vAdmin
asked on
How many group policy objects can be active on a Domain
I have about 9 active GPOs on my domain. If I try to create a new one, it does it fine: I create it, I edit it, but when I apply it, the computers don't seem to be detecting it. Is there a maximum allowed number of GPOs on a domain? Or could it be a problem? I searched Google about this but I don't find anything that mentions limitations on GPOs.
There are no limitations, only as much as the available disk space on the servers that are storing them.
There are a number of reasons why your policies wouldn't be applying:
1> Are you applying Computer policies to computers and User policies to users? If not, then this will cause problems.
2> Do you have more than 1 domain controller? Is replication working between the DCs?
3> As already suggested run rsop.msc and see what policies the computer "thinks" are being applied.
gpupdate /force does not need to be done on the server unless you are having problems with the policy applying to the server.
Just remember that the /force switch performs a forceful re-read of Group Policies that are applied to both the user logged in and the computer account. This means a re-boot will be required.
ASKER
Hello:
Thanks for the fast response to both of you. I ran the resultant set of policy and the computer is not taking the GPO. I ran gpupdate /force on both computer and server with no success. I am sure I am assigning computer GPOs to computers and user GPOs to users. As a final test, I configured the options I want to disable on the new GPO into an existing one and the changes are applied successfully, but if I make it a separate GPO it will not work.
Do you have more than 1 domain controller?
Are you applying the policies to an OU? If not, are the objects you are applying the settings to within an OU that has block inheritance set?
You can check by looking in Group Policy Management Console: navigate to the OU where the objects are and then select the Group Policy Inheritance tab. This will tell you what policies are being applied to this OU.
ASKER
I have two DCs and the policy is not being blocked by inheritance.
Go to the Group Policy Objects folder in Group Policy Management Console, highlight the new policy that isn't applying, then select the Details tab.
Where it says unique identifier (or similar, can't remember off the top of my head),
then check the following location:
\\servername\SYSVOL\DOMAIN NAME.LOCAL\POLICIES and make sure that Unique ID appears on both servers.
Forgot to say that if it doesn't appear in both server locations DO NOT manually copy it.
This means there is a replication problem between your domain controllers, once that gets fixed they will replicate automatically.
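The SYSVOL check described above can be scripted across every domain controller. The following is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, and the GPO name 'Test Policy' is a placeholder.

```powershell
# Added example. Needs the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

function Test-GpoReplication {
    param([Parameter(Mandatory)][string]$GpoName)   # e.g. 'Test Policy' (placeholder)

    $domain = (Get-ADDomain).DNSRoot
    $gpo    = Get-GPO -Name $GpoName -Domain $domain -ErrorAction Stop
    $guid   = '{' + $gpo.Id.ToString().ToUpper() + '}'   # folder name under Policies

    foreach ($dc in Get-ADDomainController -Filter *) {
        $path = "\\$($dc.HostName)\SYSVOL\$domain\Policies\$guid"
        $row  = [ordered]@{
            DC           = $dc.HostName
            FolderExists = Test-Path -LiteralPath $path
            ComputerAD   = $null; ComputerSysvol = $null
            UserAD       = $null; UserSysvol     = $null
            InSync       = $false
            Error        = $null
        }
        try {
            # -Server pins the query to this DC, so both versions are its own copies.
            $copy = Get-GPO -Guid $gpo.Id -Domain $domain -Server $dc.HostName -ErrorAction Stop
            $row.ComputerAD     = $copy.Computer.DSVersion
            $row.ComputerSysvol = $copy.Computer.SysvolVersion
            $row.UserAD         = $copy.User.DSVersion
            $row.UserSysvol     = $copy.User.SysvolVersion
            $row.InSync = $row.FolderExists -and
                          ($row.ComputerAD -eq $row.ComputerSysvol) -and
                          ($row.UserAD -eq $row.UserSysvol)
        } catch {
            $row.Error = $_.Exception.Message   # GPO or SYSVOL copy missing/unreadable on this DC
        }
        [pscustomobject]$row
    }
}

# Version numbers must match across DCs as well as within each DC.
$result = Test-GpoReplication -GpoName 'Test Policy'
$result | Format-Table -AutoSize
$result | Where-Object { -not $_.InSync } | ForEach-Object {
    Write-Warning "$($_.DC): AD and SYSVOL copies differ or are missing; check replication, do not copy files by hand."
}
```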
ASKER
Hello, yes it has the same identifier on both servers.
In group policy management, right click on the policy and select "enforced". This should ensure that the policy will be applied.
I always suggest doing a gpupdate /force on the server and selecting n (no) if it asks for a reboot.
I do suggest the reboot or re-login on the client machines if you are working with client GPOs (in order for the settings to sometimes take effect).
Are you working with computer or user policies for your testing right now?
Did RSOP not show the policies or show them with errors?
ASKER
I already tried enforcing the GPO, but it didn't work either. The resultant set of policies doesn't show that the computer is taking the GPO.
And if you use the modelling wizard in Group Policy Management Console, does it say the policy should be applied?
ASKER
Hello demazter, no, it doesn't show applied.
Then there is something wrong with the way the Group Policy is linked to the OU.
You have created the OU in Group Policy Objects? If so did you select the OU you wanted it linked to and select link to gpo?
Can you post a screenshot?
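The link and scope questions raised in this thread (is the GPO linked to the OU, is the link enabled or enforced, is inheritance blocked, who has Apply rights) can be read in one pass. This is an added example, not part of the original thread; it assumes the RSAT GroupPolicy module, and the GPO name and OU distinguished name are placeholders.

```powershell
# Added example. Needs the RSAT GroupPolicy module.
Import-Module GroupPolicy

function Get-GpoScopeSummary {
    param(
        [Parameter(Mandatory)][string]$GpoName,   # e.g. 'Test Policy' (placeholder)
        [Parameter(Mandatory)][string]$OuDn       # e.g. 'OU=Workstations,DC=example,DC=local' (placeholder)
    )
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop
    $som = Get-GPInheritance -Target $OuDn -ErrorAction Stop

    # GpoLinks: links made directly on this OU.
    # InheritedGpoLinks: the list GPMC shows on the Group Policy Inheritance tab.
    $direct    = $som.GpoLinks          | Where-Object { $_.GpoId -eq $gpo.Id }
    $effective = $som.InheritedGpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }

    # Security filtering: only trustees holding "Apply group policy" process the GPO.
    $apply = Get-GPPermission -Guid $gpo.Id -All |
             Where-Object { $_.Permission -eq 'GpoApply' }

    [pscustomobject]@{
        Gpo                = $gpo.DisplayName
        GpoStatus          = $gpo.GpoStatus      # AllSettingsEnabled, ComputerSettingsDisabled, ...
        WmiFilter          = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }
        LinkedOnThisOu     = [bool]$direct
        DirectLinkEnabled  = if ($direct) { $direct.Enabled } else { $null }
        InEffectiveList    = [bool]$effective
        Enforced           = if ($effective) { $effective.Enforced } else { $null }
        InheritanceBlocked = $som.GpoInheritanceBlocked
        ApplyTrustees      = ($apply | ForEach-Object { $_.Trustee.Name }) -join ', '
    }
}

Get-GpoScopeSummary -GpoName 'Test Policy' -OuDn 'OU=Workstations,DC=example,DC=local' |
    Format-List
```

A GPO that is linked but whose ApplyTrustees list does not cover the computer or user account, or whose GpoStatus disables the half being tested, will not show up in RSoP even though the link looks correct.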
ASKER
Hello, yes it was done the way you explained above.
Go into Group Policy Management. Select an OU, right click it, then click on "Create and Link a GPO Here". Make a "test policy". Don't edit it. Now test to see if you see it in the modeling wizard or rsop.
ASKER
I don't see it in the modeling wizard; it doesn't seem to be applied.
Look into running gpotool, netdiag, and dcdiag. Also check the event logs for errors.
It seems that you have some sort of major issue on your dc.
1. Are you applying the GPOs to the proper OUs?
2. Have you run rsop.msc from a machine's Start->Run line? This will show you the resultant group policy, and you can right-click on the nodes to view properties of any errors.
3. Have you done a gpupdate /force on the server and then on the clients in question? This needs to be done on both the server and clients.
4. You can try GPO modeling in the Group Policy Management interface. You pretty much run the wizard and pick a PC and a user and it will tell you which GPOs will apply to it.