[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 404
  • Last Modified:

Local GPO is not getting updated!

We've modified a GPO settings in domain level GPO. RSOP on the member server shows it's updated but the local GPO settings on the same workstation doesn't reflect this change!

It's a computer setting.....

I'm breaking my head still not finding out why!!!

Any idea!!
0
anupam1983
Asked:
anupam1983
  • 5
  • 5
1 Solution
 
AwinishCommented:
The GPO applies at LSDOU(Local-Site-Domain-OU) & any changes applied on local GPo should be replaced by GPO flowing from domain.

Whats the error you are getting in the event log of problem machine. Check application log.

You can also enable userenv logging to know the issue.

http://blogs.technet.com/b/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx 

Note: Basically when system is in domain local GPo is not applied.
0
 
anupam1983Author Commented:
DC1 has say 10 member servers srv1, srv2...srv10.

I applied a computer setting "Allow signed content from intranet Microsoft update service location" in Domain GPO. Then i ran gpupdate /force on srv1. I can see the settings is applied in RSOP as well as the corresponding registry key is modified.

But when I open gpedit.msc on srv1, that local GPO doesn't show the settings to be enabled; it says not configured! Upon checking I found that Account policies (I can see the lock symbol) are inherited from domain level GPO, but that computer setting is not!

Is it a normal behavior?
0
 
AwinishCommented:
You need to reboot the system & the policy has to reflect into RSOP as i confirmed the setting in my lab.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
anupam1983Author Commented:
Okay so once I reboot the local GPO will show the updated setting right?

Since this GPO is linked to more than 30k machines, so I'll be screwed up if I give all of them a reboot.

I think as long as the RSOP is showing the updates and registry key is set, we should not worry, am I correct?
0
 
AwinishCommented:
Well you should reboot one machine & check settings are achieved because computer configuration sometime doesn't apply without reboot & if its showing in registry n rsop.msc you can reply but giving a reboot to one machine will be better.

I think its been applied but just run gpupdate /force on one machine & check event viewer & if there is successful log, yo are done, but sometime reboot is required as its Microsoft OS..:)
0
 
anupam1983Author Commented:
Yeah, I actually did gpupdate /force for all the domain machine at one go :o)

Looks like they all are getting updates....secli event ID is showing the gpo is updated......

yup, i agree with u that Windows OS requires reboot for many computer settings :o)
0
 
AwinishCommented:
I think when there is no error, you can trust windows will not deceive you..:)
0
 
anupam1983Author Commented:
Yup!! Thanks Awinish for your help! I was seriously went mad when I saw local GPO was not updated!!

Have a great time ahead!

Regards,
Anupam Bhattacharjee
0
 
AwinishCommented:
0
 
anupam1983Author Commented:
Thank you once again!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now