Solved

Group Policy will not work

Posted on 2014-01-11
Last Modified: 2014-01-17
I've been trying to get some basic group policies to work but have had no success.  I am attempting to run a GPO where a specific shared folder on a network server maps as a network drive.  For testing purposes I have set up an OU called test in AD and assigned myself as a member.  I have of course granted myself full read/write capabilities to the folder and created a linked GPO and assigned the specific location on a different server.  I have run gpupdate /force and logged off a client to test and it doesn't work. I have gone over multiple articles and followed each very closely as well as watched videos on this procedure, which seems fairly straightforward, but it does not work. I have previously attempted creating a GPO for a firewall rule I wanted to implement regarding Spiceworks and that hasn't worked either. I would like to begin implementing certain policies and securities such as mandatory password resets, but since I can't get this to work I am at an impasse.  The environment includes the following servers and software.
*see attached for screen shot of GPO

DC - server 2013 (DNS, DHCP) - location where I am attempting to apply GPO
DC - server 2008 R2 (virtual)
DC - server 2003 SP2 (soon to be phased out)
EXCHANGE 2010 - on a server 2012
FILE server - server 2003 SP2

I would appreciate any insight you guys could give me.
thank you
Untitled9.jpg
Question by:telperiongroup
 
LVL 22

Expert Comment

by:mcsween
ID: 39774044
A couple things to check.

1. Click on the common tab and make sure "run in logged on user's security context" is checked otherwise it gets processed as the SYSTEM user.  Also make sure there isn't any Item Level targeting enabled that might be filtering you out.

2. Make sure the GPO is linked in Active Directory to the OU where the user account you are using to test resides or above it and block inheritance isn't on any of the OUs.  Can you post a screenshot with the window in the current one closed so I can see where the policies are linked?

3. If the client is XP make sure you have the Group Policy Client Side Extensions installed. http://www.microsoft.com/en-us/download/details.aspx?id=3628

4. Open a command prompt (not elevated) and type
gpresult /r /SCOPE USER

Make sure the policy is listed under "Applied Group Policy objects".  If it isn't then you are likely having a DNS issue or something else is preventing the policies from applying.
0
 
LVL 1

Expert Comment

by:Gustavete
ID: 39774378
Hello,
In the past I did this with a simple bat file in logon policy.

you can try this command line in a bat file:

net use Y: /persistent:yes \\servername\share /u:domainaccount password

#persistent if you want to reconnect
#/u just if the drive has special permissions

good luck!
0
 

Author Comment

by:telperiongroup
ID: 39774888
mcsween thanks so much for responding.
-I have verified the settings under the common tab.
-I have attached the screen shot you requested (I think it's the correct one).
-It's not an XP client, it's Windows 7.
I did run the cmd and here are the results (it appears that the GPO is applied)


RSOP data for SOUTHEAST\lxxxxxxx on SEW0518 : Logging Mode
-----------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\lxxxxxx
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=Louis xxxxxx,OU=Test,DC=Southeast,DC=Southeast
    Last time Group Policy was applied: 1/12/2014 at 10:29:21 AM
    Group Policy was applied from:      ntserver7.Southeast.Southeast
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        SOUTHEAST
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        drivemaptest
        drivetousers
        Controlled Internet Access
        Default Domain Policy
        Local Group Policy
screenshot.png
0
 
LVL 22

Expert Comment

by:mcsween
ID: 39775200
It looks like you have a bunch of policies enforced; you don't need that as you aren't blocking inheritance at any OU.  This is not what is causing your issue though.

At the client start, run, rsop.msc. Right click User Information, Properties then click on the Error information tab; review this and see if it says what's going on.

You can also review entries in the System log that may reveal what is going on.  Look for events that happened right after logging onto the client.

If you open a command prompt at the client and type the following line does it map the drive under My Computer?
net use y: \\ntserver4\Technology

0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 39777524
You are using GPP (Group Policy Preferences).  For some (maybe all) you need to enable them with the function keys.

    F5: Enable All
    F6: Enable Current
    F7: Disable Current
    F8: Disable All

I've had problems with GPP in the past with IE settings and had to create a new policy as editing the old one refused to work.

Try creating a new test one and when you are in the screenshot page press F5.

Further info:
http://technet.microsoft.com/en-us/magazine/hh848751.aspx

Alternatively, try a GPO and run a rsop.msc from a client PC to check the results match what you see in GPMC.  You can also do GPO Modelling from GPMC which can help identify what should be sent to the client.
0
 

Author Comment

by:telperiongroup
ID: 39780412
Well I have tried a few different scenarios hoping to find resolution with this but still nothing.

-I have looked at the rsop.msc results and it says drive maps completed successfully (verified that the show drives and reconnect is checked).
-The only error is related to Internet Explorer - not branding
-I have tried creating a new GPO with a different test user name
-Verified user rights to the folder
-Did a group policy results wizard and verified there are no errors
-Tried applying the F5 option for enable all
-Looked at event viewer and that indicates the GPO applied correctly.
-When applying a "net use" command the drive is mapped

Could this have anything to do with "fast link" or "fast startup"?
Also, could the fact the Internet Explorer GPO is failing have an effect on this?
**see attached screen shot for wizard results
Untitled13.png
0
 
LVL 22

Accepted Solution

by:
mcsween earned 500 total points
ID: 39782246
I have 2 suggestions left and I'd like you to double check something.

1. Make sure "Run in logged on user's security context" is checked on the common tab of the drive map entry in the GPO.

2. Set this policy enabled - Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon

3. Yikes, I just looked at your original screen shot again.  Change the action from Create to Update.  Update will create it if it isn't there, update it otherwise.  I've had bad luck with create.
0
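
The settings this thread keeps returning to (action Create vs Update, "Run in logged on user's security context", item-level targeting) are stored in the GPO's Drives.xml under SYSVOL. The following PowerShell is an added example, not part of any poster's answer: it reads that file and reports those three settings. The sample XML is constructed and reduced to the attributes used here; the function name Test-DriveMapItem and the group name are hypothetical.

```powershell
# Constructed sample of a GPP drive-map file. On a domain the real file is at
# \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\User\Preferences\Drives\Drives.xml
[xml]$sample = @'
<Drives>
  <Drive name="Y:" userContext="0">
    <Properties action="C" path="\\ntserver4\Technology" letter="Y" persistent="1"/>
    <Filters>
      <FilterGroup name="SOUTHEAST\ExampleGroup" userContext="1"/>
    </Filters>
  </Drive>
  <Drive name="Z:" userContext="1">
    <Properties action="U" path="\\ntserver4\Technology" letter="Z" persistent="1"/>
  </Drive>
</Drives>
'@

# Hypothetical helper: reports the settings the thread asks the poster to verify.
function Test-DriveMapItem {
    param([Parameter(Mandatory)][xml]$Xml)

    $actionNames = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }
    foreach ($drive in $Xml.SelectNodes('/Drives/Drive')) {
        $props = $drive.SelectSingleNode('Properties')
        if (-not $props) { continue }          # skip malformed items
        $action   = $props.GetAttribute('action')
        $filters  = $drive.SelectSingleNode('Filters')
        $findings = @()

        if ($action -eq 'C') {
            $findings += 'Action is Create; the accepted answer suggests Update'
        }
        if ($drive.GetAttribute('userContext') -ne '1') {
            $findings += 'Not run in logged-on user''s security context (processed as SYSTEM)'
        }
        if ($filters -and $filters.HasChildNodes) {
            $findings += 'Item-level targeting present; confirm the test user matches'
        }

        [pscustomobject]@{
            Letter   = $props.GetAttribute('letter')
            Path     = $props.GetAttribute('path')
            Action   = if ($actionNames.ContainsKey($action)) { $actionNames[$action] } else { $action }
            Findings = $findings -join '; '
        }
    }
}

Test-DriveMapItem -Xml $sample | Format-List
# Real GPO: Test-DriveMapItem -Xml ([xml](Get-Content -Raw '<path to Drives.xml>'))
```

Reading the file from SYSVOL shows what the domain controller is actually serving to clients, which can differ from what the editor displays if the GPO has not replicated.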
 

Author Comment

by:telperiongroup
ID: 39783590
OK, so after numerous attempts and different scenarios I decided to attempt a new test GPO from a different server, a virtual 2008 R2 server, and it worked fine.  Any and all GPOs I applied worked flawlessly.  My concern now is why is it not working on my 2012 server, if that in fact would be a factor?

This 2012 server is a new DC and DHCP server.

Is there an issue with applying group policy from a 2012 server or is there a specific add-in I need to install?
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 39783756
To confirm, all clients are Win 7? What SP do they have and are they fully patched?

If you have XP then you'll need Client Side Extensions installed.

As mcsween says, ensure you have an Update as well.  When we use GPP for printers we have a create for new systems and update for existing in case they've changed it. Remember, GPP is not like a GPO and can be changed by users if that's their 'preference'.

Other than that, I'm not too sure why it would work from 2008 R2 and not from 2012. The GPO template may well be newer, but I'd expect the drive mapping to work from GPP.
0
