Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Group Policy Issues 2003

  • 16-09-2010 2:12pm
    #1
    Registered Users, Registered Users 2 Posts: 94 ✭✭


    Background:
    Two Servers (running Win2K3 R2), one is DC in a 150 user domain running DHCP,DNS,AD. The other is a file and print server.

    Problem:
    I can't connect to any network printer from users in a certain group. The error says that 'a policy is in effect which is preventing you connecting to this print queue'. This has started happening since I installed GPMC snap-in. I installed the snap in, and designed my own policy, but it seems they are being out-ruled by an old policy.

    I have checked in the GPMC and the only policies are:
    1. Defauly Domain Policy
    2. Default Domain Controller Policy
    3. My Policy
    I have disabled all policies, and even deleted my own one, but there still seems to be a policy in place. Certain things are disabled, like network connection properties etc. I also checked the root of where the policies are stored (sysvol) and there are no policies showing in there.

    There was an IT company contracted here a few years back, and I believe it's one of their policies still going. The previous IT company (X for examples) have a shared folder (c:\x) where logon scripts and policies are stored, but I dont know how to access the policies here as they won't show up in GPMC.

    Sorry, a bit long winded, but this is getting very frustrating. Any ideas please?


Comments

  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    Am I corrent in saying that it only happens to users in a certain group?

    What happens when one of those Users logs into a PC, where the policy is working? Does it work?

    From a PC where the User cant connect.
    Run\cmd\Gpresult

    Do the same for a user that CAN connect. Try to find any differences in the policies being applied - Looks for names

    Under Applied Group Policy Objects are all the Correct Policies being applied?

    Under The following GPOs were not applied because they were filtered out are any policies not being applied?


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    I have disabled all policies, and even deleted my own one, but there still seems to be a policy in place. Certain things are disabled, like network connection properties etc. I also checked the root of where the policies are stored (sysvol) and there are no policies showing in there.

    I would caution against making any further random changes until you figure out whats wrong. Its very easy to make GPOs troubleshooting into a bigger mess than you initially thought.

    You need to watch out for stuff like refresh rate, how often the policies are being applied, when they are being applied, Policy tattooing and such.
    There was an IT company contracted here a few years back, and I believe it's one of their policies still going. The previous IT company (X for examples) have a shared folder (c:\x) where logon scripts and policies are stored, but I dont know how to access the policies here as they won't show up in GPMC.

    When did this problem show up, what exactly were you (someone) doing or trying to do?

    Its very easy to see if a GPOs is being applied or not, its also easy to see if what each policy is in fact doing. The polices in the C:x folder could be backups or copies, if they are not showing up under Group Policy Objects they I wouldnt worry about them too much.

    The Gpresult on two PCs for working / non working will tell you a lot

    Post back results. You can PM if you feels its confidential, but its easier to share with the masses


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    As you've removed a policy though, might be worth seeing whether there's a difference between gpresult before and after giving gpupdate a manual kick on your test desktop to tell it to update.
    gpresult /r
    gpupdate /force
    gpresult /r
    


  • Registered Users, Registered Users 2 Posts: 94 ✭✭joe2687


    H:\>gpresult

    Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2
    Copyright (C) Microsoft Corp. 1981-2001
    Created On 16/09/2010 at 17:06:26

    RSOP results for xxxxDOMAIN\staff on xxx-STAFF-2 : Logging Mode
    OS Type: Microsoft Windows XP Professional
    OS Configuration: Member Workstation
    OS Version: 5.1.2600
    Domain Name: xxxxxDOMAIN
    Domain Type: Windows 2000
    Site Name: Default-First-Site-Name
    Roaming Profile:
    Local Profile: C:\Documents and Settings\staff
    Connected over a slow link?: No

    COMPUTER SETTINGS
    CN=MCS-STAFF-2,CN=Computers,DC=xxxxxDomain,DC=local
    Last time Group Policy was applied: 16/09/2010 at 15:29:47
    Group Policy was applied from: server1.xxxxxDomain.local
    Group Policy slow link threshold: 500 kbps
    Applied Group Policy Objects
    N/A
    The following GPOs were not applied because they were filtered out
    Local Group Policy
    Filtering: Not Applied (Empty)
    The computer is a part of the following security groups:
    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    xxx-STAFF-2$
    Domain Computers

    USER SETTINGS
    CN=Staff,OU=Staff,OU=xxxxx School,DC=xxxxxDomain,DC=local
    Last time Group Policy was applied: 16/09/2010 at 17:00:11
    Group Policy was applied from: server1.xxxxxDomain.local
    Group Policy slow link threshold: 500 kbps
    Applied Group Policy Objects
    N/A
    The following GPOs were not applied because they were filtered out
    Local Group Policy
    Filtering: Not Applied (Empty)
    The user is a part of the following security groups:
    Domain Users
    Everyone
    BUILTIN\Users
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users
    LOCAL
    Staff Group

    As for the problem, it seemed to coincide with the installing of the GPMC snap-in. I work in a college, and the reason I wanted to create a new Policy is to limit students from doing certain things (like grabbing photos and using them as their desktop etc). I created my own group policy and applied it (i have triple checked the settings), but as I said a policy seems to be over-riding it.

    Also worth noting as regards the printer problem, when I log onto the machine as Administrator and add the printer, the student account will be allowed add the printer also.


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    Your Gpresult doesnt show anything.
    As for the problem, it seemed to coincide with the installing of the GPMC snap-in. I work in a college, and the reason I wanted to create a new Policy is to limit students from doing certain things (like grabbing photos and using them as their desktop etc). I created my own group policy and applied it (i have triple checked the settings), but as I said a policy seems to be over-riding it.

    Have you removed your own Policy and forced the previous policy settings? Under GPMC, Right click on the Policy and make sure its "Enforced"

    Go back to a troubled PC, do Gpupdate /force, log off, log in as user then try again.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    By the way, did you "Enforce" the policy you made?

    You could have inevitable over written the print settings from a previous policy.

    Worst case create a new policy and try that.

    Under User Configuration, Administrative Templates, Control Panel, Printers, set the "Point and Print Restrictions" to disabled (i think, check the settings) apply policy


Advertisement