Group Policy will not work

Posted on 2014-01-11
Medium Priority
Last Modified: 2014-01-17
I've been trying to get some basic group policies to work but have had no success. I am attempting to run a GPO where a specific shared folder on a network server maps as a network drive. For testing purposes I have set up an OU called test in AD and assigned myself as a member. I have of course granted myself full read write capabilities to the folder and created a linked GPO and assigned the specific location on a different server. I have run gpupdate /force and logged off a client to test and it doesn't work. I have gone over multiple articles and followed each very closely as well as watched videos on this procedure, which seems fairly straightforward, but it does not work. I have previously attempted creating a GPO for a firewall rule I wanted to implement regarding Spiceworks and that hasn't worked either. I would like to begin implementing certain policies and securities such as mandatory password resets, but since I can't get this to work I am at an impasse. The environment includes the following servers and software.
*see attached for screen shot of GPO

DC - server 2013 (DNS, DHCP) - location where I am attempting to apply GPO
DC - server 2008 R2 (virtual)
DC - server 2003 SP2 (soon to be phased out)
EXCHANGE 2010 - on a server 2012
FILE server - server 2003 SP2

I would appreciate any insight you guys could give me.
Thank you
Question by:telperiongroup
LVL 22

Expert Comment

ID: 39774044
A couple things to check.

1. Click on the common tab and make sure "run in logged on user's security context" is checked otherwise it gets processed as the SYSTEM user.  Also make sure there isn't any Item Level targeting enabled that might be filtering you out.

2. Make sure the GPO is linked in Active Directory to the OU where the user account you are using to test resides or above it and block inheritance isn't on any of the OUs.  Can you post a screenshot with the window in the current one closed so I can see where the policies are linked?

3. If the client is XP make sure you have the Group Policy Client Side Extensions installed.

4. Open a command prompt (not elevated) and type
gpresult /r /SCOPE USER

Make sure the policy is listed under "Applied Group Policy objects". If it isn't then you are likely having a DNS issue or something else is preventing the policies from applying.

Expert Comment

ID: 39774378
In the past I did this with a simple bat file in logon policy.

You can try this command line in a bat file:

net use Y: /persistent:yes \\servername\share /u:domainaccount password

#persistent if you want to reconnect
#/u just if the drive has special permissions

Good luck!

Author Comment

ID: 39774888
mcsween, thanks so much for responding.
-I have verified the settings under the common tab.
-I have attached the screen shot you requested (I think it's the correct one).
-It's not an XP client, it's Windows 7.
I did run the cmd and here are the results (it appears that the GPO is applied):

RSOP data for SOUTHEAST\lxxxxxxx on SEW0518 : Logging Mode

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\lxxxxxx
Connected over a slow link?: No

    CN=Louis xxxxxx,OU=Test,DC=Southeast,DC=Southeast
    Last time Group Policy was applied: 1/12/2014 at 10:29:21 AM
    Group Policy was applied from:      ntserver7.Southeast.Southeast
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        SOUTHEAST
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
        Controlled Internet Access
        Default Domain Policy
        Local Group Policy
LVL 22

Expert Comment

ID: 39775200
It looks like you have a bunch of policies enforced; you don't need that as you aren't blocking inheritance at any OU.  This is not what is causing your issue though.

At the client start, run, rsop.msc. Right click User Information, Properties then click on the Error information tab; review this and see if it says what's going on.

You can also review entries in the System log that may reveal what is going on.  Look for events that happened right after logging onto the client.

If you open a command prompt at the client and type the following line does it map the drive under My Computer?
net use y: \\ntserver4\Technology

LVL 15

Expert Comment

by:Rob Stone
ID: 39777524
You are using GPP (Group Policy Preferences).  For some (maybe all) you need to enable them with the function keys.

    F5: Enable All
    F6: Enable Current
    F7: Disable Current
    F8: Disable All

I've had problems with GPP in the past with IE settings and had to create a new policy as editing the old one refused to work.

Try creating a new test one and when you are in the screenshot page press F5.

Further info:

Alternatively, try a GPO and run a rsop.msc from a client PC to check the results match what you see in GPMC.  You can also do GPO Modelling from GPMC which can help identify what should be sent to the client.

Author Comment

ID: 39780412
Well I have tried a few different scenarios hoping to find resolution with this but still nothing.

-I have looked at the rsop.msc results and it says drive maps completed successfully (verified that the show drives and reconnect is checked).

-the only error is related to Internet Explorer - not branding
-I have tried creating a new GPO with a different test user name
-verified user rights to the folder
-did a group policy results wizard and verified there are no errors
-tried applying the F5 option for enable all
- looked at event viewer and that indicates the GPO applied correctly.
- when applying a "net use" command the drive is mapped

Could this have anything to do with "fast link" or "fast startup"?
Also, could the fact the Internet Explorer GPO is failing have an effect on this?
**see attached screen shot for wizard results
LVL 22

Accepted Solution

mcsween earned 2000 total points
ID: 39782246
I have 2 suggestions left and I'd like you to double check something.

1. Make sure "Run in logged on user's security context" is checked on the common tab of the drive map entry in the GPO.

2. Set this policy enabled - Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon

3. Yikes, I just looked at your original screen shot again.  Change the action from Create to Update.  Update will create it if it isn't there, update it otherwise.  I've had bad luck with create.
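
Added example, not part of the thread: the settings the answers above ask about (user security context, item-level targeting, enabled state, Create vs. Update) can also be read from the GPO's Drives.xml in SYSVOL instead of the editor UI. The sample XML, the group name and the `Test-DriveMapItem` function are constructed for illustration, and the script assumes PowerShell 3.0 or later.

```powershell
# Constructed sample, trimmed to the attributes the checks below read.
# A real file sits under \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\User\Preferences\Drives\Drives.xml
$sample = @'
<Drives>
  <Drive name="Y:" status="Y:">
    <Properties action="C" userName="" path="\\ntserver4\Technology"
                persistent="1" useLetter="1" letter="Y"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="SOUTHEAST\Example Group"/>
    </Filters>
  </Drive>
</Drives>
'@

function Test-DriveMapItem {
    param([Parameter(Mandatory = $true)][xml]$DrivesXml)

    foreach ($drive in $DrivesXml.SelectNodes('/Drives/Drive')) {
        $props    = $drive.SelectSingleNode('Properties')
        $filters  = @($drive.SelectNodes('Filters/*') | ForEach-Object { $_.LocalName })
        $findings = @()

        # GetAttribute returns an empty string when the attribute is absent.
        if ($drive.GetAttribute('userContext') -ne '1') {
            $findings += 'Not running in the logged-on user security context (processed as SYSTEM)'
        }
        if ($drive.GetAttribute('disabled') -eq '1') {
            $findings += 'Item is disabled'
        }
        if ($props.GetAttribute('action') -eq 'C') {
            $findings += 'Action is Create; the answer above recommends Update (U)'
        }
        if ($filters.Count -gt 0) {
            $findings += "Item-level targeting present: $($filters -join ', ')"
        }

        [pscustomobject]@{
            Drive    = $drive.GetAttribute('name')
            Path     = $props.GetAttribute('path')
            Action   = $props.GetAttribute('action')
            Findings = $findings
        }
    }
}

Test-DriveMapItem -DrivesXml $sample | Format-List
```

To check a live GPO, pass the file content instead of the sample, for example `Test-DriveMapItem -DrivesXml (Get-Content <path to Drives.xml> -Raw)`.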

Author Comment

ID: 39783590
OK, so after numerous attempts and different scenarios I decided to attempt a new test GPO from a different server, a virtual 2008 R2 server, and it worked fine.  Any and all GPOs I applied worked flawlessly.  My concern now is why is it not working on my 2012 server, if that in fact would be a factor?

This 2012 server is a new DC and DHCP server.

Is there an issue with applying group policy from a 2012 server or is there a specific add-in I need to install?
LVL 15

Expert Comment

by:Rob Stone
ID: 39783756
To confirm, all clients are Win 7? What SP do they have and are they fully patched?

If you have XP then you'll need Client Side Extensions installed.

As Mcsween says, ensure you have an Update as well.  When we use GPP for printers we have a create for new systems and update for existing in case they've changed it. Remember, GPP is not like a GPO and can be changed by users if that's their 'preference'.

Other than that, I'm not too sure why it would work from 2008 R2 and not from 2012. The GPO template may well be newer, but I'd expect the drive mapping to work from GPP.

Question has a verified solution.