Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

GPOs not applying in existing OUs

Posted on 2013-05-23
19
Medium Priority
?
180 Views
Last Modified: 2013-06-04
I am new to the company and am in the process of cleaning up the GPOs in the domain. The company is made up of roughly 5 domain controllers spread throughout the US, with headquarters in the south. I have full control of the north east US branch of the OU structure.

My problem is that new GPOs will not take effect on existing OUs whether the GPOs are linked directly or through inheritance. Any new OUs I have made seem to work fine. When I look under the Group Policy Inheritance tab in Group Policy Management, everything appears to be displayed properly. Although, when I run GPRESULT /R on a user in the affected OU, the policy is not mentioned under Applied Group Policy Settings or the filtered ones. Any ideas?

I have tried GPUPDATE /FORCE many times and let the policy sit overnight to ensure it wasn't a replication issue.
0
Comment
Question by:Matthew13
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 5
  • 2
  • +2
19 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39190795
So if you run an RSoP report in GPMC it shows that the new GPO doesn't apply.  Does it show up under the inheritance tab if you link it directly to an old OU?

Any errors in your logs?

Thanks

Mike
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39190799
What kind of settings are you applying? Can you upload a copy of your GPO? You shouldn't have to do a /force. If you change the GPO, it will apply after 120 minutes (at the most).

Also: check this out: http://deployhappiness.com/top-10-ways-to-troubleshoot-group-policy/
0
 

Author Comment

by:Matthew13
ID: 39190851
mkline71: RSoP from the a client logged in as an affected user doesn't show the GPO as existing as opposed to existing but not being applied. It does show up under the inheritance tab if it is liked directly to an old OU.

jmoody10: I am starting with something simple which is mapping a user based network drive. I am doing a /force for testing purposes so I don't have to wait 120 minutes between changes.
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39190870
You could run a simple GPUpdate if you don't want to wait. If you are using Group Policy Preferences Drive Mappings, remember that it will only map the drive on login.
0
 

Author Comment

by:Matthew13
ID: 39190882
jmoody10: I understand this, GPRESULT /R is not seeing the policy at all. That is the issue.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39190993
Can you upload a copy of that GPO? You can right click on it and select Save report.
0
 

Author Comment

by:Matthew13
ID: 39191059
Sure. I have changed some of the names around for security purposes.
map-drives.htm
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39191072
I like your names!

Two things:

1. You have authenticated users in your security filtering. You don't need any additional groups.

2. Remove the WMI filter and see if the GPO applies. You can use Item Level Targeting on the drive mappings to specify OS levels.
0
 

Author Comment

by:Matthew13
ID: 39191122
jmoody10:

1. I only added myself to test if it was a permission issue.

2. I added that filter for testing since some of the GPOs that were applying properly actually had it. I don't need it. It still doesn't work without it.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39191164
Can you run a GPResult /h as a user that should get this GPO and upload that report here?

EX: GPResult /h Report.htm

Just upload the report.htm file.
0
 

Author Comment

by:Matthew13
ID: 39191197
For some reason, I can never get that command to work so I just redirected the output of GPRESULT /R to a text file.
gpresult.txt
0
 
LVL 16

Expert Comment

by:ThinkPaper
ID: 39191697
Since the new GPO settings are applied at logon, go ahead and do a gpupdate /force (again) log off and log back on and then check the event log (i believe it is application log). Do you see any Group Policy errors in the logs? This will give you any ideas if there is something wrong the account/computer processing GPO.
0
 
LVL 16

Expert Comment

by:ThinkPaper
ID: 39191715
another thing you can try, if you have it enabled, is to go in Active Directory and locate a workstation that is having the issue. Right click - and do "Resultant Set of Policy Logging". Select the user that is having the issue and run it. This will show you the current policies on the workstation/user and what GPO it is grabbing from. You can drill down through the User Preferences and see if the network mappings are configured there and what GPO it is grabbing from..

And like Jmoody suggested - remove the WMI filters (for simplicity)
0
 

Author Comment

by:Matthew13
ID: 39191914
ThinkPaper: Does the RSoP report only show policies that are applied? For example, If no IE settings are specified in group policy, would IE setting be missing from the RSoP report?
0
 

Author Comment

by:Matthew13
ID: 39192228
We have gone another route and decided to start a new OU structure as a solution to this issue.
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 39198083
I know I'm late into chiming in here but here are some suggestions:

1) What OS are your DC's running?
2) What OS are your clients running?
3) Are the users or computers which you want to apply your settings in the OU which you have linked your GP?
4) Are there any special permission applied to the OU which you are trying to apply GP's to?
5) On one of your test workstation have you enabled verbose GP logging?
6) Any GP errors in the event logs on your DC's or workstations?
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 39201901
Creating new OU allows you to move forward but doesn't explain why you were not able to link and process GP's to existing OU's..... ;-)
0
 

Accepted Solution

by:
Matthew13 earned 0 total points
ID: 39208648
compdigit44: You are correct. However, I don't have time to diagnose the problem at this this time. The OU structure needs revamped anyway. Thanks for your help.
0
 

Author Closing Comment

by:Matthew13
ID: 39218401
workaround
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Suggested Courses

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question