Solved

GPO is not applying

Posted on 2011-03-09
16
1,069 Views
Last Modified: 2012-05-11
Hello,

I wonder if somebody can help me. I am trying to get a new GPO applied to a small group of users sat in an OU on my AD. The GPO is simply to force the IE homepage to a specific URL when they log onto a terminal server.
I've set the URL in - user config-policies-windows settings-internet explorer maintenance to point to the right place. However this will not work. I've setup other GPO's in the past fine. Running gpupdate /force makes no difference. When I run a gpresult, and look under the applied group policy objects, it's not there. Only the default domain policy has applied (which doesn't have any IE settings).

There is another GPO on the terminal servers OU (where the terminal server resides that I am logging onto) that has lots of settings but I have denied read access to this user account so this GPO does not apply.

Can anybody help at all please? I'm at my wits end!!!

Thanks
0
Comment
Question by:ianlee1
  • 10
  • 5
16 Comments
 
LVL 24

Expert Comment

by:Awinish
Comment Utility
You can enable userenv logging for derailed troubleshooting help.

http://blogs.technet.com/b/instan/archive/2008/09/17/what-is-logged-to-the-userenv-log-file.aspx

0
 

Author Comment

by:ianlee1
Comment Utility
Thank you but this doesn't really help with a solution.

If I edit another exisiting GPO with a specific setting, that all works. Just this GPO will not apply and it's only a simple URL setting.

Does anybody elsse have any suggestions please?

Thanks in advance
0
 

Author Comment

by:ianlee1
Comment Utility
If I block inheritance on this OU so that the default domain policy in it's parent folder is not being inherited and then run a gpresult, the default domain policy STILL applies and there is still no mentionof my other GPO.

Help!!

Thanks
0
 
LVL 24

Expert Comment

by:Awinish
Comment Utility
Can you run rsop.msc & check if the proper setting applied.
 Verify the GPO with URL has been linked to OU where users are no to the compute OU kept & its been linked properly using GPMC tool.

run gpotool.exe to check the health of the gpo, its not corrupt.
0
 

Author Comment

by:ianlee1
Comment Utility
I have sorted this but I'm not sure why the problem existed. Can anybody advise me please?

If I add the GPO to the OU where the terminal servers computer account resides, the new GPO runs perfectly, even though it only user settings. When it was linked to the OU where my user account sits, the GPO doesn't run. I don't understand why.
Am I right in thinking that, if a user account sits in an OU that has a GPO applied with user settings, then that GPO should apply on any computer that person logs onto?

I've attached a screenshot for somebody to look at. Please can anybody offer any advice. The problem is sorted now so I don't need a solution - I just need an explanation of the above if anybody would be so kind.

Thanks GPO Issue
0
 
LVL 24

Expert Comment

by:Awinish
Comment Utility
If I add the GPO to the OU where the terminal servers computer account resides, the new GPO runs perfectly, even though it only user settings. When it was linked to the OU where my user account sits, the GPO doesn't run. I don't understand why.
You might have enable loopback policy in GPO.

Am I right in thinking that, if a user account sits in an OU that has a GPO applied with user settings, then that GPO should apply on any computer that person logs onto?
Yes, you are right.

Take a look at loopback GPO.

http://awinish.wordpress.com/2010/11/11/gpo-loopback-policy-explained/
0
 

Author Comment

by:ianlee1
Comment Utility
Thanks for getting back to me and offering your advice. On the GPO that won't work - I have already enabled loopback processing as part of the GPO but it still doesn't work. The only way this GPO will execute is if it sits in the same OU as the computer account. I know that loopback is making this work as it's only user settings contained in there.

"Am I right in thinking that, if a user account sits in an OU that has a GPO applied with user settings, then that GPO should apply on any computer that person logs onto?
Yes, you are right."

You say I am correct but it still doesn't work. It's literally a simple case of the OU containing 3 user accounts with a GPO on that OU with user configuration settings inside. It doesn't apply the GPO when those users log on. With or without loopback coming into the equation - surely this should just work?
0
 
LVL 24

Expert Comment

by:Awinish
Comment Utility
If you got to GPMC, go to group policy object & select the GPO, right click the GPO>GPO status what you see is enabled or configuration only checked or user config or all settings disabled.

Userenv which i gave you earlier is the way for deep level troubleshooting & since its your infrastructure & you got access, you can track with userenv.
What i explained earlier that's hows GPO works & if it works differently, you need to check DC its healthy n use dcdiag to verify.
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 4

Expert Comment

by:bitla
Comment Utility
Are you trying apply group policy for A Group that will not work.

Group Policy cannot be applied to groups.  You can only target users and computers and OU.  If in your GPO, you have settings configured in the user configuration section and you link it to an OU, it will apply to the user objects that are members of that OU, or child OU through inheritance.

The only way that a group can interact with the GPO is via Security Filtering (to either target or not target a certain group of users in the OU).
0
 

Author Comment

by:ianlee1
Comment Utility
Hi,

Thanks for your replies. It's not a group - just an OU that contains some user accounts.
"If in your GPO, you have settings configured in the user configuration section and you link it to an OU, it will apply to the user objects that are members of that OU, or child OU through inheritance."
It doesn't though - not on this terminal server anyway. The below seems interesting.

One other thing I have found is that if I log onto a laptop and not the terminal server with one of these accounts, IE launches automatically as specified in the GPO but the home page doesn't go to the URL specified in the GPO. If I run a gpresult I can see the GPO being applied and it even says that the homepage should be what's in the GPO but it isn't.

It's a strange one.
0
 

Author Comment

by:ianlee1
Comment Utility
Hi Awinish,

The policy is set to enabled. I've never used userenv before so I will take a look at that to see if it shows me anything. It's either me doing something drastically wrong or there is an issue somewhere else.
0
 
LVL 24

Expert Comment

by:Awinish
Comment Utility
Use the above reference how to read userenv logging.
Speaking truly i have never encountered any such issue even though i worked alot on GPO design.
But there is something wrong, check FRS log, check replication is working & dns is properly configured, no other than local dns is used in the Nic,
I recommend run dcidag /v /c /d /e & check the result.

0
 

Author Comment

by:ianlee1
Comment Utility
In the log I see this - it doesn't mean much to me but it is the GPO in question;


GPSVC(3c8.4360) 14:31:00:571 CheckForGPOsToRemove: GPO <Tropos Mobile Config> needs to be removed
GPSVC(3c8.4360) 14:31:00:571 GetDeletedGPOList: Finished.

Why might that happen please?

Thanks
0
 

Author Comment

by:ianlee1
Comment Utility
Also, if I create a new OU and put a user account in it with a new GPO it works fine so there doesnt appear to be a problem with the infrastructure.

Is there such thing as a corrupt GPO, OU?

Thanks
0
 

Accepted Solution

by:
ianlee1 earned 0 total points
Comment Utility
Sorry for all the updates. If I log onto an XP machine with one of these accounts, the GPO works OK.

Looks like it could be something to do with Server 2008 and Windows 7. Still, the fact the GPO is being removed as in the log above is strange.

There is something to do with Kerberos out there on the net which could be an answer. A hotfix is apparently available.

Does this sound like it could be a solution?
0
 

Author Closing Comment

by:ianlee1
Comment Utility
Not resolved
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Resolve DNS query failed errors for Exchange
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now