Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

GPO says applied but its not... also its applied numerous times

Posted on 2012-08-12
25
Medium Priority
?
783 Views
Last Modified: 2012-08-14
Recently got out brand new server and I took on a challenge to deploy it. So got our roaming profiles etc.... however created some GPOs such as definition of dns server and mapping drives with logon scripts... the main policy works (folder redirection etc) other not to much...

gpresult seem to apply the same gpos numerous times on both users and computers, yet it doesnt...

im very lost now
0
Comment
Question by:metase
  • 13
  • 11
24 Comments
 
LVL 24

Expert Comment

by:yo_bee
ID: 38285888
Your question is very limited with detail.
If you need an anwser you will need to post a question.

1: What is applying and what is not?
2: Are you talking about User or Computer settings?
3: Are the GPO's linked to the proper OU level?
0
 

Author Comment

by:metase
ID: 38285947
sorry very new to GP...
well im applying mainly user settings but have another policy for computer only

my suspicion is that redirection applies as all the folders are on the server, yet the log on script in the same policy wont run...
they all sit under domain now as i tried sticking computer gpos to domain computers
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 38286008
What is your script supposed to accomplish?
0
Free recovery tool for Microsoft Active Directory

Veeam Explorer for Microsoft Active Directory provides fast and reliable object-level recovery for Active Directory from a single-pass, agentless backup or storage snapshot — without the need to restore an entire virtual machine or use third-party tools.

 
LVL 24

Expert Comment

by:yo_bee
ID: 38286012
Also you're not really being clear about your redirection.
0
 

Author Comment

by:metase
ID: 38286059
script is to connect network drives (with password - it works when applied manually) and redirection as in roaming profiles
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 38286072
Do you have Group Policy Preferences in GPMC (Group Policy Management Console)
If you do you should use Map drive option from there.  It is much easier.
GPP accomplishes most common scripts that people used to use.

This is User Based so you need to make sure the the GPO is linked to the OU with the users that you want this to apply.

If you are trying this with a GPO link to an OU that is out of the user's hierarchy or if the GPO is blocked then that might be the cause of the GPO not working, but when you run it manually it works.
0
 

Author Comment

by:metase
ID: 38286203
well i created new ou linked users to it and still nothing,,, no sign of the policy being executed in gpresutl...
only obvious thing is that im doing "something" fundamentally wrong.
0
 

Author Comment

by:metase
ID: 38286206
btw i did dump log on script in favor of drive mapping in gp (and nowt)
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 38286207
Can you post your AD hierarchy and GPMC.
This may help me assist.
0
 

Author Comment

by:metase
ID: 38286214
Name      Type      Description      
Builtin      builtinDomain            
Computers      Container      Default container for upgraded computer accounts      
Domain Computers      Organizational Unit            
Domain Controllers      Organizational Unit      Default container for domain controllers      
ForeignSecurityPrincipals      Container      Default container for security identifiers (SIDs) associated with objects from external, trusted domains      
Managed Service Accounts      Container      Default container for managed service accounts      
UseresLogonMapping      Organizational Unit            
Users      Container      Default container for upgraded user accounts
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 38286217
What is that?
0
 

Author Comment

by:metase
ID: 38286220
AD hierarchy? (guess not then)
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 38286221
Here is an example what I am interested in.

image 1
image 2
0
 

Author Comment

by:metase
ID: 38286261
right, thought about doing screen shot adgpo
(dont laught too much)
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 38286264
OK
Now that I see your GPO's which ones are your looking to apply?
1: DriveMap
2: DNS Settings?
3: etc....
0
 

Author Comment

by:metase
ID: 38286274
well the idea is to apply:
DNS settings to apply to all computers
drive maps only to logged in users
and redirection to users too

(driveMap was the very last gpo that maps via gp rather than script)

am i approaching it completely wrong?
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 38286280
Ok.
Where are your User accounts located in?  What OU.

Also your naming convention for your OU's is probably not the best method.
You do not want to name OU's with the idea of what GPO is going to be applied.

You might want to create a OU structure that is Standard User, Admin User or departmental.
since this is the way you will probably apply GPO's.

As you can see mine is User, Computers and Admin Computers.
Then I apply the GPO's that I want to the masses that way.
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 38286304
Here is another piece of info.
When Domain GPO's apply they start from the OU level and those take precedence.
then inherited GPO's are applied unless there is a setting that is already applied from the OU level.
example:
Drive mappings:  There is one in the Domain level and one in the OU level both mapping to the X:\ drive.  The x:\ drive mapping at the OU level take precedence and will be the one that applies.
No need to set enforcement on the GPO.
0
 

Author Comment

by:metase
ID: 38286345
i think i created UsersLogonMapping to be for the users... im only guessing here never done that sort of a thing ...
0
 
LVL 24

Accepted Solution

by:
yo_bee earned 2000 total points
ID: 38286372
Ok.

So this is how it works. If you link a GPO to a OU (ie UsersLogonMapping) and there are none of the User Objects (Accounts) are in that OU (Active Directory Users and Computers Console) then what ever GPO that is Linked to that OU will not apply.

You will need to move the user objects (accounts) in the OU that you have the GPO linked to.

This is what I was talking about in reply 38286280 & 38286304.

You need to figure how you want to manage your AD then you can apply Linked GPO's

Does that make sense?

Mike
0
 

Author Comment

by:metase
ID: 38286820
i see... well my OU had a group but i suppose that wouldnt do the trick. I thought of dragging users from users to a different ou but then not done it just in case...
presumably id have only user settings in that gp and have a separate gp only for computers with computers settings only?
Joe
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 38287806
Here is a link that you should go to.  It is how Group Policy works
http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx

This is probably the document you want to read:
http://www.microsoft.com/en-us/download/details.aspx?id=22478
0
 

Author Comment

by:metase
ID: 38293637
I didit as you suggested and guess what it worked the first time :)
The only thing is that's it's doesn't remember the password for a share that's on a different domain , but I guess I'll look online or start another thread
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 38293848
You should post a new question since that was never part of your original thread.
To help out you want to look into Domain Trust between two domains or more.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Let's recap what we learned from yesterday's Skyport Systems webinar.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question