Solved

Local GPO is not getting updated!

Posted on 2010-11-09
10
379 Views
Last Modified: 2012-06-27
We've modified a GPO settings in domain level GPO. RSOP on the member server shows it's updated but the local GPO settings on the same workstation doesn't reflect this change!

It's a computer setting.....

I'm breaking my head still not finding out why!!!

Any idea!!
0
Comment
Question by:anupam1983
  • 5
  • 5
10 Comments
 
LVL 24

Expert Comment

by:Awinish
ID: 34091131
The GPO applies at LSDOU(Local-Site-Domain-OU) & any changes applied on local GPo should be replaced by GPO flowing from domain.

Whats the error you are getting in the event log of problem machine. Check application log.

You can also enable userenv logging to know the issue.

http://blogs.technet.com/b/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx

Note: Basically when system is in domain local GPo is not applied.
0
 

Author Comment

by:anupam1983
ID: 34091158
DC1 has say 10 member servers srv1, srv2...srv10.

I applied a computer setting "Allow signed content from intranet Microsoft update service location" in Domain GPO. Then i ran gpupdate /force on srv1. I can see the settings is applied in RSOP as well as the corresponding registry key is modified.

But when I open gpedit.msc on srv1, that local GPO doesn't show the settings to be enabled; it says not configured! Upon checking I found that Account policies (I can see the lock symbol) are inherited from domain level GPO, but that computer setting is not!

Is it a normal behavior?
0
 
LVL 24

Accepted Solution

by:
Awinish earned 500 total points
ID: 34091201
You need to reboot the system & the policy has to reflect into RSOP as i confirmed the setting in my lab.
0
 

Author Comment

by:anupam1983
ID: 34091224
Okay so once I reboot the local GPO will show the updated setting right?

Since this GPO is linked to more than 30k machines, so I'll be screwed up if I give all of them a reboot.

I think as long as the RSOP is showing the updates and registry key is set, we should not worry, am I correct?
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34091482
Well you should reboot one machine & check settings are achieved because computer configuration sometime doesn't apply without reboot & if its showing in registry n rsop.msc you can reply but giving a reboot to one machine will be better.

I think its been applied but just run gpupdate /force on one machine & check event viewer & if there is successful log, yo are done, but sometime reboot is required as its Microsoft OS..:)
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:anupam1983
ID: 34091559
Yeah, I actually did gpupdate /force for all the domain machine at one go :o)

Looks like they all are getting updates....secli event ID is showing the gpo is updated......

yup, i agree with u that Windows OS requires reboot for many computer settings :o)
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34091654
I think when there is no error, you can trust windows will not deceive you..:)
0
 

Author Comment

by:anupam1983
ID: 34091684
Yup!! Thanks Awinish for your help! I was seriously went mad when I saw local GPO was not updated!!

Have a great time ahead!

Regards,
Anupam Bhattacharjee
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34091708
0
 

Author Comment

by:anupam1983
ID: 34091903
Thank you once again!
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now