I have created a GPO that will put a shortcut on our receptionists desktops that is linked to a file share that is full of Internet shortcuts for Insurance verification. This has worked for almost 90% of my users. I have that remaining 10% that just don't want to behave. I can run gpresult /r and see that the result of the GPO should be displaying but it isn't. The only thing that I've found will "jump start" the GPO is if I log into the problem machine and I have the policy applied to the OU my user account is a member of. If I log into the machine without the policy being applied to my account the domain users experience will not change. So something must be happening to the system when I log in as a domain admin and have the policy applied to my account that then allows all other domain user accounts to accept the policy when they log in after me. I haven't found a lot out there googling this topic. The GPO is a user Policy. Any ideas?
-
Does the GPO place the shortcut in the Public / All User's folder ? If so can be a local security problem. How you push the shortcut too ? Thougth to create a GPP's GPO and create it directly with the %desktop% location ? No need for a central's file and it's place on the user's own desktop directly. – yagmoth555 Sep 22 '15 at 01:15
-
That was it. I was trying to send it to the "All Users Desktop" location. After changing it to just "Desktop" it began working for all users. I'm interested to know why that is the case. I can admit I don't understand systems deeply enough to know what security settings are being affected by each setting. Thank you for you suggestion and help! – CZobell Sep 22 '15 at 23:53
-
It's because that folder is restricted to admin only, so if a infected user log into the computer, it cant go write there. For security purpose the user is directly restricted to it's c:\users\folder only :) – yagmoth555 Sep 23 '15 at 00:50
-
oh, will write the tip as an answer too :) – yagmoth555 Sep 23 '15 at 00:51
1 Answers
If the GPO place the shortcut in the Public / All User's folder, then it's a local security problem.
The way you push the shortcut can be made other some other way. Like with a GPP's GPO and create it directly with the %desktop% location. No need for a central's file and it's place it on the user's own desktop directly.
A restricted user by default can only write in it own's profile.
The description from Microsoft;
What is a standard user account?
A standard user account lets a person use most of the capabilities of the computer, but permission from an administrator is required if you want to make changes that affect other users or the security of the computer.
When you use a standard account, you can use most programs that are installed on the computer, but you can't install or uninstall software and hardware, delete files that are required for the computer to work, or change settings on the computer that affect other users. If you're using a standard account, some programs might require you to provide an administrator password before you can perform certain tasks.
- 16,758
- 4
- 29
- 50