Group policy not working over WAN?!

What is your WAN link between that point and VPN location?
Check if changing "slow link detection" can help
http://support.microsoft.com/kb/2008977

also run RSoP.msc to check if GPO is being applied on that TS

Regards,
Krzysztof

Thanks dude. How do i run the rsop.msc? And from which server?

Anything below 512 kbps considered to be slow link, you can reduce the slow link settings. You can use GPOInventory tool to run rsop.msc and other reports to several remote computers.
http://support.microsoft.com/kb/323276
http://support.microsoft.com/kb/323276
Ports required to be opened on the firewall
http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

You can also download and use to scan if port block is the issue.
http://support.microsoft.com/kb/310456
http://www.windowsecurity.com/articles/mastering-portqryexe-part1.html

Regards
________________________________________
Awinish Vishwakarma
MY BLOG:  http://awinish.wordpress.com

Assuming you have Active Directory Sites and Services setup correctly with that subnet and a domain contoller at the remote site, you can simply force replication.

Otherwise run gpupdate /force from the command prompt on the DC(s) and Workstations

-Eric

Hey guys,

I ran the gpresult /z>c:\gpresult.txt even on the local LAN and it came back with the following:

The following GPOs were not applied because they were filtered out:
Printers for Quantiv Backend - Security denied.

So I must have thought it was working but it wasn't even on our LAN! Apologies for that.
However, I have added 'Authenticated Users' now to the permitted list of users on this GPO and when I re-ran the same command as before, it is now saying the GPO has applied. However, surely the 'authenticated users' will now make add this policy for everybody in the domain?

Authenticated users should not be removed and you can use group policy filtering instead of removing authenticated users.
http://www.grouppolicy.biz/tag/printer/
http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/

Yes, Authenticated Users group is for every user/computer authenticated in a domain. Then policy applies to each object which resides in an OU or domain (depends on GPO link level).

When this group is removed from GPO's DACL that means GPO Filtering is used and you need to know where and how it is applied.

Good resources for that in Awinish' post above :)

Krzysztof

Thanks for that Awinish. Great article.

Well this is the strange thing now, so on our LAN it is saying that the GPO has been applied. However, at the other site when I run it, I still get:

   The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Printers for Quantiv Backend
            Filtering:  Denied (Security)

This has been going on for an hour now, the VPN between each site is around 10mb/10mb so it's very fast. I did a gpupdate /force at the other end DC and it came up with:

The processing of Group Policy failed. Windows attempted to read the file \\matc
hes.com\SysVol\matches.com\Policies\{C3A6F453-6B4F-4897-973C-93E820789D78}\gpt.i
ni from a domain controller and was not successful. Group Policy settings may no
t be applied until this event is resolved. This issue may be transient and could
 be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
 has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

If this is only happening at the remote end, could it be due to VPN?

The below error points to either network connectivity issue or firewall settings that system is not able to contact DC to get the GPO from sysvol and apply on its system.

Windows attempted to read the file \\matches.com\SysVol\matches.com\Policies\{C3A6F453-6B4F-4897-973C-93E820789D78}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved

You can run portquery tool as suggested earlier to check with the firewall blocking the ports. You can also take help of userenv logging tool Syspro to read the userenv log.
Check the GPO has been replicated to sysvol and when you run gpupdate /force on the problem machine, verify the event logs.
http://www.sysprosoft.com/policyreporter.shtml
http://blogs.technet.com/b/instan/archive/2008/09/17/what-is-logged-to-the-userenv-log-file.aspx
http://blogs.technet.com/b/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx


Regards
________________________________________
Awinish Vishwakarma
MY BLOG:  awinish.wordpress.com

GPOLOG view is also a good tool, give a try.
http://gplogview.codeplex.com/

Regards
______________________________
Awinish Vishwakarma
MY BLOG:  awinish.wordpress.com

Awinish, which ports would you query if you used the portqry tool. I've just used it to query TCP 389 from the 10.45.191.0/24 site to our site 10.0.0.0/24 and it's listening. But it fails on the UDP 389.

Any particular ports you would try to see whether it is affecting?
Thanks again for all this information.

Thanks for your help peeps. The ports on the firewall have now been opened, as some were missing. Much appreciated it.