Group Policy not applying if problem with mandatory profile
Hi there,
We have a well locked down group policy that has been protecting our systems for some time (Windows 2003 domain - XP SP2 clients).
We have recently started applying a mandatory profile to the students to change some settings that are not GP enabled and to speed up the setting up of new profiles.
Unfortunately there are occasionally problems loading this profile and if that happens it attempts to load a default profile. In this case the group policy is not applied to the student and they have access to everything. Obviously they dont have permissions to do harm to other computers or the servers but they can make a mess of the one they are on.
Looking back through posts on here I have enabled the GP settings to log students off if the roaming profile does not load properly, but this does not seem to have made a difference.
Has anyone had any experience of this? Any thoughts what to do?
Cheers
Jonathan
Re: Group Policy not applying if problem with mandatory profile
If they are running as limited users then they should not even be able to muck up the computer they are logging on to.
Re: Group Policy not applying if problem with mandatory prof
They are running as limited users, but without the GP they have access to the C drive and all the desktop settings etc. So far they have only mucked about with desktop colurs etc, but the teachers want to know why they can suddenly do this when it was banned before. Without the GP applied they will also be able to run all the programs that are currently banned.
Also, I learned a long time ago that it is better to have many layers of security. While I believe they cannot do any damage, I would rather them not have access to begin with. I am just confused as to why it would not apply the group policy to their new temporary profile when it was applying OK before...
Jonathan
Re: Group Policy not applying if problem with mandatory profile
When the mandatory profile was created, where the permissions on it changed to Everyone using the 'Copy To' utility?
Re: Group Policy not applying if problem with mandatory prof
Yes - the madatory profile itself is working fine - we have over 1000 students and it has been working for two weeks, it is just that yesterday and today (with no changes being made) one or two children have failed to pick up the profile and receieved the default one instead. This would be fine if the GP was then applied, but it seems to stop the GP as well.
Jonathan
Re: Group Policy not applying if problem with mandatory profile
Are you using redirected folders in the GPo concerned?
I have been looking into this just lately and i'm sure iread that there is an issue with using mandatroy profiles and redirected folders......especially if you redirect My Documents'
Any one else heard this?
Re: Group Policy not applying if problem with mandatory prof
I have redirected folders on one of my year groups - but it is one of the other year groups that these students have been in!
Thanks for the thought though - I will have an investigate around.
Jonathan
Re: Group Policy not applying if problem with mandatory profile
Can you not make it "super mandatory"?
Re: Group Policy not applying if problem with mandatory profile
Quote:
Originally Posted by SpuffMonkey
Can you not make it "super mandatory"?
I would love to :D Any hints....
Jonathan
Re: Group Policy not applying if problem with mandatory profile
There is an option in AD GPO that logs off the user automatically af the application of the profile errors out.
Policy > Computer Configuration > Administrative Templates > System > User Profiles > Log Users off when roaming profile fails
This should kick the users off if the mandatory profile fails to load properly so they can't mess with anything. They can then just log in again to regain access so long as it grabs the mandatory profile the next time.
Re: Group Policy not applying if problem with mandatory profile
Re: Group Policy not applying if problem with mandatory prof
Quote:
Originally Posted by Kyle
Are you using redirected folders in the GPo concerned?
I have been looking into this just lately and i'm sure iread that there is an issue with using mandatroy profiles and redirected folders......especially if you redirect My Documents'
Any one else heard this?
This will certainly fail if the registry permissions in the mandatory profile have not been changed. This is the same reason that will also cause GP to not take effect.
Re: Group Policy not applying if problem with mandatory prof
Ok - thanks for all the responses. I have set the Group Policy setting and started to change the mandatory profiles to Super Manditory (I said I believed in belt and braces!). This has done the trick on my test account, I will let you know if there are any problems with rolling out to the rest of the school.
Many thanks again
Jonathan
Re: Group Policy not applying if problem with mandatory profile
What are the benifits of Super Mandatory?
Re: Group Policy not applying if problem with mandatory prof
Quote:
This will certainly fail if the registry permissions in the mandatory profile have not been changed. This is the same reason that will also cause GP to not take effect.
I am intrigued by this,. can you explain in more detail AJ. Your quote above seems to be a friar description of a lot of problems i am experiencing.
