Group Policy Denied, Empty

Posted on 2014-01-20
Medium Priority
Last Modified: 2014-02-17

New to AD and Group Policy.
I have an issue with GPOs being denied.
AD is a single domain, with OUs per site.
GPOs are assigned as:
1) Domain level; default GPO unchanged, non-default with changes
      nonDefault Domain Policy
      Default Domain Policy

2) Site OU level; site-specific GPOs
3) Site sub-OU Computers; computer-group-specific GPO

Now, we are not sure when this happened, but only the site OU GPOs are applied; all other GPOs are listed as Denied (Empty) in the gpresult output.
The only GPO that is applied is gpo<site.Name> with AD (2), Sysvol (2).

Appreciate any assistance in how to troubleshoot this.
Note that in Edit GPO --> Right click GPO name --> Properties, both Computer and User settings are enabled.

OS is Server 2008 R2.

Thanks in advance.
Question by: hairylots
LVL 38

Expert Comment

ID: 39796288
Do you really require site-level GPOs, and is something not achievable through domain-level \ OU-level policies?
You should not apply GPOs at site level unless you have genuine requirements, because it can affect multiple domains.

Also you need to check on the GPO delegation tab and security filtering that you have not explicitly denied/granted for authenticated users \ users \ groups.

In reality, site-level GPOs are overridden by domain-level policies and OU-level policies unless you enforce the site-level GPO.

Also clean up your AD for orphaned GPOs and unlinked GPOs; check the below thread to do that.

Also run rsop.msc and gpresult /h <path to html file> to identify which GPOs are applying and any other issues.

LVL 53

Expert Comment

by:Will Szymkowski
ID: 39796635
Processing starts from the top and works its way down. The processing order is as follows...
- Local GP Objects
- Site
- Domain
- Organizational Units
This processing order is top to bottom, where the lower-level GPOs (Domain, Organizational Units) have the highest precedence, as they are processed last.

With that being said, it typically is not necessary to use site-level GPOs based on the Active Directory site that the computer/user is part of.

You typically use domain/OU-structured GPOs. Although you are using site-level GPOs, while Group Policy is processing, domain-level GPOs are higher (precedence) than site, and OU are higher than domain. So if there are conflicts in processing, the last GPO that is linked to the OU (moving from top to bottom) will process last, and that user/computer gets the settings.

Now that you know how the process works, I would start by looking at the 3 following things...
- Security Filtering (for the GPOs)
- Blocked Inheritance
- Enforce

If you have policies that do not have proper security, they simply will not be applied even if they are linked to the domain or OU. Make sure you check this. This is typically common when you get Filtering <empty> issues. Another thing to consider is enforced policies. If you enforce a policy that is at the site level, it will continue to process this policy through the chain, and Enforce takes precedence, so make sure that you check that as well.

Last thing is blocked inheritance. Make sure that you are not blocking inheritance on any of the GPOs that are being applied. If you block inheritance at the site level, those will be the only policies that get applied, because it ignores the processing order and nothing else will apply from the domain or OU.

Log in to a machine with the issue and use rsop.msc from "Run" and see what computer policies / user policies are being applied. When you can see what policies are being applied, check that level and see that Security Filtering / Blocked Inheritance / Enforce have not been enabled.

One last thing that you might want to check is loopback processing policy. Make sure that this is not enabled. Depending on how it is set ("merge" or "replace" mode), this may also be wiping out your GPOs.

"You should not apply GPOs at site level unless you have genuine requirements, because it can affect multiple domains"
- this is not correct, as a GPO only affects a single domain. The site level is used for specific Active Directory Sites and Services, and that is what it affects, not multiple domains.

You can find additional info at the below link about GPO processing order...

Group Policy Processing Order
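The three checks listed above (security filtering, blocked inheritance, enforce) can be reviewed for a given computer in one pass instead of clicking through each link in GPMC. The following script is an added example, not code from the thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules, a domain-joined session with rights to read GPO permissions, and a hypothetical $ComputerName parameter. It also prints the AD/Sysvol version counters the asker quotes, so a GPO whose relevant half is 0/0 (and therefore shows as Denied (Empty)) stands out.

```powershell
# Added example (not from the thread): walk a computer's OU chain up to the domain root
# and, for every linked GPO, report link state, Enforced, blocked inheritance on the
# container, security filtering (who may apply it / explicit denies), GPO status and
# the AD/Sysvol version counters. Assumes RSAT GroupPolicy + ActiveDirectory modules.
param([Parameter(Mandatory)][string]$ComputerName)   # hypothetical parameter
Import-Module GroupPolicy, ActiveDirectory

$dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
# Collect containers from the computer's own OU up to the domain root (DC=...)
$containers = @()
$cur = ($dn -split ',', 2)[1]                         # drop the CN=<computer> RDN
while ($cur -and $cur -notmatch '^DC=') {
    $containers += $cur
    $cur = ($cur -split ',', 2)[1]
}
$containers += $cur                                   # the domain root itself
[array]::Reverse($containers)                         # domain first = processing order

foreach ($c in $containers) {
    $inh = Get-GPInheritance -Target $c
    Write-Host ("`n== {0}  [inheritance blocked: {1}]" -f $c, $inh.GpoInheritanceBlocked)
    foreach ($link in $inh.GpoLinks) {
        $gpo  = Get-GPO -Guid $link.GpoId
        $perm = Get-GPPermission -Guid $link.GpoId -All
        # Security filtering: trustees that hold "Apply group policy" without a deny
        $apply  = ($perm | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
                   ForEach-Object { $_.Trustee.Name }) -join ', '
        # Explicit denies on the Delegation tab override any allow
        $denied = ($perm | Where-Object { $_.Denied } |
                   ForEach-Object { $_.Trustee.Name }) -join ', '
        [pscustomobject]@{
            GPO           = $gpo.DisplayName
            LinkEnabled   = $link.Enabled
            Enforced      = $link.Enforced
            GpoStatus     = $gpo.GpoStatus            # AllSettingsEnabled is the default
            ComputerVer   = '{0}/{1} (AD/Sysvol)' -f $gpo.Computer.DSVersion, $gpo.Computer.SysvolVersion
            UserVer       = '{0}/{1} (AD/Sysvol)' -f $gpo.User.DSVersion, $gpo.User.SysvolVersion
            AppliesTo     = $apply
            ExplicitDeny  = $denied
            WmiFilter     = $gpo.WmiFilter.Name
        } | Format-List
    }
}
```

A GPO that is linked and Enforced but lists no trustee under AppliesTo, or that names the target's group under ExplicitDeny, is the "Filtering <empty>" case described above; a GPO showing 0/0 for the half you expect to apply simply has no settings there, which gpresult reports as Denied (Empty).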

LVL 38

Expert Comment

ID: 39796744
It's not the case.
GPOs applied at site level are applied to all computers and servers in that site, since the site is an object in the configuration container and common to all domains in the site.
If your network consists of one site and multiple domains, a site-level GPO affects all network objects in all domains.
To manage site GPOs, you need to be a member of the Enterprise Administrators group.
When you implement a Group Policy for a site, the GPO is stored in only one domain in the site.
Computers in other domains need to contact the appropriate domain controller before the policy can be applied.

The reason to avoid site-level GPOs unless you have a real, genuine reason is that the client will need to pull content from a DC in the neighboring domain, which can be a very slow process. For this reason, site-level GPOs are not generally recommended.


Author Comment

ID: 39813941
Hello Mahesh, Will

Thanks for the response; very much appreciated.
Newbie, lesson learnt:
1) My reference to site is not correct; the GPOs are applied at Domain, an OU, and sub-OUs. We do not have a GPO applied at the AD site level. My OUs are named after physical sites; sub-OUs are groupings such as computers and user containers.
2) What privileges should be used to run rsop.msc and gpresult /H:gpresult.html, for both the user and computer settings report? When run as a member of the Domain Admins group or as domain admin, we get the message: "INFO: The user "domain\user" does not have RSOP data."

I am having an issue with one GPO, applied to a sub-OU for testing. The GPO has one setting: create a folder as c:\<name>
This folder is never created.
The GPO is listed as applied.
I have tried placing the folder create in both the user and computer preference sections of the GPO.
All settings are default, the GPO is listed as linked, Enforced = No.

How can I troubleshoot further?
Your assistance is appreciated.
LVL 38

Expert Comment

ID: 39826168
What is the client OS version?

Author Comment

ID: 39827268
Hello Mahesh

Thanks for responding. The OSes are Win 7, Vista and XP, all with the latest service packs applied; the server / AD OS is Win2k8 R2. I have now successfully fixed the issue on Win 7 and Vista; still not working on XP though. I need to test XP a bit further.
The possible fix on Win 7 and Vista was to apply selective targeting.

LVL 38

Accepted Solution

Mahesh earned 2000 total points
ID: 39827392
For XP you first need to apply \ install the CSE on the XP machines, so that they can work with GP Preferences.
Download CSE for XP:

Even if you created the new folder in the user preferences in the GPO, it should work, as GP Preferences work with the system account.

Best Regards
