A user group policy is not being pushed out or applied. The policy is linked to the computer OU and enabled. The security filter contains a group, and the user is a member of that group.
The policy is linked to the machine OU and not the user's OU. By default, Microsoft Group Policies are set at the OU level and apply to the objects in that OU.
Running vgptool apply, as root, will not apply user policies.
RESOLUTION 1:
Link the policy to the OU where the users are located, or to a higher-level OU.
RESOLUTION 2: (Only works for QAS 4.x and up)
1 - Ensure the /etc/opt/quest/vgp directory exists. If it does not, create it.
2 - Enable Loopback processing Mode:
Using Group Policy Management Console, edit the GPO you desire, expand Computer Configuration\Policies\Administrative Templates\System\Group Policy,
and then double-click User Group Policy Loopback Processing Mode.
Then select the appropriate option (Replace or Merge).
Please refer to the Microsoft documentation: http://support.microsoft.com/kb/231287
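The scoping rule behind both resolutions can be checked with a small script. This is an added example, not One Identity code: it models only OU linking and the loopback mode as Microsoft describes them, and the function names and sample DNs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Security filtering, blocked inheritance and enforced links
# are not modelled; only OU linking and loopback mode are.

# Lower-case a DN and drop spaces after commas so comparisons are consistent.
norm_dn() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/, */,/g'
}

# in_scope OBJECT_DN LINK_DN: succeeds when the object sits in, or below,
# the container the GPO is linked to.
in_scope() {
    obj=$(norm_dn "$1")
    link=$(norm_dn "$2")
    case "$obj" in
        *,"$link") return 0 ;;
        *) return 1 ;;
    esac
}

# user_policy_source USER_DN COMPUTER_DN LINK_DN LOOPBACK
# LOOPBACK is the mode in effect on the computer: none, merge or replace.
# Prints user-ou (Resolution 1), loopback (Resolution 2) or none.
user_policy_source() {
    user_dn=$1; computer_dn=$2; link_dn=$3; loopback=$4
    # Replace: only GPOs in the computer's scope supply user settings.
    if [ "$loopback" = replace ]; then
        if in_scope "$computer_dn" "$link_dn"; then echo loopback; else echo none; fi
        return 0
    fi
    if in_scope "$user_dn" "$link_dn"; then
        echo user-ou
    elif [ "$loopback" = merge ] && in_scope "$computer_dn" "$link_dn"; then
        echo loopback
    else
        echo none
    fi
}

# Constructed sample: the GPO is linked to the computer OU only.
USER_DN='CN=jdoe,OU=Staff,DC=example,DC=com'
HOST_DN='CN=web01,OU=Unix Hosts,DC=example,DC=com'
LINK_DN='OU=Unix Hosts,DC=example,DC=com'
for mode in none merge replace; do
    echo "loopback=$mode -> $(user_policy_source "$USER_DN" "$HOST_DN" "$LINK_DN" "$mode")"
done
```

A result of none for the sample with loopback off is the situation described in the problem statement above.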
Helpful commands
If you are logged in as root, you must obtain a user's Kerberos ticket before applying policies. You can do this with the "/opt/quest/bin/vastool kinit <username>" command. Then run the "/opt/quest/bin/vgptool apply -u <username>" command.
Be sure the /etc/opt/quest/vgp directory exists. If it does not, create it with the "mkdir /etc/opt/quest/vgp" command.
Show the resulting policies that QAS is setting:
Computer:
/opt/quest/bin/vgptool rsop
User:
/opt/quest/bin/vgptool rsop -u <username>
/opt/quest/bin/vgptool -d 5 apply -M logon -u <username>