We help IT Professionals succeed at work.

Cannot Apply Computer Configuration of a Group Policy

What do I need to do to get my Computer Configuration settings in my User group policies to work?

I have three group policies that I cannot apply the Computer Configuration of the group policy.  When I view them in the GPO Management Tool they are enabled and are linked.  They are in the container of the group that I want the policy applied to.  The client machines are members of the domain as well as the users.  They all appear in active directory.  Also, all the GPO's status shows that they are Enabled in the GPO Management Console.

When I run the Group Policy Results it shows me that the User Configurations have been applied but the Computer Configurations have not.  The Group Policy Results Setting Tab show me that there where "No settings defined."  

Another way that I know that the policy is not being applied is that I have one policy set to delete the roaming profile from the local machine when the user logs off.  When I test the policy, the local profile is still there.

I have tested another container group of users that use a different GPO and the same thing happens for them.

I have a mixed server and OS environment.  I use Windows Server 2000 and Windows Advanced Server 2003.  My clients are Windows XP SP2 and Windows Vista.

Any help to resolve this issue would be appreciated.
Comment
Watch Question

Consultant/Trainer
Commented:
Hi!

"They are in the container of the group that I want the policy applied to"? Can you clarify this part of your post?

If you want GPO with Computer settings to apply to computers, you should link GPO to the OU with computer accounts.

HTH

Toni
Computer configurations need to be applied to Computers, User configurations to Users.  Try applying it to a Computer or group of computers.
Toni UranjekConsultant/Trainer

Commented:
Group policy has almost nothing to do with groups. GPO should be linked to OU with computer accounts. Groups are used only for Security filtering.

Author

Commented:
I have applied the GPO to a computer, logged in as a user that is linked to the Group Policy and then logged back out.  

I then logged in to the same computer as the administrator and opened the Group Policy Management MMC to run the Group Policy Results wizard on the user I just used.  When I run the wizard for this user I go the the Settings tab and it gives me the message under the Computer Configuration "No Settings defined."

When I look at the GPO and its Computer Configuration section, I can see my settings that have been set, i.e. Windows Security Settings, Administrative Templates, Printers, System/Group Policy, User Profiles, Time Providers, and several IE settings.

Why is it not appling them?

At one time this was not an issue.  They were applied and they did work.  When I look at the GPO Results wizards from previous test I have ran I can see that they were applied, but now they are not.  The only things that have changed since the last time they worked are:  I had to change the operations master for my domain, and several windows updates.

HELP....
is the computer you are applying the GPO to linked to that policy?  in the Links section, should be an OU containing computers if the policy has computer configurations.  in the security filtering section, should be computer names

Author

Commented:
Yes.  I have added the testing PC to the security filtering of the first policy below.

I have also noticed that under the Summary of the GPO Policy Results that it has under the Denied GPOs, that my policies' links are disabled.  When I look at the policies themselves it show all links enabled.

Here are the copies of the policies that I am trying to apply.

I have changed the extensions so they would upload, orginally they were html files.
Delete-Local-Profile-Policy-Obje.txt
Domain-IE-Policy-Object.txt
Student-Policy-Object.txt
Toni UranjekConsultant/Trainer

Commented:
Go to command prompt on client and run "gpresult /v > gpo.txt", then upload gpo.txt here.

The problem is not how your GPOs are configured but how they are linked. If they don't appear on list of applied objects in gpo.txt, they are not linked correctly, if they appear on denied objects list, something is preventing GPO to apply to client computers.

Author

Commented:
Here's the gpo.txt file.

The file states the the links are diabled yet in the GPO management they are linked and enabled.

gpo.txt
Toni UranjekConsultant/Trainer

Commented:
Do you have any "usernev" related erros in Event Viewer's Application log?
Did you run "gpresult" as member of local Administrators group?

Author

Commented:
No, I do not have any "usernev" errors or any related errors.  I ran the grresult as the test user which is just a member of the Domain Users group and it is not associated with any Admin group or rights.
Toni UranjekConsultant/Trainer

Commented:
Can you run "gpresult" as member of local Administrator group, to exclude possibilty that regular user account can not access all information from Computer Configuration part.

Author

Commented:
Yes, I can but administrators or not linked to the policies that I am trying to apply only those that are members of the Student OU.  

Here is the gpo.txt file that I ran as an administrator.
gpoadmin.txt
Toni UranjekConsultant/Trainer

Commented:
We are troubleshooting Computer configuration part of Group Policy objects.

Does all computers experience the same error, does this computer experience any other problems?
Toni UranjekConsultant/Trainer

Commented:
To which OUs exactly are the following policies linked:

Delete-Local-Profile-Policy-Object
Domain-IE-Policy-Object
Student-Policy-Object

Author

Commented:
To just my student OU.

Author

Commented:
Other than not applying the Computer Configuration section of the policy the computer does not experience any other issues.  
Toni UranjekConsultant/Trainer

Commented:
Are you aware of the fact that computer which you used for gpresult is not in Student OU but in Computers container?

Move only one computer account from Computers container to Student OU, run "gpupdate /force" and "gpresult" again, any changes?

Author

Commented:
How would this affect other members of other OU's whose computer configuration policy is different from the students'?
Toni UranjekConsultant/Trainer

Commented:
Computer configuration settings always affect all users the same. It doesn't matter in which OU they (users) are.

Author

Commented:
If I move the GPO to domain container but still have it apply only to the students in the security filtering will it only apply its computer settings if that OU member logs on?

I want the computer configuration of that GPO to only apply itself if that OU member logs on.
Toni UranjekConsultant/Trainer

Commented:
Hi!

Group policy objects contain two distinctive  groups of settings: Computer Configuration settings and User Configuration settings. When you start computer and your network becomes active, client will check for new versions of GPOs on domain controller. If GPOs have changed, new versions will be downloaded and then Computer settings will be processed. You can observe this part of the process on your screen where it says "Applying computer settings...". When this part is over MSGINA will appear (Ctrl+Alt+Del Window). Now you can enter username and password and only now User configuration setting will be processed.

This means that Computer Configuration settings are ALWAYS processed first, regardless of which user will log on later and that you can't change this behaviour.

There is an "anomaly" in processing group policies called loopback processing. It this case Computer Configuration settings will be processed, than User Configuration settings will be processed and Computer settings will be processed AGAIN in replace or merge mode. Computer Configuration settings will win over User Configuration settings. This special cenario is often used on Terminal Servers or kiosk computers and does not solve your problem.

Security filtering will not help either, usualy security filtering brings nothing but... trouble.

Toni

Author

Commented:
There are settings in the computer configuration that are not found in the user configuration.  I would like to be able to apply these computer configuration setting for one group of users and not for another group.

I attempted to just apply these setting on a test computer but the computer configuration settings of the policy still did not work.  I must missed something.

I am thinking of creating a new OU and then moving a selected group of computers to that OU.  Then I will assign the GPO I want to that new group.  Would that work?
Toni UranjekConsultant/Trainer

Commented:
Sorry for delay.

But the answer to your last question is still: no.

You can not filter Computer configuration settings based on user's group membership, because these settings are processed before user logs on.

Unfortunately, there is no workaround. I will be very surprised if you or anyone else comes with up with working solution.

Commented:
thanks so much!!!!!!!!!! great

Explore More ContentExplore courses, solutions, and other research materials related to this topic.