Help Needed with simple GPO

  • Help Needed with simple GPO

    Hi,

    I am new to GPOs and I have been trying to figure out a simple GPO, but it is not working as expected. Here are my requirements.

    I would like to block everybody from being able to attach PSTs to Outlook 2010 and, based on security group membership, to allow the users in that group to attach PSTs in Outlook.

    I have created 2 GPOs based on the Outlook 2010 ADM templates; one of them is called AllowPST and the other is DenyPST.

    DenyPST is configured for Authenticated Users in the Security filtering and applied to an OU where users live.

    AllowPST is configured for a security group, without Authenticated Users in Security filtering, and applied to the same OU.

    When I run GPUpdate on the machine of a user who is allowed to have PSTs, I only get the DenyPST GPO applied, and AllowPST is filtered out and says Filtering: Denied (Security)

    Not sure what is happening and why.

    Any feedback would be appreciated and thank you for reading my post.

    IcyFish

  • #2
    Re: Help Needed with simple GPO

    Is the group for the AllowPST newly created?

    On the user that should be allowed, run whoami /groups. Make sure the AllowPST group is listed for the user.

    Also make sure the AllowPST GPO is higher in the order than the DenyPST GPO on the links for the OU.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: Help Needed with simple GPO

      Thank you for the reply, Jeremy. This is a new security group that was created prior to the GPO creation. The user is a member of this group. I have made it link order 1 (AllowPST) for this OU. To your point about whoami /groups, the user was not listed, but after rebooting a few times I have him showing in the group, and interestingly now from below I see that it was not applied because it was EMPTY, as before it was Denied (Security) and filtered out.

      Here is the snippet. Interesting thing is after I rebooted the machine I

      Applied Group Policy Objects
      -----------------------------
      Outlook2010DisAllowPST
      Outlook2010CachedMode

      The following GPOs were not applied because they were
      -----------------------------------------------------
      Local Group Policy
      Filtering: Not Applied (Empty)

      Default Domain Policy
      Filtering: Not Applied (Empty)

      Outlook2010AllowPST
      Filtering: Not Applied (Empty)

      The user is a part of the following security groups
      ---------------------------------------------------
      Domain Users
      Everyone
      BUILTIN\Users
      NT AUTHORITY\INTERACTIVE
      CONSOLE LOGON
      NT AUTHORITY\Authenticated Users
      This Organization
      LOCAL
      AllowPST
      Medium Mandatory Level



      • #4
        Re: Help Needed with simple GPO

        Jeremy,

        I think I figured it out. Thank you for all your feedback. Empty seems to have been because that GPO was not configured with and I said "Disabled" from "not configured" and I did gpupdate and I see it working. Not sure what this was all about. Lol. Still don't know why I needed to reboot this a few times, and even after a few times it was not working the first time, so I waited almost 6 hours and rebooted again and it showed up.


        Applied Group Policy Objects
        -----------------------------
        Outlook2010AllowPST
        Outlook2010DisAllowPST
        Outlook2010CachedMode

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
        Local Group Policy
        Filtering: Not Applied (Empty)

        Default Domain Policy
        Filtering: Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        AllowPST
        Medium Mandatory Level



        • #5
          Re: Help Needed with simple GPO

          The reason the group didn't show up right away is because that information is part of the Kerberos ticket the user gets. It is not updated until the user gets a renewal or a new ticket. The default duration is 10 hours I think.

          You can use KerbTray to force a re-authentication which would update the group membership list right away. (part of the support tools)
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com
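
A way to read the gpresult excerpts posted in this thread programmatically (an added example, not code from any poster): it parses the text layout quoted above and relates a filtered GPO's reason to the user's group list. `SAMPLE` is constructed, and `parse_gpresult`, `diagnose` and the messages they return are hypothetical names and interpretations based on what the thread reports.

```python
import re

# Constructed excerpt in the gpresult layout quoted in the thread (not real output).
SAMPLE = """Applied Group Policy Objects
-----------------------------
Outlook2010DisAllowPST

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Default Domain Policy
Filtering: Not Applied (Empty)

Outlook2010AllowPST
Filtering: Denied (Security)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
"""
HEADINGS = {"Applied Group Policy Objects": "applied",
            "The following GPOs were not applied": "filtered",
            "The user is a part of the following security groups": "groups"}

def parse_gpresult(text):  # applied GPOs, filtered GPOs with reason, token groups
    report = {"applied": [], "filtered": {}, "groups": []}
    section = last_gpo = None
    for line in map(str.strip, text.splitlines()):
        if not line or set(line) == {"-"}:  # skip blank lines and dashed rules
            continue
        heading = next((s for h, s in HEADINGS.items() if line.startswith(h)), None)
        reason = re.match(r"Filtering:\s*(.+)", line)
        if heading:
            section, last_gpo = heading, None
        elif section == "filtered" and reason and last_gpo:
            report["filtered"][last_gpo] = reason.group(1)
        elif section == "filtered":
            last_gpo = line
            report["filtered"][line] = "unknown"  # reason line follows, if any
        elif section:
            report[section].append(line)
    return report

def diagnose(report, gpo, group):  # hypothetical helper: what to check next
    if gpo in report["applied"]:
        return "applied"
    reason = report["filtered"].get(gpo, "not listed")
    if reason == "Denied (Security)":
        return ("group in token: check GPO permissions" if group in report["groups"]
                else "group missing from token: membership not in this logon yet")
    return {"Not Applied (Empty)": "GPO has no configured settings"}.get(reason, reason)
```

Run against the constructed sample, `diagnose(parse_gpresult(SAMPLE), "Outlook2010AllowPST", "AllowPST")` reports the missing group, which is the state described in the first post.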
