    Forcing Group Policy

    • J
      Joel
      last edited by

      Guys, can you help? I am trying to hide my data E drive on the server. I'm sure I have the GPO correctly configured, however it's not working OR more just not updating. If I do a gpupdate /force - should that not automatically force it? I have tried logging in and out and even restarting the server but it seems to not want to kick in. I have other GPs on the same OU which kick in straight away when I make changes but it's not hiding the drives so wondered if anyone can help shed light?

      • B
        black3dynamite @Joel
        last edited by

        @joel said in Forcing Group Policy:

        Guys, can you help? I am trying to hide my data E drive on the server. I'm sure I have the GPO correctly configured, however it's not working OR more just not updating. If I do a gpupdate /force - should that not automatically force it? I have tried logging in and out and even restarting the server but it seems to not want to kick in. I have other GPs on the same OU which kick in straight away when I make changes but it's not hiding the drives so wondered if anyone can help shed light?

        Where did you link the group policy object at?

        • B
          black3dynamite
          last edited by

          If you chose to hide a drive, applications can still see it.

          • J
            Joel
            last edited by

            I created a new OU and put the users I want it to apply to within there. The policy is linked to that OU.

            I'm happy if they are clever enough to know they can browse to the drive but I just don't want them to see the drive at first glance.

            • B
              black3dynamite
              last edited by

              Here's what I've done to make it work.
              I have a group called HideDrivesFromUsers and then add the users who are not allowed to see the drive in the group.

              I linked the policy object to domain.local
              Under Scope tab, remove authenticated users from Security Filtering.
              Under Scope tab, add HideDrivesFromUsers
              Under Delegation tab, add authenticated users with read permission.

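The scoping steps from the post above, scripted with the GroupPolicy PowerShell module (an added example, not part of the original thread). The GPO name `Hide E Drive` is a hypothetical placeholder; `HideDrivesFromUsers` and `domain.local` come from the post.

```powershell
# Added example. Needs the GroupPolicy module (RSAT / GPMC) and rights to edit the GPO.
Import-Module GroupPolicy

$GpoName = 'Hide E Drive'          # hypothetical GPO display name
$Group   = 'HideDrivesFromUsers'   # group named in the post
$Target  = 'DC=domain,DC=local'    # domain root, as in the post

# Link the GPO to the domain root unless a link already exists.
$som = Get-GPInheritance -Target $Target
if ($som.GpoLinks.DisplayName -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $Target -LinkEnabled Yes | Out-Null
}

# Authenticated Users: drop "Apply group policy" but keep Read.
# -Replace is required, otherwise the existing higher permission stays in place.
# Read must remain: since MS16-072 user policy is fetched in the computer's
# security context, so a GPO nobody but the target group can read is skipped.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Security filtering: only members of the group get Read + Apply.
Set-GPPermission -Name $GpoName -TargetName $Group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Show the resulting ACL entries that decide who the GPO applies to.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Trustee.Name -in 'Authenticated Users', $Group } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
```

Expect `GpoRead` for Authenticated Users and `GpoApply` for the group; group membership changes only take effect for a user at their next logon.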
              • D
                Dashrender
                last edited by Dashrender

                https://technet.microsoft.com/en-us/library/cc978514.aspx

                https://social.technet.microsoft.com/Forums/windowsserver/en-US/ed0e5985-4902-4af1-af45-ee1330eb2bc1/ho-to-remove-user-access-permission-to-c-drive-in-terminal-server?forum=winservergen

                • J
                  Joel @black3dynamite
                  last edited by

                  @black3dynamite said in Forcing Group Policy:

                  Here's what I've done to make it work.
                  I have a group called HideDrivesFromUsers and then add the users who are not allowed to see the drive in the group.

                  I linked the policy object to domain.local
                  Under Scope tab, remove authenticated users from Security Filtering.
                  Under Scope tab, add HideDrivesFromUsers
                  Under Delegation tab, add authenticated users with read permission.

                  I tried this but still doesn't work!

                  • K
                    Kelly @Joel
                    last edited by

                    @joel said in Forcing Group Policy:

                    @black3dynamite said in Forcing Group Policy:

                    Here's what I've done to make it work.
                    I have a group called HideDrivesFromUsers and then add the users who are not allowed to see the drive in the group.

                    I linked the policy object to domain.local
                    Under Scope tab, remove authenticated users from Security Filtering.
                    Under Scope tab, add HideDrivesFromUsers
                    Under Delegation tab, add authenticated users with read permission.

                    I tried this but still doesn't work!

                    Are you seeing the policy successfully apply when you look at the RSOP? Most of the issues I've encountered with GPOs are either due to container problems or with DC sync issues (typically DNS is the culprit).

                    • M
                      momurda
                      last edited by

                      Weird. Just last night I changed a GPO for drive maps. Used Replace because I moved a share to a different server.
                      It isn't working either.

                      • J
                        Joel
                        last edited by

                        So all is now working guys... I realised I kept applying GPOs again and again, deleting them and re-applying the same things to get it to work. Where I should have taken a step back and instead of re-creating and re-applying I should have modified the GPO to remove the existing configuration - applied it so it was all clear and then re-applied if that makes sense.

                        Thanks for your help

                        • D
                          dbeato @Joel
                          last edited by

                          @joel Yeah, that makes sense. Rebooting also works well.

                          • W
                            wrx7m
                            last edited by wrx7m

                            In the future you can also use this command (run as admin) on the affected system to view which GPOs are being applied.

                            gpresult /h c:\gp.html /f

                            Once it creates the file, open it and show all content and do a Ctrl+F for the GPO name or even the setting specific to the issue to see if it says it is being applied or blocked. You can use this to troubleshoot link order or permissions issues or even if it is showing at all (maybe you have a WMI filter or link disabled).

                            • J
                              JaredBusch @wrx7m
                              last edited by

                              @wrx7m said in Forcing Group Policy:

                              In the future you can also use this command (run as admin) on the affected system to view which GPOs are being applied.

                              gpresult /h c:\gp.html /f

                              You need to be careful when testing things on a user without admin rights.

                              Because when you run as admin and enter the admin account password, you are no longer running in the user's context. So not all of the same GPO may show up.

                              • W
                                wrx7m @JaredBusch
                                last edited by

                                @jaredbusch said in Forcing Group Policy:

                                @wrx7m said in Forcing Group Policy:

                                In the future you can also use this command (run as admin) on the affected system to view which GPOs are being applied.

                                gpresult /h c:\gp.html /f

                                You need to be careful when testing things on a user without admin rights.

                                Because when you run as admin and enter the admin account password, you are no longer running in the user's context. So not all of the same GPO may show up.

                                True. If you don't run as admin, though, the computer policy will be blank. So you would have to run it regular for the user and as admin for computer.

                                • B
                                  black3dynamite @wrx7m
                                  last edited by

                                  @wrx7m said in Forcing Group Policy:

                                  In the future you can also use this command (run as admin) on the affected system to view which GPOs are being applied.

                                  gpresult /h c:\gp.html /f

                                  Once it creates the file, open it and show all content and do a Ctrl+F for the GPO name or even the setting specific to the issue to see if it says it is being applied or blocked. You can use this to troubleshoot link order or permissions issues or even if it is showing at all (maybe you have a WMI filter or link disabled).

                                  Group Policy Results in Group Policy Management Console can provide the same results too.

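The `gpresult` check discussed in the last few posts, as a script that looks up one GPO per scope and records whose context it ran in (an added example, not code from the thread). The GPO name `Hide E Drive` is a hypothetical placeholder, and the XML element names (`UserResults`, `ComputerResults`, `GPO`, `Enabled`, `FilterAllowed`, `AccessDenied`) are assumed from the report `gpresult /x` writes; confirm them against your own file.

```powershell
# Added example. Run non-elevated as the affected user for -Scope User,
# and from an elevated prompt for -Scope Computer.
function Get-GpoRsopStatus {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [ValidateSet('User', 'Computer')] [string] $Scope = 'User'
    )

    $report = Join-Path $env:TEMP "rsop-$Scope.xml"
    Remove-Item $report -ErrorAction SilentlyContinue   # never parse a stale report

    # Same tool as in the thread, but XML output (/x) limited to one scope.
    gpresult /scope $Scope /x $report /f | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $report)) {
        throw "gpresult failed for scope '$Scope' (Computer scope needs elevation)"
    }

    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($report)                                   # honours the file's encoding

    # Assumed element names, see the lead-in.
    $results = if ($Scope -eq 'User') { $xml.Rsop.UserResults } else { $xml.Rsop.ComputerResults }
    $gpo = $results.GPO | Where-Object { $_.Name -eq $GpoName } | Select-Object -First 1

    [pscustomobject]@{
        RunAs         = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        Scope         = $Scope
        Gpo           = $GpoName
        InReport      = [bool] $gpo          # false: not linked in scope, or not readable
        Enabled       = $gpo.Enabled         # false: GPO or its settings are disabled
        FilterAllowed = $gpo.FilterAllowed   # false: excluded by a WMI filter
        AccessDenied  = $gpo.AccessDenied    # true: excluded by security filtering
    }
}

# 'Hide E Drive' is a placeholder name.
Get-GpoRsopStatus -GpoName 'Hide E Drive' -Scope User
```

If `RunAs` shows the admin account rather than the affected user, the User-scope result describes the admin's policy, which is the caveat raised above.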