Discussion:
GPO not implemented, possible corrupt local profile?
(too old to reply)
Ken Montgomery
2008-05-20 13:45:03 UTC
Permalink
So I fixed my permission issue for folder redirection and it works fine, on
my test units. My deployed computers that use a group policy to do folder
redirection still do not appear to work correctly. Using gpresult shows the
policy is not being applied, even after a forced update.

But... if I delete the local stored copy of the profile on a workstation,
then log in again after I am sure the network has connected, it seems to be
better.

So I believe my question is, with a large number of these workstations to
straighten out, is there a way to do this easily? It appears the local
stored copy of the GPO and profile are not being updated as they should, that
they have possibly corrupted and have to be removed manually... is there an
easy way to accomplish this that won't be as time consuming as hands on for
each of them?

Anyone else experiencing problems similar to this?

Environment: Windows 2003 Servers, Windows 2000 Servers, 5 DC's, mixed
environment in DC's. Clients are Windows XP SP2, using GPO to do folder
redirection for desktop to controlled folders. Permissions for folder are
wide open to client and domain users, etc. Clients are Dell workstations,
various models.

Any suggestions appreciated...
Jorge Silva
2008-05-20 20:32:10 UTC
Permalink
Hi
Is that policy a new policy? If it is, I'm afraid that will only apply to
newly profiles, and won't mess with old ones.
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
Ken Montgomery
2008-05-21 12:51:01 UTC
Permalink
I'm sorry to say this but if that is the way it is supposed to work,
Microsoft really had no idea how to plan for this.

When the old policy didn't take effect or work on the clients any longer, a
new policy was configured and applied. That new policy, or for that matter,
ANY policy applying to the OU should take affect on the clients ASAP. There
should be no gaps where a client can work from an 'old' policy even after a
new one is put in place... that is a major security gaff if Microsoft
designed it that way.
Post by Jorge Silva
Hi
Is that policy a new policy? If it is, I'm afraid that will only apply to
newly profiles, and won't mess with old ones.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
Jorge Silva
2008-05-21 20:18:45 UTC
Permalink
-I may be wrong; I'll have to test this because I don't have 100% sure.
Now, when you say "ANY policy applying to the OU should take affect on the
clients ASAP" this isn't true, and if it was you would be very sorry, MS is
right to apply some policies only after a reboot, for example, if you do a
Software Deploy via GPO, and that policy take effect immediately, image what
would be like having 300 users or more using a giving program that suddenly
is being replaced with a new one, not a very good idea :) (this is only a
example but there's more), so, to some policies you may need to reboot the
clients or logoff and log on for obvious reasons, so be careful with that.
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
Ken Montgomery
2008-05-22 11:19:00 UTC
Permalink
While it may not be effective to have them all take effect ASAP (especially
software installation), all security based policies should take effect ASAP,
otherwise how would you plug a discovered security leak. I want my policies
such as allowed software to run, denied software, backgrounds, logins, etc...
those need to take immediate action and their should be a way other than
remote reboot of the PC to make them take effect. This lack of ability to
secure your pc's within your organization against spreading threats or other
problems... well it can be disasterous... I understand the philosophy of
doing it the other way but honestly, even after 4-5 reboots and the policy
doesn't override the previous policy? That is just ridiculous... and that is
how it works now.
Post by Jorge Silva
-I may be wrong; I'll have to test this because I don't have 100% sure.
Now, when you say "ANY policy applying to the OU should take affect on the
clients ASAP" this isn't true, and if it was you would be very sorry, MS is
right to apply some policies only after a reboot, for example, if you do a
Software Deploy via GPO, and that policy take effect immediately, image what
would be like having 300 users or more using a giving program that suddenly
is being replaced with a new one, not a very good idea :) (this is only a
example but there's more), so, to some policies you may need to reboot the
clients or logoff and log on for obvious reasons, so be careful with that.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
Jorge Silva
2008-05-22 12:34:00 UTC
Permalink
The policy will apply (by default) every 90 minutes (for some policies you
need a reboot), as for your problem I'll have to do some testing first.
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
Loading...