the users to this group, and placed the group in an OU and applied the GP to it.
>
> When I run the simulation wizard, it shows the OU as having the policy applied, but when I run it for the user in the group it is not being applied.
>
> I am able to have the policy apply with no problems if I place the user in the OU directly, so I am wondering if this is even possible.
>
> Thank you in advance for any insights and help.
>
> Rob Miller
| | | |
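The quoted thread above recommends enabling the slow link detection setting with a rate of 0 under both Computer Configuration and User Configuration, and turning on verbose userenv logging to see what the client actually does. The script below is an added example, not part of any poster's message, for checking those settings on an affected laptop; the registry paths, the value names `GroupPolicyMinTransferRate` and `UserEnvDebugLevel`, and the log location do not appear in the thread and are assumed here to be the standard ones, and it assumes PowerShell is installed on the machine.

```powershell
# Added example: report how slow link detection and userenv logging are set locally.
# Assumption: the "Group Policy slow link detection" setting is stored as the DWORD
# GroupPolicyMinTransferRate under the machine and user policy keys listed below.
$policyKeys = @(
    @{ Scope = 'Computer Configuration'; Path = 'HKLM:\Software\Policies\Microsoft\Windows\System' },
    @{ Scope = 'User Configuration';     Path = 'HKCU:\Software\Policies\Microsoft\Windows\System' }
)

function Get-DwordValue {
    param([string]$KeyPath, [string]$Name)
    # Returns $null when the key or value is missing, otherwise an unsigned number.
    $props = Get-ItemProperty -LiteralPath $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $raw = [int64]$props.$Name
    if ($raw -lt 0) { $raw += 4294967296 }   # large DWORDs can surface as negative Int32
    return $raw
}

# Slow link detection runs separately for computer and user policy,
# so both scopes are reported.
$report = foreach ($entry in $policyKeys) {
    $rate = Get-DwordValue -KeyPath $entry.Path -Name 'GroupPolicyMinTransferRate'
    if ($null -eq $rate) {
        $meaning = 'Not configured or disabled: the default threshold still applies'
    }
    elseif ($rate -eq 0) {
        $meaning = 'Enabled with rate 0: detection is off, every link is treated as fast'
    }
    else {
        $meaning = "Enabled: links slower than $rate Kbps are treated as slow"
    }
    New-Object PSObject -Property @{ Scope = $entry.Scope; Rate = $rate; Meaning = $meaning } |
        Select-Object Scope, Rate, Meaning
}
$report | Format-Table -AutoSize -Wrap

# Verbose userenv logging (operating systems before Windows Vista).
# Assumption: 0x10002 = verbose output (0x2) written to a log file (0x10000).
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$debug    = Get-DwordValue -KeyPath $winlogon -Name 'UserEnvDebugLevel'
$logPath  = Join-Path $env:SystemRoot 'Debug\UserMode\userenv.log'

if (($null -ne $debug) -and (($debug -band 0x10002) -eq 0x10002)) {
    $exists = Test-Path -LiteralPath $logPath
    "Verbose userenv logging is on. Log file: $logPath (present: $exists)"
}
else {
    "Verbose userenv logging is off (UserEnvDebugLevel = $debug)."
}
```

Run it once on the LAN and once over the VPN after a policy refresh: if the rate shows 0 on the LAN but the values are missing for the VPN session, the GPO carrying the setting is itself not reaching the machine.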
| jeromelcruz
Posts:123
 | | 12/13/2009 9:27 PM |
| Do you have a verbose UserEnv log from an affected device (attempting to connect via VPN) that you can share with this community?
Does the VPN client support ICMP (for pinging the DC)? Some of them do not... (they operate much higher up the stack so, by design, they 'cannot ever' support pinging).
BTW: It is NOT (90 minutes give or take 30 minutes)... It is 90 minutes with a random 0-30 minute offset. So the 'range' is 90-120 minutes, but you can always perform a 'GPUpdate /Force' command to apply (or refresh) the settings manually. So what happens to a test device when you connect using VPN and then try the 'GPUpdate /Force' command?
Articles: There are many. Here's one: http://technet.microsoft.com/en-us/library/cc786341(WS.10).aspx
Jerry
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Tuesday, October 06, 2009 11:39 AM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
I really need the groups help again. I am still not getting a result with the GPO being applied via the VPN connection. I am currently on the phone with MS tech support and they are hinting at this not even being possible. Before I continue I need to clarify to make sure that we are on the same page, so here is the process:
1) User logs in using their standard user account, but are connecting to the Internet locally via their local network, i.e. home, coffee shop, etc., so they are not logging into the company network.
2) The user launches the VPN connection
3) Eventually the policy should be applied (90 minutes give or take 30 minutes). This is where the process fails.
If the user logs in directly to the network, the policy applies perfectly, so my question is, is the above process supposed to work? From all the above comments I assume that it is working for many of you already, and that the answer is yes. If so, can anyone shoot me a link to a Microsoft article that states that this should be working?
Rob
On Fri, Oct 2, 2009 at 5:29 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Robert,
To see what the GPO sub-systems are actually doing 'under the hood' so to speak, activate verbose policy processing (for all OS'es prior to Windows Vista) and look at the userenv.log file. There you will see exactly how the system is behaving 'speed-wise' (no matter what the configured settings are) and you'll see whether or not the GPOs are really being applied or not.
221833 How to enable user environment debug logging in retail builds of Windows
http://support.microsoft.com/kb/221833
Then, you'll find the following to be 'excellent' tutorials (Mark Ramey - MS Directory Services Team) on how to read that file:
Understanding How to Read a Userenv Log - Part 1
http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx
Understanding How to Read a Userenv Log - Part 2
http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-2.aspx
As well, I'd also highly recommend:
Interpreting Userenv Log Files (Error and Return Codes noted in UserEnv are listed here!!!!) http://technet.microsoft.com/en-us/library/cc786775.aspx
Jerry Cruz | Group Policies Product Manager | Windows Infrastructure Architecture | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 12:25 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
That suggests, "it wouldn't hurt if you did, and is a good idea." Thanks for the heads up. I will disable both.
On Fri, Oct 2, 2009 at 12:02 PM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
You don't have to, but if you want reliable behavior over slow links, it's not a bad idea. However, your call. If you only care about user policy, then disable it under User Configuration.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 11:43 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Do I have to do it under both even if the policy is for User only?
On Fri, Oct 2, 2009 at 11:16 AM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
Keep in mind that you have to disable this under both Computer Configuration and User Configuration-as SLD occurs for both computer and user.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Omar Droubi Sent: Friday, October 02, 2009 10:05 AM
To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Group Policy not applying to group
Kevin is correct.
To actually disable slow link detection- you enable the policy setting and set the rate to "0"
If you disable the setting - nothing changes.
thanks Kevin for the correction.
Omar
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Wornell, Kevin (Dallas) [xxxxxxxxxxxxxxxx] Sent: Friday, October 02, 2009 9:37 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Group Policy not applying to group
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 10:53 AM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Let's assume that it is slow link detection, I wouldn't be surprised as our hardware is getting up there in years. How do I configure the policy? I've never dealt with slow link detection in the past, but honestly, I'm starting to wonder if this has been the cause of other issues we've had over the years.
So, I need to know if I am turning slow link detection on/off/or some other adjustment, and more importantly where I would find it. I've been searching through the GPO Management console and I haven't found it yet.
Thank you for the clarification Omar. Every little bit helps.
On Fri, Oct 2, 2009 at 8:45 AM, Omar Droubi <xxxxxxxxxxxxxxxx> wrote:
Group Policy Slow link detection is not just about speed.
What is really going on behind the scenes- at least on XP- and I got this from MS and from the networking group sniffing some packets- in case I get it wrong- it has been about 4 years.
Anyway- there is the windows logo bitmap file- and this file is broken up into several smaller chunks and is sent/received by the GPO client to check for slow link detection- and we found that one issue that was causing this to break was that these packets were fragmented packets- and this was blocked by the network switches, firewalls and vpn device.
Once we configured the switches between the VPN device(hardware VPN) the VPN network and the production net where the DCs were hosted- we were good to go and slow link detection was working correctly and VPN users were indeed getting policies applied.
This is a big effort to make this work- but other options can include disabling slow link detection entirely or setting a post connection script that runs gpupdate /force.
now I believe that gpupdate /force must somehow exclude slow link detection- but you may want to take a notebook pc on the VPN and run the Gpupdate /force to see if that really applies the policies.
If that works- then you just need to figure out how to apply that post connection script without redeploying a custom/new VPN client to the entire company- or you can drop it to targeted users.
hope that helps and if Darren or someone else can clarify or modify what I stated about the slow link detection- I want to know-so I can get it right.
Thanks,
Omar Droubi
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller [xxxxxxxxxxxxxxxx] Sent: Friday, October 02, 2009 8:25 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Hm... that is possible; however is a T1 considered a slow link? My bandwidth at home is 25mb up and down, but my work only has a T1.
On Fri, Oct 2, 2009 at 8:15 AM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
Most likely cause is a slow link being detected and causing the policy to not be applied. You could set the policy to apply even across slow links by adjusting the slow link detection
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 9:41 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
I could use some additional help on this. Quick summary of where I'm at: All the above is now working. I can simply add a user to the group and they pick up the policy. Awesome. Yesterday, I created a new user, set up the user profile on a laptop making sure that all policies were applied except the restriction policy mentioned above. I then logged off the laptop and shut it down. I then placed the user into the restriction group and went home. At least an hour passed before I then turned on the laptop at home logged in as the user and then connected to the VPN. I left the laptop running for over two hours, but every 15 minutes or so I would launch Outlook and ensure the VPN was still running and check to see if the policy had been applied. It was never applied. I then thought that perhaps I had to disconnect from the VPN and reconnect for the policy to get applied. That did not work. I tried rebooting the laptop and logging back in as the user. That did not work. So, my question is, what exactly is the normal behavior for policies for remote users connecting through a VPN? How/when do they get applied?
This is really important as our CEO is insisting on this policy change and I need to have it work for everyone in the company. It works fine for the local users and users in remote offices that have DCs, but I'm concerned that remote users won't pick up the policy. Any help would be appreciated.
Thank you, Rob Miller
On Wed, Sep 30, 2009 at 3:10 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Yep, 2 hours, give or take. Or as Jerry mentioned, if they initiate the VPN connection before they logon (pre-GINA) they'll process user policy as if they were connected to the LAN (taking into account that some CSEs won't process over a slow link, of course) and they'll get the settings immediately upon logon.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 4:53 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
These are all Windows XP machines. The policy is the same one I mentioned above. It makes a change to the Advanced Email Settings in Outlook. These changes are via the Office 2003 admin template, and as far as I'm aware make registry setting changes. So based on what you've said it sounds like they will get the changes after 2 hours of being connected. Am I understanding that correctly?
On Wed, Sep 30, 2009 at 2:28 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Robert,
As long as the policy is 'security' or 'registry' based, your VPN user's devices should pick it up after connecting and after being logged onto your network for at least two hours for legacy operating systems (Windows XP and earlier) and faster for Vista and greater operating systems (since they 'detect' a network change state and then would initiate an update based upon that).
If the policy uses other GPO sub-systems, then it'll depend upon that other system. For example: If the GPO pushes a User Logon script, unless the users connect pre-GINA, the scripts will not process (this is for commands that do not exist on the local device-what I mean is that you could have a script that launches "Calc.exe" and it'd work whether they were on the LAN or not, but if, as usual, you execute something on the domain...the GPO system would still attempt to launch it, but won't be able to 'get' there-you'll see this attempt recorded in the Application event log on older systems and in the Group Policy Event log on Vista/Windows 7 systems...).
Jerry Cruz | Group Policies Product Manager | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 2:02 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
That was it! I need to apply it to the OU that contained all the users and not to the OU that contained the groups. Also, thank you for the extremely important tip of removing the Authenticated Users. I am up and running just fine now. However, I now have another big question that I'm positive someone will be able to help me with.
We have several dozen remote users who only connected to the network via VPN connections. Is there a way to have them pick up this policy the next time they connect? Is that even possible, or do they have to connect via dial up or something?
Again thank you very much for your help!
On Wed, Sep 30, 2009 at 1:29 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Okay, maybe I read your original post wrong, but you said you applied the GPO to the OU containing the group. The GPO has to be applied to an OU that contains all of the user accounts in the group, not just the group itself.
Not to mention that you'll also want to remove the Authenticated Users group from Security Filtering so the GPO only applies to the users in your group. Otherwise it will get applied to every object in that OU and every OU underneath it.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 3:17 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Here is what the result is from the modeling wizard. As you can see it is being applied to the OU and the group. I don't understand why the user isn't getting it. I do not have any WMI filters configured, nor are there any blocks to inheritance in place for this user.
I'm wondering if perhaps a WMI filter may be a better way to go rather than a group and an OU. The GPO will be applied to our entire organization to start with, but users will be removed from the policy over time. I personally have never tried using WMI filters, so if you experts think that is a better option for me, can you also point me to a site that explains how they work?
Thank you again.
On Wed, Sep 30, 2009 at 12:55 PM, Robert Miller <xxxxxxxxxxxxxxxx> wrote:
Yes, the group is in the aforementioned OU with the policy applied to the OU.
I do not know what Rsop is.
The policy is for a user account not a computer. The GPO applied just fine to the user as mentioned, when the user was in the OU and not in the group.
On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx> wrote:
Does that group reside in an OU within that Container?
Run Rsop on that group and computer
Also, run gpresult on a PC to see if it's even getting the GPO ...
Regards,
Mike Dzikowski
WinTel Engineer
Henry Ford Health System | OneIT
2571 Product Drive | Rochester Hills, MI 48309
xxxxxxxxxxxxxxxx
248.853.4891
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 3:42 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
This is what I have in there currently.
On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
What do you have for the Security Filtering on the Policy? Is there anything on the filter that would resolve to the User?
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 2:14 PM To: xxxxxxxxxxxxxxxx Subject: [gptalk] Group Policy not applying to group
Hello,
Is it possible to apply a group policy to a user via a group in an OU?
I need to apply an Outlook 2003 policy to some users in my Windows 2003 domain. Because users will likely be shifted in and out of this policy's requirement I have to use a group to manage the users. What I've done is created a group that will have the restriction user policy applied to it. I've added the users to this group, and placed the group in an OU and applied the GP to it.
When I run the simulation wizard, it shows the OU as having the policy applied, but when I run it for the user in the group it is not being applied.
I am able to have the policy apply with no problems if I place the user in the OU directly, so I am wondering if this is even possible.
Thank you in advance for any insights and help.
Rob Miller
Notice of Confidentiality
This transmission contains information that may be confidential. It has been prepared for the sole and exclusive use of the intended recipient and on the basis agreed with that person. If you are not the intended recipient of the message (or authorized to receive it for the intended recipient), you should notify us immediately; you should delete it from your system and may not disclose its contents to anyone else.
This e-mail has come to you from Watson Wyatt & Company.
==============================================================================
CONFIDENTIALITY NOTICE: This email contains information from the sender that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise protected from disclosure. This email is intended for use only by the person or entity to whom it is addressed. If you are not the intended recipient, any use, disclosure, copying, distribution, printing, or any action taken in reliance on the contents of this email, is strictly prohibited. If you received this email in error, please contact the sending party by reply email, delete the email from your computer system and shred any paper copies.
Note to Patients: There are a number of risks you should consider before using e-mail to communicate with us. See our Privacy Policy and Henry Ford My Health at www.henryford.com<http://www.henryford.com> for more detailed information. If you do not believe that our policy gives you the privacy and security protection you need, do not send e-mail or Internet communications to us.
==============================================================================
________________________________
Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.
| | | |
| dmarelia
Posts:441
 | | 12/13/2009 9:30 PM |
| Robert- Jerry might be right about the ICMP issue. By default, if an ICMP ping btw client and DC fails, then all GP processing will fail. You should actually see this in the Application event log, in the form of a failure event for source Userenv.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Tuesday, October 06, 2009 1:54 PM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
I did up until about an hour ago when I whacked the profile I was testing. I can create another one tomorrow.
I'm just using the standard VPN connection through the network properties. Nothing special there.
Ah, good to know about the range. When I do a force, I see data transfer through the pipe, but no changes are applied.
Thank you for that link. That is exactly what I was looking for. I wonder if perhaps the Outlook policy that I am using falls under that "...the rest are not..." category? It is a change to the Advanced Email Options to turn off the automatic name search functionality. It seems like it is a registry change, especially since I did find the registry key that would make the change as well, but I prefer to use a policy since it is able to be easily removed.
Thank you again for your help!
On Tue, Oct 6, 2009 at 12:44 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Do you have a verbose UserEnv log from an affected device (attempting to connect via VPN) that you can share with this community?
Does the VPN client support ICMP (for pinging the DC)? Some of them do not... (they operate much higher up the stack so, by design, they 'cannot ever' support pinging).
BTW: It is NOT (90 minutes give or take 30 minutes)... It is 90 minutes with a random 0-30 minute offset. So the 'range' is 90-120 minutes, but you can always perform a 'GPUpdate /Force' command to apply (or refresh) the settings manually. So what happens to a test device when you connect using VPN and then try the 'GPUpdate /Force' command?
Articles: There are many. Here's one: http://technet.microsoft.com/en-us/library/cc786341(WS.10).aspx
Jerry
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Tuesday, October 06, 2009 11:39 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
I really need the group's help again. I am still not getting a result with the GPO being applied via the VPN connection. I am currently on the phone with MS tech support and they are hinting at this not even being possible. Before I continue I need to clarify to make sure that we are on the same page, so here is the process:
1) User logs in using their standard user account, but are connecting to the Internet locally via their local network, i.e. home, coffee shop, etc., so they are not logging into the company network.
2) The user launches the VPN connection.
3) Eventually the policy should be applied (90 minutes give or take 30 minutes). This is where the process fails.
If the user logs in directly to the network, the policy applies perfectly, so my question is, is the above process supposed to work? From all the above comments I assume that it is working for many of you already, and that the answer is yes. If so, can anyone shoot me a link to a Microsoft article that states that this should be working?
Rob
On Fri, Oct 2, 2009 at 5:29 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Robert,
To see what the GPO sub-systems are actually doing 'under the hood' so to speak, activate verbose policy processing (for all OS'es prior to Windows Vista) and look at the userenv.log file. There you will see exactly how the system is behaving 'speed-wise' (no matter what the configured settings are) and you'll see whether or not the GPOs are really being applied or not.
221833 How to enable user environment debug logging in retail builds of Windows
http://support.microsoft.com/kb/221833
Then, you'll find the following to be 'excellent' tutorials (Mark Ramey - MS Directory Services Team) on how to read that file:
Understanding How to Read a Userenv Log - Part 1
http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx
Understanding How to Read a Userenv Log - Part 2
http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-2.aspx
As well, I'd also highly recommend:
Interpreting Userenv Log Files (Error and Return Codes noted in UserEnv are listed here!!!!) http://technet.microsoft.com/en-us/library/cc786775.aspx
Jerry Cruz | Group Policies Product Manager | Windows Infrastructure Architecture | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 12:25 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
That suggests, "it wouldn't hurt if you did, and is a good idea." Thanks for the heads up. I will disable both.
On Fri, Oct 2, 2009 at 12:02 PM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
You don't have to, but if you want reliable behavior over slow links, it's not a bad idea. However, your call. If you only care about user policy, then disable it under User Configuration.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 11:43 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Do I have to do it under both even if the policy is for User only?
On Fri, Oct 2, 2009 at 11:16 AM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
Keep in mind that you have to disable this under both Computer Configuration and User Configuration - as SLD occurs for both computer and user.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Omar Droubi Sent: Friday, October 02, 2009 10:05 AM
To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Group Policy not applying to group
Kevin is correct.
To actually disable slow link detection- you enable the policy setting and set the rate to "0"
If you disable the setting - nothing changes.
Thanks, Kevin, for the correction.
Omar
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Wornell, Kevin (Dallas) [xxxxxxxxxxxxxxxx] Sent: Friday, October 02, 2009 9:37 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Group Policy not applying to group
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 10:53 AM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Let's assume that it is slow link detection, I wouldn't be surprised as our hardware is getting up there in years. How do I configure the policy? I've never dealt with slow link detection in the past, but honestly, I'm starting to wonder if this has been the cause of other issues we've had over the years.
So, I need to know if I am turning slow link detection on/off/or some other adjustment, and more importantly where I would find it. I've been searching through the GPO Management console and I haven't found it yet.
Thank you for the clarification Omar. Every little bit helps.
On Fri, Oct 2, 2009 at 8:45 AM, Omar Droubi <xxxxxxxxxxxxxxxx> wrote:
Group Policy Slow link detection is not just about speed.
What is really going on behind the scenes- at least on XP- and I got this from MS and from the networking group sniffing some packets- in case I get it wrong- it has been about 4 years.
Anyway- there is the windows logo bitmap file- and this file is broken up into several smaller chunks and is sent/received by the GPO client to check for slow link detection- and we found that one issue that was causing this to break was that these packets were fragmented packets- and this was blocked by the network switches, firewalls and VPN device.
Once we configured the switches between the VPN device (hardware VPN) the VPN network and the production net where the DCs were hosted- we were good to go and slow link detection was working correctly and VPN users were indeed getting policies applied.
This is a big effort to make this work- but other options can include disabling slow link detection entirely or setting a post connection script that runs gpupdate /force.
Now I believe that gpupdate /force must somehow exclude slow link detection- but you may want to take a notebook PC on the VPN and run the gpupdate /force to see if that really applies the policies.
If that works- then you just need to figure out how to apply that post connection script without redeploying a custom/new VPN client to the entire company- or you can drop it to targeted users.
Hope that helps and if Darren or someone else can clarify or modify what I stated about the slow link detection- I want to know - so I can get it right.
Thanks,
Omar Droubi
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller [xxxxxxxxxxxxxxxx] Sent: Friday, October 02, 2009 8:25 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Hm... that is possible; however is a T1 considered a slow link? My bandwidth at home is 25mb up and down, but my work only has a T1.
On Fri, Oct 2, 2009 at 8:15 AM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
Most likely cause is a slow link being detected and causing the policy to not be applied. You could set the policy to apply even across slow links by adjusting the slow link detection.
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 9:41 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
I could use some additional help on this. Quick summary of where I'm at: All the above is now working. I can simply add a user to the group and they pick up the policy. Awesome. Yesterday, I created a new user, set up the user profile on a laptop making sure that all policies were applied except the restriction policy mentioned above. I then logged off the laptop and shut it down. I then placed the user into the restriction group and went home. At least an hour passed before I then turned on the laptop at home logged in as the user and then connected to the VPN. I left the laptop running for over two hours, but every 15 minutes or so I would launch Outlook and ensure the VPN was still running and check to see if the policy had been applied. It was never applied. I then thought that perhaps I had to disconnect from the VPN and reconnect for the policy to get applied. That did not work. I tried rebooting the laptop and logging back in as the user. That did not work. So, my question is, what exactly is the normal behavior for policies for remote users connecting through a VPN? How/when do they get applied?
This is really important as our CEO is insisting on this policy change and I need to have it work for everyone in the company. It works fine for the local users and users in remote offices that have DCs, but I'm concerned that remote users won't pick up the policy. Any help would be appreciated.
Thank you, Rob Miller
| | | |
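The checks discussed in the thread above (the slow link threshold under both Computer and User Configuration, verbose UserEnv logging per KB 221833, then a forced refresh), as an added PowerShell example that is not part of any poster's message. The function names are hypothetical, and the registry locations are assumptions based on Microsoft's documentation for the policy setting and the KB article, not values quoted in this thread.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Use an elevated session when passing -EnableVerboseUserEnvLog.
param(
    [switch]$EnableVerboseUserEnvLog,
    [switch]$ForceRefresh
)

# Assumption: standard Administrative Template location of the value that the
# "Group Policy slow link detection" setting writes when it is Enabled.
$PolicySubKey = 'Software\Policies\Microsoft\Windows\System'
$RateValue    = 'GroupPolicyMinTransferRate'

function Get-SlowLinkThreshold {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Computer', 'User')]
        [string]$Scope
    )

    # Computer Configuration lands in HKLM, User Configuration in HKCU.
    $hive = if ($Scope -eq 'Computer') { 'HKLM:' } else { 'HKCU:' }
    $path = "$hive\$PolicySubKey"
    $prop = Get-ItemProperty -Path $path -Name $RateValue -ErrorAction SilentlyContinue

    if ($null -eq $prop) {
        # Not configured, or set to Disabled: as noted in the thread,
        # that does not switch detection off.
        $rate  = $null
        $state = 'No policy value: the built-in default threshold applies'
    }
    else {
        # A REG_DWORD can surface as a signed Int32; reinterpret as unsigned.
        $raw   = $prop.$RateValue
        $rate  = [BitConverter]::ToUInt32([BitConverter]::GetBytes($raw), 0)
        $state = if ($rate -eq 0) {
            'Slow link detection off: every connection is treated as fast'
        }
        else {
            "Links slower than $rate Kbps are treated as slow"
        }
    }

    [pscustomobject]@{
        Scope        = $Scope
        RateKbps     = $rate
        DetectionOff = ($rate -eq 0)
        State        = $state
    }
}

function Enable-UserEnvVerboseLog {
    # KB 221833 (Windows XP / Server 2003): verbose user environment logging.
    $key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Set-ItemProperty -Path $key -Name 'UserEnvDebugLevel' -Value 0x30002 -Type DWord
    # Return the path where the log is written.
    Join-Path $env:SystemRoot 'Debug\UserMode\userenv.log'
}

# Detection runs once for the computer and once for the user, so check both.
$report = 'Computer', 'User' | ForEach-Object { Get-SlowLinkThreshold -Scope $_ }
$report | Format-Table -AutoSize

$stillOn = @($report | Where-Object { -not $_.DetectionOff })
if ($stillOn.Count -gt 0) {
    $scopes = ($stillOn | ForEach-Object { $_.Scope }) -join ', '
    Write-Warning "Slow link detection is still active for: $scopes"
}

if ($EnableVerboseUserEnvLog) {
    $log = Enable-UserEnvVerboseLog
    Write-Output "Verbose UserEnv logging enabled; review $log after the next refresh."
}

if ($ForceRefresh) {
    # Manual refresh instead of waiting out the 90-120 minute background interval.
    & gpupdate.exe /force
}
```

Run it once on the LAN and once over the VPN from the same laptop; a difference between the two reports, or between the two userenv.log files, narrows the problem to the remote link rather than the GPO itself.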
| jeromelcruz
Posts:123
 | | 12/16/2009 1:15 PM |
| Did you ever get a verbose UserEnv.log file (and UserEnv.bak file) from a remotely connecting device to look at? Can you post?
Jerry
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Monday, October 12, 2009 10:59 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Believe it or not, I am still trying to get this to work. I've been talking to Microsoft Technical support since last week and they have not been able to get it to work. Now they are telling me that it is by design that this will not work.
I am now turning back to you all in the hopes that you can give me some concrete evidence that this really does work because at this point, I'm starting to think that it is a bunch of smoke and mirrors. I find it hard to believe that Microsoft would have built the policy system to not work for remote users by design, yet that is what I am being told--either the user has to log in directly or use the Connect Using Dial-up option on the login screen, which for my users is not an option.
Any advice would be vastly appreciated. I have already turned on the policy and it is working perfectly for all my local users, but remote users are still not having it applied regardless of gpupdate /force being run or waiting for the 2 hour time period to elapse.
Oh, and regarding Jerry's comment about ICMP, remote users can ping just fine through the VPN and vice versa.
Rob Miller
On Tue, Oct 6, 2009 at 4:23 PM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
Robert-
Jerry might be right about the ICMP issue. By default, if an ICMP ping btw client and DC fails, then all GP processing will fail. You should actually see this in the Application event log, in the form of a failure event for source Userenv.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Tuesday, October 06, 2009 1:54 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
I did up until about an hour ago when I whacked the profile I was testing. I can create another one tomorrow.
I'm just using the standard VPN connection through the network properties. Nothing special there.
Ah, good to know about the range. When I do a force, I see data transfer through the pipe, but no changes are applied.
Thank you for that link. That is exactly what I was looking for. I wonder if perhaps the Outlook policy that I am using falls under that "...the rest are not..." category? It is a change to the Advanced Email Options to turn off the automatic name search functionality. It seems like it is a registry change, especially since I did find the registry key that would make the change as well, but I prefer to use a policy since it is able to be easily removed.
Thank you again for your help!
On Tue, Oct 6, 2009 at 12:44 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Do you have a verbose UserEnv log from an affected device (attempting to connect via VPN) that you can share with this community?
Does the VPN client support ICMP (for pinging the DC)? Some of them do not... (they operate much higher up the stack so, by design, they 'cannot ever' support pinging).
BTW: It is NOT (90 minutes give or take 30 minutes)... It is 90 minutes with a random 0-30 minute offset. So the 'range' is 90-120 minutes, but you can always perform a 'GPUpdate /Force' command to apply (or refresh) the settings manually. So what happens to a test device when you connect using VPN and then try the 'GPUpdate /Force' command?
Articles: There are many. Here's one: http://technet.microsoft.com/en-us/library/cc786341(WS.10).aspx
Jerry
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Tuesday, October 06, 2009 11:39 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
I really need the group's help again. I am still not getting a result with the GPO being applied via the VPN connection. I am currently on the phone with MS tech support and they are hinting at this not even being possible. Before I continue I need to clarify to make sure that we are on the same page, so here is the process:
1) User logs in using their standard user account, but are connecting to the Internet locally via their local network, i.e. home, coffee shop, etc., so they are not logging into the company network.
2) The user launches the VPN connection
3) Eventually the policy should be applied (90 minutes give or take 30 minutes). This is where the process fails.
If the user logs in directly to the network, the policy applies perfectly, so my question is, is the above process supposed to work? From all the above comments I assume that it is working for many of you already, and that the answer is yes. If so, can anyone shoot me a link to a Microsoft article that states that this should be working?
Rob
On Fri, Oct 2, 2009 at 5:29 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Robert,
To see what the GPO sub-systems are actually doing 'under the hood' so to speak, activate verbose policy processing (for all OS'es prior to Windows Vista) and look at the userenv.log file. There you will see exactly how the system is behaving 'speed-wise' (no matter what the configured settings are) and you'll see whether or not the GPOs are really being applied or not.
221833 How to enable user environment debug logging in retail builds of Windows
http://support.microsoft.com/kb/221833
Then, you'll find the following to be 'excellent' tutorials (Mark Ramey - MS Directory Services Team) on how to read that file:
Understanding How to Read a Userenv Log - Part 1
http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx
Understanding How to Read a Userenv Log - Part 2
http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-2.aspx
As well, I'd also highly recommend:
Interpreting Userenv Log Files (Error and Return Codes noted in UserEnv are listed here!!!!) http://technet.microsoft.com/en-us/library/cc786775.aspx
Jerry Cruz | Group Policies Product Manager | Windows Infrastructure Architecture | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Friday, October 02, 2009 12:25 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
That suggests, "it wouldn't hurt if you did, and is a good idea." Thanks for the heads up. I will disable both.
On Fri, Oct 2, 2009 at 12:02 PM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
You don't have to, but if you want reliable behavior over slow links, it's not a bad idea. However, your call. If you only care about user policy, then disable it under User Configuration.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Friday, October 02, 2009 11:43 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Do I have to do it under both even if the policy is for User only?
On Fri, Oct 2, 2009 at 11:16 AM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
Keep in mind that you have to disable this under both Computer Configuration and User Configuration - as SLD occurs for both computer and user.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Omar Droubi
Sent: Friday, October 02, 2009 10:05 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Group Policy not applying to group
Kevin is correct.
To actually disable slow link detection- you enable the policy setting and set the rate to "0"
If you disable the setting - nothing changes.
Thanks, Kevin, for the correction.
Omar
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Wornell, Kevin (Dallas) [xxxxxxxxxxxxxxxx]
Sent: Friday, October 02, 2009 9:37 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Group Policy not applying to group
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Friday, October 02, 2009 10:53 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Let's assume that it is slow link detection, I wouldn't be surprised as our hardware is getting up there in years. How do I configure the policy? I've never dealt with slow link detection in the past, but honestly, I'm starting to wonder if this has been the cause of other issues we've had over the years.
So, I need to know if I am turning slow link detection on/off/or some other adjustment, and more importantly where I would find it. I've been searching through the GPO Management console and I haven't found it yet.
Thank you for the clarification Omar. Every little bit helps.
On Fri, Oct 2, 2009 at 8:45 AM, Omar Droubi <xxxxxxxxxxxxxxxx> wrote:
Group Policy Slow link detection is not just about speed.
What is really going on behind the scenes- at least on XP- and I got this from MS and from the networking group sniffing some packets- in case I get it wrong- it has been about 4 years.
Anyway- there is the Windows logo bitmap file- and this file is broken up into several smaller chunks and is sent/received by the GPO client to check for slow link detection- and we found that one issue that was causing this to break was that these packets were fragmented packets- and this was blocked by the network switches, firewalls and VPN device.
Once we configured the switches between the VPN device (hardware VPN), the VPN network and the production net where the DCs were hosted- we were good to go and slow link detection was working correctly and VPN users were indeed getting policies applied.
This is a big effort to make this work- but other options can include disabling slow link detection entirely or setting a post connection script that runs gpupdate /force.
Now I believe that gpupdate /force must somehow exclude slow link detection- but you may want to take a notebook PC on the VPN and run the gpupdate /force to see if that really applies the policies.
If that works- then you just need to figure out how to apply that post connection script without redeploying a custom/new VPN client to the entire company- or you can drop it to targeted users.
Hope that helps, and if Darren or someone else can clarify or modify what I stated about the slow link detection- I want to know- so I can get it right.
Thanks,
Omar Droubi
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller [xxxxxxxxxxxxxxxx]
Sent: Friday, October 02, 2009 8:25 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Hm... that is possible; however is a T1 considered a slow link? My bandwidth at home is 25mb up and down, but my work only has a T1.
On Fri, Oct 2, 2009 at 8:15 AM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
Most likely cause is a slow link being detected and causing the policy to not be applied. You could set the policy to apply even across slow links by adjusting the slow link detection.
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Friday, October 02, 2009 9:41 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
I could use some additional help on this. Quick summary of where I'm at: All the above is now working. I can simply add a user to the group and they pick up the policy. Awesome.
Yesterday, I created a new user, set up the user profile on a laptop making sure that all policies were applied except the restriction policy mentioned above. I then logged off the laptop and shut it down. I then placed the user into the restriction group and went home. At least an hour passed before I then turned on the laptop at home logged in as the user and then connected to the VPN. I left the laptop running for over two hours, but every 15 minutes or so I would launch Outlook and ensure the VPN was still running and check to see if the policy had been applied. It was never applied. I then thought that perhaps I had to disconnect from the VPN and reconnect for the policy to get applied. That did not work. I tried rebooting the laptop and logging back in as the user. That did not work.
So, my question is, what exactly is the normal behavior for policies for remote users connecting through a VPN? How/when do they get applied?
This is really important as our CEO is insisting on this policy change and I need to have it work for everyone in the company. It works fine for the local users and users in remote offices that have DCs, but I'm concerned that remote users won't pick up the policy. Any help would be appreciated.
Thank you, Rob Miller
On Wed, Sep 30, 2009 at 3:10 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Yep, 2 hours, give or take. Or as Jerry mentioned, if they initiate the VPN connection before they logon (pre-GINA) they'll process user policy as if they were connected to the LAN (taking into account that some CSEs won't process over a slow link, of course) and they'll get the settings immediately upon logon.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 4:53 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
These are all Windows XP machines. The policy is the same one I mentioned above. It makes a change to the Advanced Email Settings in Outlook. These changes are via the Office 2003 admin template, and as far as I'm aware make registry setting changes. So based on what you've said it sounds like they will get the changes after 2 hours of being connected. Am I understanding that correctly?
On Wed, Sep 30, 2009 at 2:28 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Robert,
As long as the policy is 'security' or 'registry' based, your VPN user's devices should pick it up after connecting and after being logged onto your network for at least two hours for legacy operating systems (Windows XP and earlier) and faster for Vista and greater operating systems (since they 'detect' a network change state and then would initiate an update based upon that).
If the policy uses other GPO sub-systems, then it'll depend upon that other system. For example: If the GPO pushes a User Logon script, unless the users connect pre-GINA, the scripts will not process (this is for commands that do not exist on the local device - what I mean is that you could have a script that launches "Calc.exe" and it'd work whether they were on the LAN or not, but if, as usual, you execute something on the domain...the GPO system would still attempt to launch it, but won't be able to 'get' there - you'll see this attempt recorded in the Application event log on older systems and in the Group Policy Event log on Vista/Windows 7 systems...).
Jerry Cruz | Group Policies Product Manager | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 2:02 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
That was it! I need to apply it to the OU that contained all the users and not to the OU that contained the groups. Also, thank you for the extremely important tip of removing the Authenticated Users. I am up and running just fine now. However, I now have another big question that I'm positive someone will be able to help me with.
We have several dozen remote users who only connected to the network via VPN connections. Is there a way to have them pick up this policy the next time they connect? Is that even possible, or do they have to connect via dial up or something?
Again thank you very much for your help!
On Wed, Sep 30, 2009 at 1:29 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Okay, maybe I read your original post wrong, but you said you applied the GPO to the OU containing the group. The GPO has to be applied to an OU that contains all of the user accounts in the group, not just the group itself.
Not to mention that you'll also want to remove the Authenticated Users group from Security Filtering so the GPO only applies to the users in your group. Otherwise it will get applied to every object in that OU and every OU underneath it.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 3:17 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Here is what the result is from the modeling wizard. As you can see it is being applied to the OU and the group. I don't understand why the user isn't getting it. I do not have any WMI filters configured, nor are there any blocks to inheritance in place for this user.
I'm wondering if perhaps a WMI filter may be a better way to go rather than a group and an OU. The GPO will be applied to our entire organization to start with, but users will be removed from the policy over time. I personally have never tried using WMI filters, so if you experts think that is a better option for me, can you also point me to a site that explains how they work?
Thank you again.
On Wed, Sep 30, 2009 at 12:55 PM, Robert Miller <xxxxxxxxxxxxxxxx> wrote:
Yes, the group is in the aforementioned OU with the policy applied to the OU.
I do not know what Rsop is.
The policy is for a user account not a computer. The GPO applied just fine to the user as mentioned, when the user was in the OU and not in the group.
On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx> wrote:
Does that group reside in an OU within that Container?
Run Rsop on that group and computer
Also, run gpresult on a PC to see if it's even getting the GPO ...
Regards,
Mike Dzikowski
WinTel Engineer
Henry Ford Health System | OneIT
2571 Product Drive | Rochester Hills, MI 48309
xxxxxxxxxxxxxxxx
248.853.4891
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 3:42 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
This is what I have in there currently.
On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
What do you have for the Security Filtering on the Policy? Is there anything on the filter that would resolve to the User?
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 2:14 PM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] Group Policy not applying to group
Hello,
Is it possible to apply a group policy to a user via a group in an OU?
I need to apply an Outlook 2003 policy to some users in my Windows 2003 domain. Because users will likely be shifted in and out of this policy's requirement I have to use a group to manage the users. What I've done is created a group that will have the restriction user policy applied to it. I've added the users to this group, and placed the group in an OU and applied the GP to it.
When I run the simulation wizard, it shows the OU as having the policy applied, but when I run it for the user in the group it is not being applied.
I am able to have the policy apply with no problems if I place the user in the OU directly, so I am wondering if this is even possible.
Thank you in advance for any insights and help.
Rob Miller
==============================================================================
CONFIDENTIALITY NOTICE: This email contains information from the sender that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise protected from disclosure. This email is intended for use only by the person or entity to whom it is addressed. If you are not the intended recipient, any use, disclosure, copying, distribution, printing, or any action taken in reliance on the contents of this email, is strictly prohibited. If you received this email in error, please contact the sending party by reply email, delete the email from your computer system and shred any paper copies.
==============================================================================
| | | |
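The client-side state behind the advice in the thread above (slow link detection enabled with a rate of 0 under both Computer and User Configuration, and verbose UserEnv logging per KB221833) can be checked on the test laptop. The following PowerShell is an added example, not part of any poster's message; the registry value names GroupPolicyMinTransferRate and UserEnvDebugLevel and the log path are not given in the thread and are stated here as assumptions about a pre-Vista client.

```powershell
# Added example (not from the thread): read-only check of the client-side
# settings the thread discusses. Run it on the affected client while logged on
# as the affected user, so that HKCU is that user's hive. Nothing is modified.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns the value, or $null when the key or the value is absent.
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null
    }
}

function Get-SlowLinkState {
    param([ValidateSet('HKLM:', 'HKCU:')][string]$Hive)
    # Assumption: GroupPolicyMinTransferRate under the policy key backs the
    # "Group Policy slow link detection" setting (HKLM = computer, HKCU = user).
    $path = "${Hive}\Software\Policies\Microsoft\Windows\System"
    $rate = Get-RegistryDword -Path $path -Name 'GroupPolicyMinTransferRate'
    if ($null -eq $rate) {
        # Matches the correction in the thread: disabling the setting changes nothing.
        return 'value absent (not configured or disabled): default 500 Kbps threshold applies'
    }
    if ($rate -eq 0) {
        return 'enabled with rate 0: slow link detection is off, all links count as fast'
    }
    return "enabled with threshold $rate Kbps: anything slower counts as a slow link"
}

function Get-UserEnvLoggingState {
    # Assumption: UserEnvDebugLevel is a bit mask where 0x2 = verbose and
    # 0x10000 = write to the log file, so 0x10002 (or 0x30002) means verbose logging.
    $key   = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $level = Get-RegistryDword -Path $key -Name 'UserEnvDebugLevel'
    $log   = Join-Path $env:SystemRoot 'Debug\UserMode\userenv.log'

    $levelText = 'not set'
    $verbose   = $false
    if ($null -ne $level) {
        $levelText = '0x{0:X}' -f $level
        $verbose   = (($level -band 0x10002) -eq 0x10002)
    }

    $logText = 'log file not found'
    if (Test-Path $log) {
        $file    = Get-Item $log
        $logText = '{0} ({1} bytes, last written {2})' -f $file.FullName, $file.Length, $file.LastWriteTime
    }

    return New-Object PSObject -Property @{
        DebugLevel     = $levelText
        VerboseLogging = $verbose
        LogFile        = $logText
    }
}

$logging = Get-UserEnvLoggingState
$report = New-Object PSObject -Property @{
    ComputerSlowLink = Get-SlowLinkState -Hive 'HKLM:'
    UserSlowLink     = Get-SlowLinkState -Hive 'HKCU:'
    UserEnvDebug     = $logging.DebugLevel
    VerboseLogging   = $logging.VerboseLogging
    UserEnvLog       = $logging.LogFile
}
$report | Format-List
```

If either slow link line reports the value as absent after the GPO was supposed to apply, the setting never reached that half of the policy, which is the computer/user distinction raised in the thread.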
| RPMiller
Posts:34
 | | 12/16/2009 1:15 PM |
| Sure did. I had to send them to Microsoft as well. I actually have two of them. One contains the information for a remote user that runs gpupdate /force and waits for the two hours to elapse. The second is for a user that logs in directly to the network and the policy applies correctly.
I've attached them.
Hope this helps, and thank you again.
Rob
PS Had to resend. Due to file size constraints I had to zip them.
On Mon, Oct 12, 2009 at 11:03 AM, Cruz, Jerome L <xxxxxxxxxxxxxxxx>wrote:
> Did you ever get a verbose UserEnv.log file (and UserEnv.bak file)from a > remotely connecting device to look at? Can you post? > > > > *Jerry * > > > > *From:* xxxxxxxxxxxxxxxx [mailto: > xxxxxxxxxxxxxxxx] *On Behalf Of *Robert Miller > *Sent:* Monday, October 12, 2009 10:59 AM > > *To:* xxxxxxxxxxxxxxxx > *Subject:* Re: [gptalk] Group Policy not applying to group > > > > Believe it or not, I am still trying to get this to work. I've been talking > to Microsoft Technical support since last week and they have not been able > to get it to work. Now they are telling me that it is by design that this > will not work. > > I am now turning back to you all in the hopes that you can give me some > concrete evidence that this really does work because at this point, I'm > starting to think that it is a bunch of smoke and mirrors. I find it hard to > believe that Microsoft would have built the policy system to not work for > remote users by design, yet that is what I am being told--either the user > has to log in directly or use the Connect Using Dial-up option on the login > screen, which for my users is not an option. > > Any advice would be vastly appreciated. I have already turned on the policy > and it is working perfectly for all my local users, but remote users are > still not having it applied regardless of gpupdate /force being run or > waiting for the 2 hour time period to elapse. > > Oh, and regarding Jerry's comment about ICMP, remote users can ping just > fine through the VPN and visa versa. > > Rob Miller > > On Tue, Oct 6, 2009 at 4:23 PM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> > wrote: > > Robert- > > Jerry might be right about the ICMP issue. By default, if an ICMP ping btw > client and DC fails, then all GP processing will fail. You should actually > see this in the Application event log, in the form of a failure event for > source Userenv. 
> > > > Darren > > > > *From:* xxxxxxxxxxxxxxxx [mailto: > xxxxxxxxxxxxxxxx] *On Behalf Of *Robert Miller > *Sent:* Tuesday, October 06, 2009 1:54 PM > > > *To:* xxxxxxxxxxxxxxxx > *Subject:* Re: [gptalk] Group Policy not applying to group > > > > I did up until about an hour ago when I whacked the profile I was testing. > I can create another one tomorrow. > > I'm just using the standard VPN connection through the network properties. > Nothing special there. > > Ah, good to know about the range. When I do a force, I see data transfer > through the pipe, but no changes are applied. > > Thank you for that link. That is exactly what I was looking for. I wonder > if perhaps the Outlook policy that I am using falls under that "...the rest > are not..." category? It is a change to the Advanced Email Options to turn > off the automatic name search functionality. It seems like it is a registry > change, especially since I did find the registry key that would make the > change as well, but I prefer to use a policy since it is able to be easily > removed. > > Thank you again for your help! > > On Tue, Oct 6, 2009 at 12:44 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> > wrote: > > Do you have a verbose UserEnv log from an affected device (attempting to > connect via VPN) that you can share with this community? > > > > Does the VPN client support ICMP (for pinging the Dc)? Some of them do not… > (they operate much higher up the stack so, by design, they ‘cannot ever’ > support pinging). > > > > BTW: It is NOT (90 minutes give *or take* 30 minutes)… It is 90 minutes > with a random 0-30 minute offset. So the ‘range’ is 90-120 minutes, but you > can always perform a ‘GPUpdate /Force’ command to apply (or refresh) the > settings manually. So what happens to a test device when you connect using > VPN and then try the ‘GPUpdate /Force’ command? > > > > Articles: There are many. 
Here’s one: > http://technet.microsoft.com/en-us/library/cc786341(WS.10).aspx<http://technet.microsoft.com/en-us/library/cc786341%28WS.10%29.aspx> > > * * > > *Jerry* > > > > *From:* xxxxxxxxxxxxxxxx [mailto: > xxxxxxxxxxxxxxxx] *On Behalf Of *Robert Miller > *Sent:* Tuesday, October 06, 2009 11:39 AM > > > *To:* xxxxxxxxxxxxxxxx > *Subject:* Re: [gptalk] Group Policy not applying to group > > > > I really need the groups help again. I am still not getting a result with > the GPO being applied via the VPN connection. I am currently on the phone > with MS tech support and they are hinting at this not even being possible. > Before I continue I need to clarify to make sure that we are on the same > page, so here is the process: > > 1) User logs in using their standard user account, but are connecting to > the Internet locally via their local network, i.e. home, coffee shop, etc., > so they are not logging into the company network. > 2) The user launches the VPN connection > 3) Eventually the policy should be applied (90 minutes give or take 30 > minutes). This is where the process fails. > > If the user logs in directly to the network, the policy applies perfectly, > so my question is, is the above process supposed to work? From all the above > comments I assume that it is working for many of you already, and that the > answer is yes. If so, can anyone shoot me a link to a Microsoft article that > states that this should be working? > > Rob > > On Fri, Oct 2, 2009 at 5:29 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> > wrote: > > Robert, > > > > To see what the GPO sub-systems are actually doing ‘under the hood’ so to > speak, activate verbose policy processing (for all OS’es prior to Windows > Vista) and look at the userenv.log file. There you will see exactly how the > system is behaving ‘speed-wise’ (no matter what the configured settings are) > and you’ll see whether or not the GPOs are really being applied or not. 
> > > > *221833 How to enable user environment debug logging in retail builds of > Windows* > > http://support.microsoft.com/kb/221833 > > > > Then, you’ll find the following to be ‘excellent’ tutorials (Mark Ramey – > MS Directory Services Team) on how to read that file: > > > > *Understanding How to Read a Userenv Log – Part 1* > > > http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx > > > > *Understanding How to Read a Userenv Log – Part 2* > > > http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-2.aspx > > > > As well, I’d also highly recommend: > > *Interpreting Userenv Log Files **(Error and Return Codes noted in UserEnv > are listed here!!!!)* > http://technet.microsoft.com/en-us/library/cc786775.aspx > > > > *Jerry Cruz* | Group Policies Product Manager | Windows Infrastructure > Architecture | IT Infrastructure | Boeing IT > > > > *From:* xxxxxxxxxxxxxxxx [mailto: > xxxxxxxxxxxxxxxx] *On Behalf Of *Robert Miller > *Sent:* Friday, October 02, 2009 12:25 PM > > > *To:* xxxxxxxxxxxxxxxx > *Subject:* Re: [gptalk] Group Policy not applying to group > > > > That suggests, "it wouldn't hurt if you did, and is a good idea." Thanks > for the heads up. I will disable both. > > On Fri, Oct 2, 2009 at 12:02 PM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> > wrote: > > You don’t have to, but if you want reliable behavior over slow links, its > not a bad idea. However, your call. If you only care about user policy, then > disable it under User Configuration. > > > > Darren > > > > *From:* xxxxxxxxxxxxxxxx [mailto: > xxxxxxxxxxxxxxxx] *On Behalf Of *Robert Miller > *Sent:* Friday, October 02, 2009 11:43 AM > > > *To:* xxxxxxxxxxxxxxxx > *Subject:* Re: [gptalk] Group Policy not applying to group > > > > Do I have to do it under both even if the policy is for User only? 
>
> On Fri, Oct 2, 2009 at 11:16 AM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
>
> Keep in mind that you have to disable this under both Computer Configuration and User Configuration—as SLD occurs for both computer and user.
>
> Darren
>
> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Omar Droubi
> *Sent:* Friday, October 02, 2009 10:05 AM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* RE: [gptalk] Group Policy not applying to group
>
> Kevin is correct.
>
> To actually disable slow link detection- you enable the policy setting and set the rate to "0"
>
> If you disable the setting - nothing changes.
>
> thanks Kevin for the correction.
>
> Omar
> ------------------------------
>
> *From:* xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Wornell, Kevin (Dallas) [xxxxxxxxxxxxxxxx]
> *Sent:* Friday, October 02, 2009 9:37 AM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* RE: [gptalk] Group Policy not applying to group
>
> *To configure slow link detection*
>
> 1. Open the policy setting Group Policy slow link detection, located in *Computer Configuration\Administrative Templates\System\Group Policy processing*
>
> 2. In *Connection speed*, type a decimal number between *0* and *4,294,967,200* (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter *0* (all connections will be considered to be fast).
>
> *Kevin*
>
> *Kevin Wornell*
> *Office Technology Group*
>
> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Robert Miller
> *Sent:* Friday, October 02, 2009 10:53 AM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* Re: [gptalk] Group Policy not applying to group
>
> Let's assume that it is slow link detection, I wouldn't be surprised as our hardware is getting up there in years. How do I configure the policy? I've never dealt with slow link detection in the past, but honestly, I'm starting to wonder if this has been the cause of other issues we've had over the years.
>
> So, I need to know if I am turning slow link detection on/off/or some other adjustment, and more importantly where I would find it. I've been searching through the GPO Management console and I haven't found it yet.
>
> Thank you for the clarification Omar. Every little bit helps.
>
> On Fri, Oct 2, 2009 at 8:45 AM, Omar Droubi <xxxxxxxxxxxxxxxx> wrote:
>
> Group Policy Slow link detection is not just about speed.
>
> What is really going on behind the scenes- at least on XP- and I got this from MS and from the networking group sniffing some packets- in case I get it wrong- it has been about 4 years.
>
> Anyway- there is the windows logo bitmap file- and this file is broken up into several smaller chunks and is sent/received by the GPO client to check for slow link detection- and we found that one issue that was causing this to break was that these packets were fragmented packets- and this was blocked by the network switches, firewalls and vpn device.
>
> Once we configured the switches between the VPN device(hardware VPN) the VPN network and the production net where the DCs were hosted- we were good to go and slow link detection was working correctly and VPN users were indeed getting policies applied.
>
> This is a big effort to make this work- but other options can include disabling slow link detection entirely or setting a post connection script that runs gpupdate /force.
>
> Now I believe that gpupdate /force must somehow exclude slow link detection- but you may want to take a notebook pc on the VPN and run the Gpupdate /force to see if that really applies the policies.
>
> If that works- then you just need to figure out how to apply that post connection script without redeploying a custom/new VPN client to the entire company- or you can drop it to targeted users.
>
> Hope that helps and if Darren or someone else can clarify or modify what I stated about the slow link detection- I want to know-so I can get it right.
>
> Thanks,
>
> Omar Droubi
> ------------------------------
>
> *From:* xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller [xxxxxxxxxxxxxxxx]
> *Sent:* Friday, October 02, 2009 8:25 AM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* Re: [gptalk] Group Policy not applying to group
>
> Hm... that is possible; however is a T1 considered a slow link? My bandwidth at home is 25mb up and down, but my work only has a T1.
>
> On Fri, Oct 2, 2009 at 8:15 AM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
>
> Most likely cause is a slow link being detected and causing the policy to not be applied. You could set the policy to apply even across slow links by adjusting the slow link detection
>
> *To configure slow link detection*
>
> 1. Open the policy setting Group Policy slow link detection, located in *Computer Configuration\Administrative Templates\System\Group Policy processing*
>
> 2. In *Connection speed*, type a decimal number between *0* and *4,294,967,200* (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter *0* (all connections will be considered to be fast).
>
> *Kevin*
>
> *Kevin Wornell*
> *Office Technology Group*
>
> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Robert Miller
> *Sent:* Friday, October 02, 2009 9:41 AM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* Re: [gptalk] Group Policy not applying to group
>
> I could use some additional help on this. Quick summary of where I'm at: All the above is now working. I can simply add a user to the group and they pick up the policy. Awesome. Yesterday, I created a new user, set up the user profile on a laptop making sure that all policies were applied *except* the restriction policy mentioned above. I then logged off the laptop and shut it down. I then placed the user into the restriction group and went home. At least an hour passed before I then turned on the laptop at home logged in as the user and then connected to the VPN. I left the laptop running for over two hours, but every 15 minutes or so I would launch Outlook and ensure the VPN was still running and check to see if the policy had been applied. *It was never applied*. I then thought that perhaps I had to disconnect from the VPN and reconnect for the policy to get applied. That did not work. I tried rebooting the laptop and logging back in as the user. That did not work. So, my question is, what exactly is the normal behavior for policies for remote users connecting through a VPN? How/when do they get applied?
>
> This is really important as our CEO is insisting on this policy change and I need to have it work for everyone in the company. It works fine for the local users and users in remote offices that have DCs, but I'm concerned that remote users won't pick up the policy. Any help would be appreciated.
>
> Thank you,
> Rob Miller
>
> On Wed, Sep 30, 2009 at 3:10 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
>
> Yep, 2 hours, give or take. Or as Jerry mentioned, if they initiate the VPN connection before they logon (pre-GINA) they’ll process user policy as if they were connected to the LAN (taking into account that some CSEs won’t process over a slow link, of course) and they’ll get the settings immediately upon logon.
>
> *Jamie Nelson* | Sr. Administrator | BI&T Infrastructure-Intel | *Devon Energy Corporation* | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
>
> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Robert Miller
> *Sent:* Wednesday, September 30, 2009 4:53 PM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* Re: [gptalk] Group Policy not applying to group
>
> These are all Windows XP machines. The policy is the same one I mentioned above. It makes a change to the Advanced Email Settings in Outlook. These changes are via the Office 2003 admin template, and as far as I'm aware make registry setting changes. So based on what you've said it sounds like they will get the changes after 2 hours of being connected. Am I understanding that correctly?
>
> On Wed, Sep 30, 2009 at 2:28 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
>
> Robert,
>
> As long as the policy is ‘security’ or ‘registry’ based, your VPN user’s devices should pick it up after connecting and after being logged onto your network for at least two hours for legacy operating systems (Windows XP and earlier) and faster for Vista and greater operating systems (since they ‘detect’ a network change state and then would initiate an update based upon that).
>
> If the policy uses other GPO sub-systems, then it’ll depend upon that other system. For example: If the GPO pushes a User Logon script, unless the users connect pre-GINA, the scripts will not process (this is for commands that do not exist on the local device—what I mean is that you could have a script that launches “Calc.exe” and it’d work whether they were on the LAN or not, but if, as usual, you execute something on the domain…the GPO system would still attempt to launch it, but won’t be able to ‘get’ there—you’ll see this attempt recorded in the Application event log on older systems and in the Group Policy Event log on Vista/Windows 7 systems…).
>
> *Jerry Cruz* | Group Policies Product Manager | IT Infrastructure | Boeing IT
>
> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Robert Miller
> *Sent:* Wednesday, September 30, 2009 2:02 PM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* Re: [gptalk] Group Policy not applying to group
>
> That was it! I need to apply it to the OU that contained all the users and not to the OU that contained the groups. Also, thank you for the extremely important tip of removing the Authenticated Users. I am up and running just fine now. However, I now have another big question that I'm positive someone will be able to help me with.
>
> We have several dozen remote users who only connected to the network via VPN connections. Is there a way to have them pick up this policy the next time they connect? Is that even possible, or do they have to connect via dial up or something?
>
> Again thank you very much for your help!
>
> On Wed, Sep 30, 2009 at 1:29 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
>
> Okay, maybe I read your original post wrong, but you said you applied the GPO to the OU containing the group. The GPO has to be applied to an OU that contains all of the user accounts in the group, not just the group itself.
>
> Not to mention that you’ll also want to remove the Authenticated Users group from Security Filtering so the GPO *only* applies to the users in your group. Otherwise it will get applied to every object in that OU and every OU underneath it.
>
> *Jamie Nelson* | Sr. Administrator | BI&T Infrastructure-Intel | *Devon Energy Corporation* | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
>
> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Robert Miller
> *Sent:* Wednesday, September 30, 2009 3:17 PM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* Re: [gptalk] Group Policy not applying to group
>
> Here is what the result is from the modeling wizard. As you can see it is being applied to the OU and the group. I don't understand why the user isn't getting it. I do not have any WMI filters configured, nor are there any blocks to inheritance in place for this user.
>
> I'm wondering if perhaps a WMI filter may be a better way to go rather than a group and an OU. The GPO will be applied to our entire organization to start with, but users will be removed from the policy over time. I personally have never tried using WMI filters, so if you experts think that is a better option for me, can you also point me to a site that explains how they work?
>
> Thank you again.
>
> On Wed, Sep 30, 2009 at 12:55 PM, Robert Miller <xxxxxxxxxxxxxxxx> wrote:
>
> Yes, the group is in the aforementioned OU with the policy applied to the OU.
>
> I do not know what Rsop is.
>
> The policy is for a user account not a computer. The GPO applied just fine to the user as mentioned, when the user was in the OU and not in the group.
>
> On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx> wrote:
>
> Does that group reside in an OU within that Container?
>
> Run Rsop on that group and computer
>
> Also, run gpresult on a PC to see if it’s even getting the GPO …
>
> Regards,
>
> *Mike Dzikowski*
> *WinTel Engineer*
> *Henry Ford Health System | OneIT*
> *2571 Product Drive | Rochester Hills, MI 48309*
> *xxxxxxxxxxxxxxxx*
> *248.853.4891*
>
> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Robert Miller
> *Sent:* Wednesday, September 30, 2009 3:42 PM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* Re: [gptalk] Group Policy not applying to group
>
> This is what I have in there currently.
>
> On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
>
> What do you have for the Security Filtering on the Policy? Is there anything on the filter that would resolve to the User?
>
> *Kevin*
>
> *Kevin Wornell*
> *Office Technology Group*
>
> *From:* xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] *On Behalf Of* Robert Miller
> *Sent:* Wednesday, September 30, 2009 2:14 PM
> *To:* xxxxxxxxxxxxxxxx
> *Subject:* [gptalk] Group Policy not applying to group
>
> Hello,
>
> Is it possible to apply a group policy to a user via a group in an OU?
>
> I need to apply an Outlook 2003 policy to some users in my Windows 2003 domain. Because users will likely be shifted in and out of this policy's requirement I have to use a group to manage the users. What I've done is created a group that will have the restriction user policy applied to it. I've added the users to this group, and placed the group in an OU and applied the GP to it.
>
> When I run the simulation wizard, it shows the OU as having the policy applied, but when I run it for the user in the group it is not being applied.
>
> I am able to have the policy apply with no problems if I place the user in the OU directly, so I am wondering if this is even possible.
>
> Thank you in advance for any insights and help.
>
> Rob Miller
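The checks raised in this thread (slow link detection configured under both Computer and User Configuration, ICMP reachability of the DC over the VPN, fragmented packets being dropped, verbose Userenv logging) can be collected into one read-only PowerShell triage, shown here as an added example that is not from any poster. The registry value names are taken from Microsoft KB 910206 and KB 221833 rather than from the thread text, and the DC name and the 2048-byte probe size are assumptions.

```powershell
# Added example: read-only triage on a VPN-connected client.
# Registry value names come from Microsoft KB 910206 and KB 221833, not from
# the thread text. The DC name and the 2048-byte probe size are assumptions.

function Get-SlowLinkSetting {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    # HKLM holds the Computer Configuration value, HKCU the User Configuration
    # value; slow link detection runs for both, so both are read.
    $path = "${Hive}:\Software\Policies\Microsoft\Windows\System"
    $item = Get-ItemProperty -Path $path -Name GroupPolicyMinTransferRate -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'Not configured or disabled: default threshold still applies'
    }
    $rate = $item.GroupPolicyMinTransferRate
    if ($rate -eq 0) {
        return 'Enabled with rate 0: detection off, every link treated as fast'
    }
    return "Enabled: links slower than $rate Kbps are treated as slow"
}

function Test-DcPing {
    param([string]$DomainController, [int]$BufferSize)
    # -Quiet returns $true if any echo request is answered, $false otherwise.
    return [bool](Test-Connection -ComputerName $DomainController -BufferSize $BufferSize -Count 2 -Quiet)
}

function Get-GpVpnTriage {
    param([Parameter(Mandatory = $true)][string]$DomainController)

    $smallOk = Test-DcPing -DomainController $DomainController -BufferSize 32
    # 2048 bytes exceeds a 1500-byte MTU, so this echo has to be fragmented.
    $largeOk = Test-DcPing -DomainController $DomainController -BufferSize 2048

    if (-not $smallOk) {
        $icmp = 'ICMP to the DC fails: the VPN client or path does not pass ping'
    } elseif (-not $largeOk) {
        $icmp = 'Small pings pass, large pings fail: fragmented packets are probably dropped on the path'
    } else {
        $icmp = 'ICMP, including fragmented packets, reaches the DC'
    }

    # KB 221833: UserEnvDebugLevel 0x30002 turns on verbose logging to
    # %SystemRoot%\Debug\UserMode\Userenv.log (systems before Windows Vista).
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $dbg = Get-ItemProperty -Path $winlogon -Name UserEnvDebugLevel -ErrorAction SilentlyContinue
    $verbose = ($null -ne $dbg) -and (($dbg.UserEnvDebugLevel -band 0x10002) -eq 0x10002)

    New-Object PSObject -Property @{
        DomainController  = $DomainController
        ComputerSlowLink  = Get-SlowLinkSetting -Hive HKLM
        UserSlowLink      = Get-SlowLinkSetting -Hive HKCU
        IcmpFinding       = $icmp
        VerboseUserenvLog = $verbose
    }
}

# Usage (placeholder DC name):
# Get-GpVpnTriage -DomainController 'dc01.example.com' | Format-List
```

Run it while the VPN is connected, then compare the result with what `gpupdate /force` and the Userenv entries in the Application event log report on the same machine.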
| | | |
| Wornell1
Posts:21
 | | 12/16/2009 1:15 PM |
| Darren,
I thought that if the ping failed no 'new' settings or changes in settings would be applied but all existing settings would still be applied. Is this not correct?
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Tuesday, October 06, 2009 6:23 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Group Policy not applying to group
Robert- Jerry might be right about the ICMP issue. By default, if an ICMP ping btw client and DC fails, then all GP processing will fail. You should actually see this in the Application event log, in the form of a failure event for source Userenv.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Tuesday, October 06, 2009 1:54 PM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
I did up until about an hour ago when I whacked the profile I was testing. I can create another one tomorrow.
I'm just using the standard VPN connection through the network properties. Nothing special there.
Ah, good to know about the range. When I do a force, I see data transfer through the pipe, but no changes are applied.
Thank you for that link. That is exactly what I was looking for. I wonder if perhaps the Outlook policy that I am using falls under that "...the rest are not..." category? It is a change to the Advanced Email Options to turn off the automatic name search functionality. It seems like it is a registry change, especially since I did find the registry key that would make the change as well, but I prefer to use a policy since it is able to be easily removed.
Thank you again for your help!
On Tue, Oct 6, 2009 at 12:44 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Do you have a verbose UserEnv log from an affected device (attempting to connect via VPN) that you can share with this community?
Does the VPN client support ICMP (for pinging the DC)? Some of them do not... (they operate much higher up the stack so, by design, they 'cannot ever' support pinging).
BTW: It is NOT (90 minutes give or take 30 minutes)... It is 90 minutes with a random 0-30 minute offset. So the 'range' is 90-120 minutes, but you can always perform a 'GPUpdate /Force' command to apply (or refresh) the settings manually. So what happens to a test device when you connect using VPN and then try the 'GPUpdate /Force' command?
Articles: There are many. Here's one: http://technet.microsoft.com/en-us/library/cc786341(WS.10).aspx
Jerry
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Tuesday, October 06, 2009 11:39 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
I really need the group's help again. I am still not getting a result with the GPO being applied via the VPN connection. I am currently on the phone with MS tech support and they are hinting at this not even being possible. Before I continue I need to clarify to make sure that we are on the same page, so here is the process:
1) User logs in using their standard user account, but are connecting to the Internet locally via their local network, i.e. home, coffee shop, etc., so they are not logging into the company network.
2) The user launches the VPN connection
3) Eventually the policy should be applied (90 minutes give or take 30 minutes). This is where the process fails.
If the user logs in directly to the network, the policy applies perfectly, so my question is, is the above process supposed to work? From all the above comments I assume that it is working for many of you already, and that the answer is yes. If so, can anyone shoot me a link to a Microsoft article that states that this should be working?
Rob
On Fri, Oct 2, 2009 at 5:29 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Robert,
To see what the GPO sub-systems are actually doing 'under the hood' so to speak, activate verbose policy processing (for all OS'es prior to Windows Vista) and look at the userenv.log file. There you will see exactly how the system is behaving 'speed-wise' (no matter what the configured settings are) and you'll see whether or not the GPOs are really being applied or not.
221833 How to enable user environment debug logging in retail builds of Windows
http://support.microsoft.com/kb/221833
Then, you'll find the following to be 'excellent' tutorials (Mark Ramey - MS Directory Services Team) on how to read that file:
Understanding How to Read a Userenv Log - Part 1
http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx
Understanding How to Read a Userenv Log - Part 2
http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-2.aspx
As well, I'd also highly recommend:
Interpreting Userenv Log Files (Error and Return Codes noted in UserEnv are listed here!!!!) http://technet.microsoft.com/en-us/library/cc786775.aspx
Jerry Cruz | Group Policies Product Manager | Windows Infrastructure Architecture | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 12:25 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
That suggests, "it wouldn't hurt if you did, and is a good idea." Thanks for the heads up. I will disable both.
On Fri, Oct 2, 2009 at 12:02 PM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
You don't have to, but if you want reliable behavior over slow links, it's not a bad idea. However, your call. If you only care about user policy, then disable it under User Configuration.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 11:43 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Do I have to do it under both even if the policy is for User only?
On Fri, Oct 2, 2009 at 11:16 AM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
Keep in mind that you have to disable this under both Computer Configuration and User Configuration-as SLD occurs for both computer and user.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Omar Droubi Sent: Friday, October 02, 2009 10:05 AM
To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Group Policy not applying to group
Kevin is correct.
To actually disable slow link detection- you enable the policy setting and set the rate to "0"
If you disable the setting - nothing changes.
thanks Kevin for the correction.
Omar
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Wornell, Kevin (Dallas) [xxxxxxxxxxxxxxxx] Sent: Friday, October 02, 2009 9:37 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Group Policy not applying to group
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 10:53 AM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Let's assume that it is slow link detection, I wouldn't be surprised as our hardware is getting up there in years. How do I configure the policy? I've never dealt with slow link detection in the past, but honestly, I'm starting to wonder if this has been the cause of other issues we've had over the years.
So, I need to know if I am turning slow link detection on/off/or some other adjustment, and more importantly where I would find it. I've been searching through the GPO Management console and I haven't found it yet.
Thank you for the clarification Omar. Every little bit helps.
On Fri, Oct 2, 2009 at 8:45 AM, Omar Droubi <xxxxxxxxxxxxxxxx> wrote:
Group Policy Slow link detection is not just about speed.
What is really going on behind the scenes- at least on XP- and I got this from MS and from the networking group sniffing some packets- in case I get it wrong- it has been about 4 years.
Anyway- there is the windows logo bitmap file- and this file is broken up into several smaller chunks and is sent/received by the GPO client to check for slow link detection- and we found that one issue that was causing this to break was that these packets were fragmented packets- and this was blocked by the network switches, firewalls and vpn device.
Once we configured the switches between the VPN device(hardware VPN) the VPN network and the production net where the DCs were hosted- we were good to go and slow link detection was working correctly and VPN users were indeed getting policies applied.
This is a big effort to make this work- but other options can include disabling slow link detection entirely or setting a post connection script that runs gpupdate /force.
Now I believe that gpupdate /force must somehow exclude slow link detection- but you may want to take a notebook pc on the VPN and run the Gpupdate /force to see if that really applies the policies.
If that works- then you just need to figure out how to apply that post connection script without redeploying a custom/new VPN client to the entire company- or you can drop it to targeted users.
Hope that helps and if Darren or someone else can clarify or modify what I stated about the slow link detection- I want to know-so I can get it right.
Thanks,
Omar Droubi
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller [xxxxxxxxxxxxxxxx] Sent: Friday, October 02, 2009 8:25 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Hm... that is possible; however is a T1 considered a slow link? My bandwidth at home is 25mb up and down, but my work only has a T1.
On Fri, Oct 2, 2009 at 8:15 AM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
Most likely cause is a slow link being detected and causing the policy to not be applied. You could set the policy to apply even across slow links by adjusting the slow link detection
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 9:41 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
I could use some additional help on this. Quick summary of where I'm at: All the above is now working. I can simply add a user to the group and they pick up the policy. Awesome. Yesterday, I created a new user, set up the user profile on a laptop making sure that all policies were applied except the restriction policy mentioned above. I then logged off the laptop and shut it down. I then placed the user into the restriction group and went home. At least an hour passed before I then turned on the laptop at home logged in as the user and then connected to the VPN. I left the laptop running for over two hours, but every 15 minutes or so I would launch Outlook and ensure the VPN was still running and check to see if the policy had been applied. It was never applied. I then thought that perhaps I had to disconnect from the VPN and reconnect for the policy to get applied. That did not work. I tried rebooting the laptop and logging back in as the user. That did not work. So, my question is, what exactly is the normal behavior for policies for remote users connecting through a VPN? How/when do they get applied?
This is really important as our CEO is insisting on this policy change and I need to have it work for everyone in the company. It works fine for the local users and users in remote offices that have DCs, but I'm concerned that remote users won't pick up the policy. Any help would be appreciated.
Thank you, Rob Miller
On Wed, Sep 30, 2009 at 3:10 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Yep, 2 hours, give or take. Or as Jerry mentioned, if they initiate the VPN connection before they logon (pre-GINA) they'll process user policy as if they were connected to the LAN (taking into account that some CSEs won't process over a slow link, of course) and they'll get the settings immediately upon logon.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 4:53 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
These are all Windows XP machines. The policy is the same one I mentioned above. It makes a change to the Advanced Email Settings in Outlook. These changes are via the Office 2003 admin template, and as far as I'm aware make registry setting changes. So based on what you've said it sounds like they will get the changes after 2 hours of being connected. Am I understanding that correctly?
On Wed, Sep 30, 2009 at 2:28 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Robert,
As long as the policy is 'security' or 'registry' based, your VPN user's devices should pick it up after connecting and after being logged onto your network for at least two hours for legacy operating systems (Windows XP and earlier) and faster for Vista and greater operating systems (since they 'detect' a network change state and then would initiate an update based upon that).
If the policy uses other GPO sub-systems, then it'll depend upon that other system. For example: If the GPO pushes a User Logon script, unless the users connect pre-GINA, the scripts will not process (this is for commands that do not exist on the local device - what I mean is that you could have a script that launches "Calc.exe" and it'd work whether they were on the LAN or not, but if, as usual, you execute something on the domain...the GPO system would still attempt to launch it, but won't be able to 'get' there - you'll see this attempt recorded in the Application event log on older systems and in the Group Policy Event log on Vista/Windows 7 systems...).
Jerry Cruz | Group Policies Product Manager | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 2:02 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
That was it! I need to apply it to the OU that contained all the users and not to the OU that contained the groups. Also, thank you for the extremely important tip of removing the Authenticated Users. I am up and running just fine now. However, I now have another big question that I'm positive someone will be able to help me with.
We have several dozen remote users who only connected to the network via VPN connections. Is there a way to have them pick up this policy the next time they connect? Is that even possible, or do they have to connect via dial up or something?
Again thank you very much for your help!
On Wed, Sep 30, 2009 at 1:29 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Okay, maybe I read your original post wrong, but you said you applied the GPO to the OU containing the group. The GPO has to be applied to an OU that contains all of the user accounts in the group, not just the group itself.
Not to mention that you'll also want to remove the Authenticated Users group from Security Filtering so the GPO only applies to the users in your group. Otherwise it will get applied to every object in that OU and every OU underneath it.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 3:17 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Here is what the result is from the modeling wizard. As you can see it is being applied to the OU and the group. I don't understand why the user isn't getting it. I do not have any WMI filters configured, nor are there any blocks to inheritance in place for this user.
I'm wondering if perhaps a WMI filter may be a better way to go rather than a group and an OU. The GPO will be applied to our entire organization to start with, but users will be removed from the policy over time. I personally have never tried using WMI filters, so if you experts think that is a better option for me, can you also point me to a site that explains how they work?
Thank you again.
On Wed, Sep 30, 2009 at 12:55 PM, Robert Miller <xxxxxxxxxxxxxxxx> wrote:
Yes, the group is in the aforementioned OU with the policy applied to the OU.
I do not know what Rsop is.
The policy is for a user account not a computer. The GPO applied just fine to the user as mentioned, when the user was in the OU and not in the group.
On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx> wrote:
Does that group reside in an OU within that Container?
Run Rsop on that group and computer
Also, run gpresult on a PC to see if it's even getting the GPO ...
Regards,
Mike Dzikowski
WinTel Engineer
Henry Ford Health System | OneIT
2571 Product Drive | Rochester Hills, MI 48309
xxxxxxxxxxxxxxxx
248.853.4891
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 3:42 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
This is what I have in there currently.
On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
What do you have for the Security Filtering on the Policy? Is there anything on the filter that would resolve to the User?
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 2:14 PM To: xxxxxxxxxxxxxxxx Subject: [gptalk] Group Policy not applying to group
Hello,
Is it possible to apply a group policy to a user via a group in an OU?
I need to apply an Outlook 2003 policy to some users in my Windows 2003 domain. Because users will likely be shifted in and out of this policy's requirement I have to use a group to manage the users. What I've done is created a group that will have the restriction user policy applied to it. I've added the users to this group, and placed the group in an OU and applied the GP to it.
When I run the simulation wizard, it shows the OU as having the policy applied, but when I run it for the user in the group it is not being applied.
I am able to have the policy apply with no problems if I place the user in the OU directly, so I am wondering if this is even possible.
Thank you in advance for any insights and help.
Rob Miller
Notice of Confidentiality
This transmission contains information that may be confidential. It has been prepared for the sole and exclusive use of the intended recipient and on the basis agreed with that person. If you are not the intended recipient of the message (or authorized to receive it for the intended recipient), you should notify us immediately; you should delete it from your system and may not disclose its contents to anyone else.
This e-mail has come to you from Watson Wyatt & Company.
==============================================================================
CONFIDENTIALITY NOTICE: This email contains information from the sender that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise protected from disclosure. This email is intended for use only by the person or entity to whom it is addressed. If you are not the intended recipient, any use, disclosure, copying, distribution, printing, or any action taken in reliance on the contents of this email, is strictly prohibited. If you received this email in error, please contact the sending party by reply email, delete the email from your computer system and shred any paper copies.
Note to Patients: There are a number of risks you should consider before using e-mail to communicate with us. See our Privacy Policy and Henry Ford My Health at www.henryford.com for more detailed information. If you do not believe that our policy gives you the privacy and security protection you need, do not send e-mail or Internet communications to us.
==============================================================================
________________________________
Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.
| | | |
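As an added example (not code from any poster in this thread), this read-only PowerShell script reports the slow link detection value in effect under both Computer and User Configuration and checks whether small and large ICMP echoes reach a domain controller over the VPN. The DC name `dc01.example.local` and the 2048-byte payload are assumptions; `GroupPolicyMinTransferRate` is the registry value the "Group Policy slow link detection" setting writes.

```powershell
# Added example, not from the thread. Read-only: it changes no settings.
param(
    # Hypothetical placeholder: replace with a domain controller reachable over the VPN.
    [string]$DomainController = 'dc01.example.local'
)

# DWORD written by the "Group Policy slow link detection" policy setting.
$ValueName   = 'GroupPolicyMinTransferRate'
# Threshold Windows uses when the setting is disabled or not configured.
$DefaultKbps = 500

# Slow link detection runs separately for computer and user policy,
# so both policy hives have to be inspected.
$PolicyKeys = @(
    @{ Scope = 'Computer Configuration'; Path = 'HKLM:\Software\Policies\Microsoft\Windows\System' },
    @{ Scope = 'User Configuration';     Path = 'HKCU:\Software\Policies\Microsoft\Windows\System' }
)

function Get-SlowLinkSetting {
    param([string]$Scope, [string]$Path)

    $rate = $null
    if (Test-Path -Path $Path) {
        $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$ValueName]) {
            # REG_DWORD can surface as a signed Int32; mask to get the unsigned rate.
            $rate = [int64]$props.$ValueName -band 4294967295
        }
    }

    if ($null -eq $rate) {
        $meaning = "Not configured: default threshold of $DefaultKbps Kbps applies"
    }
    elseif ($rate -eq 0) {
        $meaning = 'Enabled with rate 0: detection off, every link is treated as fast'
    }
    else {
        $meaning = "Enabled: links slower than $rate Kbps are treated as slow"
    }

    New-Object PSObject -Property @{
        Scope    = $Scope
        RateKbps = $rate
        Meaning  = $meaning
    }
}

function Test-IcmpToDc {
    param([string]$Target, [int]$Bytes)

    # -Quiet returns $true only if an echo reply came back.
    $replied = Test-Connection -ComputerName $Target -BufferSize $Bytes -Count 2 `
                               -Quiet -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Target       = $Target
        PayloadBytes = $Bytes
        Replied      = [bool]$replied
    }
}

# 1. What is slow link detection set to for computer and for user policy?
$PolicyKeys |
    ForEach-Object { Get-SlowLinkSetting -Scope $_.Scope -Path $_.Path } |
    Select-Object Scope, RateKbps, Meaning |
    Format-Table -AutoSize

# 2. Does ICMP reach the DC with a default-size echo and with a larger one?
#    A reply to 32 bytes but not to 2048 bytes points at large or fragmented
#    ICMP being dropped somewhere between the VPN device and the DC.
32, 2048 |
    ForEach-Object { Test-IcmpToDc -Target $DomainController -Bytes $_ } |
    Select-Object Target, PayloadBytes, Replied |
    Format-Table -AutoSize
```

Run it on the affected laptop while the VPN is connected, as the affected user, so the HKCU result reflects that user's policy.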
| rwalker76
Posts:8
 | | 12/16/2009 1:15 PM |
| This may or may not help, but we had an almost identical situation a few months ago. Remote VPN users were not getting GPO changes, although a gpupdate /force appeared to go through correctly. We use a Cisco VPN concentrator and a mix of software and hardware VPN clients. The problem did turn out to be ICMP being at least partially blocked. Like yourselves we could successfully ping, but our network guys had blocked other ICMP traffic. Once this was allowed through again everything worked perfectly. If you want more details feel free to email me direct and I'll find out exactly what was changed tomorrow. Unfortunately all our Network team have gone home early - isn't local government great...!
Richard.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: 12 October 2009 19:56 To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Sure did. I had to send them to Microsoft as well. I actually have two of them. One contains the information for a remote user that runs gpupdate /force and waits for the two hours to elapse. The second is for a user that logs in directly to the network and the policy applies correctly.
I've attached them.
Hope this helps, and thank you again.
Rob
PS Had to resend. Due to file size constraints I had to zip them.
On Mon, Oct 12, 2009 at 11:03 AM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Did you ever get a verbose UserEnv.log file (and UserEnv.bak file) from a remotely connecting device to look at? Can you post?
Jerry
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Monday, October 12, 2009 10:59 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Believe it or not, I am still trying to get this to work. I've been talking to Microsoft Technical support since last week and they have not been able to get it to work. Now they are telling me that it is by design that this will not work.
I am now turning back to you all in the hopes that you can give me some concrete evidence that this really does work because at this point, I'm starting to think that it is a bunch of smoke and mirrors. I find it hard to believe that Microsoft would have built the policy system to not work for remote users by design, yet that is what I am being told--either the user has to log in directly or use the Connect Using Dial-up option on the login screen, which for my users is not an option.
Any advice would be vastly appreciated. I have already turned on the policy and it is working perfectly for all my local users, but remote users are still not having it applied regardless of gpupdate /force being run or waiting for the 2 hour time period to elapse.
Oh, and regarding Jerry's comment about ICMP, remote users can ping just fine through the VPN and vice versa.
Rob Miller
On Tue, Oct 6, 2009 at 4:23 PM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
Robert- Jerry might be right about the ICMP issue. By default, if an ICMP ping btw client and DC fails, then all GP processing will fail. You should actually see this in the Application event log, in the form of a failure event for source Userenv.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Tuesday, October 06, 2009 1:54 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
I did up until about an hour ago when I whacked the profile I was testing. I can create another one tomorrow.
I'm just using the standard VPN connection through the network properties. Nothing special there.
Ah, good to know about the range. When I do a force, I see data transfer through the pipe, but no changes are applied.
Thank you for that link. That is exactly what I was looking for. I wonder if perhaps the Outlook policy that I am using falls under that "...the rest are not..." category? It is a change to the Advanced Email Options to turn off the automatic name search functionality. It seems like it is a registry change, especially since I did find the registry key that would make the change as well, but I prefer to use a policy since it is able to be easily removed.
Thank you again for your help!
On Tue, Oct 6, 2009 at 12:44 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Do you have a verbose UserEnv log from an affected device (attempting to connect via VPN) that you can share with this community?
Does the VPN client support ICMP (for pinging the DC)? Some of them do not... (they operate much higher up the stack so, by design, they 'cannot ever' support pinging).
BTW: It is NOT (90 minutes give or take 30 minutes)... It is 90 minutes with a random 0-30 minute offset. So the 'range' is 90-120 minutes, but you can always perform a 'GPUpdate /Force' command to apply (or refresh) the settings manually. So what happens to a test device when you connect using VPN and then try the 'GPUpdate /Force' command?
Articles: There are many. Here's one: http://technet.microsoft.com/en-us/library/cc786341(WS.10).aspx
Jerry
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Tuesday, October 06, 2009 11:39 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
I really need the group's help again. I am still not getting a result with the GPO being applied via the VPN connection. I am currently on the phone with MS tech support and they are hinting at this not even being possible. Before I continue I need to clarify to make sure that we are on the same page, so here is the process:
1) User logs in using their standard user account, but is connecting to the Internet locally via their local network, i.e. home, coffee shop, etc., so they are not logging into the company network.
2) The user launches the VPN connection.
3) Eventually the policy should be applied (90 minutes give or take 30 minutes). This is where the process fails.
If the user logs in directly to the network, the policy applies perfectly, so my question is, is the above process supposed to work? From all the above comments I assume that it is working for many of you already, and that the answer is yes. If so, can anyone shoot me a link to a Microsoft article that states that this should be working?
Rob
On Fri, Oct 2, 2009 at 5:29 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Robert,
To see what the GPO sub-systems are actually doing 'under the hood' so to speak, activate verbose policy processing (for all OS'es prior to Windows Vista) and look at the userenv.log file. There you will see exactly how the system is behaving 'speed-wise' (no matter what the configured settings are) and you'll see whether or not the GPOs are really being applied or not.
221833 How to enable user environment debug logging in retail builds of Windows
http://support.microsoft.com/kb/221833
Then, you'll find the following to be 'excellent' tutorials (Mark Ramey - MS Directory Services Team) on how to read that file:
Understanding How to Read a Userenv Log - Part 1
http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx
Understanding How to Read a Userenv Log - Part 2
http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-2.aspx
As well, I'd also highly recommend:
Interpreting Userenv Log Files (Error and Return Codes noted in UserEnv are listed here!!!!)
http://technet.microsoft.com/en-us/library/cc786775.aspx
Jerry Cruz | Group Policies Product Manager | Windows Infrastructure Architecture | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 12:25 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
That suggests, "it wouldn't hurt if you did, and is a good idea." Thanks for the heads up. I will disable both.
On Fri, Oct 2, 2009 at 12:02 PM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
You don't have to, but if you want reliable behavior over slow links, it's not a bad idea. However, your call. If you only care about user policy, then disable it under User Configuration.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 11:43 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Do I have to do it under both even if the policy is for User only?
On Fri, Oct 2, 2009 at 11:16 AM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
Keep in mind that you have to disable this under both Computer Configuration and User Configuration - as SLD occurs for both computer and user.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Omar Droubi Sent: Friday, October 02, 2009 10:05 AM
To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Group Policy not applying to group
Kevin is correct.
To actually disable slow link detection- you enable the policy setting and set the rate to "0"
If you disable the setting - nothing changes.
Thanks Kevin for the correction.
Omar
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Wornell, Kevin (Dallas) [xxxxxxxxxxxxxxxx] Sent: Friday, October 02, 2009 9:37 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Group Policy not applying to group
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 10:53 AM To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Let's assume that it is slow link detection, I wouldn't be surprised as our hardware is getting up there in years. How do I configure the policy? I've never dealt with slow link detection in the past, but honestly, I'm starting to wonder if this has been the cause of other issues we've had over the years.
So, I need to know if I am turning slow link detection on/off/or some other adjustment, and more importantly where I would find it. I've been searching through the GPO Management console and I haven't found it yet.
Thank you for the clarification Omar. Every little bit helps.
On Fri, Oct 2, 2009 at 8:45 AM, Omar Droubi <xxxxxxxxxxxxxxxx> wrote:
Group Policy Slow link detection is not just about speed.
What is really going on behind the scenes- at least on XP- and I got this from MS and from the networking group sniffing some packets- in case I get it wrong- it has been about 4 years.
Anyway- there is the Windows logo bitmap file- and this file is broken up into several smaller chunks and is sent/received by the GPO client to check for slow link detection- and we found that one issue that was causing this to break was that these packets were fragmented packets- and this was blocked by the network switches, firewalls and VPN device.
Once we configured the switches between the VPN device (hardware VPN) the VPN network and the production net where the DCs were hosted- we were good to go and slow link detection was working correctly and VPN users were indeed getting policies applied.
This is a big effort to make this work- but other options can include disabling slow link detection entirely or setting a post connection script that runs gpupdate /force.
Now I believe that gpupdate /force must somehow exclude slow link detection- but you may want to take a notebook PC on the VPN and run the gpupdate /force to see if that really applies the policies.
If that works- then you just need to figure out how to apply that post connection script without redeploying a custom/new VPN client to the entire company- or you can drop it to targeted users.
Hope that helps and if Darren or someone else can clarify or modify what I stated about the slow link detection- I want to know- so I can get it right.
Thanks,
Omar Droubi
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller [xxxxxxxxxxxxxxxx] Sent: Friday, October 02, 2009 8:25 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Hm... that is possible; however is a T1 considered a slow link? My bandwidth at home is 25mb up and down, but my work only has a T1.
On Fri, Oct 2, 2009 at 8:15 AM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
Most likely cause is a slow link being detected and causing the policy to not be applied. You could set the policy to apply even across slow links by adjusting the slow link detection.
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Friday, October 02, 2009 9:41 AM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
I could use some additional help on this. Quick summary of where I'm at: All the above is now working. I can simply add a user to the group and they pick up the policy. Awesome. Yesterday, I created a new user, set up the user profile on a laptop making sure that all policies were applied except the restriction policy mentioned above. I then logged off the laptop and shut it down. I then placed the user into the restriction group and went home. At least an hour passed before I then turned on the laptop at home logged in as the user and then connected to the VPN. I left the laptop running for over two hours, but every 15 minutes or so I would launch Outlook and ensure the VPN was still running and check to see if the policy had been applied. It was never applied. I then thought that perhaps I had to disconnect from the VPN and reconnect for the policy to get applied. That did not work. I tried rebooting the laptop and logging back in as the user. That did not work. So, my question is, what exactly is the normal behavior for policies for remote users connecting through a VPN? How/when do they get applied?
This is really important as our CEO is insisting on this policy change and I need to have it work for everyone in the company. It works fine for the local users and users in remote offices that have DCs, but I'm concerned that remote users won't pick up the policy. Any help would be appreciated.
Thank you, Rob Miller
On Wed, Sep 30, 2009 at 3:10 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Yep, 2 hours, give or take. Or as Jerry mentioned, if they initiate the VPN connection before they logon (pre-GINA) they'll process user policy as if they were connected to the LAN (taking into account that some CSEs won't process over a slow link, of course) and they'll get the settings immediately upon logon.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 4:53 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
These are all Windows XP machines. The policy is the same one I mentioned above. It makes a change to the Advanced Email Settings in Outlook. These changes are via the Office 2003 admin template, and as far as I'm aware make registry setting changes. So based on what you've said it sounds like they will get the changes after 2 hours of being connected. Am I understanding that correctly?
On Wed, Sep 30, 2009 at 2:28 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Robert,
As long as the policy is 'security' or 'registry' based, your VPN user's devices should pick it up after connecting and after being logged onto your network for at least two hours for legacy operating systems (Windows XP and earlier) and faster for Vista and greater operating systems (since they 'detect' a network change state and then would initiate an update based upon that).
If the policy uses other GPO sub-systems, then it'll depend upon that other system. For example: If the GPO pushes a User Logon script, unless the users connect pre-GINA, the scripts will not process (this is for commands that do not exist on the local device - what I mean is that you could have a script that launches "Calc.exe" and it'd work whether they were on the LAN or not, but if, as usual, you execute something on the domain...the GPO system would still attempt to launch it, but won't be able to 'get' there - you'll see this attempt recorded in the Application event log on older systems and in the Group Policy Event log on Vista/Windows 7 systems...).
Jerry Cruz | Group Policies Product Manager | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 2:02 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
That was it! I need to apply it to the OU that contained all the users and not to the OU that contained the groups. Also, thank you for the extremely important tip of removing the Authenticated Users. I am up and running just fine now. However, I now have another big question that I'm positive someone will be able to help me with.
We have several dozen remote users who only connected to the network via VPN connections. Is there a way to have them pick up this policy the next time they connect? Is that even possible, or do they have to connect via dial up or something?
Again thank you very much for your help!
On Wed, Sep 30, 2009 at 1:29 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Okay, maybe I read your original post wrong, but you said you applied the GPO to the OU containing the group. The GPO has to be applied to an OU that contains all of the user accounts in the group, not just the group itself.
Not to mention that you'll also want to remove the Authenticated Users group from Security Filtering so the GPO only applies to the users in your group. Otherwise it will get applied to every object in that OU and every OU underneath it.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Robert Miller Sent: Wednesday, September 30, 2009 3:17 PM
To: xxxxxxxxxxxxxxxx Subject: Re: [gptalk] Group Policy not applying to group
Here is what the result is from the modeling wizard. As you can see it is being applied to the OU and the group. I don't understand why the user isn't getting it. I do not have any WMI filters configured, nor are there any blocks to inheritance in place for this user.
I'm wondering if perhaps a WMI filter may be a better way to go rather than a group and an OU. The GPO will be applied to our entire organization to start with, but users will be removed from the policy over time. I personally have never tried using WMI filters, so if you experts think that is a better option for me, can you also point me to a site that explains how they work?
Thank you again.
On Wed, Sep 30, 2009 at 12:55 PM, Robert Miller <xxxxxxxxxxxxxxxx> wrote:
Yes, the group is in the aforementioned OU with the policy applied to the OU.
I do not know what Rsop is.
The policy is for a user account not a computer. The GPO applied just fine to the user as mentioned, when the user was in the OU and not in the group.
On Wed, Sep 30, 2009 at 12:46 PM, Dzikowski, Michael <xxxxxxxxxxxxxxxx> wrote:
Does that group reside in an OU within that Container?
Run Rsop on that group and computer
Also, run gpresult on a PC to see if it's even getting the GPO ...
Regards,
Mike Dzikowski
WinTel Engineer
Henry Ford Health System | OneIT
2571 Product Drive | Rochester Hills, MI 48309
xxxxxxxxxxxxxxxx
248.853.4891
From: xxxxxxxxxxxxxxxx On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 3:42 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
This is what I have in there currently.
On Wed, Sep 30, 2009 at 12:26 PM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
What do you have for the Security Filtering on the Policy? Is there anything on the filter that would resolve to the User?
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 2:14 PM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] Group Policy not applying to group
Hello,
Is it possible to apply a group policy to a user via a group in an OU?
I need to apply an Outlook 2003 policy to some users in my Windows 2003 domain. Because users will likely be shifted in and out of this policy's requirement I have to use a group to manage the users. What I've done is created a group that will have the restriction user policy applied to it. I've added the users to this group, and placed the group in an OU and applied the GP to it.
When I run the simulation wizard, it shows the OU as having the policy applied, but when I run it for the user in the group it is not being applied.
I am able to have the policy apply with no problems if I place the user in the OU directly, so I am wondering if this is even possible.
Thank you in advance for any insights and help.
Rob Miller
| | | |
| dmarelia
Posts:441
 | | 12/16/2009 1:15 PM |
| Robert- I looked through the log and I do see both computer and user background GP processing occurring correctly. What policies exactly are you trying to deliver?
Darren
From: xxxxxxxxxxxxxxxx On Behalf Of Robert Miller
Sent: Monday, October 12, 2009 11:56 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Sure did. I had to send them to Microsoft as well. I actually have two of them. One contains the information for a remote user that runs gpupdate /force and waits for the two hours to elapse. The second is for a user that logs in directly to the network and the policy applies correctly.
I've attached them.
Hope this helps, and thank you again.
Rob
PS Had to resend. Due to file size constraints I had to zip them.
On Mon, Oct 12, 2009 at 11:03 AM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Did you ever get a verbose UserEnv.log file (and UserEnv.bak file) from a remotely connecting device to look at? Can you post?
Jerry
From: xxxxxxxxxxxxxxxx On Behalf Of Robert Miller
Sent: Monday, October 12, 2009 10:59 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Believe it or not, I am still trying to get this to work. I've been talking to Microsoft Technical support since last week and they have not been able to get it to work. Now they are telling me that it is by design that this will not work.
I am now turning back to you all in the hopes that you can give me some concrete evidence that this really does work because at this point, I'm starting to think that it is a bunch of smoke and mirrors. I find it hard to believe that Microsoft would have built the policy system to not work for remote users by design, yet that is what I am being told--either the user has to log in directly or use the Connect Using Dial-up option on the login screen, which for my users is not an option.
Any advice would be vastly appreciated. I have already turned on the policy and it is working perfectly for all my local users, but remote users are still not having it applied regardless of gpupdate /force being run or waiting for the 2 hour time period to elapse.
Oh, and regarding Jerry's comment about ICMP, remote users can ping just fine through the VPN and vice versa.
Rob Miller
On Tue, Oct 6, 2009 at 4:23 PM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
Robert- Jerry might be right about the ICMP issue. By default, if an ICMP ping btw client and DC fails, then all GP processing will fail. You should actually see this in the Application event log, in the form of a failure event for source Userenv.
Darren
From: xxxxxxxxxxxxxxxx On Behalf Of Robert Miller
Sent: Tuesday, October 06, 2009 1:54 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
I did up until about an hour ago when I whacked the profile I was testing. I can create another one tomorrow.
I'm just using the standard VPN connection through the network properties. Nothing special there.
Ah, good to know about the range. When I do a force, I see data transfer through the pipe, but no changes are applied.
Thank you for that link. That is exactly what I was looking for. I wonder if perhaps the Outlook policy that I am using falls under that "...the rest are not..." category? It is a change to the Advanced Email Options to turn off the automatic name search functionality. It seems like it is a registry change, especially since I did find the registry key that would make the change as well, but I prefer to use a policy since it is able to be easily removed.
Thank you again for your help!
On Tue, Oct 6, 2009 at 12:44 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Do you have a verbose UserEnv log from an affected device (attempting to connect via VPN) that you can share with this community?
Does the VPN client support ICMP (for pinging the Dc)? Some of them do not... (they operate much higher up the stack so, by design, they 'cannot ever' support pinging).
BTW: It is NOT (90 minutes give or take 30 minutes)... It is 90 minutes with a random 0-30 minute offset. So the 'range' is 90-120 minutes, but you can always perform a 'GPUpdate /Force' command to apply (or refresh) the settings manually. So what happens to a test device when you connect using VPN and then try the 'GPUpdate /Force' command?
Articles: There are many. Here's one: http://technet.microsoft.com/en-us/library/cc786341(WS.10).aspx
Jerry
From: xxxxxxxxxxxxxxxx On Behalf Of Robert Miller
Sent: Tuesday, October 06, 2009 11:39 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
I really need the group's help again. I am still not getting a result with the GPO being applied via the VPN connection. I am currently on the phone with MS tech support and they are hinting at this not even being possible. Before I continue I need to clarify to make sure that we are on the same page, so here is the process:
1) User logs in using their standard user account, but is connecting to the Internet locally via their local network, i.e. home, coffee shop, etc., so they are not logging into the company network.
2) The user launches the VPN connection
3) Eventually the policy should be applied (90 minutes give or take 30 minutes). This is where the process fails.
If the user logs in directly to the network, the policy applies perfectly, so my question is, is the above process supposed to work? From all the above comments I assume that it is working for many of you already, and that the answer is yes. If so, can anyone shoot me a link to a Microsoft article that states that this should be working?
Rob
On Fri, Oct 2, 2009 at 5:29 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Robert,
To see what the GPO sub-systems are actually doing 'under the hood' so to speak, activate verbose policy processing (for all OS'es prior to Windows Vista) and look at the userenv.log file. There you will see exactly how the system is behaving 'speed-wise' (no matter what the configured settings are) and you'll see whether or not the GPOs are really being applied or not.
221833 How to enable user environment debug logging in retail builds of Windows
http://support.microsoft.com/kb/221833
Then, you'll find the following to be 'excellent' tutorials (Mark Ramey - MS Directory Services Team) on how to read that file:
Understanding How to Read a Userenv Log - Part 1
http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx
Understanding How to Read a Userenv Log - Part 2
http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-2.aspx
As well, I'd also highly recommend:
Interpreting Userenv Log Files (Error and Return Codes noted in UserEnv are listed here!!!!)
http://technet.microsoft.com/en-us/library/cc786775.aspx
Jerry Cruz | Group Policies Product Manager | Windows Infrastructure Architecture | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx On Behalf Of Robert Miller
Sent: Friday, October 02, 2009 12:25 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
That suggests, "it wouldn't hurt if you did, and is a good idea." Thanks for the heads up. I will disable both.
On Fri, Oct 2, 2009 at 12:02 PM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
You don't have to, but if you want reliable behavior over slow links, it's not a bad idea. However, your call. If you only care about user policy, then disable it under User Configuration.
Darren
From: xxxxxxxxxxxxxxxx On Behalf Of Robert Miller
Sent: Friday, October 02, 2009 11:43 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Do I have to do it under both even if the policy is for User only?
On Fri, Oct 2, 2009 at 11:16 AM, Darren Mar-Elia <xxxxxxxxxxxxxxxx> wrote:
Keep in mind that you have to disable this under both Computer Configuration and User Configuration-as SLD occurs for both computer and user.
Darren
From: xxxxxxxxxxxxxxxx On Behalf Of Omar Droubi
Sent: Friday, October 02, 2009 10:05 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Group Policy not applying to group
Kevin is correct.
To actually disable slow link detection- you enable the policy setting and set the rate to "0"
If you disable the setting - nothing changes.
thanks Kevin for the correction.
Omar
________________________________
From: xxxxxxxxxxxxxxxx On Behalf Of Wornell, Kevin (Dallas)
Sent: Friday, October 02, 2009 9:37 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Group Policy not applying to group
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx On Behalf Of Robert Miller
Sent: Friday, October 02, 2009 10:53 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Let's assume that it is slow link detection, I wouldn't be surprised as our hardware is getting up there in years. How do I configure the policy? I've never dealt with slow link detection in the past, but honestly, I'm starting to wonder if this has been the cause of other issues we've had over the years.
So, I need to know if I am turning slow link detection on/off/or some other adjustment, and more importantly where I would find it. I've been searching through the GPO Management console and I haven't found it yet.
Thank you for the clarification Omar. Every little bit helps.
On Fri, Oct 2, 2009 at 8:45 AM, Omar Droubi <xxxxxxxxxxxxxxxx> wrote:
Group Policy Slow link detection is not just about speed.
What is really going on behind the scenes- at least on XP- and I got this from MS and from the networking group sniffing some packets- in case I get it wrong- it has been about 4 years.
Anyway- there is the windows logo bitmap file- and this file is broken up into several smaller chunks and is sent/received by the GPO client to check for slow link detection- and we found that one issue that was causing this to break was that these packets were fragmented packets- and this was blocked by the network switches, firewalls and vpn device.
Once we configured the switches between the VPN device(hardware VPN) the VPN network and the production net where the DCs were hosted- we were good to go and slow link detection was working correctly and VPN users were indeed getting policies applied.
This is a big effort to make this work- but other options can include disabling slow link detection entirely or setting a post connection script that runs gpupdate /force.
now I believe that gpupdate /force must somehow exclude slow link detection- but you may want to take a notebook pc on the VPN and run the Gpupdate /force to see if that really applies the policies.
If that works- then you just need to figure out how to apply that post connection script without redeploying a custom/new VPN client to the entire company- or you can drop it to targeted users.
hope that helps and if Darren or someone else can clarify or modify what I stated about the slow link detection- I want to know-so I can get it right.
Thanks,
Omar Droubi
________________________________
From: xxxxxxxxxxxxxxxx On Behalf Of Robert Miller
Sent: Friday, October 02, 2009 8:25 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
Hm... that is possible; however is a T1 considered a slow link? My bandwidth at home is 25mb up and down, but my work only has a T1.
On Fri, Oct 2, 2009 at 8:15 AM, Wornell, Kevin (Dallas) <xxxxxxxxxxxxxxxx> wrote:
Most likely cause is a slow link being detected and causing the policy to not be applied. You could set the policy to apply even across slow links by adjusting the slow link detection
To configure slow link detection
1. Open the policy setting Group Policy slow link detection, located in Computer Configuration\Administrative Templates\System\Group Policy processing
2. In Connection speed, type a decimal number between 0 and 4,294,967,200 (0xFFFFFFA0) to indicate a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. To disable slow link detection, enter 0 (all connections will be considered to be fast).
Kevin
Kevin Wornell Office Technology Group
From: xxxxxxxxxxxxxxxx On Behalf Of Robert Miller
Sent: Friday, October 02, 2009 9:41 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
I could use some additional help on this. Quick summary of where I'm at: All the above is now working. I can simply add a user to the group and they pick up the policy. Awesome. Yesterday, I created a new user, set up the user profile on a laptop making sure that all policies were applied except the restriction policy mentioned above. I then logged off the laptop and shut it down. I then placed the user into the restriction group and went home. At least an hour passed before I then turned on the laptop at home logged in as the user and then connected to the VPN. I left the laptop running for over two hours, but every 15 minutes or so I would launch Outlook and ensure the VPN was still running and check to see if the policy had been applied. It was never applied. I then thought that perhaps I had to disconnect from the VPN and reconnect for the policy to get applied. That did not work. I tried rebooting the laptop and logging back in as the user. That did not work. So, my question is, what exactly is the normal behavior for policies for remote users connecting through a VPN? How/when do they get applied?
This is really important as our CEO is insisting on this policy change and I need to have it work for everyone in the company. It works fine for the local users and users in remote offices that have DCs, but I'm concerned that remote users won't pick up the policy. Any help would be appreciated.
Thank you, Rob Miller
On Wed, Sep 30, 2009 at 3:10 PM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
Yep, 2 hours, give or take. Or as Jerry mentioned, if they initiate the VPN connection before they logon (pre-GINA) they'll process user policy as if they were connected to the LAN (taking into account that some CSEs won't process over a slow link, of course) and they'll get the settings immediately upon logon.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 4:53 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
These are all Windows XP machines. The policy is the same one I mentioned above. It makes a change to the Advanced Email Settings in Outlook. These changes are via the Office 2003 admin template, and as far as I'm aware make registry setting changes. So based on what you've said it sounds like they will get the changes after 2 hours of being connected. Am I understanding that correctly?
On Wed, Sep 30, 2009 at 2:28 PM, Cruz, Jerome L <xxxxxxxxxxxxxxxx> wrote:
Robert,
As long as the policy is 'security' or 'registry' based, your VPN user's devices should pick it up after connecting and after being logged onto your network for at least two hours for legacy operating systems (Windows XP and earlier) and faster for Vista and greater operating systems (since they 'detect' a network change state and then would initiate an update based upon that).
If the policy uses other GPO sub-systems, then it'll depend upon that other system. For example: If the GPO pushes a User Logon script, unless the users connect pre-GINA, the scripts will not process (this is for commands that do not exist on the local device-what I mean is that you could have a script that launches "Calc.exe" and it'd work whether they were on the LAN or not, but if, as usual, you execute something on the domain...the GPO system would still attempt to launch it, but won't be able to 'get' there-you'll see this attempt recorded in the Application event log on older systems and in the Group Policy Event log on Vista/Windows 7 systems...).
Jerry Cruz | Group Policies Product Manager | IT Infrastructure | Boeing IT
From: xxxxxxxxxxxxxxxx On Behalf Of Robert Miller
Sent: Wednesday, September 30, 2009 2:02 PM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Group Policy not applying to group
That was it! I need to apply it to the OU that contained all the users and not to the OU that contained the groups. Also, thank you for the extremely important tip of removing the Authenticated Users. I am up and running just fine now. However, I now have another big question that I'm positive someone will be able to help me with.
We have several dozen remote users who only connected to the network via VPN connections. Is there a way to have them pick up this policy the next time they connect? Is that even possible, or do they have to connect via dial up or something?
Again thank you very much for your help!
| | | |
|
|
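Jamie Nelson's two points earlier in this thread (link the GPO to the OU that holds the user objects, then narrow it with Security Filtering) can be checked with a small model of user-side GPO scoping. This is an added example, not code from any poster; the OU names, users and the group name `Outlook-Restricted` are constructed, and the model assumes direct group membership only and ignores WMI filters, inheritance blocking and loopback.

```python
from dataclasses import dataclass

# Well-known principal that every logged-on domain user matches.
AUTHENTICATED_USERS = "Authenticated Users"


@dataclass(frozen=True)
class User:
    name: str
    dn: str                          # location of the user object itself
    groups: frozenset = frozenset()  # direct group memberships only (assumption)


@dataclass(frozen=True)
class Gpo:
    name: str
    linked_to: tuple                 # DNs of the OUs the GPO is linked to
    security_filter: frozenset       # principals with Read + Apply Group Policy


def _rdns(dn):
    # Naive split; adequate for the constructed DNs below (no escaped commas).
    return [part.strip().lower() for part in dn.split(",")]


def under_link(user, link_dn):
    """True when the user object sits in the linked OU or any OU beneath it."""
    container = _rdns(user.dn)[1:]   # drop the user's own CN
    link = _rdns(link_dn)
    return len(container) >= len(link) and container[len(container) - len(link):] == link


def passes_filter(user, gpo):
    """Security Filtering: the user, or a group the user is in, must be listed."""
    if AUTHENTICATED_USERS in gpo.security_filter:
        return True
    return user.name in gpo.security_filter or bool(user.groups & gpo.security_filter)


def evaluate(user, gpo):
    """Return (applies, reason) for one user and one user-side GPO."""
    if not any(under_link(user, dn) for dn in gpo.linked_to):
        return False, "user object is not under any OU the GPO is linked to"
    if not passes_filter(user, gpo):
        return False, "under the link, but excluded by Security Filtering"
    return True, "under a linked OU and allowed by Security Filtering"


def users_receiving(users, gpo):
    return sorted(u.name for u in users if evaluate(u, gpo)[0])


# Constructed directory: the group object lives in OU=Groups, the users elsewhere.
GROUP = "Outlook-Restricted"
USERS = [
    User("alice", "CN=alice,OU=Staff,DC=corp,DC=example", frozenset({GROUP})),
    User("bob", "CN=bob,OU=Staff,DC=corp,DC=example"),
    User("carol", "CN=carol,OU=Sales,OU=Staff,DC=corp,DC=example", frozenset({GROUP})),
    User("dave", "CN=dave,OU=Contractors,DC=corp,DC=example", frozenset({GROUP})),
]

# 1. Linked to the OU that contains only the group object: no user is in scope.
LINKED_TO_GROUP_OU = Gpo(
    "Outlook policy", ("OU=Groups,DC=corp,DC=example",), frozenset({GROUP}))
# 2. Linked to the users' OU with Authenticated Users left in the filter:
#    every user in that OU and below gets it, group member or not.
LINKED_UNFILTERED = Gpo(
    "Outlook policy", ("OU=Staff,DC=corp,DC=example",), frozenset({AUTHENTICATED_USERS}))
# 3. Linked to the users' OU and filtered to the group: only members under the link.
LINKED_AND_FILTERED = Gpo(
    "Outlook policy", ("OU=Staff,DC=corp,DC=example",), frozenset({GROUP}))

if __name__ == "__main__":
    for label, gpo in (("link on group OU", LINKED_TO_GROUP_OU),
                       ("link on user OU, unfiltered", LINKED_UNFILTERED),
                       ("link on user OU, filtered", LINKED_AND_FILTERED)):
        print(f"{label}: {users_receiving(USERS, gpo)}")
        for user in USERS:
            applies, reason = evaluate(user, gpo)
            print(f"  {user.name:6} {'APPLY' if applies else 'skip '}  {reason}")
```

The third case also shows that a group member whose account sits outside the linked OU (`dave`) is still skipped, so moving accounts between OUs changes who receives the policy even when group membership does not change.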