I wish I had a nickel for every time I solved a problem by explaining it to someone else. Verbalizing it or putting it on paper (or virtually so...) has such a tendency to make you walk the steps.
That's why I wanted to see the USERENV log. I suspected that you might be dealing with a Profile problem, and not a GPO after all. But, it's all a process of elimination, and I thought we'd get the GPO either in or out.

Glad it's all resolved....

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Thursday, June 23, 2005 9:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group policy question

Rick;

I sent you the file offlist. I just rebooted the machine and still have the same problem. Back to the drawing board...

I wanted to run gpresult, but since I can't get to anything on the machine... :-) I did run it using PSExec from another machine while I was logged in as the new user. I don't see the lockdown policy mentioned, but it's still in effect. In my GPMC, the policy is shown as "all settings disabled".

Wait; wait; wait...

OK. I figured it out. When I did the initial lockdown, I logged in as a test user and verified that I couldn't get to anything. Once that was complete, I copied that user's profile to the default user profile. I just tried copying one of the old administrator-level profiles to the new account profile and it works fine. It's not the GPO that's doing the lockdown; it's the profile.

I wonder how I would have figured THAT out without knowing what I tend to do with user profiles...

Thanks!

**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Thursday, June 23, 2005 6:17 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Group policy question
>
> Charlie,
>
> Can you post the rest of the USERENV log? There should be some more lines
> after the:
>
> USERENV(e8.8338) 17:04:15:113 GetDeletedGPOList: Finished.
>
> For all intents and purposes, the call CheckForGPOsToRemove does exactly
> what it says. The next line enumerates the GPOs that need to be removed
> for the profile/principal that is logging on.
>
> However, I can't determine (because of the missing lines) what happened at
> this point.
>
> You should see an enumeration of the GPOs that are candidates to remove, and
> then the next lines should indicate more enumeration and removal, or that
> there are no more old GPOs.
>
> Plus, there should be some flags or the report of clearing the 'dirty bit'.
>
> Shoot those out to us, and let's see what's what. I'd restart it - if you
> can do it without affecting production to a great degree.
>
> Rick
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> Sent: Thursday, June 23, 2005 7:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Group policy question
>
> I have an application mode W2K terminal server that people use to access
> an application. As an administrator, I need to access more stuff on it
> than the application, so we use either a direct console login or a
> DameWare session. I have recently created some new admin accounts as I
> work toward reducing the rights on all domain administrators' normal
> accounts.
> I found that when I log in to the console as a newly created account, I
> get a locked down desktop, even as an admin on that server and/or a
> domain admin. If I use an old account even if it's a user-level account,
> I get a normal desktop.
>
> We have two GPs that affect the OU the server is in (aside from the
> default domain policy). One is a TermSrv lockdown which prohibits pretty
> much anything except the LOB app that needs to run. The other is an
> administrator access policy that allows full access for users in the
> domain admins group.
>
> I've determined that the TermSrv lockdown policy is being applied to the
> new accounts, even if I disable it, thus causing my problem. In my
> troubleshooting efforts, I've cranked up userenv logging, and get the
> following in my log:
> USERENV(e8.8338) 17:04:15:113 ProcessGPOs: Processing extension Registry
> USERENV(e8.8338) 17:04:15:113 CheckForGPOsToRemove: GPO <TermServer Lockdown> needs to be removed
> USERENV(e8.8338) 17:04:15:113 GetDeletedGPOList: Finished.
>
> I can't find anything that references the "CheckForGPOsToRemove" line,
> so I don't know what it's trying to do or if it's failing. I've run
> secedit/refreshpolicy machine/user_policy /enforce with no effect. I am
> considering a reboot to see if it will fix the issue.
>
> Anyone know what the "CheckForGPOsToRemove" section means?
> Thanks!
>
> **********************
> Charlie Kaiser
> MCSE, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **********************
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/