How many group policy objects can be active on a Domain

vAdmin
I have about 9 active GPOs on my domain. If I try to create a new one it does it fine; I create it and edit it, but when I apply it, the computers don't seem to be detecting it. Is there a maximum number of GPOs allowed on a domain? Or could it be a problem? I searched Google about this but I didn't find anything that mentions limitations on GPOs.

Commented:
You should be able to have hundreds of GPOs.  Here are a few things to check:
1.  Are you applying the GPOs to the proper OUs?
2.  Have you run rsop.msc from a machine's Start->Run line?  This will show you the resultant group policy and you can right click on the nodes to view properties of any errors.
3.  Have you done a gpupdate /force on the server and then on the clients in question?  This needs to be done on both the server and clients.
4.  You can try GPO modeling in the Group Policy Management interface.  You pretty much run the wizard and pick a pc and a user and it will tell you which GPOs will apply to it.
Awarded 2009
Top Expert 2010

Commented:
There are no limitations, only as much as the available disk space on the servers that are storing them.

There are a number of reasons why your policies wouldn't be applying:

1> Are you applying Computer policies to computers and User policies to users?  If not, then this will cause problems.
2> Do you have more than 1 domain controller? Is replication working between the DCs?
3> As already suggested run rsop.msc and see what policies the computer "thinks" are being applied.

Commented:
gpupdate /force does not need to be done on the server unless you are having problems with the policy applying to the server.

Just remember that the /force switch performs a forceful re-read of Group Policies that are applied to both the user logged in and the computer account.  This means a re-boot will be required.

Author

Commented:
Hello:

Thanks for the fast response to both of you. I ran the resultant set of policy and the computer is not taking the GPO. I ran the gpupdate /force on both computer and server with no success. I am sure I am assigning computer GPOs to computers and user GPOs to users. As a final test, I configured the options I want to disable on the new GPO into an existing one and the changes are applied successfully, but if I make it a separate GPO it will not work.

Commented:
Do you have more than 1 domain controller?

Are you applying the policies to an OU? If not, are the objects you are applying the settings to within an OU that has block inheritance set?

You can check by looking in Group Policy Management Console: navigate to the OU where the objects are and then select the Group Policy Inheritance tab. This will tell you what policies are being applied to this OU.

Author

Commented:
I have two DCs and the policy is not being blocked by inheritance.

Commented:
Go to the Group Policy Objects folder in Group Policy Management Console, highlight the new policy that isn't applying, then select the detail tab.

Where it says unique identifier (or similar, can't remember off the top of my head)
then check the following location:

\\servername\SYSVOL\DOMAINNAME.LOCAL\POLICIES and make sure that Unique ID appears in both servers.

Commented:
Forgot to say that if it doesn't appear in both server locations DO NOT manually copy it.

This means there is a replication problem between your domain controllers, once that gets fixed they will replicate automatically.

Author

Commented:
Hello, yes it has the same identifier on both servers.

Commented:
In group policy management, right click on the policy and select "enforced".  This should ensure that the policy will be applied.

I always suggest doing a gpupdate /force on the server and selecting n(no) if it asks for a reboot.

I do suggest the reboot or re-login on the client machines if you are working with client GPOs (in order for the settings to sometimes take effect).

Are you working with computer or user policies for your testing right now?
Did RSOP not show the policies or show them with errors?

Author

Commented:
I already tried enforcing the GPO, but it didn't work either. The resultant set of policies doesn't show that the computer is taking the GPO.

Commented:
And if you use the modelling wizard in Group Policy Management Console, does it say the policy should be applied?

Author

Commented:
Hello demazter, no, it doesn't show as applied.

Commented:
Then there is something wrong with the way the Group Policy is linked to the OU.

You have created the OU in Group Policy Objects?  If so did you select the OU you wanted it linked to and select link to gpo?

Can you post a screenshot?

Author

Commented:
Hello, yes it was done the way you explained above.

Commented:
Go into group policy management.  Select an OU, right click it, then click on "Create and Link a GPO Here".  Make a "test policy".  Don't edit it.  Now test to see if you see it in the modeling wizard or rsop.

Author

Commented:
I don't see it in the modeling wizard; it doesn't seem to be applied.

Commented:
Look into running gpotool, netdiag, and dcdiag.  Also check the event logs for errors.

It seems that you have some sort of major issue on your dc.

Commented:
Hello:

The problem has been solved. It was a replication problem; after I noticed the problem with the GPOs I also started to have many problems with the communication between my workstations and AD. The way I checked the communication problem between the DCs was: go to Active Directory Sites and Services, then go to Default-First-Site-Name, then open Servers, then select the server that you are working on at the moment and select NTDS Settings. Now right-click on <automatically generated> and select Replicate Now. If that fails, as happened in my case, go to the command prompt and run these commands on that same server:

repadmin /options MTIPR-DC1 -DISABLE_INBOUND_REPL
repadmin /options MTIPR-DC1 -DISABLE_OUTBOUND_REPL

This solution fixed my problem. Thanks to all of you who tried to help me out.
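
Added example (not part of the original thread): a read-only PowerShell check that combines two diagnostics discussed above, the per-DC SYSVOL\...\Policies folder comparison and the replication-disabled DSA options that turned out to be the cause. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed; the GPO name 'Test Policy' is a hypothetical placeholder.

```powershell
# Added example: compare one GPO across all domain controllers and flag any
# DC whose replication has been switched off. Makes no changes to AD or SYSVOL.
param(
    [string]$GpoName = 'Test Policy'   # hypothetical GPO display name
)

Import-Module ActiveDirectory, GroupPolicy

$domain = (Get-ADDomain).DNSRoot

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # Query each DC directly so a stale replica shows up as a difference.
    $gpo = Get-GPO -Name $GpoName -Server $name -ErrorAction SilentlyContinue

    # The policy folder under SYSVOL is named after the GPO's unique ID.
    $inSysvol = $false
    if ($gpo) {
        $inSysvol = Test-Path "\\$name\SYSVOL\$domain\Policies\{$($gpo.Id)}"
    }

    # repadmin /options prints a "Current DSA Options:" line per server.
    $line = repadmin /options $name |
        Select-String 'Current DSA Options' | Select-Object -First 1
    $dsa = if ($line) { ($line.Line -replace '^.*Options:\s*', '').Trim() }

    [pscustomobject]@{
        DC            = $name
        GpoInAD       = [bool]$gpo
        GpoInSysvol   = $inSysvol
        CompADVer     = $gpo.Computer.DSVersion
        CompSysvolVer = $gpo.Computer.SysvolVersion
        UserADVer     = $gpo.User.DSVersion
        UserSysvolVer = $gpo.User.SysvolVersion
        # Either flag stops this DC from exchanging directory changes.
        ReplDisabled  = [bool]($dsa -match 'DISABLE_(INBOUND|OUTBOUND)_REPL')
        DsaOptions    = $dsa
    }
}

$report | Format-Table -AutoSize
```

A DC where ReplDisabled is True, or where the AD and SYSVOL version numbers differ from the other DCs, is the one to investigate before touching the GPO itself.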
