
Group Policy Denied, Empty


New to AD and Group Policy.
I have an issue with GPO's being denied.
AD is a single domain, with OU's per site.
GPOs are assigned as:
1) Domain level; default GPO unchanged, non-Default with changes
      nonDefault Domain Policy
      Default Domain Policy

2) site OU level; site specific GPO's
3) site sub OU Computers; computer group specific GPO

Now, we are not sure when this happened but only the site OU GPO's are applied, all other GPO's are listed as Denied Empty in gpresult output.
The only GPO that is applied is gpo<site.Name> with AD (2), Sysvol (2).

Appreciate any assistance in how to troubleshoot this.
Note that edit GPO --> Right click GPO name --> Properties; both Computer and User settings are enabled.

OS is server 2008 R2.

Thanks in advance.
1 Solution
Do you really require site-level GPOs? Is there something that is not achievable through domain-level / OU-level policies?
You should not apply GPOs at site level unless you have genuine requirements, because it can affect multiple domains.

Also you need to check on the GPO delegation tab and security filtering that you have not explicitly granted Deny for Authenticated Users / users / groups.

In reality, site-level GPOs are overridden by domain-level policies and OU-level policies unless you enforce the site-level GPO.

Also clean up your AD for orphaned GPOs and unlinked GPOs; check the below thread to do that.

Also run rsop.msc and gpresult /h <path to html file> to identify which GPOs are applying and any other issues.

Will Szymkowski, Senior Solution Architect, commented:
Processing starts from top to bottom and works its way down. The processing order is as follows...
- Local GP Objects
- Site
- Domain
- Organizational Units
This processing order is Top to bottom, where the lower level GPO's Domain, Organizational Units have the highest precedence as they are processed last.

With that being said, it typically is not necessary to use Site Level GPO's based on the Active Directory Site that the computer/user is part of.

You typically use Domain/OU structured GPO's. Although you are using site level GPO's, while group policy is processing, domain level GPO's are higher (precedence) than site, and OU are higher than domain. So if there are conflicts in processing, the last GPO that is linked to the OU (moving from top to bottom) will process last and that user/computer gets the settings.

Now that you know how the process works, I would start by looking at the 3 following things...
- Security Filtering (for the GPO's)
- Blocked Inheritance
- Enforce

If you have policies that do not have proper Security they simply will not be applied even if they are linked to the domain or OU. make sure you check this. This is typically common when you get Filtering <empty> issues. Another thing to consider is enforce policies. If you enforce a policy that is at the site level it will continue to process this policy through the chain and Enforce takes precedence, so make sure that you check that as well.

Last thing is blocked inheritance. Make sure that you are not blocking inheritance on any of the GPO's that are being applied. If you block inheritance at the Site level those will be the only policies that get applied, because it ignores the processing order and nothing else will apply from the domain or OU.

Login to a machine with the issue and use rsop.msc from the "RUN" and see what computer policies / user policies are being applied. When you can see what policies are being applied check that level and see if Security filtering/Blocked inheritance/Enforce have not been enabled.

One last thing that you might want to check is loop back processing policy. Make sure that this is not enabled. Depending on how it is set "merge or replace" mode this may also be wiping out your GPO's.

You should not apply GPOs at site level unless you have genuine requirements, because it can affect multiple domains
- this is not correct, as a GPO only affects a single domain. The Site level is used for specific Active Directory Sites and Services, and that is what it affects, not multiple domains.

You can find additional info at the below link about GPO processing order...

Group Policy Processing Order
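The checklist above (link order, blocked inheritance, enforce, security filtering, loopback) can be walked for one OU with the GroupPolicy module. This is an added example, not code from the thread or from either responder; the OU distinguished name is an assumption to be replaced with your own, and the `UserPolicyMode` registry value (1 = Merge, 2 = Replace) is where the loopback setting is stored.

```powershell
# Added example (not from the thread): audit the GPO chain reaching one OU.
# Requires the GroupPolicy module (RSAT / Windows Server 2008 R2 or later).
Import-Module GroupPolicy

$targetOu = 'OU=Computers,OU=Site1,DC=example,DC=com'   # assumed OU; replace

# 1) Blocked inheritance and the effective link order for this OU
$inh = Get-GPInheritance -Target $targetOu
if ($inh.GpoInheritanceBlocked) {
    Write-Warning "Inheritance is BLOCKED at $($inh.Path); only Enforced GPOs from above still apply."
}
Write-Host "Effective link order for $($inh.Path) (last processed wins):"
$inh.InheritedGpoLinks | Sort-Object Order | ForEach-Object {
    '{0,3}  Enabled={1,-5} Enforced={2,-5} {3}  <- {4}' -f `
        $_.Order, $_.Enabled, $_.Enforced, $_.DisplayName, $_.Target
}

foreach ($link in $inh.InheritedGpoLinks) {
    $name  = $link.DisplayName
    $perms = Get-GPPermission -Name $name -All

    # 2) Security filtering: an explicit Deny, or no 'Apply Group Policy' for
    #    Authenticated Users, is what gpresult reports as Denied (Empty).
    $denied = $perms | Where-Object { $_.Denied }
    $apply  = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    if ($denied) {
        Write-Warning ('{0}: explicit Deny for {1}' -f $name,
            (($denied | ForEach-Object { $_.Trustee.Name }) -join ', '))
    }
    if (-not ($apply | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' })) {
        Write-Warning ("{0}: 'Authenticated Users' lacks Apply; filtered to: {1}" -f $name,
            (($apply | ForEach-Object { $_.Trustee.Name }) -join ', '))
    }

    # 3) Loopback processing (registry-based policy; cmdlet throws if unset)
    try {
        $lb = Get-GPRegistryValue -Name $name `
            -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
        $mode = if ($lb.Value -eq 2) { 'Replace' } else { 'Merge' }
        Write-Warning ('{0}: user loopback processing enabled ({1})' -f $name, $mode)
    } catch { }   # value not configured in this GPO: no loopback
}
```

Run it on a domain-joined machine as a user with GPO read rights; each warning maps to one of the three checks named above, so an empty run means the cause is elsewhere (for example, the client-side gpresult /h report).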

It's not the case.
GPOs applied at site level are applied to all computers and servers in that site, since the site is an object in the configuration container and common to all domains in the site.
If your network consists of one site and multiple domains, a site-level GPO affects all network objects in all domains.
To manage site GPOs, you need to be a member of the Enterprise Administrators group.
When you implement a Group Policy for a site, the GPO is stored in only one domain in the site.
Computers in other domains need to contact the appropriate domain controller before the policy can be applied.

The reason to avoid site-level GPOs unless you have a genuine reason is that the client will need to pull content from a DC in the neighbouring domain, which can be a very slow process. For this reason, site-level GPOs are not generally recommended.


hairylots (Author) commented:
Hello Mahesh, Will

Thanks for the response and very appreciated.
Newbie, lesson learnt:
1) My reference to site is not correct; the GPOs are applied as Domain, an OU, and sub-OUs. We do not have a GPO applied at the AD site level. My OUs are listed as physical sites; sub-OUs are groupings such as computers and user containers.
2) What privileges should be used to run rsop.msc and gpresult /H:gpresult.html for both the user and computer settings report? When run as a member of the domain admin group or as domain admin we get the message: "INFO: The user "domain\user" does not have RSOP data."

I am having issue with one GPO, applied to sub OU for testing. The GPO has one setting: create a folder as c:\<name>
This folder is never created.
The GPO is listed as applied.
I have tried placing the folder create in both user and computer preference section of the GPO.
All settings are default, GPO is listed as linked, Enforced = No.

How can I troubleshoot further?
Your assistance is appreciated.

What is the client OS version?

hairylots (Author) commented:
Hello Mahesh

Thanks for responding. OS are Win 7, Vista and XP, all with the latest service packs applied; server / AD OS is Win2k8 R2. I have now successfully fixed the issue on Win 7 and Vista, still not working on XP though. I need to test XP a bit further.
Possible fix on Win 7 and Vista was to apply selective targeting.

For XP you first need to apply / install the CSE on XP machines, so that it can work with GP Preferences.
Download CSE for XP:

Even if you created the new folder in the user preferences section of the GPO, it should work, as GP Preferences work with the system account.

Best Regards