Cross Forest User GPOs not applying

I know I've read a ton of forums concerning this issue and most were resolved, but nothing I've read so far has helped, and I'm really hoping there are a few ideas out there that I have missed.
We have two forests: a new 2012 forest and a 2008 at a 2003 forest level, with a two-way forest trust.
We are able to log in to computers in the 2012 forest, regardless of domain, with any user in the 2008 forest. However, we are setting up our workstation environment in the 2012 forest, which requires us to apply user policies. All users are in the 2008 forest. We have enabled the allow cross forest policy and the loopback processing applied to the OU where the client machines are located in Active Directory. We have verified the trust on both sides and tested DNS using nslookup on both sides. The DCs for both forests are located in the same physical building but on two different subnets. The WAN guy has assured us that there are no ACLs involved. The firewall has been shut off on all DCs and all workstations. I see no LSA errors on the DCs. Each forest has a stub DNS zone to the other forest's zones. I've been able to successfully set up computer GPOs to map drives to the users when they log in to 2012 clients.
I'm completely lost for what else we need to be looking at to solve this problem. Any suggestion would be most welcome.

Hi,
Before going further, what settings have we configured? Which Loopback mode have we chosen, Merge or Replace? What are the operating systems of our clients?
For further troubleshooting, we can follow the following article to collect Gpsvc.log file.
How to enable GPO logging on windows 7 /2008 r2 ?
http://blogs.technet.com/b/csstwplatform/archive/2010/11/09/how-to-enable-gpo-logging-on-windows-7-2008-r2.aspx
After getting the log, you may upload it to OneDrive and provide us the download link.
Besides, we can try using netmon.exe to further trace network to see if this is caused by network traffic.
Microsoft Network Monitor 3.4
http://www.microsoft.com/en-in/download/details.aspx?id=4865
How to use Network Monitor to capture network traffic
http://support.microsoft.com/kb/812953/en-us
Best regards,
Frank Shen

Similar Messages

  • User GPO not applying

    I have just started at a new company and am trying to set up some new GPOs.
    We have all the users in a root OU called Accounts.
    We have all the computers in a root OU Company\Workstations.
    There are a number of GPOs assigned to the "Workstations" OU for both User and Computer policies.
    I would like to add some new GPOs to the Users OU for user settings but they will not apply or appear.
    I have run a Group Policy Results on a few workstations and I can see the GPO being applied from the Workstations OU but none from the Users OU. However, if I set the GPO to run off the Workstations OU it appears.
     

    > GPO's in the Workstations OU and if there are any users settings I will
    > have to create a new GPO in for the Accounts' OU for any user settings
    > before I disabled the Loopback GPO?
    Basically "yes". Alternatively change Loopback "replace" to Loopback
    "merge".
    Martin
    How about reading a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Calendar permission for cross-forest users

    How can I grant a mailbox folder, like a doctor's Outlook 2010 calendar, to a cross-forest user like a receptionist?
    The reception accepts and manages all bookings for about 10 doctors and they used to work perfectly. When reception complained that she started seeing Busy status for, say, 3 out of 10 doctors, I noticed the other 7 working calendars have DomainB\Reception explicitly added on the Calendar permission while the 3 faulty ones don't.
    When I tried:
    Add-mailboxfolderpermission -Id 'DomainADoctor1:\calendar' -user 'DomainB\Reception' -accessrights editor
    I simply get the error "The user "DomainB\Reception" is either not valid SMTP address, or there is no matching information."
    Obviously, the cross-forest permission still works but I cannot make the powershell command to work.  I have also tried the ExFolder utility to no avail.  The old Exch admin has left the company.  We use Exchange 2010 SP2
    Thank you for any assistance.

    Just to add more info, the reception mailbox is hosted on DomainA and it is linked to an external account DomainB\Reception. 
    Alternatively, I tried:
    Add-mailboxfolderpermission -Id 'DomainADoctor1:\calendar' -user 'Reception @ DomainA.com' -accessrights editor
    and the command works fine but when the Reception checks the calendar on both Outlook and OWA, she only sees "Busy" on each existing appointments and cannot add new. 
    For those calendars that work, the Editor permission shows "NT User: DomainB" while those that won't shows DomainB mailbox.
    Appreciate any help on this.

  • Loopback GPO on Replace prevents other user GPOs from applying

    I had the need to create a GPO and use a loopback.  Simple little GPO, just to add some stuff to trusted sites on a specific Citrix server.  I created it as a user GPO then did a loopback so I could apply it to only the application hosting XenApp server I wanted.
    I set the loopback to replace, just because it was default and the trusted site settings were not applied anywhere else; I didn't really care.
    Long story short, when I linked that GPO, it, for some reason, prevented all other user GPOs from applying.  Not denied, they just didn't even show up.  
    I figured it out shortly after, and when I changed it to merge, the other user GPOs applied again.  This is not the way I believe Loopback is supposed to work, in either replace or merge.  
    Any insight on why that might have happened?

    > Long story short, when I linked that GPO, it, for some reason, prevented
    > all other user GPOs from applying.  Not denied, they just didn't even
    > show up.
    > I figured it out shortly after, and when I changed it to merge, the
    > other user GPOs applied again.  This is not the way I believe Loopback
    > is supposed to work, in either replace or merge.
     This actually IS the way it is supposed to work:
    http://evilgpo.blogspot.com/2012/02/loopback-demystified.html
    http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
    Martin
    That makes a lot more sense.
    What it says on the GPO itself is:
    "Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.  
    I was interpreting that as GPOs it would replace were only the settings in the loopback.

  • Cross-forest user administration

    I have created a cross-forest trust between DSfW domain and MSAD domain. In both domains, I have added one user (call him CrossAdmin) as member of Builtin\Administrators group.
    I can log in to DSfW domain as CrossAdmin and successfully administer users in MSAD domain using "Active Directory Users and Computers". But the reverse doesn't work. If I log in to MSAD domain as CrossAdmin and in "Active Directory Users and Computers" try to switch to the DSfW domain, I get an error message:
    "The domain dsfwdomain.oursite could not be found because: Access is denied".
    At the same time, the following is logged to /var/log/messages on the DSfW server:
    krb5kdc: [KDC] Regenerating authorization data for cross-realm client [email protected]
    krb5kdc: [KDC] Failed to locate PAC principal data buffer
    krb5kdc: [KDC] PAC lacks principal name authenticator
    krb5kdc: [KDC] Ticket for client [email protected] is not bound to PAC
    Is this a restriction by design, or can it be made to work somehow?


  • GPO Not Applying

    Hi All,
    I have an OU for Computers and an OU for Users.
    I created the FolderRedirect GPO for User configuration (Folder Redirection) for one security group (OLGroup) of people only.
    I have applied it to users but this policy is not applying. Do I need Computers and Users in the same OU?
    AS

    GPO delegation to Sub OU is the same as the domain OU?
    any conflicting GPOs that you think that might cause the problem?
    or check the GPO inheritance and precedence:
    Group Policy settings are processed in the following order:
    Local Group Policy object—Each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing.
    Site—Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
    Domain—Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
    Organizational units—GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
    At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
    This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)
    from this link: http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx

  • GPO not applied at all with build 9926

    Hello,
    I have a Samba 4 Active Directory Domain controller. My LAN is composed of XP and 7 computers; everything works well.
    I also have tested previous builds of Windows 10, and had no particular problem with Group Policies.
    With build 9926, my GPOs are not applied at all. It seems there is a big change making Group Policies not applied / not reloaded when users log in. Here, step by step, is what I have noticed:
    0) At the very first log in, when I do a gpresult /V, I have a message saying something like "no rsop data for this user"
    1) I performed a gpupdate /force
    2) I performed another gpresult /V and then I got information about my GPO
    3) I logged out and logged in with same user --> my GPO is applied
    4) I modified my GPO to set new policy
    5) I logged out and in again --> old policies are applied but new policy is not applied
    6) I performed gpresult /V --> new policy is not displayed
    7) I performed a gpupdate /force and then a gpresult /V --> new policy appears
    8) I logged out and in again --> All policies, including the new one are applied
    So it seems the GPOs are not automatically updated and applied when logging in, and I have to force them manually.
    The good question is : WHY ? :)
    Thanks
    Will

    Hi Will799114,
    I tested this in my environment, it seems a restart would apply group policy successfully, but a sign out and sign in would not trigger this procedure.
    Here I would suggest you post your feedback directly to our Feedback channel:
    http://windows.microsoft.com/en-in/windows/preview-how-to#how-to=tab7
    Alex Zhao
    TechNet Community Support

  • WSUS GPO not applying on server restart

    At first I thought this was limited to a single SBS 2008 server but I have now seen this behavior on another SBS2008 and SBS2011 server.  Basically what happens is I patch the server, I restart the server but... somehow the GPO for WSUS does not apply and leaves the server Windows update settings set on Download automatically and install at 3am when it should be the Standard "Download and Notify for install".
    I can open a command prompt and perform a gpupdate /force and the correct policy immediately applies.
    Has anyone seen this behavior?  Is it possible a Windows patch has caused this issue?  It must be something common amongst all three different instances of SBS.  I do not see any errors in event logs regarding group policy.
    Please Help

    Hi skahlam,
    Does this issue always occur when you reboot the server?
    If yes, to verify if this issue is related to the updates, please try to remove the updates installed recently.
    If issue persists after removing the updates, please try to run the gpresult /h C:\report.html to check the detailed information about the GPO.
    Note: This procedure needs the privilege of the Administrator.
    Best Regards.
    Steven Lee

  • User policies not applied hence dlu not working

    We have 6 pc's that for some reason don't get user policies. Here's the
    line from zmd-message.log of the workstation agent:
    [1296] [ZenworksWindowsService] [56] [] [PolicyManager] []
    [ApplyPolicies: Either user session is null or Device-only mode is
    enabled or Zen logon module is not present; not applying user policies.]
    The zone is 10.3.3, we use a user source connected to edir and the user
    is getting user policies on other computers. What's this Device-only mode?
    regards,
    Limor

    Found the problem. Our people disabled Zenworks User Authentication in
    the registry.
    On 13/09/2011 09:13, Limor wrote:
    > We have 6 pc's that for some reason don't get user policies. Here's the
    > line from zmd-message.log of the workstation agent:
    > [1296] [ZenworksWindowsService] [56] [] [PolicyManager] []
    > [ApplyPolicies: Either user session is null or Device-only mode is
    > enabled or Zen logon module is not present; not applying user policies.]
    >
    > The zone is 10.3.3, we use a user source connected to edir and the user
    > is getting user policies on other computers. What's this Device-only mode?
    >
    > regards,
    > Limor

  • GPO not applying to all users in the same security groups

    If Elaine logs in on Angie's PC does it work?

    Using Windows Server 2008 R1. I have a single domain with two DCs (both Server 2008 R1). Both DCs seem to be communicating without issues, as changes on one DC are replicating normally to the other for all services. I have a group policy set up to set drive mapping for my users. However when I run the GP modeling wizard only a few of the users receive the proper mappings. In this specific instance I have two users, Elaine and Angie.
    1. Both are members of the Domain Users security group and another security group I created called Staff
    2. Neither user is a member of any other security groups.
    3. My group policy Security Filtering setting is set to apply the policy ONLY to the Staff security group
    4. When running the GP Results Wizard, Elaine's computer successfully processes the policy, but Angie's does not, and returns "Access Denied...
    This topic first appeared in the Spiceworks Community

  • PIN sign-in GPO not applying to workstations

    I am currently testing Windows Server 2012 R2 with Windows 8.1 tablets and cannot get PIN sign-in to work on the client machines. I have disabled local policy processing and all of the management is coming from GP; however, when I manually apply the policy setting using gpedit.msc it works. Does anyone know of a way to have it read from GPO in domain?

    Hi,
    Before going further, the setting Turn on PIN sign-in allows users to set up and sign in with PIN. As Don suggested we could check the registry key to confirm if the policy setting was enabled successfully. If yes, to use PIN sign-in option, users need to create a PIN for themselves. After a PIN is created, users should be able to choose to sign in with PIN sign-in option when they log on. After we enabled the turn on PIN sign-in setting, user also need to set the password for sign-in account. After reset the account, user can use sign-in when user re-logon.
    We can follow the steps below to set account password: to create a PIN, the following steps can be referred to as reference:
    Step 1: Swipe in from the right edge of the screen, and then tap Settings.
    (If you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Settings.) 
    Step 2: Tap or click Change PC settings, and then tap or click Accounts. 
    Step 3: Tap or click Sign-in options, and under PIN, tap or click Add.
    If you don't have a password on your account, you'll need to create a password before you can create a PIN. 
    Step 4: Confirm your current password and then you can create a PIN.
    If there is any question, don’t hesitate to let us know.
    Best Regards,
    Erin

  • Import - user preset not applied 'fully'

    This is update of problem reported in previous entry 'duplicate imports'.  Have now tracked the cause of this observation.
    The problem dates back to at least Lightroom 3.
    I use different import presets for my set of cameras so that the file name reflects the camera.
    I also have pairs of presets where the only difference is that a duplicate backup is created or not.
    On my PC the default path for backup files has the drive letter of my card reader.
    What I notice is that if I select the 'backup' preset then change my mind and select the 'non-backup' preset the flag enabling the creation of a backup copy remains selected.  On then proceeding with the import a backup copy is made on the card using the default path.
    This is not normally a problem as I then re-format the card in the camera, but it could be a problem if the card is nearly full as the backup copy process will fail due to lack of space on the card.
    This became apparent because I initially imported files into my LR3 catalogue and thus unknowingly created duplicates on the card.
    Then on importing into my LR4_beta catalogue two copies of each file appeared, the original in the location set by the camera and the duplicate/backup created by LR3.  The import dialog does not show paths on cards so it is not apparent that the duplicate files are in different folders.
    This looks like a bug in the handling of presets, that some settings, in this case the flag to enable backup file creation, are not updated on selecting the preset.
    The pairs of preset names are similar eg c41_backup and c41_nobackup.
    For the softies benefit I also note that if I select the 'non backup' preset for a different camera the flag does get cleared, suggesting the bug is something to do with recognising a change of pre-set.
    I have not checked but this may be the cause of other mysterious import issues.
    Message was edited by: gp7024

    Do you have "Apply Auto Tone adjustments" checked in the Preferences>Presets tab? If yes, uncheck it. If not:
    Take one image into the Develop module, press and hold the Shift key and the "Reset" button bottom-right will change to "Reset (Adobe)", then click on that button. Does the image reset to the way you expected it? If so, you've (inadvertently) changed the default develop settings, to reset them go to Develop menu>Set Default Settings>click on "Restore Adobe Default Settings".

  • Webfeed gpo is applied (in resultant Policy) but RADC is not configured

    After tests for placing Remote app shortcut in Start menu of Windows 7 client and getting positive result I want to automate the process.
    So I created computer GPO for SSO and linked it to OU where test computer resides.
    I created User GPO for WebFeed and linked it to Test Users OU (User1, User2)
    Resultant Policy shows that User GPO is applied to each user. But I cannot get webfeed URL in RADC when logged in with test User2.  To be sure that final solution works I entered manually webfeed url in RADC when logged in as USER1
    1 Remote App works fine from shortcut in start Menu and Desktop when
    USER1 is logged in.
    WebFeed link is entered manually in RADC applet in Control Panel for user USER1
    2. The last desired point is to make work WebFeed GPO.
    If I login as USER2 no icon in start menu. RADC is empty.
    As mentioned Resultant GPO shows that webfeed GPO is applied to USER1 and USER2
    How to troubleshoot this thing?
    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

    what is the registry ? if I want to insert it in the image.
    Can you provide a script plz.
    In GPO itself it says Windows 8 or RT minimum. But I think I saw somewere that I can use it on Windows 7 with RDP 8.
    Thanks.
    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

  • Local forest roaming profiles with remote forest users within RDS?

    We have been using RDS for some time now. New users get a new profile from (*1)"\\domain_1\netlogon\Default User.v2" when they first log on to an RDS session host. Once that is done, the profile becomes a roaming profile that is stored on (*2) "\\some_serverx_in_domain_1\profiles$\%username%".
    (Note, this last setting can be set in 4 different places. We used a GPO and used the Remote Desktop Services section to set it) 
    So far, no rocket science. Now...
    Recently we've been asked to allow user accounts from another (trusted) forest (domain_2) to our RDS environment. These users are able to logon to our RDS environment but they do not get a fresh profile from our (*1) default profile location. Instead, they get a default profile from the RDS session host and this new profile does not become roaming so it is not saved to our (*2) location. How can we force the foreign accounts to get a roaming profile within domain_1 without having to change anything outside our administrative border?
    Note: Their logon servers do not have a "Default User.v2" in their netlogon and their roaming profile settings are set in the AD properties for the user accounts. The roaming profiles they use are pre-2008 and thus unusable for our 2008-R2 RDS environment.
    We are not looking for cross-forest roaming profile functionality. We just want foreign accounts to use our roaming profile setup. Please Help! 

    Hi,
    Thanks for your post.
    Make sure the trusted forest users have permission to access the Default User profile. In addition, ensure the following policy was enabled:
    Computer Configuration\Administrative Templates\System\Group Policy\Allow Cross-Forest User Policy and Roaming User Profiles
    Allows User based policy processing, Roaming User Profiles and User Object logon scripts for cross forest interactive logons. This setting affects all user accounts interactively logging on to a computer in a different forest when a Cross Forest or 2-Way Forest trust exists.
    How to troubleshoot Group Policy object processing failures that occur across multiple forests
    http://support.microsoft.com/kb/910206
    Best Regards,
    Aiden
    Aiden Cao
    TechNet Community Support
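
The client-side settings these threads keep returning to (the "Allow Cross-Forest User Policy and Roaming User Profiles" policy from the first post and from Aiden's reply, and the loopback mode that Frank and Martin ask about) can be read directly on the workstation. The read-only PowerShell below is an added example, not part of any original post; the registry value names `AllowX-ForestPolicy-and-RUP`, `UserPolicyMode` and `GPSvcDebugLevel` do not appear on the page and are the locations Windows uses for these settings.

```powershell
# Added example, not from the original threads. Read-only: nothing is changed.
# Run on a workstation in the resource forest while logged on as the affected user.
Add-Type -AssemblyName System.DirectoryServices

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$diagKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$gpsvcLog  = Join-Path $env:windir 'debug\usermode\gpsvc.log'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy never reached this client
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-ForestName {
    param([scriptblock]$Lookup)
    # Domain lookups throw when no DC is reachable; treat that as "unknown"
    try { return (& $Lookup).Forest.Name } catch { return $null }
}

$computerForest = Get-ForestName { [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain() }
$userForest     = Get-ForestName { [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() }

$crossForest = Get-RegValue $policyKey 'AllowX-ForestPolicy-and-RUP'   # 1 = enabled
$loopback    = Get-RegValue $policyKey 'UserPolicyMode'                # 1 = Merge, 2 = Replace
$debugLevel  = Get-RegValue $diagKey   'GPSvcDebugLevel'               # set when gpsvc.log logging is on

if     ($loopback -eq 1) { $loopbackText = 'Merge' }
elseif ($loopback -eq 2) { $loopbackText = 'Replace' }
else                     { $loopbackText = 'Not configured' }

$isCrossForest = [bool]($computerForest -and $userForest -and ($computerForest -ne $userForest))

$findings = @()
if ($isCrossForest -and $crossForest -ne 1) {
    $findings += 'Cross-forest logon without AllowX-ForestPolicy-and-RUP=1: GPOs from the ' +
                 'user forest are skipped and the client falls back to loopback Replace.'
}
if ($loopback -eq 2) {
    $findings += 'Loopback Replace: only user settings in GPOs scoped to the computer ' +
                 'apply; GPOs linked to the user OU do not.'
}
if ($loopback -eq 1) {
    $findings += 'Loopback Merge: user-scoped GPOs apply first, then user settings from ' +
                 'computer-scoped GPOs, which win on conflict.'
}
if ($null -eq $debugLevel) {
    $findings += 'GPSvcDebugLevel is not set, so no verbose gpsvc.log is being written.'
} elseif (-not (Test-Path $gpsvcLog)) {
    $findings += "Debug logging is on but $gpsvcLog does not exist yet; run gpupdate /force."
}
if ($findings.Count -eq 0) { $findings += 'No client-side misconfiguration detected.' }

[pscustomobject]@{
    ComputerForest    = $computerForest
    UserForest        = $userForest
    CrossForestLogon  = $isCrossForest
    CrossForestPolicy = if ($crossForest -eq 1) { 'Enabled' } else { 'Not enabled' }
    LoopbackMode      = $loopbackText
    GpsvcDebugLevel   = if ($null -ne $debugLevel) { '0x{0:X}' -f $debugLevel } else { 'Not set' }
    Findings          = $findings -join "`n"
} | Format-List
```

If `CrossForestPolicy` reads "Not enabled" even though the GPO is linked, the computer policy itself is not reaching the client, which narrows the problem to computer-side GPO processing before any user-side troubleshooting.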

  • Cross-forest access to public folders Exchange 2013-2007

    Dear.
    We have an Exchange 2007 org in one forest and an Exchange 2013 org in another forest.
    User accounts remain in the 2007 AD, mailbox moved to Exchange 2013 in the other forest, so a linked mailbox.
    What do I need to do in the Exchange 2007 public folders to give the migrated mailboxes (not migrated users) access to these public folders?
    Thanks for the support.
    Regards.
    Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be

    Hi Stephen,
    Do you have trust between Exchange 2007 forest and Exchange 2013 forest? Please set up a trust between the two forests. Then set the public folder client permission to see if we can access the public folders.
    If not, since Public folder cross forest migration is not supported from an Exchange 2007/2010 forest to an Exchange 2013 forest, refer to forum:
    http://social.technet.microsoft.com/Forums/office/en-US/51da1b97-fbb1-4f81-87da-c3370960c4ab/crossforest-public-folder-migration?forum=exchangesvrdeploy
    http://social.technet.microsoft.com/Forums/office/en-US/663f0dc3-a977-408a-93c7-94584fbefc62/public-folder-issue-cross-forest-migration-exchange-2010-to-2013?forum=exchangesvrdeploy
    Title: Migrate Public Folders to Exchange 2013 From Previous Versions
    Link: http://technet.microsoft.com/en-us/library/jj150486(v=exchg.150).aspx
    So for public folder migration, the only supported path is cross forest 2007/2010 to 2007/2010 and then inter forest 2007/010 to 2013. Or we can first export all the public folder to PST from the Exchange 2007 forest, then import the PST to the Exchange 2013 forest.
    Regards, Eric Zou
