We have created a group policy  in AD on an OU outside the OU=Hosting managed by MPS.

That OU on which the GPO is applied groups computer (server) objects. In the GPO we use Loopback processing in 'replace mode' to apply user settings when a user does a logon to that server

Our problem is  that the GPO user settings are not applied for users located under the OU=Hosting managed by MPS. For users outside the OU=Hosting the GPO is applied correctly.

In the eventlog of the server we have the following error:

Source: Userenv

Event id:1101

Windows cannot access the the object OU=Hosting,DC=exo,DC=net in Active Directory. The access to the object may be denied. Group Policy processing aborted.

All ideas are welcome

 

 

 

 

 

 

This happens because the user does not get access to the CN=System Container in the root of the domain in AD you will have to selectively grant read access to the Group Policy Container underneath CN=System to the AllUsers Group from that customer so that they can access the actual GPO Object as well grant them more then the list object access on the Hosting Org they get today. The Problem with this si that then the users in that OU will be able to discover other objects under Hosting and the System Container they should not have access to. Doing this will break the isolation we build when creating the OUs.

You will have to carefully determine the changes needed or find another way to get the GPO onto the user.

HTH

Mike

Is there any easy way to work around this, I have the same problem to solve. One idea I had was to grant the "read access to the Group Policy Container underneath CN=System" to selected customers. The question is how much and what access do they need to the hosting org? Would one way be to put one customer into uniuqe reseller OUs and grant them more rights within that reseller OU?

//Johan

Hi,

are there other ways to apply the GPO to the users under the Hosting container? We've got the same situation here. We like to set some policies on the users beneath the hosting container!

Please advice,

Thanks in advance, Patrick

Hi,

 

we just fixed this annoying problem; you need to set the following permissions on your Hosting and reseller OU's (customer OU's inherit them from the reseller OU):

• Authenticated users

Read cn

Read distinguisedName

Read GPLink

Read GPOptions

I set the scope to 'This object only'.

 

The Userenv errors are now gone and GPO usersettings are applied succesfully.

 

I hope this helps!

 

Regards,

Enrico Klein

ApplicationNet B.V.

Netherlands