+ Reply to Thread
Results 1 to 2 of 2

Thread: GPO Applied when it should not.

  1. 09-12-2008, 04:35 PM #1
    EldarDragon
    EldarDragon is offline Getting Started on GPanswers.com
    Join Date
    Dec 1969
    Posts
    1

    Default

    Hi
    We wanted to restrict Internet access for some users. I did this by restricting access to the IE exe file.

    I set the GPO with security filtering to a group call “No Internet”. Then I added users that I did not want to have access, to that group. It has worked well for a long time in both XP and Vista.

    My problem now is that I want to grant access to the Internet for one of the restricted users. I removed him from the “No Internet” group. When he tries to open IE he still gets the restricted access message. I have done GP update, logged into machine he has never login to before. I have run the RSoP wizard. It shows on the on computer configuration “No Internet” denied - GPO disabled. On the user configuration “No Internet” denied - Access denied (security filtering). The only thing I see that is odd. In the “Security Group Membership when GP was applies” lists a group (“Crew D”) that is a member of “No Internet”. But that user is not actually a member of “Crew D”. So my questions are:

    1. Does anyone see what I could be doing wrong?
    2. Why does the “Security Group Membership when GP was applies” section list some groups the user is not a member of? Nor does it always list all the groups the use is a member.
    3. Why are the “Security Group Membership when GP was applies” sections for computer and user configurations different? I see why some of the built in groups would not be in both, shouldn’t all the ones created for that user be in both?

    Thanks
    Randy
    Reply With Quote Reply With Quote
  2. 10-28-2008, 01:13 PM #2
    PreviousPoster
    PreviousPoster is offline 100+ Helpful Posts! 50+ Helpful Posts
    Join Date
    Dec 1969
    Posts
    1,254

    Default

    Would be to create a Group in AD which this policy is enforced upon, that way you could add/remove users at any time & all they would have to do is log off/on to have policy changed.


    You may have to click on the Group Policy under "Group Policy Objects", then go to the delegation tab. from there you can "add" the user with the advanced tab & checking "DENY - FULL CONTROL" which will deny the user to even see the policy.

    If that doesn't change, you may have to go into the local machine's ie exe file & check permissions (there may be a deny on it).
    Reply With Quote Reply With Quote
+ Reply to Thread
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

Forum Rules


Search Engine Friendly URLs by vBSEO