Matthew13

GPOs not applying in existing OUs

I am new to the company and am in the process of cleaning up the GPOs in the domain. The company is made up of roughly 5 domain controllers spread throughout the US, with headquarters in the south. I have full control of the north east US branch of the OU structure.

My problem is that new GPOs will not take effect on existing OUs whether the GPOs are linked directly or through inheritance. Any new OUs I have made seem to work fine. When I look under the Group Policy Inheritance tab in Group Policy Management, everything appears to be displayed properly. Although, when I run GPRESULT /R on a user in the affected OU, the policy is not mentioned under Applied Group Policy Settings or the filtered ones. Any ideas?

I have tried GPUPDATE /FORCE many times and let the policy sit overnight to ensure it wasn't a replication issue.
Mike Kline
So if you run an RSoP report in GPMC it shows that the new GPO doesn't apply. Does it show up under the inheritance tab if you link it directly to an old OU?

Any errors in your logs?


What kind of settings are you applying? Can you upload a copy of your GPO? You shouldn't have to do a /force. If you change the GPO, it will apply after 120 minutes (at the most).

Also: check this out:
mkline71: RSoP from a client logged in as an affected user doesn't show the GPO as existing, as opposed to existing but not being applied. It does show up under the inheritance tab if it is linked directly to an old OU.

jmoody10: I am starting with something simple, which is mapping a user-based network drive. I am doing a /force for testing purposes so I don't have to wait 120 minutes between changes.
You could run a simple GPUpdate if you don't want to wait. If you are using Group Policy Preferences Drive Mappings, remember that it will only map the drive on login.
jmoody10: I understand this, GPRESULT /R is not seeing the policy at all. That is the issue.
Can you upload a copy of that GPO? You can right click on it and select Save report.
Sure. I have changed some of the names around for security purposes.
I like your names!

Two things:

1. You have authenticated users in your security filtering. You don't need any additional groups.

2. Remove the WMI filter and see if the GPO applies. You can use Item Level Targeting on the drive mappings to specify OS levels.

1. I only added myself to test if it was a permission issue.

2. I added that filter for testing since some of the GPOs that were applying properly actually had it. I don't need it. It still doesn't work without it.
Can you run a GPResult /h as a user that should get this GPO and upload that report here?

EX: GPResult /h Report.htm

Just upload the report.htm file.
For some reason, I can never get that command to work so I just redirected the output of GPRESULT /R to a text file.
Since the new GPO settings are applied at logon, go ahead and do a gpupdate /force (again), log off and log back on, and then check the event log (I believe it is the application log). Do you see any Group Policy errors in the logs? This will give you an idea if there is something wrong with the account/computer processing the GPO.
Another thing you can try, if you have it enabled, is to go into Active Directory and locate a workstation that is having the issue. Right click and do "Resultant Set of Policy Logging". Select the user that is having the issue and run it. This will show you the current policies on the workstation/user and what GPO it is grabbing from. You can drill down through the User Preferences and see if the network mappings are configured there and what GPO it is grabbing from.

And like Jmoody suggested - remove the WMI filters (for simplicity)
ThinkPaper: Does the RSoP report only show policies that are applied? For example, if no IE settings are specified in group policy, would IE settings be missing from the RSoP report?
We have gone another route and decided to start a new OU structure as a solution to this issue.
I know I'm late into chiming in here but here are some suggestions:

1) What OS are your DCs running?
2) What OS are your clients running?
3) Are the users or computers to which you want to apply your settings in the OU to which you have linked your GP?
4) Are there any special permissions applied to the OU to which you are trying to apply GPs?
5) On one of your test workstations, have you enabled verbose GP logging?
6) Any GP errors in the event logs on your DCs or workstations?
Creating a new OU allows you to move forward but doesn't explain why you were not able to link and process GPs on existing OUs... ;-)
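
The checks suggested across this thread (inheritance, security filtering, WMI filter, OU permissions, Group Policy event errors) can be gathered in one read-only PowerShell script. This is an added example, not part of any poster's reply; it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, and the OU distinguished name and GPO name are placeholders.

```powershell
# Added example: read-only checks for a GPO that is linked but never applied.
# $OuDn and $GpoName are placeholders, not values from the thread.
param(
    [string]$OuDn    = 'OU=ExampleOU,DC=example,DC=com',
    [string]$GpoName = 'Example Drive Mapping'
)
Import-Module GroupPolicy, ActiveDirectory

# 1. What the directory reports as effective at the OU. InheritedGpoLinks is
#    the resultant list and includes GPOs linked directly to the OU.
$inh = Get-GPInheritance -Target $OuDn
"Inheritance blocked on OU: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Where-Object DisplayName -eq $GpoName |
    Format-Table DisplayName, Enabled, Enforced, Order, Target

# 2. GPO state: disabled user/computer half, WMI filter, and whether the
#    AD and SYSVOL copies carry the same version (a replication symptom).
$gpo = Get-GPO -Name $GpoName
[pscustomobject]@{
    Status         = $gpo.GpoStatus
    WmiFilter      = $gpo.WmiFilter.Name
    UserAD         = $gpo.User.DSVersion
    UserSysvol     = $gpo.User.SysvolVersion
    ComputerAD     = $gpo.Computer.DSVersion
    ComputerSysvol = $gpo.Computer.SysvolVersion
} | Format-List

# 3. Security filtering: trustees that hold Apply on the GPO.
Get-GPPermission -Name $GpoName -All |
    Where-Object Permission -eq 'GpoApply' |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 4. Special permissions on the OU: list Deny entries and what
#    Authenticated Users are granted, so an old OU can be compared with a new one.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -or
                   $_.IdentityReference -like '*Authenticated Users' } |
    Select-Object IdentityReference, AccessControlType,
                  ActiveDirectoryRights, IsInherited

# 5. Group Policy errors and warnings from the local operational log.
#    Run this part on an affected workstation after a logoff/logon.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-GroupPolicy/Operational'
    Level   = 2, 3
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

Running it once against an affected OU and once against a newly created OU gives two outputs to compare side by side, in particular the output of step 4.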
