We help IT Professionals succeed at work.

GPO not applying

Hi all,

I have a standalone 2003 server which is a DC & I have joined 15 PCs to its Domain successfully.
I have implemented a GPO to lockdown those PCs, but the GPO isnt applying to any of the PCs.
The Link is Enabled & Enforced.
I have ran gpresult on the PCs which states that the gpo is not found.
I have made sure the securities are right i.e. Authenticated Users = Read priveleges.
I have it on the right OU, which contains accounts, Computers are in another OU.
I have only used User settings.
I dont have loopback processing enabled.
I have ran Windows Server 2003 Resource Kit Tools using gpotools cmd which says the GPO is ok.

Has anyone else got any other suggestions?
Comment
Watch Question

I've had issues like this before, and came back a day later to find it working. Computer settings sometimes take a day or two to kick in, no idea why.
Hypercat (Deb)President
BRONZE EXPERT

Commented:
What is the operating system of the workstations? Are the users logging on with domain user accounts(not local user accounts)? Check in the event logs on some of the workstations and see if there are any GPO-related errors. The source of the errors would be Userenv or SceCli.

Commented:
What are you trying to lock down? Does the GPO apply to computer or user objects? If user objects, have you tried applying the GPO as a domain administrator?

Have you checked the event logs on an affected machine to see if there are any events relating to group policies (specifically failures)?

Author

Commented:
GPO applies to User settings.
It has been a few days since I set it and still nothing.
Operating system = XP
1.Is the OU contains Users to which the GPO is linked ( user setting GPO)?
2.Login as the user and run the gpupdate /force and check if the GPO applies to the client.
3.Is the GPO not applying to any client?
4.Make sure that the user ( Authenticated) have  Read and Apply Group policy permission for the GPO.
Technical Designer
BRONZE EXPERT
Commented:
Do you have correct DNS settings?

Further as suggested by arroryn did you check event viewer for any error message related to GPO?

Further what is the result from gpresult.exe /R from the command prompt?

Author

Commented:
I have not had a chance to do the checks from above, I will complete these tomorrow. I will post the results here then.

My DNS is primarily pointed at the DC server, then secondarily pointed at the router gateway. i.e  192.168.1.5
      192.168.1.1
Is that correct?

Author

Commented:
Yes the Users are in the right OU that has the GPO applied.
The Users are logging in with Domain Accounts.
There are no entries in the Event Log of Userenv or SceCli type or of any logon nature.
I'm just trying to lockdown basic things like no Run command etc... & I'm trying to repoint the Docs & Desktop folders to the server & I have a logon script in the gpo to map a shared drive, so nothing out of the ordinary.
I have ran gpupdate /force on the clients & server & it still hasn't made a difference.
The GPO is not applying to any client.
Authenticated User has Read & Apply group policy set to allow.
Gpresult states that 'INFO: The policy object does not exist'
BRONZE EXPERT

Commented:
Hypercat (Deb)President
BRONZE EXPERT

Commented:
What OU are the users in? Where did you create and link the GPO (i.e., at the domain level or at the OU level)? Please describe how this is configured.  I know that you said it was in the right OU, but by your description of the GPResult message, it sounds as though the group policy is not being applied to the OU that contains your user accounts. In the group policy management console, click on your GPO and then do a screen capture of the Scope information.  Then click on the Settings tab. When the report appears, right-click and print it to a file and post that screen capture and file here for analysis.

You should remove the secondary DNS server (your router IP address) from the server and all workstations.  It's not doing anything useful.
Check if any GPO has been set to Nooveride ( which is applied on parent level or at the same level).To get the list of GPo applied to the user, Run gpresult and check the Nooverride setting of each GPO.

http://technet.microsoft.com/en-us/library/cc978255.aspx

Author

Commented:
All sorted. Thanks for the help

Author

Commented:
Thanks

Explore More ContentExplore courses, solutions, and other research materials related to this topic.