• Server 2008 R2 GPO not working in Workgroup environment

    #493132

    Good morning.

    I hope someone can really help me out on this one, as I have no idea what to do any more. I have a Server 2008 R2 with around 200 users on it. I have NO DOMAIN, so I am running a workgroup, and my users RDP to the server. On all of our other servers the setup is the same. OK, so basically I just run mmc, Group Policy Object, and browse to Non-Administrators, as I only want the restrictions to take effect on the users.

    It worked for over a year, and now it doesn't work any more. I have noted that by deleting the GPO on non-admins the users have complete access to everything, and I do set up a lot of restrictions, like Run, Control Panel, hide all drives from My Computer and a lot more. Basically they can only use the shortcuts I place on their profile desktop. Any help on this matter would be greatly appreciated. Only some of the GPOs take effect; the rest are just ignored. Correct me if I am wrong, but this looks like the GPOs are just being overwritten?

    If I need to give any more info please let me know; I will be more than happy to supply all the info needed to get this problem resolved. Thanks in advance!

    PS. I have spent a lot of time on Google and am still unable to resolve it.

    • #1436279

      GPOs are applied in order, with the last applied having the highest priority – it may change any previous setting. If you have a high priority GPO that grants lots of access then it may be the cause.

      I use GPRESULT to see the order.

      cheers, Paul

    • #1436404

      Hey Paul

      Thank you for responding to my post. I am learning the server environment little by little every day, but can you please be so kind as to teach me something new. I have attached the gpreport.html for you to take a look at.

      I cannot see anything wrong. I compared the results with my other servers and to my untrained eye everything looks fine. In the report I can even see that the policy is active and successful, but when I log on, I can still access Run, Control Panel, and the C drive in My Computer.

      Hope I can get this sorted out as soon as possible before any of the users cause damage to my system.

      You can find the gpresults link here

    • #1436507

      That is an odd one. You only have one GPO and it seems to have the correct settings.
      I’d create a new user and RDP as that user to see if the GPO is correctly applied. If so you could delete the local profile of the users to allow them to pick up the correct one – you will lose any changes they have made on that profile.

      cheers, Paul

    • #1436607

      Creating a new user does not work. I have tried that already and the results are the same. What I don't understand is that my other servers are all set up the same way and yet they don't have this problem. Is there any other setting that could possibly affect the policies? Something like security rights on a file or something?

    • #1436611

      It sounds like an issue with that server where the GPO is not actually applied. Can you create a new user and a new GPO and test that the GPO is applied? If that’s OK you could export / import the old GPO into a new GPO.

      cheers, Paul

    • #1436614

      OK, I have done that. Now the thing that is the most confusing is the following: I have done as you instructed and it turned out the results are still the same. Same as with the current config, only some of the policies take effect; it's like the select few are just completely being ignored. It does remove recent documents, and it does change the start button from shut down to log off. But my biggest concern is "hide all drives", "remove Run from Start menu" and "prevent access to Control Panel". Those are my biggest fear, if I could get them sorted out. Another thing I should note is that there have been a lot of registry changes lately. It's about a program that gave us a lot of issues, so we had to make a lot of changes in the registry. Possibly something went wrong there?
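
Added example, not part of the thread: a PowerShell check, run as an administrator on the RDP server while test users are logged on, that lists whether the registry values behind the three ignored settings exist in each loaded user hive and who has rights on the policy key. `NoRun`, `NoControlPanel` and `NoDrives` are the standard Explorer policy value names for those settings; that this server's GPO writes exactly these values is an assumption.

```powershell
# Explorer policy key inside each user's hive (HKCU for that user).
$sub   = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Assumed value names: Run menu, Control Panel, hidden drives.
# NoDrives is a bitmask, one bit per drive letter (A = bit 0); 67108863 hides A-Z.
$names = 'NoRun', 'NoControlPanel', 'NoDrives'

# Loaded hives belong to users who are currently logged on (for example over RDP).
# The pattern keeps local account SIDs and skips the *_Classes and service hives.
$sids = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { $_.PSChildName }

# 1. Is each policy value actually present in the user's hive?
$report = foreach ($sid in $sids) {
    $key   = "Registry::HKEY_USERS\$sid\$sub"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $names) {
        $value = $null
        if ($props) { $value = $props.$name }
        New-Object PSObject -Property @{
            SID = $sid; ValueName = $name; Value = $value; Present = ($null -ne $value)
        }
    }
}
$report | Format-Table SID, ValueName, Value, Present -AutoSize

# 2. Who holds which rights on the policy key? Compare against a working server.
foreach ($sid in $sids) {
    $acl = Get-Acl -Path "Registry::HKEY_USERS\$sid\$sub" -ErrorAction SilentlyContinue
    if ($acl) {
        "ACL for $sid"
        $acl.Access |
            Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
    } else {
        "No Policies\Explorer key for $sid"
    }
}
```

Running the same script on one of the servers where the restrictions work gives a baseline to compare both tables against.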

    • #1436626

      I tend to agree about the registry changes. No chance of re-building the server?

      cheers, Paul

    • #1437503

      Before rebuilding the server, how about trying to restore it back to a time before the registry changes were made to overcome the problematic software? After restoring the registry, try the GPO again. You’re not on a Domain with ADFS, so running a simple system restore might be effective enough?

      You could even pull the registry from the local on-disk backups using a boot disk if system restore is not available.
