GPO does not apply if Mandatory User Profile is used (Profiles / User Environment forum on BrianMadden.com)


Not Ranked
Points 305
Brian McLean Posted: 03-11-2008 12:56 PM
Environment:
Windows Server 2003 SP2
Citrix PS 4.0 - hotfix Rollup 3

Citrix Servers Reside in Separate OU
1 GPO Applied with Loopback Processing set to Replace

Problem - Login as user with Mandatory Profile defined (Man profile exists on local drive in C:\TSPROFILE)
GPO does not apply

Login as same user with a Roaming or Local Profile, and GPO applies successfully.

Has anybody else ever seen such behavior?

Thanks..
Top 10 Contributor
Points 26,630
I would check your mandatory profile to see if there is something in there that is disabling Loopback Processing, or something similar.
DON'T FORGET TO VOTE!!!

Why is it called "Common Sense"? It doesn't seem all that common!
Not Ranked
Points 305
What would block loopback processing in a mandatory profile?
Top 10 Contributor
Points 15,602
What does your GPO do (i.e. what settings)?

Alan Osborne
President (MCSE, CCNA, VCP, CCA)
VCIT Consulting - Citrix/Terminal Services Remote Desktop Solutions for SMB
p: 604-288-7325
c: 778-836-8025
web: http://www.vcit.ca
blog: http://www.vcit.ca/wordpress

Not Ranked
Points 305
Locks down the environment.

Removes most of control panel icons.
Removes Shutdown button.
A lot of "Standard" Office Settings for our company.
Desktop Settings
IE Settings



Top 10 Contributor
Points 15,602
Hmm, that is weird.

I use a mandatory profile on the client side with GPO settings that highly restrict users, but have no issues.

Have you run a RSOP query against the user account and one of the CPS machine accounts contained in the OU where the GPO is linked yet? I'm curious if RSOP will show the GPO as having been applied or not when using the mandatory profile.

Alan Osborne

Top 10 Contributor
Points 15,602
Oh, one other thing - any errors in your userenv log file?

http://support.microsoft.com/kb/221833/en-us

Alan Osborne

Top 75 Contributor
Points 1,592
Good suggestions. One question Brian: Were you logged on as local or domain administrator when you created that .man profile? Conversely, check the scope and security filtering on that GPO as well.

Hope this helps and please post your findings,

Best regards,

Samuel A. Rodriguez
Sr. Systems Administrator

Not Ranked
Points 305
Mandatory profile was created as a local admin. After creation, the profile was moved to a share, shared to Authenticated Users with security set to Read. Also, permissions were set on the ntuser.man file within regedit.

What I have found is that the GPOs will apply to Administrators. (I haven't set any filtering yet while I'm trying to work through this issue.)

Here is what I have done for additional troubleshooting:
1. Created a separate OU --> moved one Citrix box into the OU
2. Block inheritance on the OU, no GPO's applied
3. Empty GPO created that does nothing but set Loopback processing to Replace
4. New GPO created that does nothing but remove the "Shutdown" button (User Setting). (This is just to easily test whether the policy is applying.)

If I run gpresult, it shows that both of the policies created in step 3 and 4 are applied. However, the policy setting is not applied unless the user is a member of the local administrators group.
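The gap Brian describes (gpresult lists the GPO, yet the user setting never takes effect) can be pinned down in the user's own session. The script below is an added example written for this thread, not code from the original poster; it assumes PowerShell 2.0 or later is installed on the terminal server, that the step 4 test GPO is named "Test - Remove Shutdown" (an assumed name), and uses the fact that "Remove and prevent access to the Shut Down command" is stored as NoClose = 1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. It compares the gpresult report with the value actually present in HKCU and then probes whether the user can write to that policy key at all, which is exactly what fails when the hive carried in ntuser.man was built under a different account's ACL.

```powershell
# Added example, not from the thread: run in the affected user's session on
# the terminal server to compare what gpresult reports with what actually
# reached HKCU. Assumes PowerShell 2.0 or later is installed on the server.
param(
    # Assumed display name of the test GPO from step 4 of the post above.
    [string]$GpoName = 'Test - Remove Shutdown'
)

# "Remove and prevent access to the Shut Down command" (User Configuration)
# is written as NoClose = 1 under this key.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$expected  = @{ NoClose = 1 }

function Test-GpoListed {
    # gpresult names every GPO the engine processed; it does not prove that
    # each registry value inside it was written successfully.
    param([string]$Name)
    $report = gpresult /scope user /v 2>&1 | Out-String
    return ($report -match [regex]::Escape($Name))
}

function Get-EffectiveValues {
    # Read the values the policy should have written, or $null if absent.
    param([string]$Key, [hashtable]$Expected)
    $result = @{}
    foreach ($name in $Expected.Keys) {
        $item = Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
        $result[$name] = if ($item) { $item.$name } else { $null }
    }
    return $result
}

function Test-PolicyKeyWritable {
    # A hive whose ACL only grants the account that built the profile makes
    # every policy write under HKCU fail for the user who loads it.
    param([string]$Key)
    $probe = 'GpoProbe_' + [guid]::NewGuid().ToString('N')
    try {
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force -ErrorAction Stop | Out-Null }
        New-ItemProperty -Path $Key -Name $probe -Value 1 -PropertyType DWord -ErrorAction Stop | Out-Null
        Remove-ItemProperty -Path $Key -Name $probe -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

$listed   = Test-GpoListed -Name $GpoName
$actual   = Get-EffectiveValues -Key $policyKey -Expected $expected
$writable = Test-PolicyKeyWritable -Key $policyKey

"GPO '$GpoName' listed by gpresult : $listed"
foreach ($name in $expected.Keys) {
    "{0} = {1} (expected {2}) : {3}" -f $name, $actual[$name], $expected[$name], ($actual[$name] -eq $expected[$name])
}
"$policyKey writable by this user : $writable"
if ($listed -and -not $writable) {
    'gpresult lists the GPO but the user cannot write HKCU policy keys: check the ACL inside ntuser.man.'
}
```

Run it once as the test user with the mandatory profile and once with a local or roaming profile for the same account. If gpresult lists the GPO in both cases but only the mandatory session reports the key as not writable, the problem is the ACL baked into the hive rather than scope, filtering or loopback processing.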
Top 75 Contributor
Points 1,592
Hi Brian,

I wish I had the precise answer for you. I think you're on the right track. Using gpresult and/or RSoP in logging mode was the first thing to do. Your issue appears to be permissions-related, yes?

I would also try the following.
1. Set GPO filtering to 'Authenticated Users'. I usually exclude Domain/Local Administrators on my GPOs because when I log on with RDP or at the console, I want a full desktop.
2. Consider disabling loopback processing. Do not use it unless you have to. http://support.microsoft.com/kb/231287
3. Re-create that mandatory profile. There aren't many sources out there that tell you how. This one's old but will do. http://support.microsoft.com/kb/q168476/
If you're really good, you can get its size down to around 256k (loads much faster; hint: do not use a wallpaper and delete unneeded folders).

Question: Where are your DS and DC located in AD?

Here's another decent troubleshooting guide: http://technet.microsoft.com/en-us/magazine/cc162497.aspx

Hope this helps,


Samuel A. Rodriguez

Not Ranked
Points 150
At a guess, you've probably manually copied the profile to C:\TSPROFILE rather than using the profile tab; by doing this it has set the permissions correctly on the NTUSER.DAT file.

To rectify this load the profile into the registry and apply permissions to Authenticated Users Full control on the Reg File you've just imported.

Alternatively recreate the profile but use the profile tab to copy the profile and set the correct permissions.

Rgds

Andy Friar
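Andy's fix is to load the hive into the registry and grant Authenticated Users Full Control on it. The script below is an added example for this thread, not code from Andy or from the forum; it assumes PowerShell 2.0 or later on the server, an elevated session, that no user currently has the profile loaded, and that the temporary hive name HKU\TSPROFILE_CHECK is free. It shows both ACLs that matter: the NTFS ACL on the .man file (which should stay Read for users, as Brian set on the share) and the ACL stored inside the hive, which is what governs whether policy values can be written to HKCU at logon. Without -Fix it only reports; with -Fix it adds the inheritable Full Control entry at the hive root.

```powershell
# Added example, not from the thread: inspect, and optionally repair, the ACL
# stored inside a mandatory profile hive. Run from an elevated PowerShell
# (2.0 or later assumed) on the server; the profile must not be in use.
param(
    [string]$ProfilePath = 'C:\TSPROFILE',  # path given in the original post
    [switch]$Fix                            # without -Fix the hive is only read
)

$hiveFile     = Join-Path $ProfilePath 'ntuser.man'
$mountKey     = 'HKU\TSPROFILE_CHECK'                # temporary hive name, assumed unused
$mountPs      = 'Registry::HKEY_USERS\TSPROFILE_CHECK'
$authUsersSid = 'S-1-5-11'                           # well-known SID: Authenticated Users
$fullControl  = [int][System.Security.AccessControl.RegistryRights]::FullControl

function Test-AuthUsersFullControl {
    # True when an Allow rule for Authenticated Users grants FullControl.
    param([System.Security.AccessControl.RegistrySecurity]$Acl)
    foreach ($rule in $Acl.Access) {
        $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -eq $authUsersSid -and
            $rule.AccessControlType -eq 'Allow' -and
            (([int]$rule.RegistryRights -band $fullControl) -eq $fullControl)) {
            return $true
        }
    }
    return $false
}

if (-not (Test-Path $hiveFile)) { throw "Hive not found: $hiveFile" }

# NTFS side: users need only Read on the .man file; that is what keeps the
# profile mandatory, so this ACL is reported but never changed here.
"File ACL on $hiveFile"
(Get-Acl $hiveFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize | Out-String

# Registry side: mount the hive under a temporary name and read its root ACL.
reg load $mountKey $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hiveFile (is the profile in use?)" }
try {
    $acl = Get-Acl -Path $mountPs
    "Registry ACL inside the hive"
    $acl.Access | Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize | Out-String
    $ok = Test-AuthUsersFullControl -Acl $acl
    "Authenticated Users have Full Control inside the hive : $ok"

    if (-not $ok -and $Fix) {
        $identity = New-Object System.Security.Principal.SecurityIdentifier $authUsersSid
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $mountPs -AclObject $acl
        "Added Authenticated Users : Full Control (inheritable) at the hive root"
    }
} finally {
    # Release PowerShell's handles to the key before unloading, or reg unload fails.
    $acl = $null
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    reg unload $mountKey | Out-Null
}
```

The inheritable rule added at the root only reaches subkeys that still inherit; any subkey with inheritance disabled needs the same entry applied separately (regedit's "Replace permission entries on all child objects" does this in one step). Granting Full Control inside the hive does not let users change the profile on the share, because the .man file itself stays read-only to them.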
Not Ranked
Points 40

Hi Brian,

Did you get to the bottom of your issue?

I have a similar problem where GPO does not seem to be applying correctly when used in an environment with mandatory profile. RSOP and UserEnvDebug show that things look like they should apply.

My GPO calls a logonscript.vbs but this does not seem to always run for Mandatory users.

Thanks

David

D.Thomas
www.thinworld.net
Copyright © 1997-2008 The Brian Madden Company, LLC