Group Policy will not work

Posted on 2014-01-11
Last Modified: 2014-01-17
I've been trying to get some basic group policies to work but have had no success.  I am attempting to run a GPO where a specific shared folder on a network server maps as a network drive.  For testing purposes i have setup an OU called test in AD and assigned myself as a member.  I have of course granted myself full read write capabilities to the folder and created a linked GPO and assigned the specific location on a different server.  I have run gpupdate /force and logged off a client to test and it doesn't work. I have gone over multiple articles and followed each very closely as well as watched videos on this procedure which seems fairly straight forward, but it does not work. I have previously attempted creating a GPO for a firewall rule i wanted to implement regarding spiceworks and that hasn't worked either. I would like to begin implementing certain policies and securities such as mandatory password resets but since i cant get this to work i am at an impass.  The environment includes the following servers and software.
*see attached for screen shot of GPO

DC - server 2013 (DNS, DHCP) - location where i attempting to apply GPO
DC - server 2008 R2 (virtual)
DC - server 2003 SP2 (soon to be phased out)
EXCHANGE 2010 - on a server 2012
FILE server - server 2003 SP2

I would appreciate any insight you guys could give me.
thank you
Question by:telperiongroup
  • 3
  • 3
  • 2
  • +1
LVL 21

Expert Comment

Comment Utility
A couple things to check.

1. Click on the common tab and make sure "run in logged on user's security context" is checked otherwise it gets processed as the SYSTEM user.  Also make sure there isn't any Item Level targeting enabled that might be filtering you out.

2. Make sure the GPO is linked in Active Directory to the OU where the user account you are using to test resides or above it and block inheritance isn't on any of the OUs.  Can you post a screenshot with the window in the current one closed so I can see where the policies are linked?

3. If the client is XP make sure you have the Group Policy Client Side Extensions installed.

4. Open a command prompt (not elevated) and type
gpresult /r /SCOPE USER

Open in new window

Make sure the policy is listed under "Applied Group Policy objects"  If it isn't then you are likely having a DNS issue or something else is preventing the polices from applying.

Expert Comment

Comment Utility
in the past i did this with a simple bat file in logon policy.

you can try this command line in a bat file:

net use Y: /persistent:yes \\servername\share /u:domainaccount password

#persistent if you want to reconect
#/u just if the drive have special permissions

good luck!

Author Comment

Comment Utility
mcsween thanks so much for responding.
-I have verified the settings under the common tab.
-I have attached the screen shot you requested ( I think its the correct one).
-It's not an xp client its windows 7
I did run the cmd and here are the results ( it appears that the GPO is applied)

RSOP data for SOUTHEAST\lxxxxxxx on SEW0518 : Logging Mode

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\lxxxxxx
Connected over a slow link?: No

    CN=Louis xxxxxx,OU=Test,DC=Southeast,DC=Southeast
    Last time Group Policy was applied: 1/12/2014 at 10:29:21 AM
    Group Policy was applied from:      ntserver7.Southeast.Southeast
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        SOUTHEAST
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
        Controlled Internet Access
        Default Domain Policy
        Local Group Policy
LVL 21

Expert Comment

Comment Utility
It looks like you have a bunch of policies enforced; you don't need that as you aren't blocking  inheritance at any OU.  This is not what is causing your issue though.

At the client start, run, rsop.msc. Right click User Information, Properties then click on the Error information tab; review this and see if it says what's going on.

You can also review entries in the System log that may reveal what is going on.  Look for events that happened right after logging onto the client.

If you open a command prompt at the client and type the following line does it map the drive under My Computer?
net use y: \\ntserver4\Technology

Open in new window

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

LVL 15

Expert Comment

by:Rob Stone
Comment Utility
You are using GPP (Group Policy Preferences).  For some (maybe all) you need to enable them with the function keys.

    F5: Enable All
    F6: Enable Current
    F7: Disable Current
    F8: Disable All

I've had problems with GPP in the past with IE settings and had to create a new policy as editing the old one refused to work.

Try creating a new test one and when you are in the screenshot page press F5.

Further info:

Alternatively, try a GPO and run a rsop.msc from a client PC to check the results match what you see in GPMC.  You can also do GPO Modelling from GPMC which can help identify what should be sent to the client.

Author Comment

Comment Utility
Well I have tried a few different scenarios hoping to find resolution with this but still nothing.

-I have looked at the rsop.msc results and it says drive maps completed successfully (verified that the show drives and reconnect is checked).

-the only error is related to Internet explorer - not branding
-I have tried creating a new GPO with a different test user name
-verified user rights to the folder
-did a group policy results wizard and verified there are no errors
-tried applying the f5 option for enable all
- looked at event viewer and that indicates the GPO applied correctly.
- when applying a "net use" command the drive is mapped

could this have anything to do with "fast link" or "fast startup"?
also could the fact the internet explorer gpo is failing have an affect on this?
**see attached screen shot for wizard results
LVL 21

Accepted Solution

mcsween earned 500 total points
Comment Utility
I have 2 suggestions left and I'd like you to double check something.

1. Make sure "Run in logged on user's security context" is checked on the common tab of the drive map entry in the GPO.

2. Set this policy enabled - Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon

3. Yikes, I just looked at your original screen shot again.  Change the action from Create to Update.  Update will create it if it isn't there, update it otherwise.  I've had bad luck with create.

Author Comment

Comment Utility
ok so after numerous attempts and different scenarios I decided to attempt a new test GPO from a different server.  A virtual 2008 R2 server and it worked fine.  Any and all GPO's I applied worked flawlessly.  My concern now is why is it not working on my 2012 server? if that in fact would be a factor?

This 2012 server is a new DC and DHCP server.

Is there an issue with applying group policy from a 2012 server or is there a specific add in i need to install?
LVL 15

Expert Comment

by:Rob Stone
Comment Utility
To confirm, all clients are Win 7? What SP do they have and are they fully patched?

If you have XP then you'll need Client Side Extensions installed.

As Mcsween says, ensure you have an Update as well.  When we use GPP for printers we have a create for new systems and update for existing incase they've changed it. Remember, GPP is not like a GPO and can be changed by users if that's their 'preference'.

Other than that, I'm not too sure why it would work from 2008 R2 and not from 2012. The GPO template may well be newer, but I'd expect the drive mapping to work from GPP.

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Learn about cloud computing and its benefits for small business owners.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now