We help IT Professionals succeed at work.

GPO says applied but its not... also its applied numerous times

Medium Priority
796 Views
Last Modified: 2012-08-14
Recently got out brand new server and I took on a challenge to deploy it. So got our roaming profiles etc.... however created some GPOs such as definition of dns server and mapping drives with logon scripts... the main policy works (folder redirection etc) other not to much...

gpresult seem to apply the same gpos numerous times on both users and computers, yet it doesnt...

im very lost now
Comment
Watch Question

yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
Your question is very limited with detail.
If you need an anwser you will need to post a question.

1: What is applying and what is not?
2: Are you talking about User or Computer settings?
3: Are the GPO's linked to the proper OU level?

Author

Commented:
sorry very new to GP...
well im applying mainly user settings but have another policy for computer only

my suspicion is that redirection applies as all the folders are on the server, yet the log on script in the same policy wont run...
they all sit under domain now as i tried sticking computer gpos to domain computers
yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
What is your script supposed to accomplish?
yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
Also you're not really being clear about your redirection.

Author

Commented:
script is to connect network drives (with password - it works when applied manually) and redirection as in roaming profiles
yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
Do you have Group Policy Preferences in GPMC (Group Policy Management Console)
If you do you should use Map drive option from there.  It is much easier.
GPP accomplishes most common scripts that people used to use.

This is User Based so you need to make sure the the GPO is linked to the OU with the users that you want this to apply.

If you are trying this with a GPO link to an OU that is out of the user's hierarchy or if the GPO is blocked then that might be the cause of the GPO not working, but when you run it manually it works.

Author

Commented:
well i created new ou linked users to it and still nothing,,, no sign of the policy being executed in gpresutl...
only obvious thing is that im doing "something" fundamentally wrong.

Author

Commented:
btw i did dump log on script in favor of drive mapping in gp (and nowt)
yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
Can you post your AD hierarchy and GPMC.
This may help me assist.

Author

Commented:
Name      Type      Description      
Builtin      builtinDomain            
Computers      Container      Default container for upgraded computer accounts      
Domain Computers      Organizational Unit            
Domain Controllers      Organizational Unit      Default container for domain controllers      
ForeignSecurityPrincipals      Container      Default container for security identifiers (SIDs) associated with objects from external, trusted domains      
Managed Service Accounts      Container      Default container for managed service accounts      
UseresLogonMapping      Organizational Unit            
Users      Container      Default container for upgraded user accounts
yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
What is that?

Author

Commented:
AD hierarchy? (guess not then)
yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
Here is an example what I am interested in.

image 1
image 2

Author

Commented:
right, thought about doing screen shot adgpo
(dont laught too much)
yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
OK
Now that I see your GPO's which ones are your looking to apply?
1: DriveMap
2: DNS Settings?
3: etc....

Author

Commented:
well the idea is to apply:
DNS settings to apply to all computers
drive maps only to logged in users
and redirection to users too

(driveMap was the very last gpo that maps via gp rather than script)

am i approaching it completely wrong?
yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
Ok.
Where are your User accounts located in?  What OU.

Also your naming convention for your OU's is probably not the best method.
You do not want to name OU's with the idea of what GPO is going to be applied.

You might want to create a OU structure that is Standard User, Admin User or departmental.
since this is the way you will probably apply GPO's.

As you can see mine is User, Computers and Admin Computers.
Then I apply the GPO's that I want to the masses that way.
yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
Here is another piece of info.
When Domain GPO's apply they start from the OU level and those take precedence.
then inherited GPO's are applied unless there is a setting that is already applied from the OU level.
example:
Drive mappings:  There is one in the Domain level and one in the OU level both mapping to the X:\ drive.  The x:\ drive mapping at the OU level take precedence and will be the one that applies.
No need to set enforcement on the GPO.

Author

Commented:
i think i created UsersLogonMapping to be for the users... im only guessing here never done that sort of a thing ...
Director of Information Technology
CERTIFIED EXPERT
Commented:
Ok.

So this is how it works. If you link a GPO to a OU (ie UsersLogonMapping) and there are none of the User Objects (Accounts) are in that OU (Active Directory Users and Computers Console) then what ever GPO that is Linked to that OU will not apply.

You will need to move the user objects (accounts) in the OU that you have the GPO linked to.

This is what I was talking about in reply 38286280 & 38286304.

You need to figure how you want to manage your AD then you can apply Linked GPO's

Does that make sense?

Mike

Author

Commented:
i see... well my OU had a group but i suppose that wouldnt do the trick. I thought of dragging users from users to a different ou but then not done it just in case...
presumably id have only user settings in that gp and have a separate gp only for computers with computers settings only?
Joe
yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
Here is a link that you should go to.  It is how Group Policy works
http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx

This is probably the document you want to read:
http://www.microsoft.com/en-us/download/details.aspx?id=22478

Author

Commented:
I didit as you suggested and guess what it worked the first time :)
The only thing is that's it's doesn't remember the password for a share that's on a different domain , but I guess I'll look online or start another thread
yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
You should post a new question since that was never part of your original thread.
To help out you want to look into Domain Trust between two domains or more.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.