Solved

GPOs not applying in existing OUs

Posted on 2013-05-23
Last Modified: 2013-06-04
I am new to the company and am in the process of cleaning up the GPOs in the domain. The company is made up of roughly 5 domain controllers spread throughout the US, with headquarters in the south. I have full control of the north east US branch of the OU structure.

My problem is that new GPOs will not take effect on existing OUs whether the GPOs are linked directly or through inheritance. Any new OUs I have made seem to work fine. When I look under the Group Policy Inheritance tab in Group Policy Management, everything appears to be displayed properly. Although, when I run GPRESULT /R on a user in the affected OU, the policy is not mentioned under Applied Group Policy Settings or the filtered ones. Any ideas?

I have tried GPUPDATE /FORCE many times and let the policy sit overnight to ensure it wasn't a replication issue.
Question by:Matthew13
19 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39190795
So if you run an RSoP report in GPMC it shows that the new GPO doesn't apply.  Does it show up under the inheritance tab if you link it directly to an old OU?

Any errors in your logs?

Thanks

Mike
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39190799
What kind of settings are you applying? Can you upload a copy of your GPO? You shouldn't have to do a /force. If you change the GPO, it will apply after 120 minutes (at the most).

Also: check this out: http://deployhappiness.com/top-10-ways-to-troubleshoot-group-policy/
0
 

Author Comment

by:Matthew13
ID: 39190851
mkline71: RSoP from a client logged in as an affected user doesn't show the GPO as existing as opposed to existing but not being applied. It does show up under the inheritance tab if it is linked directly to an old OU.

jmoody10: I am starting with something simple which is mapping a user based network drive. I am doing a /force for testing purposes so I don't have to wait 120 minutes between changes.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39190870
You could run a simple GPUpdate if you don't want to wait. If you are using Group Policy Preferences Drive Mappings, remember that it will only map the drive on login.
0
 

Author Comment

by:Matthew13
ID: 39190882
jmoody10: I understand this, GPRESULT /R is not seeing the policy at all. That is the issue.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39190993
Can you upload a copy of that GPO? You can right click on it and select Save report.
0
 

Author Comment

by:Matthew13
ID: 39191059
Sure. I have changed some of the names around for security purposes.
map-drives.htm
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39191072
I like your names!

Two things:

1. You have authenticated users in your security filtering. You don't need any additional groups.

2. Remove the WMI filter and see if the GPO applies. You can use Item Level Targeting on the drive mappings to specify OS levels.
0
 

Author Comment

by:Matthew13
ID: 39191122
jmoody10:

1. I only added myself to test if it was a permission issue.

2. I added that filter for testing since some of the GPOs that were applying properly actually had it. I don't need it. It still doesn't work without it.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39191164
Can you run a GPResult /h as a user that should get this GPO and upload that report here?

EX: GPResult /h Report.htm

Just upload the report.htm file.
0
 

Author Comment

by:Matthew13
ID: 39191197
For some reason, I can never get that command to work so I just redirected the output of GPRESULT /R to a text file.
gpresult.txt
0
 
LVL 16

Expert Comment

by:ThinkPaper
ID: 39191697
Since the new GPO settings are applied at logon, go ahead and do a gpupdate /force (again), log off and log back on, and then check the event log (I believe it is the application log). Do you see any Group Policy errors in the logs? This will give you an idea of whether there is something wrong with the account/computer processing the GPO.
0
 
LVL 16

Expert Comment

by:ThinkPaper
ID: 39191715
Another thing you can try, if you have it enabled, is to go in Active Directory and locate a workstation that is having the issue. Right click and do "Resultant Set of Policy Logging". Select the user that is having the issue and run it. This will show you the current policies on the workstation/user and what GPO it is grabbing from. You can drill down through the User Preferences and see if the network mappings are configured there and what GPO it is grabbing from.

And like Jmoody suggested - remove the WMI filters (for simplicity)
0
 

Author Comment

by:Matthew13
ID: 39191914
ThinkPaper: Does the RSoP report only show policies that are applied? For example, if no IE settings are specified in group policy, would IE settings be missing from the RSoP report?
0
 

Author Comment

by:Matthew13
ID: 39192228
We have gone another route and decided to start a new OU structure as a solution to this issue.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39198083
I know I'm late into chiming in here but here are some suggestions:

1) What OS are your DC's running?
2) What OS are your clients running?
3) Are the users or computers which you want to apply your settings in the OU which you have linked your GP?
4) Are there any special permissions applied to the OU which you are trying to apply GP's to?
5) On one of your test workstation have you enabled verbose GP logging?
6) Any GP errors in the event logs on your DC's or workstations?
0
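The checks suggested in the replies above (link and inheritance state, security filtering, WMI filter, permissions on the OU, Group Policy events, RSoP), collected into one read-only PowerShell script. This is an added example, not part of the original thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules, and the GPO name `Map-Drives` and user `testuser` are placeholders.

```powershell
# Added example: read-only checks. Requires RSAT (GroupPolicy, ActiveDirectory).
Import-Module GroupPolicy, ActiveDirectory

$GpoName = 'Map-Drives'   # placeholder: display name of the GPO that is not applying
$UserSam = 'testuser'     # placeholder: sAMAccountName of an affected user

# 1. Which OU does the user object really sit in? Strip the leading CN=... RDN
#    (the lookbehind skips escaped commas such as "CN=Smith\, John").
$user = Get-ADUser -Identity $UserSam
$ouDn = $user.DistinguishedName -replace '^CN=.*?(?<!\\),', ''
"User container: $ouDn"

# 2. Links as seen from that OU (direct and inherited) and inheritance blocking.
#    Get-GPInheritance accepts an OU or domain DN, not a CN= container.
$inh = Get-GPInheritance -Target $ouDn
"Inheritance blocked: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Where-Object DisplayName -eq $GpoName |
    Format-Table DisplayName, Enabled, Enforced, Order, Target -AutoSize

# 3. GPO state: are user settings disabled, and is a WMI filter attached?
Get-GPO -Name $GpoName |
    Format-List DisplayName, GpoStatus, @{n='WmiFilter'; e={ $_.WmiFilter.Name }}

# 4. Security filtering: who holds GpoApply, and is any entry a Deny?
Get-GPPermission -Name $GpoName -All |
    Format-Table @{n='Trustee'; e={ $_.Trustee.Name }}, Permission, Denied -AutoSize

# 5. ACL on the OU itself: the client reads the OU's link list as the user,
#    so list what the broad groups are allowed or denied on this object.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -match 'Authenticated Users|Domain Users|Everyone' } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited -AutoSize

# 6. Critical, error and warning events from the Group Policy operational log on this client.
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 200 |
    Where-Object { $_.Level -in 1, 2, 3 } |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

# 7. HTML RSoP for the user on this computer (the user must have logged on here once).
Get-GPResultantSetOfPolicy -User "$env:USERDOMAIN\$UserSam" -Computer $env:COMPUTERNAME `
    -ReportType Html -Path "$env:TEMP\rsop-$UserSam.html"
```

Run steps 1 to 5 from a management workstation and steps 6 and 7 on an affected client; comparing the output for an old OU against a newly created one shows which of these attributes differ.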
 
LVL 19

Expert Comment

by:compdigit44
ID: 39201901
Creating new OU allows you to move forward but doesn't explain why you were not able to link and process GP's to existing OU's..... ;-)
0
 

Accepted Solution

by:
Matthew13 earned 0 total points
ID: 39208648
compdigit44: You are correct. However, I don't have time to diagnose the problem at this time. The OU structure needs revamped anyway. Thanks for your help.
0
 

Author Closing Comment

by:Matthew13
ID: 39218401
workaround
0
