Solved

Group Policy Denied, Empty

Posted on 2014-01-20
7
1,095 Views
Last Modified: 2014-02-17
Hello

New to AD and Group Policy.
I have an issue with GPOs being denied.
AD is a single domain, with OUs per site.
GPOs are assigned as:
1) Domain level; default GPO unchanged, non-Default with changes
      nonDefault Domain Policy
      Default Domain Policy

2) site OU level; site specific GPOs
     gpo<site.Name>
     gpo.IE.Security.Zone
3) site sub OU Computers; computer group specific GPO
       wsus.<day>

Now, we are not sure when this happened but only the site OU GPOs are applied, all other GPOs are listed as Denied Empty in gpresult output.
The only GPO that is applied is gpo<site.Name> with AD (2), Sysvol (2).

Appreciate any assistance in how to troubleshoot this.
Note that edit GPO --> Right click GPO name --> Properties; both Computer and User settings are enabled.

OS is server 2008 R2.

Thanks in advance.
0
Question by:hairylots
7 Comments
 
LVL 35

Expert Comment

by:Mahesh
ID: 39796288
Do you really require site-level GPOs? Is something not achievable through domain-level \ OU-level policies?
You should not apply GPOs at site level unless you have genuine requirements, because it can affect multiple domains.

Also you need to check on the GPO delegation tab and security filtering that you have not explicitly granted Deny for Authenticated Users \ users \ groups.

In reality, site-level GPOs are overridden by domain-level policies and OU-level policies unless you have enforced the site-level GPO.

Also clean up your AD for orphaned GPOs and unlinked GPOs; check the thread below to do that:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28324240.html

Also run rsop.msc and gpresult /h <path to html file> to identify which GPOs are applying and any other issues.

Mahesh
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39796635
Processing starts from top to bottom and works its way down. The processing order is as follows...
- Local GP Objects
- Site
- Domain
- Organizational Units
This processing order is top to bottom, where the lower-level GPOs (Domain, Organizational Units) have the highest precedence as they are processed last.

With that being said, it typically is not necessary to use site-level GPOs based on the Active Directory Site that the computer/user is part of.

You typically use Domain/OU structured GPOs. Although you are using site-level GPOs, while group policy is processing, domain-level GPOs are higher (precedence) than site, and OU are higher than domain. So if there are conflicts in processing, the last GPO that is linked to the OU (moving from top to bottom) will process last and that user/computer gets the settings.

Now that you know how the process works, I would start by looking at the 3 following things...
- Security Filtering (for the GPOs)
- Blocked Inheritance
- Enforce

If you have policies that do not have proper Security they simply will not be applied even if they are linked to the domain or OU. Make sure you check this. This is typically common when you get Filtering <empty> issues. Another thing to consider is enforced policies. If you enforce a policy that is at the site level it will continue to process this policy through the chain and Enforce takes precedence, so make sure that you check that as well.

Last thing is blocked inheritance. Make sure that you are not blocking inheritance on any of the GPOs that are being applied. If you block inheritance at the Site level those will be the only policies that get applied because it ignores the processing order and nothing else will apply from the domain or OU.

Log in to a machine with the issue and use rsop.msc from "Run" and see what computer policies / user policies are being applied. When you can see what policies are being applied, check that level and see that Security filtering/Blocked inheritance/Enforce have not been enabled.

One last thing that you might want to check is loopback processing policy. Make sure that this is not enabled. Depending on how it is set ("merge" or "replace" mode) this may also be wiping out your GPOs.

@Mahesh
You should not apply GPOs at site level unless you have genuine requirements, because it can affect multiple domains
- this is not correct as a GPO only affects a single domain. The Site level is used for specific Active Directory Sites and Services, and that is what it affects, not multiple domains.

You can find additional info at the below link about GPO processing order...

Group Policy Processing Order

Will.
0
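The three checks listed in the answer above (security filtering, blocked inheritance, enforced links) plus the GPO's own status and AD/Sysvol version counters can be read in one pass with the GroupPolicy PowerShell module that ships with GPMC on Server 2008 R2 and later. The script below is an added example and is not code from anyone in this thread; the OU distinguished name is a placeholder, and the `Get-GpoLinkAudit` function name is my own. It walks from the target OU up to the domain root, which is the same container chain LSDOU processing evaluates, and reports every link it finds.

```powershell
# Added example (not from the thread): audit the GPO links that should reach
# an OU and surface the usual reasons a GPO shows as Denied or Not Applied.
# Requires the GroupPolicy module (installed with GPMC / RSAT).
Import-Module GroupPolicy

function Get-GpoLinkAudit {
    param(
        # Placeholder DN; replace with the real sub-OU holding the affected computers.
        [Parameter(Mandatory)] [string] $OuDistinguishedName
    )

    # Build the container chain: target OU, each parent OU, then the domain root.
    $containers = @()
    $dn = $OuDistinguishedName
    while ($dn -match '^OU=[^,]+,(.+)$') {
        $containers += $dn
        $dn = $Matches[1]
    }
    $containers += $dn   # DC=... (domain root)

    foreach ($container in $containers) {
        $inh = Get-GPInheritance -Target $container

        # Blocked inheritance on any container below the link cuts off the GPOs above it.
        [pscustomobject]@{
            Container          = $container
            Gpo                = '(container)'
            InheritanceBlocked = $inh.GpoInheritanceBlocked
            LinkEnabled        = $null
            Enforced           = $null
            GpoStatus          = $null
            VersionsADvsSysvol = $null
            ApplyTrustees      = $null
            ExplicitDenies     = $null
        }

        foreach ($link in $inh.GpoLinks) {
            $gpo   = Get-GPO -Guid $link.GpoId
            $perms = Get-GPPermission -Guid $link.GpoId -All

            # Security filtering: who holds "Apply group policy", and is anyone explicitly denied?
            $apply  = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
                      ForEach-Object { $_.Trustee.Name }
            $denies = $perms | Where-Object { $_.Denied } |
                      ForEach-Object { "$($_.Trustee.Name):$($_.Permission)" }

            # DSVersion/SysvolVersion are the "AD (n), Sysvol (n)" counters gpresult prints.
            # 0 on one side means that side of the GPO has never been edited (empty);
            # AD and Sysvol disagreeing points at replication rather than filtering.
            $versions = 'User AD={0} Sysvol={1}; Computer AD={2} Sysvol={3}' -f `
                $gpo.User.DSVersion, $gpo.User.SysvolVersion,
                $gpo.Computer.DSVersion, $gpo.Computer.SysvolVersion

            [pscustomobject]@{
                Container          = $container
                Gpo                = $link.DisplayName
                InheritanceBlocked = $inh.GpoInheritanceBlocked
                LinkEnabled        = $link.Enabled
                Enforced           = $link.Enforced
                GpoStatus          = $gpo.GpoStatus   # AllSettingsEnabled, UserSettingsDisabled, ...
                VersionsADvsSysvol = $versions
                ApplyTrustees      = ($apply -join ', ')
                ExplicitDenies     = ($denies -join ', ')
            }
        }
    }
}

# Usage (placeholder DN):
Get-GpoLinkAudit -OuDistinguishedName 'OU=Computers,OU=Site1,DC=corp,DC=example' |
    Format-Table -AutoSize
```

Read the output bottom-up: a container with `InheritanceBlocked = True` explains why everything linked above it is missing unless that link shows `Enforced = True`; a GPO whose `ApplyTrustees` no longer includes Authenticated Users (or the relevant group) explains a security-filtering denial; and a GPO whose user or computer `DSVersion` is 0 has simply never had settings written on that side, which is what an "Empty" filtering result describes.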
 
LVL 35

Expert Comment

by:Mahesh
ID: 39796744
It's not the case.
GPOs applied to site level are applied to all computers and servers in that site since site is the object in configuration container and common to all domains in site
If your network consists of one site and multiple domains, a site-level GPO affects all network objects in all domains.
To manage site GPOs, you need to be a member of the Enterprise Administrators group.
When you implement a Group Policy for a site, the GPO is stored in only one domain in the site.
Computers in other domains need to contact the appropriate domain controller before the policy can be applied.
http://www.cramerz.com/mcse/mcse_group_policy
http://www.alc.amadeus.com/content/public/alw/skillsoft/cbtlib/113994/114009/eng/thin/transcript.html

The reason to avoid site-level GPOs unless you have a real, genuine reason is that the client will need to pull content from a DC in the neighboring domain, which can be a very slow process. For this reason, site-level GPOs are not generally recommended.

http://community.spiceworks.com/topic/432471-linking-gpos-across-domains
http://www.pcreview.co.uk/forums/site-level-and-domain-level-plicies-t2655939.html

Mahesh
0
 

Author Comment

by:hairylots
ID: 39813941
Hello Mahesh, Will

Thanks for the response and very appreciated.
Newbie, lesson learnt:
1) My reference to site is not correct; the GPOs are applied as Domain, an OU, and sub-OUs. We do not have a GPO applied at the AD site level. My OUs are listed as physical sites; sub-OUs are groupings such as computers and user containers.
2) What privileges should be used to run rsop.msc and gpresult /H:gpresult.html for both user and computer settings reports? When run as a member of the domain admin group or as domain admin we get the message: "INFO: The user "domain\user" does not have RSOP data."

I am having issue with one GPO, applied to sub OU for testing. The GPO has one setting: create a folder as c:\<name>
This folder is never created.
The GPO is listed as applied.
I have tried placing the folder create in both user and computer preference section of the GPO.
All settings are default, GPO is listed as linked, Enforced = No.


How can I troubleshoot further?
Your assistance is appreciated.
0
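The gpresult question in the post above concerns which account the report is collected for. gpresult has separate `/scope:computer` and `/scope:user` runs, and the user scope needs a user who has actually logged on to that machine, named with `/user`; an elevated prompt runs as the administrator account, which typically has no user RSoP data on a client it never logged on to. The wrapper below is an added example, not code from the thread or from Microsoft; `Export-RsopReports` and the output directory are my own placeholders, and only the documented gpresult.exe switches (`/scope`, `/user`, `/h`, `/f`) are used.

```powershell
# Added example (not from the thread): collect both RSoP scopes from an
# elevated PowerShell prompt on the affected client, naming the interactive
# user explicitly so the user-scope report is generated for the right account.
function Export-RsopReports {
    param(
        # Assumed: a DOMAIN\user who has logged on to this computer at least once.
        [Parameter(Mandatory)] [string] $LoggedOnUser,
        # Placeholder output folder.
        [string] $OutDir = (Join-Path $env:TEMP 'rsop')
    )

    # Computer scope requires local administrator rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated prompt: computer-scope RSoP needs local admin rights.'
    }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $computerReport = Join-Path $OutDir 'computer.html'
    $userReport     = Join-Path $OutDir 'user.html'

    # Computer settings: no user component, so this never needs /user.
    gpresult.exe /scope:computer /h $computerReport /f
    if ($LASTEXITCODE -ne 0) { throw "gpresult (computer scope) failed with exit code $LASTEXITCODE" }

    # User settings for the interactive user rather than the elevating admin account.
    gpresult.exe /scope:user /user $LoggedOnUser /h $userReport /f
    if ($LASTEXITCODE -ne 0) { throw "gpresult (user scope for $LoggedOnUser) failed with exit code $LASTEXITCODE" }

    [pscustomobject]@{
        ComputerReport = $computerReport
        UserReport     = $userReport
    }
}

# Usage (placeholder user name):
Export-RsopReports -LoggedOnUser 'CORP\jsmith'
```

In each HTML report the "Denied GPOs" table carries a Reason Denied column (for example Security, Empty, or Disabled Link) which maps directly onto the security filtering, empty-side, and link-state checks discussed earlier in the thread.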
 
LVL 35

Expert Comment

by:Mahesh
ID: 39826168
What is the client OS version ?

Mahesh
0
 

Author Comment

by:hairylots
ID: 39827268
Hello Mahesh

Thanks for responding. OSes are Win 7, Vista and XP, all with the latest service packs applied; server / AD OS is Win2k8 R2. I have now successfully fixed the issue on Win 7 and Vista, still not working on XP though. I need to test XP a bit further.
Possible fix on Win 7 and Vista was to apply selective targeting.


Regards
Andrew
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39827392
For XP you first need to apply \ install the CSE on XP machines, so that they can work with GP Preferences.
Download the CSE for XP:
http://www.microsoft.com/en-in/download/details.aspx?id=3628

Even if you created the new folder in the user preferences of the GPO, it should work, as GP Preferences work with the system account.

Best Regards
Mahesh
0
