Local GPO is not getting updated!
We've modified a GPO settings in domain level GPO. RSOP on the member server shows it's updated but the local GPO settings on the same workstation doesn't reflect this change!
It's a computer setting.....
I'm breaking my head still not finding out why!!!
Any idea!!
It's a computer setting.....
I'm breaking my head still not finding out why!!!
Any idea!!
ASKER
DC1 has say 10 member servers srv1, srv2...srv10.
I applied a computer setting "Allow signed content from intranet Microsoft update service location" in Domain GPO. Then i ran gpupdate /force on srv1. I can see the settings is applied in RSOP as well as the corresponding registry key is modified.
But when I open gpedit.msc on srv1, that local GPO doesn't show the settings to be enabled; it says not configured! Upon checking I found that Account policies (I can see the lock symbol) are inherited from domain level GPO, but that computer setting is not!
Is it a normal behavior?
I applied a computer setting "Allow signed content from intranet Microsoft update service location" in Domain GPO. Then i ran gpupdate /force on srv1. I can see the settings is applied in RSOP as well as the corresponding registry key is modified.
But when I open gpedit.msc on srv1, that local GPO doesn't show the settings to be enabled; it says not configured! Upon checking I found that Account policies (I can see the lock symbol) are inherited from domain level GPO, but that computer setting is not!
Is it a normal behavior?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Okay so once I reboot the local GPO will show the updated setting right?
Since this GPO is linked to more than 30k machines, so I'll be screwed up if I give all of them a reboot.
I think as long as the RSOP is showing the updates and registry key is set, we should not worry, am I correct?
Since this GPO is linked to more than 30k machines, so I'll be screwed up if I give all of them a reboot.
I think as long as the RSOP is showing the updates and registry key is set, we should not worry, am I correct?
Well you should reboot one machine & check settings are achieved because computer configuration sometime doesn't apply without reboot & if its showing in registry n rsop.msc you can reply but giving a reboot to one machine will be better.
I think its been applied but just run gpupdate /force on one machine & check event viewer & if there is successful log, yo are done, but sometime reboot is required as its Microsoft OS..:)
I think its been applied but just run gpupdate /force on one machine & check event viewer & if there is successful log, yo are done, but sometime reboot is required as its Microsoft OS..:)
ASKER
Yeah, I actually did gpupdate /force for all the domain machine at one go :o)
Looks like they all are getting updates....secli event ID is showing the gpo is updated......
yup, i agree with u that Windows OS requires reboot for many computer settings :o)
Looks like they all are getting updates....secli event ID is showing the gpo is updated......
yup, i agree with u that Windows OS requires reboot for many computer settings :o)
I think when there is no error, you can trust windows will not deceive you..:)
ASKER
Yup!! Thanks Awinish for your help! I was seriously went mad when I saw local GPO was not updated!!
Have a great time ahead!
Regards,
Anupam Bhattacharjee
Have a great time ahead!
Regards,
Anupam Bhattacharjee
You too, Anupam
Below is the very good site for GPO.
http://www.grouppolicy.biz/2010/07/best-practice-active-directory-structure-guidelines-part-1/
Below is the very good site for GPO.
http://www.grouppolicy.biz/2010/07/best-practice-active-directory-structure-guidelines-part-1/
ASKER
Thank you once again!
Whats the error you are getting in the event log of problem machine. Check application log.
You can also enable userenv logging to know the issue.
http://blogs.technet.com/b/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx
Note: Basically when system is in domain local GPo is not applied.