Help with GPO not applying (specific to Computer Configuration settings)

Hey everyone, I'd love some assistance with a problem I can't seem to get past; I've altered the Default Domain Policy to include entries for EFS Recovery Agents etc. at the following locations:

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certificates

Everything is great except that these settings do not seem to get pushed out to client machines. (mix of WinXP pro and Win7pro) I've run "gpupdate /force" on the servers (mix of 2k3, 2k3 R2, and 2008 R2) and run "gpupdate" on the clients but no luck. I've been working on this problem for over a day now, so I'm thinking that even without the gpupdate commands things should have updated by now.

Trying to track down the problem I ran RSOP based on the domain, and a particular computer I'm using as a guinea pig; both returned the expected result. I also looked at the syslog for that machine which showed that the GP configuration was updated successfully.

To make things more interesting I did a simple test by adding a new GPO and linking to the domain, then made a simple change in the User Configuration (placed a bookmark in IE); this policy updated on the client just fine. It seems that the user config is working but computer config is not...

Please let me know if anything jumps out as a possible cause or if any other quick checks come to mind, thanks in advance.
Asked by: jostafew (Systems Administrator)
jostafew (Systems Administrator, Author) commented:
A related thread has provided an answer to this problem; I was using gpedit.msc to view the status of the GPs being applied to the client machine. This was not giving the whole picture. Running rsop.msc confirmed that the GPOs were applied. I was also able to confirm the recovery agents' certificates being added to the encrypted files under the details section in the advanced properties of an encrypted file.

BCipollone thank you for your input.
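The accepted answer turns on where to look: gpedit.msc shows the machine's local policy object, not the resultant set delivered from the domain. The following is an added example, not part of the original thread, that checks from the client side whether computer-side Public Key Policies arrived. It assumes Windows 7 or later and an elevated PowerShell prompt; `$SampleFile` is a hypothetical path to an EFS-encrypted file.

```powershell
# Added example (not from the original thread).
# Assumes Windows 7 or later, elevated PowerShell 2.0+.
param(
    # Hypothetical path to a file that is already EFS-encrypted
    [string]$SampleFile = 'C:\Temp\encrypted-sample.txt'
)

# 1. List the GPOs the computer actually processed (resultant set, not local policy).
gpresult /r /scope computer

# 2. Certificates delivered by Group Policy are stored under the Policies hive,
#    one subkey per certificate, named by thumbprint.
$policyStores = @{
    'EFS recovery agents'       = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'
    'Trusted root certificates' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
}

foreach ($name in $policyStores.Keys) {
    $path = $policyStores[$name]
    if (Test-Path $path) {
        $thumbprints = @(Get-ChildItem $path | ForEach-Object { $_.PSChildName })
        Write-Output ("{0}: {1} certificate(s) from policy" -f $name, $thumbprints.Count)
        $thumbprints | ForEach-Object { Write-Output ("  {0}" -f $_) }
    }
    else {
        Write-Output ("{0}: no policy-delivered certificates found" -f $name)
    }
}

# 3. Show the recovery certificates recorded on an encrypted file.
#    Files encrypted before the policy arrived keep their old recovery data
#    until they are updated (for example with "cipher /u").
if (Test-Path $SampleFile) {
    cipher /c $SampleFile
}
else {
    Write-Output ("Sample file not found: {0}" -f $SampleFile)
}
```

Compare the thumbprints printed in step 2 with the recovery certificate thumbprints that `cipher /c` reports in step 3; a match confirms the policy is in effect for newly encrypted files.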
Might want to try this:

"So, in the end, having all the computers in an OU linked to a GPO was not enough. I had to add the computers to a group within that OU, and then specify that group in the Security Filtering section"


There is also an article that will take longer to read, but should help here:
jostafew (Systems Administrator, Author) commented:
Hey BCipollone, thank you for the reply. I read over the article at and tried the same approach on my system;

Within the applicable OU for this site (Langley) I created a security group called Langley Computers and added the test computers to that group. Back in GP Management I added the new Langley Computers group to the list under Delegation and gave that group Read and Apply Group Policy permissions. After all that was another round of gpupdate /force on the server and gpupdate on the clients (Win XP pro and Win7 pro). Sadly still no luck.

I am going to go back and read the article now. Please let me know if you have any other thoughts.
jostafew (Systems Administrator, Author) commented:
Still working on this problem.... I defined another test setting:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Do not require CTRL+ALT+DEL

and that applied OK on both my XP and Win7 machines.... so that tells me that everything is working as it should (correctly linked to OUs, permissions OK etc.) but the machines just will not take the Public Key Policies!

Any other thoughts?
Question has a verified solution.