Group Policies Not Applying

Posted on 2004-03-30
Last Modified: 2010-03-18
All Clients are W2k professional. All fresh installs, no upgrades.
All DC's are W2k Server in native mode. Many of these servers were upgraded a while back from Windows NT.
I just want to get a GPO to apply to a set of users to remove buttons from the toolbar in Internet Explorer.
I have an OU that includes the users I need the policy applied to and I have created the GPO called toolbar in that OU.
I have checked the security tab on the group policy, both authenticated users and the specific domain users that need this policy applied have read and apply group policy checked
We really don't have a lot of GPOS on our network so I don't thing this is being overwritten
I've run GPresult on a machine where I am logged in as that user. The only other GPO that is included in that OU shoes up as being applied.
Question by:Brian_Blair
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3

Expert Comment

ID: 10718107
Do you have any errors in the Application Log in Event Viewer that indicate that this policy is failing when it attempts to apply it?  So you don't even see this new GPO listed when you run GPresult, but you do see another GPO that is linked to the same OU?


Author Comment

ID: 10720380
I will check event log 3/31.

That is correct, the policy is not even listed in the output of gpresult. However, the default domain policy, another gpo called "roaming" that is linked to the OU, and the local policy are showing up as affecting the user.

Expert Comment

ID: 10723090
This could possibly be a result of a replication problem between DCs.  If you configured the GPO on one DC and it is not replicating to another DC, then perhaps the client machine is getting its list of policies to apply from the second DC.

To check on this, look in the event viewer on your DCs under the File Replication Service logs and Directory Service logs (especially for NTDS KCC entries).  Also try the replmon and netdiag tools in the Windows 2000 Support Tools (if not already installed, these are on the W2K Server CD).

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 10724427
Chacked that yesterday. Policies are replicating successfully.
Also checked event viewer. No errors in event viewer indicating policy failure.

We are a 1 domain shop with 11 dc's all W2K server.  When I create a gpo I do it through Active Directory Users and Computers. I'm a little confused when I see it suggested that the GPO may have been configured on one DC. I configure them right on my pc and link it to an OU. They seem to apply OK except this one.

Thanks for your help to this point though.

Expert Comment

ID: 10724832
If I understand it correctly, when you use Active Directory Users and Computers, it connects to the "closest" DC.  Whatever changes you make while connected to this DC are then replicated to the rest of the DCs at the next replication cycle.  So if you have replication problems on any particular DC and a client connects to that DC while logging on, it may not get the policy.  Does that make sense?

Are you using the Group Policy Management Console?  This is the new way of managing group policy that is downloadable from MS.  I have found it to very valuable for troubleshooting the organization of GPOs in our network.  It is a little more visual than the old way of doing it -- might help to pinpoint where it's failing.

I see that all your clients are w2k.  The GPMC may only be installed on XP Pro or W2K3 Server; however, it will manage W2K servers as well as W2K3 servers.  Perhaps you won't be able to use this tool if you have no XP clients.


Author Comment

ID: 10726144
No I haven't tried that yet. If I load XP on a machine and then download it, will I be able to look and see how policies are being applied on specific PC's in my networK?

Accepted Solution

following earned 250 total points
ID: 10726321
You will be able to run very informative reports that are similar to GPResult, except you can run them against a remote machine for any user that has previously logged onto that machine.  You can also see exactly which GPOs are linked to which objects and whether any GPOs at a specific OU level are set to "Block Inheritance" or "Enforce" -- right click on the OU.  You can quickly see if the User or Computer portion of a GPO has been disabled (usually for performance reasons) -- right click on the GPO and click GPO Status.  You can see if the link to a GPO has been enabled for the OU -- right click on the GPO under the OU and see if "Link Enabled" is checked.  You can see at a glance a summary of all settings that are configured in a particular GPO.

In short, it is a wonderful tool to manage, troubleshoot, and organize most all aspects of Group Policy.


Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes you might need to configure routing based not only on destination IP address, but also on a combination of destination IP address (or hostname) and destination port number. I will describe a method how to accomplish this with free tools. …
This is the first one of a series of articles I’ll be writing to address technical issues that are always referred to as network problems. The network boundaries have changed, therefore having an understanding of how each piece in the network  puzzl…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
In an interesting question ( here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question