Solved

GPO not accessible issue

Posted on 2014-01-03
6
855 Views
Last Modified: 2014-02-03
I am having an issue with a GPO not executing as expected (it's a pretty simple drive mapping policy but anyhow I guess the content itself is irrelevant).

Using the "GPO modeling" wizard I see that said GPO is not executing because it has a denied access (security filtering) issue.

I muss confess I can't figure out why it would not be readable in this context (user / machine).

Is there any way to explicitly find out what mechanism is blocking this GPO ?

Thanks for any pointer / advice in the matter (this is w2k8 domain)
0
Comment
Question by:atak2983
  • 2
  • 2
  • 2
6 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 39753397
Sounds like the wizard has already given you the problem. None of the security groups associated with the policy have the AD object you want to apply as a member. A WMI filter issue would report differently.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39753482
Those users \ computers to whom you wanted to apply GPO through security filtering must need to be in same OU \ sub OU in the hierarchy as GPO, meaning it will not work if the OU on which you applied GPO is different from OU that contains actual user\computer

I think that is the issue here

Mahesh
0
 
LVL 1

Author Comment

by:atak2983
ID: 39755762
thanks for your input

> Those users \ computers to whom you wanted to apply GPO through security
> filtering must need to be in same OU \ sub OU in the hierarchy as GPO, meaning
> it will not work if the OU on which you applied GPO is different from OU that
> contains actual user\computer

I confirm that both the intended users and the GPO are in the same OU

> None of the security groups associated with the policy have the AD object you want
> to apply as a member. A WMI filter issue would report differently.

Not sure I understand your point. Here is what I have

OU = myComp

in said OU I have a group - say gTargetGPO with some user of the OU

I also have a GPO under myComp. I have set it apply to gTargetGPO.

What am I missing ?!
0
Want to promote your upcoming event?

Attending an event? Speaking at a conference? Or exhibiting at a trade show? Easily inform your contacts by using a promotional banner in your email signature. This will ensure your organization’s most important contacts are in the know.

 
LVL 35

Expert Comment

by:Mahesh
ID: 39755771
Not sure if this is orphaned GPOs issue
please download PowerShell script in below link and find orphaned GPOs
http://www.jhouseconsulting.com/2012/09/03/finding-orphaned-group-policy-objects-807
Just remove those orphaned GPOs and check if now GPOs are applying correctly

Check below thread for complete information
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_28309861.html

Mahesh
0
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 39756069
OUs are not security groups. Group policies can have security group filters applied and the error you posted occurs if the filter does not include your user or computer. Here is a technet on changing a policy's security filter.

http://technet.microsoft.com/en-us/library/cc779291(v=WS.10).aspx
0
 
LVL 1

Author Closing Comment

by:atak2983
ID: 39829388
Thanks for clarifying
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now