Solved

GPOs not applying in existing OUs

Posted on 2013-05-23
Last Modified: 2013-06-04
I am new to the company and am in the process of cleaning up the GPOs in the domain. The company is made up of roughly 5 domain controllers spread throughout the US, with headquarters in the south. I have full control of the north east US branch of the OU structure.

My problem is that new GPOs will not take effect on existing OUs whether the GPOs are linked directly or through inheritance. Any new OUs I have made seem to work fine. When I look under the Group Policy Inheritance tab in Group Policy Management, everything appears to be displayed properly. Although, when I run GPRESULT /R on a user in the affected OU, the policy is not mentioned under Applied Group Policy Settings or the filtered ones. Any ideas?

I have tried GPUPDATE /FORCE many times and let the policy sit overnight to ensure it wasn't a replication issue.
Question by:Matthew13
19 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39190795
So if you run an RSoP report in GPMC it shows that the new GPO doesn't apply.  Does it show up under the inheritance tab if you link it directly to an old OU?

Any errors in your logs?

Thanks

Mike
 
LVL 21

Expert Comment

by:Joseph Moody
ID: 39190799
What kind of settings are you applying? Can you upload a copy of your GPO? You shouldn't have to do a /force. If you change the GPO, it will apply after 120 minutes (at the most).

Also: check this out: http://deployhappiness.com/top-10-ways-to-troubleshoot-group-policy/
 

Author Comment

by:Matthew13
ID: 39190851
mkline71: RSoP from a client logged in as an affected user doesn't show the GPO as existing as opposed to existing but not being applied. It does show up under the inheritance tab if it is linked directly to an old OU.

jmoody10: I am starting with something simple which is mapping a user based network drive. I am doing a /force for testing purposes so I don't have to wait 120 minutes between changes.
 
LVL 21

Expert Comment

by:Joseph Moody
ID: 39190870
You could run a simple GPUpdate if you don't want to wait. If you are using Group Policy Preferences Drive Mappings, remember that it will only map the drive on login.
 

Author Comment

by:Matthew13
ID: 39190882
jmoody10: I understand this, GPRESULT /R is not seeing the policy at all. That is the issue.
 
LVL 21

Expert Comment

by:Joseph Moody
ID: 39190993
Can you upload a copy of that GPO? You can right click on it and select Save report.
 

Author Comment

by:Matthew13
ID: 39191059
Sure. I have changed some of the names around for security purposes.
map-drives.htm
 
LVL 21

Expert Comment

by:Joseph Moody
ID: 39191072
I like your names!

Two things:

1. You have authenticated users in your security filtering. You don't need any additional groups.

2. Remove the WMI filter and see if the GPO applies. You can use Item Level Targeting on the drive mappings to specify OS levels.
 

Author Comment

by:Matthew13
ID: 39191122
jmoody10:

1. I only added myself to test if it was a permission issue.

2. I added that filter for testing since some of the GPOs that were applying properly actually had it. I don't need it. It still doesn't work without it.
 
LVL 21

Expert Comment

by:Joseph Moody
ID: 39191164
Can you run a GPResult /h as a user that should get this GPO and upload that report here?

EX: GPResult /h Report.htm

Just upload the report.htm file.
 

Author Comment

by:Matthew13
ID: 39191197
For some reason, I can never get that command to work so I just redirected the output of GPRESULT /R to a text file.
gpresult.txt
 
LVL 16

Expert Comment

by:ThinkPaper
ID: 39191697
Since the new GPO settings are applied at logon, go ahead and do a gpupdate /force (again), log off and log back on, and then check the event log (I believe it is the application log). Do you see any Group Policy errors in the logs? This will give you an idea if there is something wrong with the account/computer processing the GPO.
 
LVL 16

Expert Comment

by:ThinkPaper
ID: 39191715
Another thing you can try, if you have it enabled, is to go in Active Directory and locate a workstation that is having the issue. Right click - and do "Resultant Set of Policy Logging". Select the user that is having the issue and run it. This will show you the current policies on the workstation/user and what GPO it is grabbing from. You can drill down through the User Preferences and see if the network mappings are configured there and what GPO it is grabbing from.

And like Jmoody suggested - remove the WMI filters (for simplicity)
 

Author Comment

by:Matthew13
ID: 39191914
ThinkPaper: Does the RSoP report only show policies that are applied? For example, if no IE settings are specified in group policy, would IE settings be missing from the RSoP report?
 

Author Comment

by:Matthew13
ID: 39192228
We have gone another route and decided to start a new OU structure as a solution to this issue.
 
LVL 19

Expert Comment

by:compdigit44
ID: 39198083
I know I'm late into chiming in here but here are some suggestions:

1) What OS are your DC's running?
2) What OS are your clients running?
3) Are the users or computers which you want to apply your settings in the OU which you have linked your GP?
4) Are there any special permissions applied to the OU which you are trying to apply GP's to?
5) On one of your test workstations have you enabled verbose GP logging?
6) Any GP errors in the event logs on your DC's or workstations?
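
One way to run checks 3, 4 and 6 from the list above in PowerShell, as an added example that is not code posted by anyone in the thread. The OU distinguished names, account name and workstation name are placeholders, and the script assumes the ActiveDirectory and GroupPolicy modules (RSAT) are installed; it also writes the HTML RSoP report that was requested earlier with GPResult /h.

```powershell
# Added example, not from the thread. All names below are placeholders.
Import-Module ActiveDirectory, GroupPolicy

$AffectedOu = 'OU=OldOU,DC=example,DC=com'   # hypothetical existing OU where GPOs are ignored
$WorkingOu  = 'OU=NewOU,DC=example,DC=com'   # hypothetical new OU where GPOs apply
$Sam        = 'testuser'                     # hypothetical affected user
$Computer   = 'TESTPC01'                     # hypothetical test workstation

# Check 3: is the user object really inside the affected OU (or a child OU)?
$user = Get-ADUser -Identity $Sam
'User in affected OU subtree: {0}' -f ($user.DistinguishedName -like "*,$AffectedOu")

# Effective GPO list for the OU as stored in AD (what the Inheritance tab shows).
$som = Get-GPInheritance -Target $AffectedOu
'Inheritance blocked: {0}' -f $som.GpoInheritanceBlocked
$som.InheritedGpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced, Target -AutoSize

# Check 4: compare the affected OU's ACL with a working OU's ACL.
# Lines marked '=>' exist only on the affected OU, '<=' only on the working one.
function Get-OuAceSummary([string]$Dn) {
    (Get-Acl -Path "AD:\$Dn").Access | ForEach-Object {
        '{0}|{1}|{2}|inherited={3}' -f $_.IdentityReference,
            $_.AccessControlType, $_.ActiveDirectoryRights, $_.IsInherited
    } | Sort-Object -Unique
}
Compare-Object (Get-OuAceSummary $WorkingOu) (Get-OuAceSummary $AffectedOu) |
    Format-Table SideIndicator, InputObject -AutoSize -Wrap
'ACL inheritance disabled on affected OU: {0}' -f
    (Get-Acl -Path "AD:\$AffectedOu").AreAccessRulesProtected

# Check 6: Group Policy errors (level 2) and warnings (level 3) from the
# last day on the test workstation.
Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Level     = 2, 3
    StartTime = (Get-Date).AddDays(-1)
} | Select-Object -First 20 TimeCreated, Id, LevelDisplayName, Message

# RSoP report for the user on that workstation; the user must have logged on there.
$account = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $Sam
Get-GPResultantSetOfPolicy -Computer $Computer -User $account `
    -ReportType Html -Path (Join-Path $env:TEMP 'rsop-report.html')
```

A default OU already carries some explicit ACEs, so the comparison against a working OU is what shows whether the old OU's permissions differ.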
 
LVL 19

Expert Comment

by:compdigit44
ID: 39201901
Creating new OU allows you to move forward but doesn't explain why you were not able to link and process GP's to existing OU's..... ;-)
 

Accepted Solution

by:
Matthew13 earned 0 total points
ID: 39208648
compdigit44: You are correct. However, I don't have time to diagnose the problem at this time. The OU structure needs revamped anyway. Thanks for your help.
 

Author Closing Comment

by:Matthew13
ID: 39218401
workaround