Solved

GPO Not being applied

Posted on 2011-03-24
Last Modified: 2012-05-11
Hello,

I have 2 main GPOs in the domain which are being applied. I created a GPO in an OU and it does not seem to be applying or even being filtered out. What I did is disable these 2 main GPOs to see if they are preceding the OU GPO, which they shouldn't. It does not seem to apply the GPO at all. I have tried putting my test machine object into the GPO as well; still nothing. It does not apply this GPO at all. It is not even being filtered out when I look at gpresult on the client machine.

Any ideas?

thanks
Question by:rha_mtl
 
LVL 5

Expert Comment

by:zazagor
ID: 35206589
Hi,

have you tried gpupdate /force ?

//zazagor
0
 

Author Comment

by:rha_mtl
ID: 35206594
Yes, Sorry I forgot to mention that
0
 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35206742


Is the link enabled for this GPO? Is this GPO linked to an OU? Do you not want the GPO(s) to apply to the machine? If not, you can use security filtering within the Group Policy Management Console to deny group policy from applying. You can assign security principals to a group or just use the security principal in the filter.

Please tell me what your requirements are. If you want the GPO to apply to the machine then you have to link the GPO to the OU where the object is located for it to apply to objects within that OU.

For example,

You have a domain called contoso.com

You have a OU called   Management.

You create a Management GPO for the managers.

After you create the GPO you have the ability to link it to the site, domain, and OU.

Please tell me the steps that you followed to create your GPO and link it to the OU, if that's what you did.
0
 

Author Comment

by:rha_mtl
ID: 35206836
What I did is the following. I moved my gpo from the OU to the domain level and changed the security filtering to the test account. I rebooted the test machine and logged in and the gpo is being applied. When I take this gpo and link through the OU called test it does not apply to the user. The security filtering is only to the user. Then I remove the security filtering and just put back authenticated users. Since the gpo should apply to all users in the TEST container. The link is enabled as well in both cases.

The GPO setting is simple; it's just a login script that maps drives every time the user logs in.

It seems it applies at the domain level but not the OU, although the OU should be first in precedence, is it not?
0
 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35207025

In the Group Policy Management Console you can run the Group Policy Results wizard and see why the GPO is not applying. It will give you a graphical look. It is very helpful. I would run that to see if your GPO is denied. Post the results if you can so I can see where we go from here. Thanks

0
 

Author Comment

by:rha_mtl
ID: 35210158
Here is the result when I put the temp_workers gpo in the temp workers ou

Group Policy Management
Group Policy Results
RHA-DC\bob on RHA-DC\RHA-WM2
Data collected on: 24/03/2011 3:36:47 PM

Summary
Computer Configuration Summary
General
Computer name RHA-DC\RHA-WM2
Domain rha-dc.mtl.rha.ca
Site Default-First-Site-Name
Last time Group Policy was processed 24/03/2011 3:35:19 PM

Group Policy Objects
Applied GPOs
Name Link Location Revision
User Windows Update Policy rha-dc.mtl.rha.ca AD (17), Sysvol (17)
RHA Domain Policy rha-dc.mtl.rha.ca AD (59), Sysvol (59)

Denied GPOs
Name Link Location Reason Denied
Local Group Policy Local Empty

Security Group Membership when Group Policy was applied
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
RHA-DC\RHA-WM2$
RHA-DC\Domain Computers
WMI Filters
Name Value Reference GPO(s)
None

Component Status
Component Name Status Last Process Time
Group Policy Infrastructure Success 24/03/2011 3:35:22 PM
Registry Success 24/03/2011 9:29:28 AM
Security Success 24/03/2011 9:29:29 AM

User Configuration Summary
General
User name RHA-DC\bob
Domain rha-dc.mtl.rha.ca
Last time Group Policy was processed 24/03/2011 3:36:07 PM

Group Policy Objects
Applied GPOs
Name Link Location Revision
RHA Domain Policy rha-dc.mtl.rha.ca AD (8), Sysvol (8)

Denied GPOs
Name Link Location Reason Denied
Local Group Policy Local Empty
User Windows Update Policy rha-dc.mtl.rha.ca Empty

Security Group Membership when Group Policy was applied
RHA-DC\Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
WMI Filters
Name Value Reference GPO(s)
None

Component Status
Component Name Status Last Process Time
Group Policy Infrastructure Success 24/03/2011 3:36:11 PM
Registry Success 24/03/2011 9:29:26 AM
Scripts Success 24/03/2011 3:33:48 PM

Computer Configuration
Policies
Windows Settings
Security Settings
Account Policies/Password Policy
Policy Setting Winning GPO
Enforce password history 5 passwords remembered RHA Domain Policy
Maximum password age 60 days RHA Domain Policy
Minimum password age 30 days RHA Domain Policy
Minimum password length 6 characters RHA Domain Policy
Password must meet complexity requirements Disabled RHA Domain Policy
Store passwords using reversible encryption Disabled RHA Domain Policy

Account Policies/Account Lockout Policy
Policy Setting Winning GPO
Account lockout duration 5 minutes RHA Domain Policy
Account lockout threshold 5 invalid logon attempts RHA Domain Policy
Reset account lockout counter after 5 minutes RHA Domain Policy

Local Policies/Security Options
Accounts
Policy Setting Winning GPO
Accounts: Administrator account status Enabled RHA Domain Policy
Accounts: Guest account status Disabled RHA Domain Policy

Interactive Logon
Policy Setting Winning GPO
Interactive logon: Do not require CTRL+ALT+DEL Enabled RHA Domain Policy

Network Security
Policy Setting Winning GPO
Network security: Force logoff when logon hours expire Disabled RHA Domain Policy

Shutdown
Policy Setting Winning GPO
Shutdown: Clear virtual memory pagefile Enabled RHA Domain Policy

Other
Policy Setting Winning GPO
Interactive logon: Display user information when the session is locked User display name, domain and user names RHA Domain Policy

System Services
Windows Firewall (Startup Mode: Disabled)
Winning GPO RHA Domain Policy
Permissions
No permissions specified
Auditing
No auditing specified
Windows Firewall with Advanced Security
Global Settings
Policy Setting Winning GPO
Policy version Not Configured  
Disable stateful FTP Not Configured  
Disable stateful PPTP Not Configured  
IPsec exempt Not Configured  
IPsec through NAT Not Configured  
Preshared key encoding Not Configured  
SA idle time Not Configured  
Strong CRL check Not Configured  

Domain Profile Settings
Policy Setting Winning GPO
Firewall state Off RHA Domain Policy
Inbound connections Not Configured  
Outbound connections Not Configured  
Apply local firewall rules Not Configured  
Apply local connection security rules Not Configured  
Display notifications Not Configured  
Allow unicast responses Not Configured  
Log dropped packets Not Configured  
Log successful connections Not Configured  
Log file path Not Configured  
Log file maximum size (KB) Not Configured  

Connection Security Settings
Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.
Network/Network Connections/Windows Firewall/Domain Profile
Policy Setting Winning GPO
Windows Firewall: Protect all network connections Disabled RHA Domain Policy

Network/Network Connections/Windows Firewall/Standard Profile
Policy Setting Winning GPO
Windows Firewall: Protect all network connections Disabled RHA Domain Policy

System/Group Policy
Policy Setting Winning GPO
Group Policy refresh interval for computers Enabled RHA Domain Policy
This setting allows you to customize how often Group Policy is applied
to computers. The range is 0 to 64800 minutes (45 days).
Minutes: 60
 
This is a random time added to the refresh interval to prevent
all clients from requesting Group Policy at the same time.
The range is 0 to 1440 minutes (24 hours)
Minutes: 30
 
Policy Setting Winning GPO
Group Policy refresh interval for domain controllers Enabled RHA Domain Policy
This setting allows you to customize how often Group Policy is applied
to domain controllers. The range is 0 to 64800 minutes (45 days).
Minutes: 5
 
This is a random time added to the refresh interval to prevent
all clients from requesting Group Policy at the same time.
The range is 0 to 1440 minutes (24 hours)
Minutes: 0
 
Policy Setting Winning GPO
User Group Policy loopback processing mode Enabled RHA Domain Policy
Mode: Replace
 

System/Logon
Policy Setting Winning GPO
Don't display the Getting Started welcome screen at logon Enabled RHA Domain Policy

Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections
Policy Setting Winning GPO
Allow users to connect remotely using Remote Desktop Services Enabled RHA Domain Policy

Windows Components/Remote Desktop Services/Remote Desktop Session Host/Remote Session Environment
Policy Setting Winning GPO
Remove Windows Security item from Start menu Enabled RHA Domain Policy

Windows Components/Security Center
Policy Setting Winning GPO
Turn on Security Center (Domain PCs only) Disabled RHA Domain Policy

Windows Components/Windows Defender
Policy Setting Winning GPO
Turn off Windows Defender Enabled User Windows Update Policy

Windows Components/Windows Update
Policy Setting Winning GPO
Allow Automatic Updates immediate installation Enabled User Windows Update Policy
Allow non-administrators to receive update notifications Enabled User Windows Update Policy
Allow signed updates from an intranet Microsoft update service location  Enabled User Windows Update Policy
Automatic Updates detection frequency Enabled User Windows Update Policy
Check for updates at the following
interval (hours):  22
 
Policy Setting Winning GPO
Configure Automatic Updates Enabled User Windows Update Policy
Configure automatic updating: 4 - Auto download and schedule the install
The following settings are only required
and applicable if 4 is selected.
Scheduled install day:  0 - Every day
Scheduled install time: 16:00
 
Policy Setting Winning GPO
Delay Restart for scheduled installations Enabled User Windows Update Policy
Wait the following period before
proceeding with a scheduled
restart (minutes):  30
 
Policy Setting Winning GPO
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box Enabled User Windows Update Policy
Enable client-side targeting Enabled User Windows Update Policy
Target group name for this computer RHA
 
Policy Setting Winning GPO
Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates Enabled User Windows Update Policy
No auto-restart with logged on users for scheduled automatic updates installations Enabled User Windows Update Policy
Re-prompt for restart with scheduled installations Enabled User Windows Update Policy
Wait the following period before
prompting again with a scheduled
restart (minutes):  40
 
Policy Setting Winning GPO
Reschedule Automatic Updates scheduled installations Enabled User Windows Update Policy
Wait after system
startup (minutes):  5
 
Policy Setting Winning GPO
Specify intranet Microsoft update service location Enabled User Windows Update Policy
Set the intranet update service for detecting updates: http://rha-sccm
Set the intranet statistics server: http://rha-sccm
(example: http://IntranetUpd01)
 
Policy Setting Winning GPO
Turn on recommended updates via Automatic Updates Enabled User Windows Update Policy

User Configuration
Policies
Windows Settings
Security Settings
Public Key Policies/Certificate Services Client - Auto-Enrollment Settings
Policy Setting Winning GPO
Automatic certificate management Enabled RHA Domain Policy
Option Setting
Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates Disabled
Update and manage certificates that use certificate templates from Active Directory Disabled
 
Show certificate expiry notifications Disabled RHA Domain Policy

Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.
Control Panel/Personalization
Policy Setting Winning GPO
Enable screen saver Enabled RHA Domain Policy
Password protect the screen saver Enabled RHA Domain Policy
Screen saver timeout Enabled RHA Domain Policy
Number of seconds to wait to enable the screen saver
 
Seconds: 1800
 

System
Policy Setting Winning GPO
Don't display the Getting Started welcome screen at logon Enabled RHA Domain Policy

System/Group Policy
Policy Setting Winning GPO
Group Policy refresh interval for users Enabled RHA Domain Policy
This setting allows you to customize how often Group Policy is applied
to users. The range is 0 to 64800 minutes (45 days).
Minutes: 60
 
This is a random time added to the refresh interval to prevent
all clients from requesting Group Policy at the same time.
The range is 0 to 1440 minutes (24 hours)
Minutes: 30
 

System/Power Management
Policy Setting Winning GPO
Prompt for password on resume from hibernate / suspend Enabled RHA Domain Policy
0
 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35210524
is the test account in the test OU ?

Where is the test account located ?

If you link the gpo to the ou it will only apply to objects in the OU.
0
 

Author Comment

by:rha_mtl
ID: 35210545
The test account, which is called bob, is in the OU called temp workers. Security is filtered to only this user Bob. It still doesn't work.

When I take the GPO and put it in the domain it then works. It's when I move the GPO to the OU that it doesn't work.
0

 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35210994

I don't see that your group policy object is denied.  


Are these logon/logoff scripts or startup/shutdown scripts?

Which part of the group policy did you configure ?

If you configured the user configuration part of the group policy then I would run the following command on a client:

gpupdate /target:user /force. This will force an update of the user configuration part of the policy. You can do the same thing for the computer configuration.

I would also check to see if the PC is getting the policy.
On the PC, I would also run rsop.msc (Resultant Set of Policy).

1. Start, Run and type rsop.msc. This will tell us if the policy is being applied to the computer. When it comes up, check for the policy that you configured and see if it's turned on. Let me know the results.
0
 

Author Comment

by:rha_mtl
ID: 35240605
These are logon scripts under the user configuration

I ran the command gpupdate /target:user /force on the PC and then ran rsop.msc on the PC, and the policy is still not applying and it does not even appear as being filtered.

As soon as I take this policy and put it at the domain level and have it applied only to that user in the security filtering, it then applies to the user. But not when the GPO is in the OU. Strange.
0
 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35241476


I have a question.

Do you want the policy to apply to the bob user, or do you want to exclude bob from the policy? If you want the group policy to apply to bob in the OU, you do not have to use security filtering for that.

let me know
0
 

Author Comment

by:rha_mtl
ID: 35243490
I want it to actually apply to all users in the OU, so I did have it set to Authenticated Users. But because I put it at the domain level I only wanted it to apply to BOB. I figure I will just leave it as is when I move it back and forth from domain to OU.

My goal is to have it apply to all users on that OU.
0
 

Author Comment

by:rha_mtl
ID: 35244362
OK. This is what I tried


I went on the OU and blocked inheritance to make sure that there is no conflict of gpo's going on. Then I made sure that the test gpo is linked in the test OU and still it is not being applied.

0
 
LVL 8

Accepted Solution

by:
ActiveDirectoryman earned 250 total points
ID: 35245058

OK, I understand now.

Turn off block policy inheritance on the DC.

Configure security filtering on the GPO and change it back to Authenticated Users.

Link the GPO to the temp workers OU.

Make sure bob is in the OU that you linked the GPO to.

Run a gpupdate /target:user /force.

It is not necessary to filter the gpo to only apply to bob. You usually configure security filtering when you want to restrict who the policy applies to but this is not a case where you need to do that.

Also within the gpmc console take a look at the group policy inheritance tab and look at how group policy is being applied down the OU structure.  


0
 

Author Comment

by:rha_mtl
ID: 35327424
ok i did the following

I removed the block inheritance. Removed the security filtering.

I made sure bob is in the ou. then i did the gpupdate /target:user /force.
Linked the gpo in the test ou and still see nothing on the client.
I checked the group policy inheritance and see that it is in order
1) ou gpo i created called test
2) Domain policy
3) etc

I decided to start fresh.

I created a new ou called it test1
then created a new user called bob1.
created a new gpo called test1 and linked it to the test1 ou
still the gpo in the ou will not apply and it does not even appear as being filtered or denied on the client.
I ran the rsop from the server of the computer and selected the user bob1 and looked at the results and see nothing regarding the gpp in the ou.

I tried again at the domain level again and it works fine. As soon as I go to the ou level it does not function
0
 

Author Closing Comment

by:rha_mtl
ID: 35327523
I found the problem....

When I looked at the following support issue at microsoft
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/eb62e904-e7f6-4fd8-8d1a-75e44347fde6/

I checked my GPOs and found that I had 2 GPOs with loopback processing. I removed the loopback from both GPOs and it is now functioning correctly.

I will award you the points because you were a great help.

thanks
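
The behaviour found in this thread, as an added example that is not part of the original posts: a simplified Python model of how the list of GPOs for user settings is built, showing why loopback processing in Replace mode (the report above lists "User Group Policy loopback processing mode" as Enabled, Mode: Replace) leaves an OU-linked user GPO out of scope while the same GPO linked at the domain still applies. The distinguished names and the computer's location in CN=Computers are assumptions; sites, block inheritance and enforced links are not modelled.

```python
# Added illustration: simplified model of how the user-side GPO list is built.
# Constructed sample data; the DNs and the computer's location are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Gpo:
    name: str
    applies_to: frozenset = frozenset({"Authenticated Users"})  # security filtering


def containers(dn):
    """Linkable containers above an object: the domain first, then each OU down to its parent."""
    parts = dn.split(",")[1:]  # drop the object's own RDN
    first_dc = next(i for i, p in enumerate(parts) if p.upper().startswith("DC="))
    soms = [",".join(parts[first_dc:])]
    for i in range(first_dc - 1, -1, -1):
        if parts[i].upper().startswith("OU="):  # CN= containers cannot hold GPO links
            soms.append(",".join(parts[i:]))
    return soms


def gpos_in_scope(dn, links):
    """GPOs linked to any container above the object, domain-level links first."""
    return [g for som in containers(dn) for g in links.get(som, [])]


def user_gpo_list(user_dn, computer_dn, user_groups, links, loopback=None):
    """Names of GPOs whose user settings are processed, lowest precedence first.
    loopback is None (normal processing), "merge" or "replace"."""
    if loopback == "replace":
        candidates = gpos_in_scope(computer_dn, links)  # the user's own OU path is ignored
    elif loopback == "merge":
        candidates = gpos_in_scope(user_dn, links) + gpos_in_scope(computer_dn, links)
    else:
        candidates = gpos_in_scope(user_dn, links)
    # Security filtering is still evaluated against the user.
    return [g.name for g in candidates if g.applies_to & user_groups]


DOMAIN = "DC=example,DC=test"
TEMP_OU = "OU=temp workers," + DOMAIN
BOB = "CN=bob," + TEMP_OU
PC = "CN=RHA-WM2,CN=Computers," + DOMAIN  # assumed: the PC is not in the temp workers OU
BOB_GROUPS = frozenset({"Authenticated Users", "Domain Users", "bob"})

DOMAIN_POLICY = Gpo("RHA Domain Policy")
OU_LINKED = {DOMAIN: [DOMAIN_POLICY], TEMP_OU: [Gpo("temp_workers")]}
DOMAIN_LINKED = {DOMAIN: [DOMAIN_POLICY, Gpo("temp_workers", frozenset({"bob"}))]}

if __name__ == "__main__":
    cases = [("OU link, no loopback", OU_LINKED, None),
             ("OU link, loopback replace", OU_LINKED, "replace"),
             ("domain link filtered to bob, loopback replace", DOMAIN_LINKED, "replace")]
    for label, links, mode in cases:
        print(label, "->", user_gpo_list(BOB, PC, BOB_GROUPS, links, mode))
```

In Replace mode the OU-linked GPO never enters the candidate list at all, which matches the client showing it as neither applied nor denied.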