  • Status: Solved
  • Priority: Medium
  • Security: Public

GPOs not applying in existing OUs

I am new to the company and am in the process of cleaning up the GPOs in the domain. The company is made up of roughly 5 domain controllers spread throughout the US, with headquarters in the south. I have full control of the north east US branch of the OU structure.

My problem is that new GPOs will not take effect on existing OUs whether the GPOs are linked directly or through inheritance. Any new OUs I have made seem to work fine. When I look under the Group Policy Inheritance tab in Group Policy Management, everything appears to be displayed properly. Although, when I run GPRESULT /R on a user in the affected OU, the policy is not mentioned under Applied Group Policy Settings or the filtered ones. Any ideas?

I have tried GPUPDATE /FORCE many times and let the policy sit overnight to ensure it wasn't a replication issue.
Matthew13
Asked:
 
Mike Kline commented:
So if you run an RSoP report in GPMC it shows that the new GPO doesn't apply.  Does it show up under the inheritance tab if you link it directly to an old OU?

Any errors in your logs?

Thanks

Mike
 
Joseph Moody (Blogger and wearer of all hats) commented:
What kind of settings are you applying? Can you upload a copy of your GPO? You shouldn't have to do a /force. If you change the GPO, it will apply after 120 minutes (at the most).

Also: check this out: http://deployhappiness.com/top-10-ways-to-troubleshoot-group-policy/
 
Matthew13 (Author) commented:
mkline71: RSoP from a client logged in as an affected user doesn't show the GPO as existing as opposed to existing but not being applied. It does show up under the inheritance tab if it is linked directly to an old OU.

jmoody10: I am starting with something simple which is mapping a user based network drive. I am doing a /force for testing purposes so I don't have to wait 120 minutes between changes.
 
Joseph Moody (Blogger and wearer of all hats) commented:
You could run a simple GPUpdate if you don't want to wait. If you are using Group Policy Preferences Drive Mappings, remember that it will only map the drive on login.
 
Matthew13 (Author) commented:
jmoody10: I understand this, GPRESULT /R is not seeing the policy at all. That is the issue.
 
Joseph Moody (Blogger and wearer of all hats) commented:
Can you upload a copy of that GPO? You can right click on it and select Save report.
 
Matthew13 (Author) commented:
Sure. I have changed some of the names around for security purposes.
map-drives.htm
 
Joseph Moody (Blogger and wearer of all hats) commented:
I like your names!

Two things:

1. You have authenticated users in your security filtering. You don't need any additional groups.

2. Remove the WMI filter and see if the GPO applies. You can use Item Level Targeting on the drive mappings to specify OS levels.
 
Matthew13 (Author) commented:
jmoody10:

1. I only added myself to test if it was a permission issue.

2. I added that filter for testing since some of the GPOs that were applying properly actually had it. I don't need it. It still doesn't work without it.
 
Joseph Moody (Blogger and wearer of all hats) commented:
Can you run a GPResult /h as a user that should get this GPO and upload that report here?

EX: GPResult /h Report.htm

Just upload the report.htm file.
 
Matthew13 (Author) commented:
For some reason, I can never get that command to work so I just redirected the output of GPRESULT /R to a text file.
gpresult.txt
 
ThinkPaper commented:
Since the new GPO settings are applied at logon, go ahead and do a gpupdate /force (again), log off and log back on, and then check the event log (I believe it is the application log). Do you see any Group Policy errors in the logs? This will give you an idea if there is something wrong with the account/computer processing the GPO.
 
ThinkPaper commented:
Another thing you can try, if you have it enabled, is to go in Active Directory and locate a workstation that is having the issue. Right click and do "Resultant Set of Policy Logging". Select the user that is having the issue and run it. This will show you the current policies on the workstation/user and what GPO it is grabbing from. You can drill down through the User Preferences and see if the network mappings are configured there and what GPO it is grabbing from.

And like Jmoody suggested - remove the WMI filters (for simplicity)
 
Matthew13 (Author) commented:
ThinkPaper: Does the RSoP report only show policies that are applied? For example, if no IE settings are specified in group policy, would IE settings be missing from the RSoP report?
 
Matthew13 (Author) commented:
We have gone another route and decided to start a new OU structure as a solution to this issue.
 
compdigit44 commented:
I know I'm late into chiming in here but here are some suggestions:

1) What OS are your DC's running?
2) What OS are your clients running?
3) Are the users or computers which you want to apply your settings in the OU which you have linked your GP?
4) Are there any special permission applied to the OU which you are trying to apply GP's to?
5) On one of your test workstation have you enabled verbose GP logging?
6) Any GP errors in the event logs on your DC's or workstations?
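
The checks in the list above (link and inheritance at the OU, security filtering, OU permissions, Group Policy event-log errors) can be scripted. This is an added example, not part of the original thread; the OU distinguished name and GPO name are placeholders, and steps 1 to 4 assume the RSAT GroupPolicy and ActiveDirectory modules are installed.

```powershell
# Added example. $OuDn and $GpoName are hypothetical placeholders.
$OuDn    = 'OU=Users,OU=NorthEast,DC=example,DC=com'
$GpoName = 'Map-Drives'

Import-Module GroupPolicy, ActiveDirectory

# 1. Is the GPO in the OU's effective link list, and is inheritance blocked?
$som = Get-GPInheritance -Target $OuDn
"Inheritance blocked at OU: $($som.GpoInheritanceBlocked)"
$som.InheritedGpoLinks | Where-Object DisplayName -eq $GpoName |
    Format-Table DisplayName, Enabled, Enforced, Order, Target

# 2. Security filtering: trustees need both GpoRead and GpoApply;
#    a Denied entry overrides an allow.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Format-Table

# 3. GPO status, WMI filter, and AD vs SYSVOL version for the user half.
#    A version mismatch points at replication between domain controllers.
$gpo = Get-GPO -Name $GpoName
[pscustomobject]@{
    GpoStatus     = $gpo.GpoStatus
    WmiFilter     = $gpo.WmiFilter.Name
    UserADVersion = $gpo.User.DSVersion
    UserSysvolVer = $gpo.User.SysvolVersion
} | Format-List

# 4. "Special permissions" on the OU itself: list Authenticated Users entries
#    and every Deny ACE, so a missing read right or an explicit deny on an
#    old OU stands out when compared with a newly created OU.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -match 'Authenticated Users' -or
                   $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited

# 5. Run this part on an affected workstation: recent errors (2) and
#    warnings (3) from the Group Policy operational log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Level = 2, 3
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message
```

Running steps 1 and 4 against both an old OU and a newly created one gives a direct side-by-side of what differs between them.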
 
compdigit44 commented:
Creating new OU allows you to move forward but doesn't explain why you were not able to link and process GP's to existing OU's..... ;-)
 
Matthew13 (Author) commented:
compdigit44: You are correct. However, I don't have time to diagnose the problem at this time. The OU structure needs revamped anyway. Thanks for your help.
 
Matthew13 (Author) commented:
workaround