• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 498
  • Last Modified:

GPO not being applied unless PC is rejoined to the domain

We have recently started to use GPOs throughout our company and thought everything was going according to plan until we discovered that certain policies are not being applied to certain computers. Amongst them is a policy to disable mass USB storage devices, and also a policy that installs Flash on the PC.

This is not affecting all the PCs, only certain ones. We only use Windows 2000 and Windows XP clients and this problem is not specific to either one. All our domain servers are Windows 2003.

As I mentioned, this is not a domain wide problem as it only affects certain PCs. I have today found two identical PCs, same Dell model, same operating system (windows 2000), same patches and security updates installed......yet one of them applies all the policies at logon and the other one only applies certain policies..

I have found that if I 'un-join' the problem PC from the domain, add it to a workgroup, reboot, rejoin the domain then all of the policies work as they should.

I know that I can get around this problem by rejoining the PCs to the domain, but could someone suggest why this is happening and if there is something I can do instead of rejoining each PC to the domain ?

thanks in advance for any help
  • 3
  • 2
1 Solution
open a command prompt on the PC and enter

gpupdate /force

That should make them get all the policies. Another reason could be that if you have more than 1 domain controllers, not all of them have been updated either, so you might want to make sure all the DC's have been replicated.
1. Do other policy settings apply to the problem pc successfully?
2. Are the 2 pc's in question in different OUs, sites or subnets?  this will have an effect on policy application.
MisterBedoAuthor Commented:
rindi - I'll try that today and report back. I'm pretty sure all the policies are replicted round the DCs, but I'll double check.

richard - 1) Yes, there are other policies in effect that apply themselves succesfully, it's only certain ones that don't.
              2) It varies, some of the PCs are in different OUs etc, but some are in the sam eOU, subnet etc yet still one will get the policy apllied, one won't.
WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

MisterBedoAuthor Commented:
rindi - GPUPDATE only works with XP clients, so I can't test that on a Win 2000 client. Will test it on an XP machine as soon as I can tho.
Is it an entire policy that is not applying, or just certain settings within the same policy?

As you are using Windows Server 2003 on the domain controllers, you should be able to use RSoP or GPMC to see the exact policy that will apply to specific pc's, compare one that works with one that doesn't

Ideally you will have a test environment, but if not it is worth creating a new OU and a new policy that just contains the settings that are not working. Isolate one of the PC's in question by placing it into this OU and ensure only this new policy is applied. This will show wether or not the settings can be applied to that PC, then start adding your other policies to see if a conflict appears.

Another idea is to check if the settings can be made manually, then ensure they remain when the next policy refresh occurs (reboot should do the trick as long as the DC it connects to has the latest versions)
MisterBedoAuthor Commented:
Apologies, I forgot I left this open.

The solution in the end was down to the PCs in question needing an update to the WSH, after this they worked perfectly.

Thanks for the suggestions though.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now