winstalla
asked on
GPResult doesn't show group a User is a member of
I am trying to get Group Policy working from scratch. It is possible (indeed, quite likely) that I have missed a simple step somewhere. But anyway...
I have created a new OU specifically for Group Policy testing and created a new Security Group inside it. I have added a User (me, actually) to this new Security Group.
However, whenever I run a GPResult /R [with or without /V], the User us shown as being in every Security Group that they were in before I created the new OU and Security Group but not the new one!
If I check the User in AD Users and Computers membership of the new group is shown. The OU is inside a main OU within the Domain.
Since I can't find the User as being a member of the Security Group, you will not be surprised to discover that GP Modelling doesn't indicate the the GPO will apply to the User - and it doesn't.
Machine is Windows 7, DC is Server 2010. I don't think this should matter, though!
???
I have created a new OU specifically for Group Policy testing and created a new Security Group inside it. I have added a User (me, actually) to this new Security Group.
However, whenever I run a GPResult /R [with or without /V], the User us shown as being in every Security Group that they were in before I created the new OU and Security Group but not the new one!
If I check the User in AD Users and Computers membership of the new group is shown. The OU is inside a main OU within the Domain.
Since I can't find the User as being a member of the Security Group, you will not be surprised to discover that GP Modelling doesn't indicate the the GPO will apply to the User - and it doesn't.
Machine is Windows 7, DC is Server 2010. I don't think this should matter, though!
???
ASKER
Run, as suggested, but I don't understand the results (duh!). I get an RsoP console, but I don't see anything in it that helps me to understand the situation.
Incidentally, yes I have done the GPUPDATE /force. And when doing the RSoP the User appeared in the new group, but a GPResult /R still shows it not being there.
Incidentally, yes I have done the GPUPDATE /force. And when doing the RSoP the User appeared in the new group, but a GPResult /R still shows it not being there.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Please take a quick look here on how to utilize RSOP:
http://www.windowsnetworking.com/articles_tutorials/Resultant-Set-Policy-Planning-Logging.html
It basically lists or policies have precedence and that can help pinpoint where it's failing
http://www.windowsnetworking.com/articles_tutorials/Resultant-Set-Policy-Planning-Logging.html
It basically lists or policies have precedence and that can help pinpoint where it's failing
ASKER
Thank you! I can now see why it doesn't work. Whether this helps is another matter.....
Have you performed a gpupdate /force after creation of the new policy? Could you run rsop and see whether the policy is getting applied to the user?
AD>>Select the affected OU>>Right click on a user>>All Tasks>>Resultant Set Of Policy (Planning)>>Run the wizard and see whether the new policy is applying.