Group Policy Denied, Empty

Posted on 2014-01-20
Medium Priority
Last Modified: 2014-02-17

New to AD and Group Policy.
I have an issue with GPOs being denied.
AD is a single domain, with OUs per site.
GPOs are assigned as:
1) Domain level; default GPO unchanged, non-default with changes
      nonDefault Domain Policy
      Default Domain Policy

2) site OU level; site-specific GPOs
3) site sub-OU Computers; computer-group-specific GPO

Now, we are not sure when this happened, but only the site OU GPOs are applied; all other GPOs are listed as Denied Empty in the gpresult output.
The only GPO that is applied is gpo<site.Name> with AD (2), Sysvol (2).

Appreciate any assistance in how to troubleshoot this.
Note that edit GPO --> Right click GPO name --> Properties; both Computer and User settings are enabled.

OS is server 2008 R2.

Thanks in advance.
Question by:hairylots
LVL 40

Expert Comment

ID: 39796288
Do you really require site-level GPOs? Is something not achievable through domain-level / OU-level policies?
You should not apply GPOs at site level unless you have genuine requirements, because it can affect multiple domains.

Also you need to check on the GPO Delegation tab and Security Filtering that you have not explicitly granted Deny to Authenticated Users / users / groups.

In reality site-level GPOs are overridden by domain-level policies and OU-level policies unless you have enforced the site-level GPO.

Also clean up your AD for orphaned GPOs and unlinked GPOs; check the thread below to do that.

Also run rsop.msc and gpresult /h <path to html file> to identify which GPOs are applying and any other issues.

LVL 53

Expert Comment

by:Will Szymkowski
ID: 39796635
Processing starts from top to bottom and works its way down. The processing order is as follows...
- Local GP Objects
- Site
- Domain
- Organizational Units
This processing order is top to bottom, where the lower-level GPOs (Domain, Organizational Units) have the highest precedence as they are processed last.

With that being said, it typically is not necessary to use site-level GPOs based on the Active Directory site that the computer/user is part of.

You typically use Domain/OU-structured GPOs. Although you are using site-level GPOs, while Group Policy is processing, domain-level GPOs are higher (precedence) than site, and OU are higher than domain. So if there are conflicts in processing, the last GPO that is linked to the OU (moving from top to bottom) will process last and that user/computer gets the settings.

Now that you know how the process works, I would start by looking at the 3 following things...
- Security Filtering (for the GPOs)
- Blocked Inheritance
- Enforce

If you have policies that do not have proper security, they simply will not be applied even if they are linked to the domain or OU. Make sure you check this. This is typically common when you get Filtering <empty> issues. Another thing to consider is enforced policies. If you enforce a policy that is at the site level it will continue to process this policy through the chain, and Enforce takes precedence, so make sure that you check that as well.

Last thing is blocked inheritance. Make sure that you are not blocking inheritance on any of the GPOs that are being applied. If you block inheritance at the site level, those will be the only policies that get applied, because it ignores the processing order and nothing else will apply from the domain or OU.

Log in to a machine with the issue and use rsop.msc from "Run" and see what computer policies / user policies are being applied. When you can see what policies are being applied, check that level and see that Security Filtering / Blocked Inheritance / Enforce have not been enabled.

One last thing that you might want to check is the loopback processing policy. Make sure that this is not enabled. Depending on how it is set ("merge" or "replace" mode), this may also be wiping out your GPOs.

"You should not apply GPOs at site level unless you have genuine requirements, because it can affect multiple domains"
- this is not correct, as a GPO only affects a single domain. The site level is used for specific Active Directory Sites and Services, and that is what it affects, not multiple domains.

You can find additional info at the below link about GPO processing order...

Group Policy Processing Order
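The three checks listed above (security filtering, blocked inheritance, enforcement) can be read straight from the GroupPolicy RSAT module. The following is an added PowerShell example, not code from this thread; it assumes the GroupPolicy module is installed, and the OU distinguished name is a placeholder.

```powershell
# Added example, not from the thread: list every GPO that reaches one container
# and show the link state that decides whether it applies (security filtering,
# blocked inheritance, enforcement, enabled settings, WMI filter).
# Requires the GroupPolicy module (RSAT / GPMC). The OU DN is an assumed placeholder.
Import-Module GroupPolicy

function Test-GpoLinkChain {
    param(
        [Parameter(Mandatory)]
        [string]$TargetDN    # e.g. 'OU=Computers,OU=Site1,DC=example,DC=com' (placeholder)
    )

    $inh = Get-GPInheritance -Target $TargetDN

    if ($inh.GpoInheritanceBlocked) {
        # With "Block Inheritance" set, only Enforced links from parents still apply.
        Write-Warning "Inheritance is blocked at $($inh.Path): only enforced parent links apply here."
    }

    # InheritedGpoLinks is every link that reaches this container, parents included,
    # already sorted in application order (the last entry wins on conflicts).
    foreach ($link in $inh.InheritedGpoLinks) {
        $gpo   = Get-GPO -Guid $link.GpoId
        $perms = Get-GPPermission -Guid $link.GpoId -All

        # Who can actually apply it: trustees holding GpoApply without a Deny ACE.
        $applyTo  = @($perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
                      ForEach-Object { $_.Trustee.Name })
        # Explicit Deny entries filter the GPO out even when the link itself is fine.
        $deniedTo = @($perms | Where-Object { $_.Denied } | ForEach-Object { $_.Trustee.Name })

        $wmiName = '(none)'
        if ($gpo.WmiFilter) { $wmiName = $gpo.WmiFilter.Name }

        $applyText = '(nobody - check Security Filtering)'
        if ($applyTo.Count -gt 0) { $applyText = $applyTo -join ', ' }

        [pscustomobject]@{
            Order       = $link.Order
            GPO         = $gpo.DisplayName
            LinkedAt    = $link.Target
            LinkEnabled = $link.Enabled
            Enforced    = $link.Enforced
            GpoStatus   = $gpo.GpoStatus      # AllSettingsEnabled, UserSettingsDisabled, ...
            WmiFilter   = $wmiName
            ApplyTo     = $applyText
            DeniedTo    = ($deniedTo -join ', ')
        }
    }
}

# Usage: one row per GPO in processing order. An empty ApplyTo, a Deny on the
# computer/user being tested, or a GpoStatus with the relevant side disabled
# explains a GPO that gpresult reports as filtered out.
Test-GpoLinkChain -TargetDN 'OU=Computers,OU=Site1,DC=example,DC=com' | Format-Table -AutoSize
```

Run it against the deepest OU that holds the affected computer or user account; because the output includes the parent links, a single call covers the whole domain-to-sub-OU chain described in the question.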

LVL 40

Expert Comment

ID: 39796744
It's not the case.
GPOs applied at site level are applied to all computers and servers in that site, since the site is an object in the Configuration container and common to all domains in the site.
If your network consists of one site and multiple domains, a site-level GPO affects all network objects in all domains.
To manage site GPOs, you need to be a member of the Enterprise Administrators group.
When you implement a Group Policy for a site, the GPO is stored in only one domain in the site.
Computers in other domains need to contact the appropriate domain controller before the policy can be applied.

The reason to avoid site-level GPOs unless you have a real, genuine reason is that the client will need to pull content from a DC in the neighbouring domain, which can be a very slow process. For this reason, site-level GPOs are not generally recommended.



Author Comment

ID: 39813941
Hello Mahesh, Will

Thanks for the response and very appreciated.
Newbie, lesson learnt:
1) My reference to "site" is not correct; the GPOs are applied at the domain, an OU, and sub-OUs. We do not have a GPO applied at the AD site level. My OUs are named after physical sites; sub-OUs are groupings such as computer and user containers.
2) What privileges should be used to run rsop.msc and gpresult /H:gpresult.html for both the user and computer settings reports? When run as a member of the Domain Admins group or as domain admin we get the message: "INFO: The user "domain\user" does not have RSOP data."

I am having issue with one GPO, applied to sub OU for testing. The GPO has one setting: create a folder as c:\<name>
This folder is never created.
The GPO is listed as applied.
I have tried placing the folder create in both user and computer preference section of the GPO.
All settings are default, GPO is listed as linked, Enforced = No.

How can I troubleshoot further?
Your assistance is appreciated.
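The "does not have RSOP data" message commonly appears when gpresult runs from an elevated prompt as an account that has never logged on to that machine, so there is no user-side RSoP to report; the computer side has to be requested explicitly, and the user side for a user who has actually logged on there. The following added PowerShell example (not from this thread) collects both scopes separately and pulls recent errors from the Group Policy operational log on Vista/Windows 7 (that log does not exist on XP). The output directory and user name are placeholders.

```powershell
# Added example, not from the thread: collect computer-scope and user-scope RSoP
# reports separately, then pull recent errors from the Group Policy operational log.
# Run from an elevated prompt on the affected machine. $OutDir and $UserName are placeholders.
function Get-GpReports {
    param(
        [string]$OutDir   = "$env:SystemDrive\gp-reports",
        [string]$UserName = $null      # e.g. 'DOMAIN\jdoe', a user who has logged on here (placeholder)
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Computer settings need an elevated prompt but no interactive user session.
    gpresult.exe /SCOPE COMPUTER /H (Join-Path $OutDir 'computer.html') /F

    # User settings exist only for an account that has logged on to this machine,
    # so name that user rather than reporting on the admin running the prompt.
    if ($UserName) {
        gpresult.exe /SCOPE USER /USER $UserName /H (Join-Path $OutDir 'user.html') /F
    }

    # Errors and warnings from the Group Policy engine, most recent first
    # (covers the last refresh, including preference items such as folder creation).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'
        Level   = 2, 3          # 2 = Error, 3 = Warning
    } -MaxEvents 25 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: refresh first so the reports reflect the current links, then collect.
gpupdate.exe /force | Out-Null
Get-GpReports -UserName 'DOMAIN\jdoe' | Format-List
```

Open computer.html and user.html separately: a GPO that is "applied" on the computer side but carries only user-side preference items (or the reverse) will show its folder item under the other report, which is the first thing to check when a linked GPO appears to do nothing.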
LVL 40

Expert Comment

ID: 39826168
What is the client OS version ?


Author Comment

ID: 39827268
Hello Mahesh

Thanks for responding. The OSs are Win 7, Vista and XP, all with the latest service packs applied; the server / AD OS is Win2k8 R2. I have now successfully fixed the issue on Win 7 and Vista, still not working on XP though. I need to test XP a bit further.
The possible fix on Win 7 and Vista was to apply selective targeting.

LVL 40

Accepted Solution

Mahesh earned 2000 total points
ID: 39827392
For XP you first need to install the CSE on the XP machines so that they can work with GP Preferences.
Download CSE for XP:

Even if you created the new folder in the user preferences of the GPO, it should work, as GP Preferences run under the system account.

Best Regards
