Darrel Winbush
asked on
Group Policy will not work
I've been trying to get some basic group policies to work but have had no success. I am attempting to run a GPO where a specific shared folder on a network server maps as a network drive. For testing purposes i have setup an OU called test in AD and assigned myself as a member. I have of course granted myself full read write capabilities to the folder and created a linked GPO and assigned the specific location on a different server. I have run gpupdate /force and logged off a client to test and it doesn't work. I have gone over multiple articles and followed each very closely as well as watched videos on this procedure which seems fairly straight forward, but it does not work. I have previously attempted creating a GPO for a firewall rule i wanted to implement regarding spiceworks and that hasn't worked either. I would like to begin implementing certain policies and securities such as mandatory password resets but since i cant get this to work i am at an impass. The environment includes the following servers and software.
*see attached for screen shot of GPO
DC - server 2013 (DNS, DHCP) - location where i attempting to apply GPO
DC - server 2008 R2 (virtual)
DC - server 2003 SP2 (soon to be phased out)
EXCHANGE 2010 - on a server 2012
FILE server - server 2003 SP2
I would appreciate any insight you guys could give me.
thank you
Untitled9.jpg
*see attached for screen shot of GPO
DC - server 2013 (DNS, DHCP) - location where i attempting to apply GPO
DC - server 2008 R2 (virtual)
DC - server 2003 SP2 (soon to be phased out)
EXCHANGE 2010 - on a server 2012
FILE server - server 2003 SP2
I would appreciate any insight you guys could give me.
thank you
Untitled9.jpg
Hello,
in the past i did this with a simple bat file in logon policy.
you can try this command line in a bat file:
net use Y: /persistent:yes \\servername\share /u:domainaccount password
#persistent if you want to reconect
#/u just if the drive have special permissions
good luck!
in the past i did this with a simple bat file in logon policy.
you can try this command line in a bat file:
net use Y: /persistent:yes \\servername\share /u:domainaccount password
#persistent if you want to reconect
#/u just if the drive have special permissions
good luck!
ASKER
mcsween thanks so much for responding.
-I have verified the settings under the common tab.
-I have attached the screen shot you requested ( I think its the correct one).
-It's not an xp client its windows 7
I did run the cmd and here are the results ( it appears that the GPO is applied)
RSOP data for SOUTHEAST\lxxxxxxx on SEW0518 : Logging Mode
-------------------------- ---------- ---------- ---------- ---
OS Configuration: Member Workstation
OS Version: 6.1.7601
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\lxxxxxx
Connected over a slow link?: No
USER SETTINGS
--------------
CN=Louis xxxxxx,OU=Test,DC=Southeas t,DC=South east
Last time Group Policy was applied: 1/12/2014 at 10:29:21 AM
Group Policy was applied from: ntserver7.Southeast.Southe ast
Group Policy slow link threshold: 500 kbps
Domain Name: SOUTHEAST
Domain Type: Windows 2000
Applied Group Policy Objects
-------------------------- ---
drivemaptest
drivetousers
Controlled Internet Access
Default Domain Policy
Local Group Policy
screenshot.png
-I have verified the settings under the common tab.
-I have attached the screen shot you requested ( I think its the correct one).
-It's not an xp client its windows 7
I did run the cmd and here are the results ( it appears that the GPO is applied)
RSOP data for SOUTHEAST\lxxxxxxx on SEW0518 : Logging Mode
--------------------------
OS Configuration: Member Workstation
OS Version: 6.1.7601
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\lxxxxxx
Connected over a slow link?: No
USER SETTINGS
--------------
CN=Louis xxxxxx,OU=Test,DC=Southeas
Last time Group Policy was applied: 1/12/2014 at 10:29:21 AM
Group Policy was applied from: ntserver7.Southeast.Southe
Group Policy slow link threshold: 500 kbps
Domain Name: SOUTHEAST
Domain Type: Windows 2000
Applied Group Policy Objects
--------------------------
drivemaptest
drivetousers
Controlled Internet Access
Default Domain Policy
Local Group Policy
screenshot.png
It looks like you have a bunch of policies enforced; you don't need that as you aren't blocking inheritance at any OU. This is not what is causing your issue though.
At the client start, run, rsop.msc. Right click User Information, Properties then click on the Error information tab; review this and see if it says what's going on.
You can also review entries in the System log that may reveal what is going on. Look for events that happened right after logging onto the client.
If you open a command prompt at the client and type the following line does it map the drive under My Computer?
At the client start, run, rsop.msc. Right click User Information, Properties then click on the Error information tab; review this and see if it says what's going on.
You can also review entries in the System log that may reveal what is going on. Look for events that happened right after logging onto the client.
If you open a command prompt at the client and type the following line does it map the drive under My Computer?
net use y: \\ntserver4\Technology
You are using GPP (Group Policy Preferences). For some (maybe all) you need to enable them with the function keys.
F5: Enable All
F6: Enable Current
F7: Disable Current
F8: Disable All
I've had problems with GPP in the past with IE settings and had to create a new policy as editing the old one refused to work.
Try creating a new test one and when you are in the screenshot page press F5.
Further info:
http://technet.microsoft.com/en-us/magazine/hh848751.aspx
Alternatively, try a GPO and run a rsop.msc from a client PC to check the results match what you see in GPMC. You can also do GPO Modelling from GPMC which can help identify what should be sent to the client.
F5: Enable All
F6: Enable Current
F7: Disable Current
F8: Disable All
I've had problems with GPP in the past with IE settings and had to create a new policy as editing the old one refused to work.
Try creating a new test one and when you are in the screenshot page press F5.
Further info:
http://technet.microsoft.com/en-us/magazine/hh848751.aspx
Alternatively, try a GPO and run a rsop.msc from a client PC to check the results match what you see in GPMC. You can also do GPO Modelling from GPMC which can help identify what should be sent to the client.
ASKER
Well I have tried a few different scenarios hoping to find resolution with this but still nothing.
-I have looked at the rsop.msc results and it says drive maps completed successfully (verified that the show drives and reconnect is checked).
-the only error is related to Internet explorer - not branding
-I have tried creating a new GPO with a different test user name
-verified user rights to the folder
-did a group policy results wizard and verified there are no errors
-tried applying the f5 option for enable all
- looked at event viewer and that indicates the GPO applied correctly.
- when applying a "net use" command the drive is mapped
could this have anything to do with "fast link" or "fast startup"?
also could the fact the internet explorer gpo is failing have an affect on this?
**see attached screen shot for wizard results
Untitled13.png
-I have looked at the rsop.msc results and it says drive maps completed successfully (verified that the show drives and reconnect is checked).
-the only error is related to Internet explorer - not branding
-I have tried creating a new GPO with a different test user name
-verified user rights to the folder
-did a group policy results wizard and verified there are no errors
-tried applying the f5 option for enable all
- looked at event viewer and that indicates the GPO applied correctly.
- when applying a "net use" command the drive is mapped
could this have anything to do with "fast link" or "fast startup"?
also could the fact the internet explorer gpo is failing have an affect on this?
**see attached screen shot for wizard results
Untitled13.png
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
ok so after numerous attempts and different scenarios I decided to attempt a new test GPO from a different server. A virtual 2008 R2 server and it worked fine. Any and all GPO's I applied worked flawlessly. My concern now is why is it not working on my 2012 server? if that in fact would be a factor?
This 2012 server is a new DC and DHCP server.
Is there an issue with applying group policy from a 2012 server or is there a specific add in i need to install?
This 2012 server is a new DC and DHCP server.
Is there an issue with applying group policy from a 2012 server or is there a specific add in i need to install?
To confirm, all clients are Win 7? What SP do they have and are they fully patched?
If you have XP then you'll need Client Side Extensions installed.
As Mcsween says, ensure you have an Update as well. When we use GPP for printers we have a create for new systems and update for existing incase they've changed it. Remember, GPP is not like a GPO and can be changed by users if that's their 'preference'.
Other than that, I'm not too sure why it would work from 2008 R2 and not from 2012. The GPO template may well be newer, but I'd expect the drive mapping to work from GPP.
If you have XP then you'll need Client Side Extensions installed.
As Mcsween says, ensure you have an Update as well. When we use GPP for printers we have a create for new systems and update for existing incase they've changed it. Remember, GPP is not like a GPO and can be changed by users if that's their 'preference'.
Other than that, I'm not too sure why it would work from 2008 R2 and not from 2012. The GPO template may well be newer, but I'd expect the drive mapping to work from GPP.
1. Click on the common tab and make sure "run in logged on user's security context" is checked otherwise it gets processed as the SYSTEM user. Also make sure there isn't any Item Level targeting enabled that might be filtering you out.
2. Make sure the GPO is linked in Active Directory to the OU where the user account you are using to test resides or above it and block inheritance isn't on any of the OUs. Can you post a screenshot with the window in the current one closed so I can see where the policies are linked?
3. If the client is XP make sure you have the Group Policy Client Side Extensions installed. http://www.microsoft.com/en-us/download/details.aspx?id=3628
4. Open a command prompt (not elevated) and type
Open in new window
Make sure the policy is listed under "Applied Group Policy objects" If it isn't then you are likely having a DNS issue or something else is preventing the polices from applying.