GPO was working, but not anymore...

michelle

Distinguished
Apr 1, 2004
93
0
18,630
Archived from groups: microsoft.public.win2000.group_policy (More info?)

I recently created a GPO in an OU on a Win2k DC. Initially, everything was working splendidly. In addition to the GPO, I created a VBScript to map network drives, printers, etc. Initially, I placed this file on the client machine and modified the GPO option "run this program when a user logs in" to point to the file. However, I then decided to place the file on the server, rather than having to copy it onto each client. So, I copied the file onto the server and modifed the GPO to point to this file. Since then, the GPO hasn't worked.

When I run gpresult from the client, I get the following:
The following GPOs were not applied because they were filtered out
ACNLogin
Filtering: Denied (Security)

We are using XP Pro clients and a Win2k DC in this particular domain. Also, users are logging on to the client machines using accounts from another domain, so that we don't have to recreate the user accounts in the other domain.

To my knowledge, other than the fact that I copied the script file from the XP client on to the Win2k DC, nothing else has changed. Like I said, until I copied this file and repointed the GPO, things seemed to work fine. When I realized that the GPO was no longer working, I repointed the GPO back to the script on the client, but it made no difference.

I have since tried modifying the GPO to treat this script file as a bonified "login" script (i.e., placed it in the \netlogon share, i.e.), but am still getting the same result when I run gpresult.

Any help would be most appreciated!

--
Michelle Corella
Network Administrator
New Mexico State University
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

The message indicates that the policy has been filtered. Check the security
settings of the GPO to make sure that the appropriate groups have access to
it. By default authenticated users have read and apply group policy.


--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


"Michelle" <corella@zianet.com.123> wrote in message
news:CBB0EF05-3425-4696-8ED4-A7D17AF87BCE@microsoft.com...
> I recently created a GPO in an OU on a Win2k DC. Initially, everything
was working splendidly. In addition to the GPO, I created a VBScript to map
network drives, printers, etc. Initially, I placed this file on the client
machine and modified the GPO option "run this program when a user logs in"
to point to the file. However, I then decided to place the file on the
server, rather than having to copy it onto each client. So, I copied the
file onto the server and modifed the GPO to point to this file. Since then,
the GPO hasn't worked.
>
> When I run gpresult from the client, I get the following:
> The following GPOs were not applied because they were filtered out
> ACNLogin
> Filtering: Denied (Security)
>
> We are using XP Pro clients and a Win2k DC in this particular domain.
Also, users are logging on to the client machines using accounts from
another domain, so that we don't have to recreate the user accounts in the
other domain.
>
> To my knowledge, other than the fact that I copied the script file from
the XP client on to the Win2k DC, nothing else has changed. Like I said,
until I copied this file and repointed the GPO, things seemed to work fine.
When I realized that the GPO was no longer working, I repointed the GPO back
to the script on the client, but it made no difference.
>
> I have since tried modifying the GPO to treat this script file as a
bonified "login" script (i.e., placed it in the \netlogon share, i.e.), but
am still getting the same result when I run gpresult.
>
> Any help would be most appreciated!
>
> --
> Michelle Corella
> Network Administrator
> New Mexico State University
 

michelle

Distinguished
Apr 1, 2004
93
0
18,630
Archived from groups: microsoft.public.win2000.group_policy (More info?)

The security settings are correct. Authenticated users have read and apply group policy...


--
Michelle Corella
Network Administrator
New Mexico State University


"Tim Hines [MSFT]" wrote:

> The message indicates that the policy has been filtered. Check the security
> settings of the GPO to make sure that the appropriate groups have access to
> it. By default authenticated users have read and apply group policy.
>
>
> --
> Tim Hines, MCSE, MCSA
> Windows 2000 Directory Services
>
> =====================================================
> When responding to posts, please "Reply to Group" via
> your newsreader so that others may learn and benefit
> from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Michelle" <corella@zianet.com.123> wrote in message
> news:CBB0EF05-3425-4696-8ED4-A7D17AF87BCE@microsoft.com...
> > I recently created a GPO in an OU on a Win2k DC. Initially, everything
> was working splendidly. In addition to the GPO, I created a VBScript to map
> network drives, printers, etc. Initially, I placed this file on the client
> machine and modified the GPO option "run this program when a user logs in"
> to point to the file. However, I then decided to place the file on the
> server, rather than having to copy it onto each client. So, I copied the
> file onto the server and modifed the GPO to point to this file. Since then,
> the GPO hasn't worked.
> >
> > When I run gpresult from the client, I get the following:
> > The following GPOs were not applied because they were filtered out
> > ACNLogin
> > Filtering: Denied (Security)
> >
> > We are using XP Pro clients and a Win2k DC in this particular domain.
> Also, users are logging on to the client machines using accounts from
> another domain, so that we don't have to recreate the user accounts in the
> other domain.
> >
> > To my knowledge, other than the fact that I copied the script file from
> the XP client on to the Win2k DC, nothing else has changed. Like I said,
> until I copied this file and repointed the GPO, things seemed to work fine.
> When I realized that the GPO was no longer working, I repointed the GPO back
> to the script on the client, but it made no difference.
> >
> > I have since tried modifying the GPO to treat this script file as a
> bonified "login" script (i.e., placed it in the \netlogon share, i.e.), but
> am still getting the same result when I run gpresult.
> >
> > Any help would be most appreciated!
> >
> > --
> > Michelle Corella
> > Network Administrator
> > New Mexico State University
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Since the defaults are ok then there may be a deny set for an object. An
explicit deny overrides any other permissions that a group or user may have.
Based on gpresult, an object has been given an explicit deny on the ACNlogin
policy. Review the GPO permissions and determine which group has been
denied

--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


"Michelle" <corella@zianet.com.123> wrote in message
news:272F3E20-964B-4EE5-9C19-E0B7270BFC4A@microsoft.com...
> The security settings are correct. Authenticated users have read and
apply group policy...
>
>
> --
> Michelle Corella
> Network Administrator
> New Mexico State University
>
>
> "Tim Hines [MSFT]" wrote:
>
> > The message indicates that the policy has been filtered. Check the
security
> > settings of the GPO to make sure that the appropriate groups have access
to
> > it. By default authenticated users have read and apply group policy.
> >
> >
> > --
> > Tim Hines, MCSE, MCSA
> > Windows 2000 Directory Services
> >
> > =====================================================
> > When responding to posts, please "Reply to Group" via
> > your newsreader so that others may learn and benefit
> > from your issue.
> > =====================================================
> > This posting is provided "AS IS" with no warranties, and confers no
rights.
> >
> >
> > "Michelle" <corella@zianet.com.123> wrote in message
> > news:CBB0EF05-3425-4696-8ED4-A7D17AF87BCE@microsoft.com...
> > > I recently created a GPO in an OU on a Win2k DC. Initially,
everything
> > was working splendidly. In addition to the GPO, I created a VBScript to
map
> > network drives, printers, etc. Initially, I placed this file on the
client
> > machine and modified the GPO option "run this program when a user logs
in"
> > to point to the file. However, I then decided to place the file on the
> > server, rather than having to copy it onto each client. So, I copied
the
> > file onto the server and modifed the GPO to point to this file. Since
then,
> > the GPO hasn't worked.
> > >
> > > When I run gpresult from the client, I get the following:
> > > The following GPOs were not applied because they were filtered out
> > > ACNLogin
> > > Filtering: Denied (Security)
> > >
> > > We are using XP Pro clients and a Win2k DC in this particular domain.
> > Also, users are logging on to the client machines using accounts from
> > another domain, so that we don't have to recreate the user accounts in
the
> > other domain.
> > >
> > > To my knowledge, other than the fact that I copied the script file
from
> > the XP client on to the Win2k DC, nothing else has changed. Like I
said,
> > until I copied this file and repointed the GPO, things seemed to work
fine.
> > When I realized that the GPO was no longer working, I repointed the GPO
back
> > to the script on the client, but it made no difference.
> > >
> > > I have since tried modifying the GPO to treat this script file as a
> > bonified "login" script (i.e., placed it in the \netlogon share, i.e.),
but
> > am still getting the same result when I run gpresult.
> > >
> > > Any help would be most appreciated!
> > >
> > > --
> > > Michelle Corella
> > > Network Administrator
> > > New Mexico State University
> >
> >
> >
 

michelle

Distinguished
Apr 1, 2004
93
0
18,630
Archived from groups: microsoft.public.win2000.group_policy (More info?)

I do have deny set for all of the administrator groups. However, Authenticated Users and Domain Users are set to read and apply group policy.


--
Michelle Corella
Network Administrator
New Mexico State University


"Tim Hines [MSFT]" wrote:

> Since the defaults are ok then there may be a deny set for an object. An
> explicit deny overrides any other permissions that a group or user may have.
> Based on gpresult, an object has been given an explicit deny on the ACNlogin
> policy. Review the GPO permissions and determine which group has been
> denied
>
> --
> Tim Hines, MCSE, MCSA
> Windows 2000 Directory Services
>
> =====================================================
> When responding to posts, please "Reply to Group" via
> your newsreader so that others may learn and benefit
> from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Michelle" <corella@zianet.com.123> wrote in message
> news:272F3E20-964B-4EE5-9C19-E0B7270BFC4A@microsoft.com...
> > The security settings are correct. Authenticated users have read and
> apply group policy...
> >
> >
> > --
> > Michelle Corella
> > Network Administrator
> > New Mexico State University
> >
> >
> > "Tim Hines [MSFT]" wrote:
> >
> > > The message indicates that the policy has been filtered. Check the
> security
> > > settings of the GPO to make sure that the appropriate groups have access
> to
> > > it. By default authenticated users have read and apply group policy.
> > >
> > >
> > > --
> > > Tim Hines, MCSE, MCSA
> > > Windows 2000 Directory Services
> > >
> > > =====================================================
> > > When responding to posts, please "Reply to Group" via
> > > your newsreader so that others may learn and benefit
> > > from your issue.
> > > =====================================================
> > > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> > >
> > >
> > > "Michelle" <corella@zianet.com.123> wrote in message
> > > news:CBB0EF05-3425-4696-8ED4-A7D17AF87BCE@microsoft.com...
> > > > I recently created a GPO in an OU on a Win2k DC. Initially,
> everything
> > > was working splendidly. In addition to the GPO, I created a VBScript to
> map
> > > network drives, printers, etc. Initially, I placed this file on the
> client
> > > machine and modified the GPO option "run this program when a user logs
> in"
> > > to point to the file. However, I then decided to place the file on the
> > > server, rather than having to copy it onto each client. So, I copied
> the
> > > file onto the server and modifed the GPO to point to this file. Since
> then,
> > > the GPO hasn't worked.
> > > >
> > > > When I run gpresult from the client, I get the following:
> > > > The following GPOs were not applied because they were filtered out
> > > > ACNLogin
> > > > Filtering: Denied (Security)
> > > >
> > > > We are using XP Pro clients and a Win2k DC in this particular domain.
> > > Also, users are logging on to the client machines using accounts from
> > > another domain, so that we don't have to recreate the user accounts in
> the
> > > other domain.
> > > >
> > > > To my knowledge, other than the fact that I copied the script file
> from
> > > the XP client on to the Win2k DC, nothing else has changed. Like I
> said,
> > > until I copied this file and repointed the GPO, things seemed to work
> fine.
> > > When I realized that the GPO was no longer working, I repointed the GPO
> back
> > > to the script on the client, but it made no difference.
> > > >
> > > > I have since tried modifying the GPO to treat this script file as a
> > > bonified "login" script (i.e., placed it in the \netlogon share, i.e.),
> but
> > > am still getting the same result when I run gpresult.
> > > >
> > > > Any help would be most appreciated!
> > > >
> > > > --
> > > > Michelle Corella
> > > > Network Administrator
> > > > New Mexico State University
> > >
> > >
> > >
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Michelle-
So if you have a user who is in one of those Administrator groups as well
as, obviously, in Authenticated Users, then the Deny will win out over any
Allows that you have for Auth. Users. Just in case you weren't taking that
into account.

--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com



"Michelle" <corella@zianet.com.123> wrote in message
news:063F72EC-5DFA-4E22-885D-75A1A8C72C49@microsoft.com...
> I do have deny set for all of the administrator groups. However,
Authenticated Users and Domain Users are set to read and apply group policy.
>
>
> --
> Michelle Corella
> Network Administrator
> New Mexico State University
>
>
> "Tim Hines [MSFT]" wrote:
>
> > Since the defaults are ok then there may be a deny set for an object.
An
> > explicit deny overrides any other permissions that a group or user may
have.
> > Based on gpresult, an object has been given an explicit deny on the
ACNlogin
> > policy. Review the GPO permissions and determine which group has been
> > denied
> >
> > --
> > Tim Hines, MCSE, MCSA
> > Windows 2000 Directory Services
> >
> > =====================================================
> > When responding to posts, please "Reply to Group" via
> > your newsreader so that others may learn and benefit
> > from your issue.
> > =====================================================
> > This posting is provided "AS IS" with no warranties, and confers no
rights.
> >
> >
> > "Michelle" <corella@zianet.com.123> wrote in message
> > news:272F3E20-964B-4EE5-9C19-E0B7270BFC4A@microsoft.com...
> > > The security settings are correct. Authenticated users have read and
> > apply group policy...
> > >
> > >
> > > --
> > > Michelle Corella
> > > Network Administrator
> > > New Mexico State University
> > >
> > >
> > > "Tim Hines [MSFT]" wrote:
> > >
> > > > The message indicates that the policy has been filtered. Check the
> > security
> > > > settings of the GPO to make sure that the appropriate groups have
access
> > to
> > > > it. By default authenticated users have read and apply group
policy.
> > > >
> > > >
> > > > --
> > > > Tim Hines, MCSE, MCSA
> > > > Windows 2000 Directory Services
> > > >
> > > > =====================================================
> > > > When responding to posts, please "Reply to Group" via
> > > > your newsreader so that others may learn and benefit
> > > > from your issue.
> > > > =====================================================
> > > > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > > >
> > > >
> > > > "Michelle" <corella@zianet.com.123> wrote in message
> > > > news:CBB0EF05-3425-4696-8ED4-A7D17AF87BCE@microsoft.com...
> > > > > I recently created a GPO in an OU on a Win2k DC. Initially,
> > everything
> > > > was working splendidly. In addition to the GPO, I created a
VBScript to
> > map
> > > > network drives, printers, etc. Initially, I placed this file on the
> > client
> > > > machine and modified the GPO option "run this program when a user
logs
> > in"
> > > > to point to the file. However, I then decided to place the file on
the
> > > > server, rather than having to copy it onto each client. So, I
copied
> > the
> > > > file onto the server and modifed the GPO to point to this file.
Since
> > then,
> > > > the GPO hasn't worked.
> > > > >
> > > > > When I run gpresult from the client, I get the following:
> > > > > The following GPOs were not applied because they were filtered
out
> > > > > ACNLogin
> > > > > Filtering: Denied (Security)
> > > > >
> > > > > We are using XP Pro clients and a Win2k DC in this particular
domain.
> > > > Also, users are logging on to the client machines using accounts
from
> > > > another domain, so that we don't have to recreate the user accounts
in
> > the
> > > > other domain.
> > > > >
> > > > > To my knowledge, other than the fact that I copied the script file
> > from
> > > > the XP client on to the Win2k DC, nothing else has changed. Like I
> > said,
> > > > until I copied this file and repointed the GPO, things seemed to
work
> > fine.
> > > > When I realized that the GPO was no longer working, I repointed the
GPO
> > back
> > > > to the script on the client, but it made no difference.
> > > > >
> > > > > I have since tried modifying the GPO to treat this script file as
a
> > > > bonified "login" script (i.e., placed it in the \netlogon share,
i.e.),
> > but
> > > > am still getting the same result when I run gpresult.
> > > > >
> > > > > Any help would be most appreciated!
> > > > >
> > > > > --
> > > > > Michelle Corella
> > > > > Network Administrator
> > > > > New Mexico State University
> > > >
> > > >
> > > >
> >
> >
> >
 

michelle

Distinguished
Apr 1, 2004
93
0
18,630
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Sure, but for a "normal" user (i.e., a user who is not a member of Administrators), it should work, right??

--
Michelle Corella
Network Administrator
New Mexico State University


"Darren Mar-Elia" wrote:

> Michelle-
> So if you have a user who is in one of those Administrator groups as well
> as, obviously, in Authenticated Users, then the Deny will win out over any
> Allows that you have for Auth. Users. Just in case you weren't taking that
> into account.
>
> --
> Darren Mar-Elia
> MS-MVP-Windows Management
> http://www.gpoguy.com
>
>
>
> "Michelle" <corella@zianet.com.123> wrote in message
> news:063F72EC-5DFA-4E22-885D-75A1A8C72C49@microsoft.com...
> > I do have deny set for all of the administrator groups. However,
> Authenticated Users and Domain Users are set to read and apply group policy.
> >
> >
> > --
> > Michelle Corella
> > Network Administrator
> > New Mexico State University
> >
> >
> > "Tim Hines [MSFT]" wrote:
> >
> > > Since the defaults are ok then there may be a deny set for an object.
> An
> > > explicit deny overrides any other permissions that a group or user may
> have.
> > > Based on gpresult, an object has been given an explicit deny on the
> ACNlogin
> > > policy. Review the GPO permissions and determine which group has been
> > > denied
> > >
> > > --
> > > Tim Hines, MCSE, MCSA
> > > Windows 2000 Directory Services
> > >
> > > =====================================================
> > > When responding to posts, please "Reply to Group" via
> > > your newsreader so that others may learn and benefit
> > > from your issue.
> > > =====================================================
> > > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> > >
> > >
> > > "Michelle" <corella@zianet.com.123> wrote in message
> > > news:272F3E20-964B-4EE5-9C19-E0B7270BFC4A@microsoft.com...
> > > > The security settings are correct. Authenticated users have read and
> > > apply group policy...
> > > >
> > > >
> > > > --
> > > > Michelle Corella
> > > > Network Administrator
> > > > New Mexico State University
> > > >
> > > >
> > > > "Tim Hines [MSFT]" wrote:
> > > >
> > > > > The message indicates that the policy has been filtered. Check the
> > > security
> > > > > settings of the GPO to make sure that the appropriate groups have
> access
> > > to
> > > > > it. By default authenticated users have read and apply group
> policy.
> > > > >
> > > > >
> > > > > --
> > > > > Tim Hines, MCSE, MCSA
> > > > > Windows 2000 Directory Services
> > > > >
> > > > > =====================================================
> > > > > When responding to posts, please "Reply to Group" via
> > > > > your newsreader so that others may learn and benefit
> > > > > from your issue.
> > > > > =====================================================
> > > > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights.
> > > > >
> > > > >
> > > > > "Michelle" <corella@zianet.com.123> wrote in message
> > > > > news:CBB0EF05-3425-4696-8ED4-A7D17AF87BCE@microsoft.com...
> > > > > > I recently created a GPO in an OU on a Win2k DC. Initially,
> > > everything
> > > > > was working splendidly. In addition to the GPO, I created a
> VBScript to
> > > map
> > > > > network drives, printers, etc. Initially, I placed this file on the
> > > client
> > > > > machine and modified the GPO option "run this program when a user
> logs
> > > in"
> > > > > to point to the file. However, I then decided to place the file on
> the
> > > > > server, rather than having to copy it onto each client. So, I
> copied
> > > the
> > > > > file onto the server and modifed the GPO to point to this file.
> Since
> > > then,
> > > > > the GPO hasn't worked.
> > > > > >
> > > > > > When I run gpresult from the client, I get the following:
> > > > > > The following GPOs were not applied because they were filtered
> out
> > > > > > ACNLogin
> > > > > > Filtering: Denied (Security)
> > > > > >
> > > > > > We are using XP Pro clients and a Win2k DC in this particular
> domain.
> > > > > Also, users are logging on to the client machines using accounts
> from
> > > > > another domain, so that we don't have to recreate the user accounts
> in
> > > the
> > > > > other domain.
> > > > > >
> > > > > > To my knowledge, other than the fact that I copied the script file
> > > from
> > > > > the XP client on to the Win2k DC, nothing else has changed. Like I
> > > said,
> > > > > until I copied this file and repointed the GPO, things seemed to
> work
> > > fine.
> > > > > When I realized that the GPO was no longer working, I repointed the
> GPO
> > > back
> > > > > to the script on the client, but it made no difference.
> > > > > >
> > > > > > I have since tried modifying the GPO to treat this script file as
> a
> > > > > bonified "login" script (i.e., placed it in the \netlogon share,
> i.e.),
> > > but
> > > > > am still getting the same result when I run gpresult.
> > > > > >
> > > > > > Any help would be most appreciated!
> > > > > >
> > > > > > --
> > > > > > Michelle Corella
> > > > > > Network Administrator
> > > > > > New Mexico State University
> > > > >
> > > > >
> > > > >
> > >
> > >
> > >
>
>
>
 

michelle

Distinguished
Apr 1, 2004
93
0
18,630
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Well, I think we figured it out! Evidently, a Windows 2000 Server requires a separate "loopback" policy to cause the "real" GPO to enforce the user configurations. I had the loopback option enabled in my GPO, but until a separate loopback policy was created, it didn't work. Now it works fine...

Still don't understand why the GPO initially worked without the additional policy, but I guess that's just one of life's little mysteries :)

Anyway, thanks for your help...
Michelle


--
Michelle Corella
Network Administrator
New Mexico State University


"Michelle" wrote:

> Sure, but for a "normal" user (i.e., a user who is not a member of Administrators), it should work, right??
>
> --
> Michelle Corella
> Network Administrator
> New Mexico State University
>
>
> "Darren Mar-Elia" wrote:
>
> > Michelle-
> > So if you have a user who is in one of those Administrator groups as well
> > as, obviously, in Authenticated Users, then the Deny will win out over any
> > Allows that you have for Auth. Users. Just in case you weren't taking that
> > into account.
> >
> > --
> > Darren Mar-Elia
> > MS-MVP-Windows Management
> > http://www.gpoguy.com
> >
> >
> >
> > "Michelle" <corella@zianet.com.123> wrote in message
> > news:063F72EC-5DFA-4E22-885D-75A1A8C72C49@microsoft.com...
> > > I do have deny set for all of the administrator groups. However,
> > Authenticated Users and Domain Users are set to read and apply group policy.
> > >
> > >
> > > --
> > > Michelle Corella
> > > Network Administrator
> > > New Mexico State University
> > >
> > >
> > > "Tim Hines [MSFT]" wrote:
> > >
> > > > Since the defaults are ok then there may be a deny set for an object.
> > An
> > > > explicit deny overrides any other permissions that a group or user may
> > have.
> > > > Based on gpresult, an object has been given an explicit deny on the
> > ACNlogin
> > > > policy. Review the GPO permissions and determine which group has been
> > > > denied
> > > >
> > > > --
> > > > Tim Hines, MCSE, MCSA
> > > > Windows 2000 Directory Services
> > > >
> > > > =====================================================
> > > > When responding to posts, please "Reply to Group" via
> > > > your newsreader so that others may learn and benefit
> > > > from your issue.
> > > > =====================================================
> > > > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > > >
> > > >
> > > > "Michelle" <corella@zianet.com.123> wrote in message
> > > > news:272F3E20-964B-4EE5-9C19-E0B7270BFC4A@microsoft.com...
> > > > > The security settings are correct. Authenticated users have read and
> > > > apply group policy...
> > > > >
> > > > >
> > > > > --
> > > > > Michelle Corella
> > > > > Network Administrator
> > > > > New Mexico State University
> > > > >
> > > > >
> > > > > "Tim Hines [MSFT]" wrote:
> > > > >
> > > > > > The message indicates that the policy has been filtered. Check the
> > > > security
> > > > > > settings of the GPO to make sure that the appropriate groups have
> > access
> > > > to
> > > > > > it. By default authenticated users have read and apply group
> > policy.
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Tim Hines, MCSE, MCSA
> > > > > > Windows 2000 Directory Services
> > > > > >
> > > > > > =====================================================
> > > > > > When responding to posts, please "Reply to Group" via
> > > > > > your newsreader so that others may learn and benefit
> > > > > > from your issue.
> > > > > > =====================================================
> > > > > > This posting is provided "AS IS" with no warranties, and confers no
> > > > rights.
> > > > > >
> > > > > >
> > > > > > "Michelle" <corella@zianet.com.123> wrote in message
> > > > > > news:CBB0EF05-3425-4696-8ED4-A7D17AF87BCE@microsoft.com...
> > > > > > > I recently created a GPO in an OU on a Win2k DC. Initially,
> > > > everything
> > > > > > was working splendidly. In addition to the GPO, I created a
> > VBScript to
> > > > map
> > > > > > network drives, printers, etc. Initially, I placed this file on the
> > > > client
> > > > > > machine and modified the GPO option "run this program when a user
> > logs
> > > > in"
> > > > > > to point to the file. However, I then decided to place the file on
> > the
> > > > > > server, rather than having to copy it onto each client. So, I
> > copied
> > > > the
> > > > > > file onto the server and modifed the GPO to point to this file.
> > Since
> > > > then,
> > > > > > the GPO hasn't worked.
> > > > > > >
> > > > > > > When I run gpresult from the client, I get the following:
> > > > > > > The following GPOs were not applied because they were filtered
> > out
> > > > > > > ACNLogin
> > > > > > > Filtering: Denied (Security)
> > > > > > >
> > > > > > > We are using XP Pro clients and a Win2k DC in this particular
> > domain.
> > > > > > Also, users are logging on to the client machines using accounts
> > from
> > > > > > another domain, so that we don't have to recreate the user accounts
> > in
> > > > the
> > > > > > other domain.
> > > > > > >
> > > > > > > To my knowledge, other than the fact that I copied the script file
> > > > from
> > > > > > the XP client on to the Win2k DC, nothing else has changed. Like I
> > > > said,
> > > > > > until I copied this file and repointed the GPO, things seemed to
> > work
> > > > fine.
> > > > > > When I realized that the GPO was no longer working, I repointed the
> > GPO
> > > > back
> > > > > > to the script on the client, but it made no difference.
> > > > > > >
> > > > > > > I have since tried modifying the GPO to treat this script file as
> > a
> > > > > > bonified "login" script (i.e., placed it in the \netlogon share,
> > i.e.),
> > > > but
> > > > > > am still getting the same result when I run gpresult.
> > > > > > >
> > > > > > > Any help would be most appreciated!
> > > > > > >
> > > > > > > --
> > > > > > > Michelle Corella
> > > > > > > Network Administrator
> > > > > > > New Mexico State University
> > > > > >
> > > > > >
> > > > > >
> > > >
> > > >
> > > >
> >
> >
> >