Solved

GPO is not applying

Posted on 2011-03-09
Last Modified: 2012-05-11
Hello,

I wonder if somebody can help me. I am trying to get a new GPO applied to a small group of users sat in an OU on my AD. The GPO is simply to force the IE homepage to a specific URL when they log onto a terminal server.
I've set the URL in - user config-policies-windows settings-internet explorer maintenance to point to the right place. However this will not work. I've set up other GPOs in the past fine. Running gpupdate /force makes no difference. When I run a gpresult, and look under the applied group policy objects, it's not there. Only the default domain policy has applied (which doesn't have any IE settings).

There is another GPO on the terminal servers OU (where the terminal server resides that I am logging onto) that has lots of settings but I have denied read access to this user account so this GPO does not apply.

Can anybody help at all please? I'm at my wits end!!!

Thanks
0
Question by:ianlee1
16 Comments
 
LVL 24

Expert Comment

by:Awinish
ID: 35084466
You can enable userenv logging for detailed troubleshooting help.

http://blogs.technet.com/b/instan/archive/2008/09/17/what-is-logged-to-the-userenv-log-file.aspx

0
 

Author Comment

by:ianlee1
ID: 35093222
Thank you but this doesn't really help with a solution.

If I edit another existing GPO with a specific setting, that all works. Just this GPO will not apply and it's only a simple URL setting.

Does anybody else have any suggestions please?

Thanks in advance
0
 

Author Comment

by:ianlee1
ID: 35107258
If I block inheritance on this OU so that the default domain policy in its parent folder is not being inherited and then run a gpresult, the default domain policy STILL applies and there is still no mention of my other GPO.

Help!!

Thanks
0
 
LVL 24

Expert Comment

by:Awinish
ID: 35107360
Can you run rsop.msc & check if the proper setting applied?
Verify the GPO with the URL has been linked to the OU where the users are kept, not to the computer OU, & it's been linked properly using the GPMC tool.

Run gpotool.exe to check the health of the GPO, that it's not corrupt.
0
 

Author Comment

by:ianlee1
ID: 35107387
I have sorted this but I'm not sure why the problem existed. Can anybody advise me please?

If I add the GPO to the OU where the terminal servers computer account resides, the new GPO runs perfectly, even though it only has user settings. When it was linked to the OU where my user account sits, the GPO doesn't run. I don't understand why.
Am I right in thinking that, if a user account sits in an OU that has a GPO applied with user settings, then that GPO should apply on any computer that person logs onto?

I've attached a screenshot for somebody to look at. Please can anybody offer any advice. The problem is sorted now so I don't need a solution - I just need an explanation of the above if anybody would be so kind.

Thanks

[Screenshot: GPO Issue]
0
 
LVL 24

Expert Comment

by:Awinish
ID: 35107678
"If I add the GPO to the OU where the terminal servers computer account resides, the new GPO runs perfectly, even though it only has user settings. When it was linked to the OU where my user account sits, the GPO doesn't run. I don't understand why."
You might have enabled loopback policy in the GPO.

"Am I right in thinking that, if a user account sits in an OU that has a GPO applied with user settings, then that GPO should apply on any computer that person logs onto?"
Yes, you are right.

Take a look at loopback GPO.

http://awinish.wordpress.com/2010/11/11/gpo-loopback-policy-explained/
0
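Added example, not part of the original thread: a small Python model of how the list of GPOs supplying User Configuration is built at logon, with and without the loopback processing mentioned above. The OU layout, the GPO names and the account user1 are constructed assumptions, and the model covers only link inheritance, block inheritance, enforced links, security-filtering denies and loopback mode (no sites, WMI filters or link order within an OU).

```python
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    denied: set = field(default_factory=set)  # accounts denied Read/Apply Group Policy

@dataclass
class Ou:
    name: str
    parent: "Ou | None" = None
    links: list = field(default_factory=list)  # (Gpo, enforced) pairs
    block_inheritance: bool = False

def scope(ou):
    """GPOs linked on the path domain -> ou, in processing order (last wins)."""
    normal, enforced, blocked, node = [], [], False, ou
    while node is not None:  # walk from the leaf OU up to the domain
        here = [g for g, enf in node.links if not enf]
        if not blocked:  # a lower OU's block drops non-enforced parent links
            normal = here + normal
        enforced += [g for g, enf in node.links if enf]  # enforced ignores blocking
        blocked = blocked or node.block_inheritance
        node = node.parent
    return normal + enforced  # enforced links from higher containers end up last

def user_gpos(user, user_ou, computer_ou, loopback=None):
    """Names of GPOs whose User Configuration is processed for this logon."""
    if loopback == "replace":   # user-side list is discarded
        gpos = scope(computer_ou)
    elif loopback == "merge":   # computer-side list appended, so it wins conflicts
        gpos = scope(user_ou) + scope(computer_ou)
    else:
        gpos = scope(user_ou)
    return [g.name for g in gpos if user not in g.denied]

def demo():
    """Constructed layout modelled on the thread; every name is an assumption."""
    ddp, ie, ts = Gpo("Default Domain Policy"), Gpo("IE Homepage"), Gpo("TS Settings", {"user1"})
    domain = Ou("domain", links=[(ddp, False)])
    users = Ou("Users OU", domain, [(ie, False)])
    servers = Ou("Terminal Servers", domain, [(ts, False)])
    results = {"normal": user_gpos("user1", users, servers),
               "replace": user_gpos("user1", users, servers, "replace")}
    users.block_inheritance = True    # has no effect on the computer-side list
    results["replace_blocked"] = user_gpos("user1", users, servers, "replace")
    servers.links.append((ie, False))  # link the GPO beside the computer account
    results["replace_linked"] = user_gpos("user1", users, servers, "replace")
    return results
```

In this constructed layout, Replace mode yields only the Default Domain Policy until the homepage GPO is also linked to the OU holding the terminal server. Whether Replace mode was in effect on the asker's server is not established by the thread.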
 

Author Comment

by:ianlee1
ID: 35107789
Thanks for getting back to me and offering your advice. On the GPO that won't work - I have already enabled loopback processing as part of the GPO but it still doesn't work. The only way this GPO will execute is if it sits in the same OU as the computer account. I know that loopback is making this work as it's only user settings contained in there.

"Am I right in thinking that, if a user account sits in an OU that has a GPO applied with user settings, then that GPO should apply on any computer that person logs onto?
Yes, you are right."

You say I am correct but it still doesn't work. It's literally a simple case of the OU containing 3 user accounts with a GPO on that OU with user configuration settings inside. It doesn't apply the GPO when those users log on. With or without loopback coming into the equation - surely this should just work?
0
 
LVL 24

Expert Comment

by:Awinish
ID: 35108006
If you go to GPMC, go to group policy object & select the GPO, right click the GPO>GPO status, what you see is enabled or configuration only checked or user config or all settings disabled.

Userenv which I gave you earlier is the way for deep level troubleshooting & since it's your infrastructure & you got access, you can track with userenv.
What I explained earlier, that's how GPO works & if it works differently, you need to check the DC is healthy and use dcdiag to verify.
0
 
LVL 4

Expert Comment

by:bitla
ID: 35108052
Are you trying to apply group policy to a group? That will not work.

Group Policy cannot be applied to groups.  You can only target users and computers and OU.  If in your GPO, you have settings configured in the user configuration section and you link it to an OU, it will apply to the user objects that are members of that OU, or child OU through inheritance.

The only way that a group can interact with the GPO is via Security Filtering (to either target or not target a certain group of users in the OU).
0
 

Author Comment

by:ianlee1
ID: 35108128
Hi,

Thanks for your replies. It's not a group - just an OU that contains some user accounts.
"If in your GPO, you have settings configured in the user configuration section and you link it to an OU, it will apply to the user objects that are members of that OU, or child OU through inheritance."
It doesn't though - not on this terminal server anyway. The below seems interesting.

One other thing I have found is that if I log onto a laptop and not the terminal server with one of these accounts, IE launches automatically as specified in the GPO but the home page doesn't go to the URL specified in the GPO. If I run a gpresult I can see the GPO being applied and it even says that the homepage should be what's in the GPO but it isn't.

It's a strange one.
0
 

Author Comment

by:ianlee1
ID: 35108170
Hi Awinish,

The policy is set to enabled. I've never used userenv before so I will take a look at that to see if it shows me anything. It's either me doing something drastically wrong or there is an issue somewhere else.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 35108200
Use the above reference for how to read userenv logging.
Speaking truly I have never encountered any such issue even though I worked a lot on GPO design.
But there is something wrong, check the FRS log, check replication is working & DNS is properly configured, no other than local DNS is used in the NIC.
I recommend you run dcdiag /v /c /d /e & check the result.

0
 

Author Comment

by:ianlee1
ID: 35109043
In the log I see this - it doesn't mean much to me but it is the GPO in question;


GPSVC(3c8.4360) 14:31:00:571 CheckForGPOsToRemove: GPO <Tropos Mobile Config> needs to be removed
GPSVC(3c8.4360) 14:31:00:571 GetDeletedGPOList: Finished.

Why might that happen please?

Thanks
0
 

Author Comment

by:ianlee1
ID: 35109347
Also, if I create a new OU and put a user account in it with a new GPO it works fine so there doesn't appear to be a problem with the infrastructure.

Is there such a thing as a corrupt GPO, OU?

Thanks
0
 

Accepted Solution

by:
ianlee1 earned 0 total points
ID: 35109402
Sorry for all the updates. If I log onto an XP machine with one of these accounts, the GPO works OK.

Looks like it could be something to do with Server 2008 and Windows 7. Still, the fact the GPO is being removed as in the log above is strange.

There is something to do with Kerberos out there on the net which could be an answer. A hotfix is apparently available.

Does this sound like it could be a solution?
0
 

Author Closing Comment

by:ianlee1
ID: 35178766
Not resolved
0
