GPO Security Filter: Security Group with Multiple Security groups within won't apply GPO settings to defined users.

    Question

  • Hello,

    I think I've hit a road block; I know GPO pretty well but what I'm finding is the Security Filter doesn't seem to be applying a GPO with a Security Group that is inside of the Security Filter for the GPO.

    Now I think I'm compounding the issue by being a bit lazy because the security group called "company workforce group" has about 12 security groups of different departments that each have the users of each department within them.

    I'm hoping I can just do it this way since we have over 1500 users and for me to add each user to a single security group is going to be painful; unless hopefully someone here knows an easier way to import users in a mass add to a security group. I've heard PowerShell can do it, I just don't know how to script it.

    However I really hope by having all of these security groups within the master security group it will work, unless I can just add all 12 security groups directly for the Security Filter and have it apply in this manner.

    Any feedback would be helpful. :)

    Tuesday, November 19, 2013 1:16 PM

All replies

  • On 19.11.2013 14:16, OoDeathmageoO wrote:
    > I think I've hit a road block; I know GPO pretty well but what I'm
    > finding is the Security Filter doesn't seem to be applying a GPO with a
    > Security Group that is inside of the Security Filter for the GPO.
    >
    > Now I think I'm compounding the issue by being a bit lazy because the
    > security group called "company workforce group" has about 12 security
    > groups of different departments that each have the users of each
    > department within them.
    >
     
    Nesting groups works perfectly with group policy - what doesn't work in
    your case? Did you run "gpresult /v report.html" and analyze report.html
    for the contained "group membership" list? And check the "denied GPOs"
    section for the "reason" column.
     

    Martin

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Tuesday, November 19, 2013 2:03 PM
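The check suggested in the reply above, as an added example (not code from the thread): a small Python parser for the text form of `gpresult /v` output that reports whether a GPO was applied or filtered out, and whether the security-filter group appears in the user's group list. The report text, the GPO name `Workforce Lockdown` and the status codes are constructed for illustration.

```python
import re

# Constructed sample in the layout of `gpresult /v` text output (not the poster's data).
SAMPLE_REPORT = """\
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The computer is a part of the following security groups
    -------------------------------------------------------
        Domain Computers

USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Terminal Server Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Workforce Lockdown
            Filtering:  Denied (Security)

        WSUS
            Filtering:  Disabled (GPO)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        NT AUTHORITY\\Authenticated Users
        MgmntDocs

    The user has the following security privileges
    ----------------------------------------------
"""

DASHES = re.compile(r"^-{3,}$")
SCOPES = ("USER SETTINGS", "COMPUTER SETTINGS")
SECTION_KEYS = {
    "Applied Group Policy Objects": "applied",
    "The following GPOs were not applied because they were filtered out": "filtered",
    "The user is a part of the following security groups": "groups",
    "The computer is a part of the following security groups": "groups",
}


def parse_gpresult(text, scope="USER SETTINGS"):
    """Collect applied GPOs, filtered GPOs (with reason) and groups for one scope."""
    lines = [ln.strip() for ln in text.splitlines()]
    report = {"applied": [], "filtered": {}, "groups": []}
    in_scope, section, last_gpo = False, None, None
    for i, line in enumerate(lines):
        if not line or DASHES.match(line):
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if DASHES.match(nxt):  # a heading is a line underlined with dashes
            if line in SCOPES:
                in_scope, section = (line == scope), None
            else:
                section = SECTION_KEYS.get(line)  # None for sections we ignore
            continue
        if not in_scope or section is None:
            continue
        if section == "applied":
            if line not in report["applied"]:  # output can list a GPO twice
                report["applied"].append(line)
        elif section == "filtered":
            if line.startswith("Filtering:"):
                report["filtered"][last_gpo] = line.split(":", 1)[1].strip()
            else:
                last_gpo = line
        else:
            report["groups"].append(line)
    return report


def _short(name):
    # Compare group names without a DOMAIN\ prefix and without regard to case.
    return name.rsplit("\\", 1)[-1].casefold()


def diagnose(report, gpo, filter_group):
    """Return a constructed status code for one GPO and its security-filter group."""
    if gpo in report["applied"]:
        return "APPLIED"
    reason = report["filtered"].get(gpo)
    if reason is None:
        return "NOT_LISTED"        # not linked in this scope, or wrong scope parsed
    if not reason.startswith("Denied (Security)"):
        return "FILTERED_OTHER"    # e.g. disabled link, empty GPO, WMI filter
    in_token = _short(filter_group) in {_short(g) for g in report["groups"]}
    # Group present but still denied: look at the GPO's Read / Apply ACEs.
    # Group missing: the logon session's group list does not contain it.
    return "DENIED_GROUP_PRESENT" if in_token else "DENIED_GROUP_MISSING"


if __name__ == "__main__":
    rep = parse_gpresult(SAMPLE_REPORT)
    print(diagnose(rep, "Workforce Lockdown", "company workforce group"))
```
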
  • Hi Martin,

    Well here is the problem. I'm a bit perplexed to say the least.

    The GPO works fine if I use authenticated users but if I use this custom security group it doesn't seem to apply; I checked delegation and it's set to 'read' and 'apply group policy' but the settings don't seem to be sticking. Right now for this to bypass certain departments I'm having to use block inheritance, but this is only temporary since this disables the domain-level GPO, which is not good.

    I remember the gpresult command; I just don't use it much, I'll give it a check.

    What's also weird is I ran Group Policy Modelling and the policy in question was the winning policy for the users in question and seems to work but it's just not applying; I'm only doing this also in the 'User Config' and not 'Computer Config'. There is a separate Terminal Server GPO set up specifically for the Terminal Servers.

    Also, one last thing for clarification: on the Terminal Server GPO I added the clause, MFFTS6$, to the security filter and it seemed to apply better for the Terminal Server specifically; what exactly does the hidden share icon do that's so drastic in this application?

    Tuesday, November 19, 2013 2:12 PM
  • Martin,

    Here, maybe this makes sense to you.


    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 11/19/2013 at 9:50:02 AM



    RSOP data for DOMAIN\testacct on MFFTS6 : Logging Mode
    -------------------------------------------------------

    OS Configuration:            Member Server
    OS Version:                  6.1.7601
    Site Name:                   N/A
    Roaming Profile:             \\MFFfs1.MFF.com\profiles\testacct.DOMAIN.V2
    Local Profile:               C:\Users\testacct
    Connected over a slow link?: No


    USER SETTINGS
    --------------
        CN=testacct,OU=Production,OU=MFF Middletown,OU=President Container,DC=MFF,DC=com
        Last time Group Policy was applied: 11/19/2013 at 8:18:45 AM
        Group Policy was applied from:      MFFDC4.MFF.com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        DOMAIN
        Domain Type:                        Windows 2000
        
        Applied Group Policy Objects
        -----------------------------
            Terminal Server Policy
            Software Deployment
            President Container Policy
            Default Domain Policy
            Software Deployment
            President Container Policy
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            WSUS
                Filtering:  Disabled (GPO)

            BESA User Rights
                Filtering:  Not Applied (Empty)

            WSUS
                Filtering:  Disabled (GPO)

            Local Group Policy
                Filtering:  Not Applied (Empty)

            BESA User Rights
                Filtering:  Not Applied (Empty)

            Local Group Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            Remote Desktop Users
            BUILTIN\Users
            REMOTE INTERACTIVE LOGON
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Terminal Services User
            MicroMain
            MgmntDocs
            Medium Mandatory Level
            
        The user has the following security privileges
        ----------------------------------------------


        Resultant Set Of Policies for User
        -----------------------------------

            Software Installations
            ----------------------
                N/A

            Logon Scripts
            -------------
                N/A

            Logoff Scripts
            --------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Printers\Wizard\Downlevel Browse
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceRunOnStartMenu
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
                    Value:       8, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\LockTaskbar
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Office\12.0\Outlook\Cached Mode\Enable
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\*
                    Value:       48, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive
                    Value:       48, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuNetworkPlaces
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\SaferFlags
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceStartMenuLogOff
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\SaferFlags
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoDragToolbar
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel
                    Value:       0, 0, 4, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoResize
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: President Container Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\ServerList
                    Value:       0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUShutdownOption
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\System\ProfileQuotaMessage
                    Value:       89, 0, 111, 0, 117, 0, 32, 0, 104, 0, 97, 0, 118, 0, 101, 0, 32, 0, 101, 0, 120, 0, 99, 0, 101, 0, 101, 0, 100, 0, 101, 0, 100, 0, 32, 0, 121, 0, 111, 0, 117, 0, 114, 0, 32, 0, 112, 0, 114, 0, 111, 0, 102, 0, 105, 0, 108, 0, 101, 0, 32, 0, 115, 0, 116, 0, 111, 0, 114, 0, 97, 0, 103, 0, 101, 0, 32, 0, 115, 0, 112, 0, 97, 0, 99, 0, 101, 0, 46, 0, 32, 0, 66, 0, 101, 0, 102, 0, 111, 0, 114, 0, 101, 0, 32, 0, 121, 0, 111, 0, 117, 0, 32, 0, 99, 0, 97, 0, 110, 0, 32, 0, 108, 0, 111, 0, 103, 0, 32, 0, 111, 0, 102, 0, 102, 0, 44, 0, 32, 0, 121, 0, 111, 0, 117, 0, 32, 0, 110, 0, 101, 0, 101, 0, 100, 0, 32, 0, 116, 0, 111, 0, 32, 0, 109, 0, 111, 0, 118, 0, 101, 0, 32, 0, 100, 0, 101, 0, 115, 0, 107, 0, 116, 0, 111, 0, 112, 0, 32, 0, 105, 0, 116, 0, 101, 0, 109, 0, 115, 0, 32, 0, 116, 0, 111, 0, 32, 0, 121, 0, 111, 0, 117, 0, 114, 0, 32, 0, 89, 0, 32, 0, 100, 0, 114, 0, 105, 0, 118, 0, 101, 0, 46, 0, 32, 0, 84, 0, 104, 0, 97, 0, 110, 0, 107, 0, 32, 0, 121, 0, 111, 0, 117, 0, 44, 0, 32, 0, 83, 0, 121, 0, 115, 0, 116, 0, 101, 0, 109, 0, 32, 0, 65, 0, 100, 0, 109, 0, 105, 0, 110, 0, 105, 0, 115, 0, 116, 0, 114, 0, 97, 0, 116, 0, 111, 0, 114, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1402
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\System\IncludeRegInProQuota
                    State:       disabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\Description
                    Value:       0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Explorer\NoStartMenuRecordedTV
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1004
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccessMode
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809
                    Value:       3, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClearRecentDocsOnExit
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Persistent
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime
                    Value:       128, 238, 54, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyGames
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows\System\ExcludeProfileDirs
                    Value:       77, 0, 121, 0, 32, 0, 77, 0, 117, 0, 115, 0, 105, 0, 99, 0, 59, 0, 32, 0, 77, 0, 121, 0, 32, 0, 86, 0, 105, 0, 100, 0, 101, 0, 111, 0, 115, 0, 59, 0, 32, 0, 77, 0, 121, 0, 32, 0, 80, 0, 105, 0, 99, 0, 116, 0, 117, 0, 114, 0, 101, 0, 115, 0, 59, 0, 32, 0, 77, 0, 117, 0, 115, 0, 105, 0, 99, 0, 59, 0, 32, 0, 80, 0, 105, 0, 99, 0, 116, 0, 117, 0, 114, 0, 101, 0, 115, 0, 59, 0, 32, 0, 86, 0, 105, 0, 100, 0, 101, 0, 111, 0, 115, 0, 0, 0
                    State:       Enabled

                GPO: Software Deployment
                    KeyName:     Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Programs\NoWindowsMarketplace
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage
                    State:       disabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{f1996189-a4ad-4cea-b217-22bd9953250b}\SaferFlags
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1C00
                    Value:       0, 0, 3, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\System\WarnUser
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Explorer\NoBalloonFeatureAdvertisements
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\Description
                    Value:       0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1001
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\System\WarnUserTimeout
                    Value:       92, 3, 0, 0
                    State:       Enabled

                GPO: President Container Policy
                    KeyName:     Software\Policies\Microsoft\Windows\NetCache\NoCacheViewer
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure
                    Value:       48, 0, 0, 0
                    State:       Enabled

     

    Tuesday, November 19, 2013 3:02 PM
  •     GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{f1996189-a4ad-4cea-b217-22bd9953250b}\Description
                    Value:       68, 0, 111, 0, 110, 0, 39, 0, 116, 0, 32, 0, 97, 0, 108, 0, 108, 0, 111, 0, 119, 0, 32, 0, 101, 0, 120, 0, 101, 0, 99, 0, 117, 0, 116, 0, 97, 0, 98, 0, 108, 0, 101, 0, 115, 0, 32, 0, 116, 0, 111, 0, 32, 0, 114, 0, 117, 0, 110, 0, 32, 0, 102, 0, 114, 0, 111, 0, 109, 0, 32, 0, 37, 0, 65, 0, 112, 0, 112, 0, 68, 0, 97, 0, 116, 0, 97, 0, 37, 0, 46, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\System\Wallpaper
                    Value:       63, 0, 63, 0, 63, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\System\NoColorChoice
                    State:       disabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\System\NoVisualStyleChoice
                    State:       disabled

                GPO: MMF Boxes Policy
                    KeyName:     Software\Policies\Microsoft\MMC\RestrictToPermittedSnapins
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime
                    Value:       128, 238, 54, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{3c88f264-3727-42a8-b9ac-ecc970e09e0b}\SaferFlags
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Explorer\NoStartMenuHomegroup
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\System\WallpaperStyle
                    Value:       50, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Internet Explorer\Main\Start Page
                    Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 119, 0, 119, 0, 119, 0, 46, 0, 103, 0, 111, 0, 111, 0, 103, 0, 108, 0, 101, 0, 46, 0, 99, 0, 111, 0, 109, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Explorer\NoStartMenuVideos
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: MMF Boxes Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff
                    State:       disabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\Restricted
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\System\MaxProfileSize
                    Value:       128, 132, 30, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\InForest
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoAddRemoveToolbar
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows\DriverSearching\DontPromptForWindowsUpdate
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{3c88f264-3727-42a8-b9ac-ecc970e09e0b}\Description
                    Value:       68, 0, 111, 0, 110, 0, 39, 0, 116, 0, 32, 0, 97, 0, 108, 0, 108, 0, 111, 0, 119, 0, 32, 0, 101, 0, 120, 0, 101, 0, 99, 0, 117, 0, 116, 0, 97, 0, 98, 0, 108, 0, 101, 0, 115, 0, 32, 0, 116, 0, 111, 0, 32, 0, 114, 0, 117, 0, 110, 0, 32, 0, 102, 0, 114, 0, 111, 0, 109, 0, 32, 0, 105, 0, 109, 0, 109, 0, 101, 0, 100, 0, 105, 0, 97, 0, 116, 0, 101, 0, 32, 0, 115, 0, 117, 0, 98, 0, 102, 0, 111, 0, 108, 0, 100, 0, 101, 0, 114, 0, 115, 0, 32, 0, 111, 0, 102, 0, 32, 0, 37, 0, 65, 0, 112, 0, 112, 0, 68, 0, 97, 0, 116, 0, 97, 0, 37, 0, 46, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoRedock
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMBalloonTip
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab
                    State:       disabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktopCleanupWizard
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\TrustedServers
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableProfileQuota
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetworkConnections
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Terminal Server Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\PolicyScope
                    Value:       0, 0, 0, 0
                    State:       Enabled

            Folder Redirection
            ------------------
                GPO: Terminal Server Policy
                    KeyName:      InstallationType:  basic
                        Grant Type:        Not Exclusive Rights
                        Move Type:         Contents of Local Directory moved
                        Policy Removal:    Leave folder in existing location
                        Redirecting Group: N/A
                        Redirected Path:   N/A
                                       
                GPO: Terminal Server Policy
                    KeyName:      InstallationType:  basic
                        Grant Type:        Not Exclusive Rights
                        Move Type:         Contents of Local Directory not moved
                        Policy Removal:    Leave folder in existing location
                        Redirecting Group: N/A
                        Redirected Path:   %HOMESHARE%%HOMEPATH%
                                       
                GPO: Terminal Server Policy
                    KeyName:      InstallationType:  basic
                        Grant Type:        Not Exclusive Rights
                        Move Type:         Contents of Local Directory not moved
                        Policy Removal:    Leave folder in existing location
                        Redirecting Group: N/A
                        Redirected Path:   My Pictures
                                       
                GPO: Terminal Server Policy
                    KeyName:      InstallationType:  basic
                        Grant Type:        Not Exclusive Rights
                        Move Type:         Contents of Local Directory not moved
                        Policy Removal:    Leave folder in existing location
                        Redirecting Group: N/A
                        Redirected Path:   My Music
                                       
                GPO: Terminal Server Policy
                    KeyName:      InstallationType:  basic
                        Grant Type:        Not Exclusive Rights
                        Move Type:         Contents of Local Directory not moved
                        Policy Removal:    Leave folder in existing location
                        Redirecting Group: N/A
                        Redirected Path:   My Videos
                                       
            Internet Explorer Browser User Interface
            ----------------------------------------
                GPO: Terminal Server Policy
                    Large Animated Bitmap Name:      N/A
                    Large Custom Logo Bitmap Name:   N/A
                    Title BarText:                   N/A
                    UserAgent Text:                  N/A
                    Delete existing toolbar buttons: No

            Internet Explorer Connection
            ----------------------------
                HTTP Proxy Server:   N/A
                Secure Proxy Server: N/A
                FTP Proxy Server:    N/A
                Gopher Proxy Server: N/A
                Socks Proxy Server:  N/A
                Auto Config Enable:  No
                Enable Proxy:        No
                Use same Proxy:      No

            Internet Explorer URLs
            ----------------------
                GPO: Terminal Server Policy
                    Home page URL:           N/A
                    Search page URL:         N/A
                    Online support page URL: N/A

            Internet Explorer Security
            --------------------------
                Always Viewable Sites:     N/A
                Password Override Enabled: False

                GPO: Terminal Server Policy
                    Import the current Content Ratings Settings:      No
                    Import the current Security Zones Settings:       No
                    Import current Authenticode Security Information: No
                    Enable trusted publisher lockdown:                No

            Internet Explorer Programs
            --------------------------
                GPO: Terminal Server Policy
                    Import the current Program Settings: Yes
    Tuesday, November 19, 2013 3:04 PM
  • Martin,

    this is weird now, since running gpresults, the policy seems to have applied.

    I wonder why it was so slow to take? - I used the gpupdate /force command and it still seemed like it was broken.

    Tuesday, November 19, 2013 3:22 PM
  •  
    >      The user is a part of the following security groups
    >      ---------------------------------------------------
    >          Domain Users
    >          Everyone
    >          Remote Desktop Users
    >          BUILTIN\Users
    >          REMOTE INTERACTIVE LOGON
    >          NT AUTHORITY\INTERACTIVE
    >          NT AUTHORITY\Authenticated Users
    >          This Organization
    >          LOCAL
    >          Terminal Services User
    >          MicroMain
    >          MgmntDocs
    >          Medium Mandatory Level
     
    This should be enough to answer your question. You made a user gpo and
    you put a group in the security filter that contains other groups the
    user is a member of. Is this group listed here?
     
    And since you mentioned terminal servers: Did you enable loopback "merge
    mode"??? If yes, make sure the computer account has read access to the
    GPO or it won't apply.
     

    Martin

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Tuesday, November 19, 2013 3:32 PM
  • durrrr.... *slams head on desk* ^ that was the issue.

    BTW - where is Merge Mode?


    Tuesday, November 19, 2013 4:46 PM
  • Hi,

    Thanks for posting in the forum.

    Based on the current question, please understand that you could configure User Group Policy loopback processing mode under Computer Configuration\Administrative Templates\System\Group Policy in GPMC. If you configure the Loopback to merge mode, the Group Policy object list is a concatenation. The default list of GPOs for the user object is obtained, as normal, but then the list of GPOs for the computer (obtained during computer startup) is appended to this list. Because the computer's GPOs are processed after the user's GPOs, they have precedence if any of the settings conflict.

    For details about Loopback processing, please refer to the following article.

    Loopback processing with merge or replace

    http://technet.microsoft.com/en-us/library/abe2b1a9-975f-4b2f-b771-9e6a903e97db

    User Group Policy loopback processing mode

    http://technet.microsoft.com/en-us/library/cc978513.aspx

    Windows Server: Understand “User Group Policy Loopback Processing Mode”

    http://social.technet.microsoft.com/wiki/contents/articles/2548.windows-server-understand-user-group-policy-loopback-processing-mode.aspx

    Hope this helps.

    Best Regards,

    Andy Qi

    TechNet Subscriber Support


    Wednesday, November 20, 2013 3:09 AM
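
A small model of what the replies above describe, as an added example that is not part of the thread and not Microsoft's code: nested groups resolve transitively for the security filter, loopback merge appends the computer's GPO list after the user's, and a looped-back GPO is skipped when the computer account cannot read it. The user `jdoe`, computer `TS01$`, group `Sales`, GPO `User Baseline` and the `Pictures` setting are constructed, and the model is a simplification of real Group Policy processing.

```python
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    sec_filter: set                          # Security Filtering trustees (Read + Apply)
    read: set = field(default_factory=set)   # extra trustees with Read only
    user_settings: dict = field(default_factory=dict)

def effective_groups(principal, member_of):
    """Principal plus every group reached through nesting (transitive)."""
    seen, stack = {principal}, [principal]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def user_policy(user, computer, user_gpos, computer_gpos, member_of, loopback=None):
    """Return (names of applied GPOs in processing order, resulting user settings)."""
    u, c = effective_groups(user, member_of), effective_groups(computer, member_of)
    own = [(g, False) for g in user_gpos]
    looped = [(g, True) for g in computer_gpos]
    candidates = {None: own, "merge": own + looped, "replace": looped}[loopback]
    applied, settings = [], {}
    for gpo, via_loopback in candidates:
        if not u & gpo.sec_filter:
            continue                 # user is not in the security filter
        if via_loopback and not c & (gpo.sec_filter | gpo.read):
            continue                 # computer account cannot read the GPO
        applied.append(gpo.name)
        settings.update(gpo.user_settings)   # later GPO wins on conflict
    return applied, settings

# Constructed sample data (hypothetical names except those quoted from the thread).
MEMBER_OF = {
    "jdoe": ["Sales", "Authenticated Users"],
    "Sales": ["company workforce group"],    # nested department group
    "TS01$": ["Domain Computers", "Authenticated Users"],
}
BASELINE = Gpo("User Baseline", {"Authenticated Users"}, user_settings={"Pictures": "local"})

def demo(extra_read, loopback="merge"):
    ts = Gpo("Terminal Server Policy", {"company workforce group"}, set(extra_read),
             {"Pictures": "redirected"})
    return user_policy("jdoe", "TS01$", [BASELINE], [ts], MEMBER_OF, loopback)

if __name__ == "__main__":
    print(demo([]))                    # computer lacks Read: policy skipped
    print(demo(["Domain Computers"]))  # computer can read: policy applied, wins
```

In the first call the user passes the filter through the nested group, yet the policy is still skipped because the computer account has no Read on it; granting Read to a group the computer belongs to is what changes the result.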
  •  
    > durrrr.... *slams head on desk* ^ that was the issue.
     
    :-)))
     
    > BTW - where is Merge Mode?
     
    In addition to the MSFT links Andy posted (these are somewhat "hard" to
    understand...):
     
     
     

    Martin

    Wednesday, November 20, 2013 8:19 AM