?
Solved

GPO not accessible issue

Posted on 2014-01-03
6
Medium Priority
?
985 Views
Last Modified: 2014-02-03
I am having an issue with a GPO not executing as expected (it's a pretty simple drive mapping policy but anyhow I guess the content itself is irrelevant).

Using the "GPO modeling" wizard I see that said GPO is not executing because it has a denied access (security filtering) issue.

I muss confess I can't figure out why it would not be readable in this context (user / machine).

Is there any way to explicitly find out what mechanism is blocking this GPO ?

Thanks for any pointer / advice in the matter (this is w2k8 domain)
0
Comment
Question by:Alexandre Takacs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 39753397
Sounds like the wizard has already given you the problem. None of the security groups associated with the policy have the AD object you want to apply as a member. A WMI filter issue would report differently.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39753482
Those users \ computers to whom you wanted to apply GPO through security filtering must need to be in same OU \ sub OU in the hierarchy as GPO, meaning it will not work if the OU on which you applied GPO is different from OU that contains actual user\computer

I think that is the issue here

Mahesh
0
 
LVL 1

Author Comment

by:Alexandre Takacs
ID: 39755762
thanks for your input

> Those users \ computers to whom you wanted to apply GPO through security
> filtering must need to be in same OU \ sub OU in the hierarchy as GPO, meaning
> it will not work if the OU on which you applied GPO is different from OU that
> contains actual user\computer

I confirm that both the intended users and the GPO are in the same OU

> None of the security groups associated with the policy have the AD object you want
> to apply as a member. A WMI filter issue would report differently.

Not sure I understand your point. Here is what I have

OU = myComp

in said OU I have a group - say gTargetGPO with some user of the OU

I also have a GPO under myComp. I have set it apply to gTargetGPO.

What am I missing ?!
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 
LVL 37

Expert Comment

by:Mahesh
ID: 39755771
Not sure if this is orphaned GPOs issue
please download PowerShell script in below link and find orphaned GPOs
http://www.jhouseconsulting.com/2012/09/03/finding-orphaned-group-policy-objects-807
Just remove those orphaned GPOs and check if now GPOs are applying correctly

Check below thread for complete information
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_28309861.html

Mahesh
0
 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 1500 total points
ID: 39756069
OUs are not security groups. Group policies can have security group filters applied and the error you posted occurs if the filter does not include your user or computer. Here is a technet on changing a policy's security filter.

http://technet.microsoft.com/en-us/library/cc779291(v=WS.10).aspx
0
 
LVL 1

Author Closing Comment

by:Alexandre Takacs
ID: 39829388
Thanks for clarifying
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses
Course of the Month9 days, 5 hours left to enroll

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question