• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1112
  • Last Modified:

GPO not accessible issue

I am having an issue with a GPO not executing as expected (it's a pretty simple drive mapping policy but anyhow I guess the content itself is irrelevant).

Using the "GPO modeling" wizard I see that said GPO is not executing because it has a denied access (security filtering) issue.

I muss confess I can't figure out why it would not be readable in this context (user / machine).

Is there any way to explicitly find out what mechanism is blocking this GPO ?

Thanks for any pointer / advice in the matter (this is w2k8 domain)
0
Alexandre Takacs
Asked:
Alexandre Takacs
  • 2
  • 2
  • 2
1 Solution
 
Cliff GaliherCommented:
Sounds like the wizard has already given you the problem. None of the security groups associated with the policy have the AD object you want to apply as a member. A WMI filter issue would report differently.
0
 
MaheshArchitectCommented:
Those users \ computers to whom you wanted to apply GPO through security filtering must need to be in same OU \ sub OU in the hierarchy as GPO, meaning it will not work if the OU on which you applied GPO is different from OU that contains actual user\computer

I think that is the issue here

Mahesh
0
 
Alexandre TakacsCTOAuthor Commented:
thanks for your input

> Those users \ computers to whom you wanted to apply GPO through security
> filtering must need to be in same OU \ sub OU in the hierarchy as GPO, meaning
> it will not work if the OU on which you applied GPO is different from OU that
> contains actual user\computer

I confirm that both the intended users and the GPO are in the same OU

> None of the security groups associated with the policy have the AD object you want
> to apply as a member. A WMI filter issue would report differently.

Not sure I understand your point. Here is what I have

OU = myComp

in said OU I have a group - say gTargetGPO with some user of the OU

I also have a GPO under myComp. I have set it apply to gTargetGPO.

What am I missing ?!
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
MaheshArchitectCommented:
Not sure if this is orphaned GPOs issue
please download PowerShell script in below link and find orphaned GPOs
http://www.jhouseconsulting.com/2012/09/03/finding-orphaned-group-policy-objects-807
Just remove those orphaned GPOs and check if now GPOs are applying correctly

Check below thread for complete information
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_28309861.html

Mahesh
0
 
Cliff GaliherCommented:
OUs are not security groups. Group policies can have security group filters applied and the error you posted occurs if the filter does not include your user or computer. Here is a technet on changing a policy's security filter.

http://technet.microsoft.com/en-us/library/cc779291(v=WS.10).aspx
0
 
Alexandre TakacsCTOAuthor Commented:
Thanks for clarifying
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 2
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now