Solved

GPO's not always applying, or partially applying

Posted on 2014-03-28
Last Modified: 2014-04-29
So I've got a Windows Server 2008R2 and Server 2012R2 Active Directory domain.  3 domain controllers.

Most departments seem to get their Group Policies applied correctly.  A few don't seem to be.  The most obvious ones not working (randomly?) are shortcuts not getting applied to their desktops.

I've worked on this a lot, and tried a lot of things, so I'm taking several steps back and putting it out there for help!

I'm attaching a screenshot of a GP Results Report.  Will sure appreciate any and all help.  Also attaching some AD and OU layout information.

active directory layout
results wizard report
error from one of the clients event log
Question by:hutch_ks_itguy
32 Comments
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39962292
Right off the bat it looks like a permissions issue to me on the GPOs.  Can you check the security of the GPOs in question and make sure that the correct security settings are set?
0
 

Author Comment

by:hutch_ks_itguy
ID: 39962322
Well I thought that too, and as far as I can tell, they're OK.  Having said that, here is what I see..  Authenticated Users

security
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39962332
Deeper than just the security filtering, actually click on authenticated users and then click Properties to see what their rights are.

Also, check the membership of someone who isn't getting the GPO applied.  I had a situation once where the previous IT provider at one of our clients put several people in the domain admins group foolishly and I couldn't figure out why they weren't getting certain GPOs.  Check that.
0
 

Author Comment

by:hutch_ks_itguy
ID: 39962433
Odd, when I right click it, Properties is grayed out.  I can only Remove the group.

I then checked in ADUC, and searched for Authenticated Users.  Not sure how to find them!
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39962599
They are in the Users group.  Also, if the properties are grayed out for you, that means you don't have permission or something has happened to the GPO.  Do this, just recreate the GPO from scratch and reapply it.
0
 

Author Comment

by:hutch_ks_itguy
ID: 39962626
Well, is this maybe part of the issue?  Every one of the 25+ group policies has Authenticated Users, and I can't look at the properties on any of them.  Even a new one I just created.  

That's the default domain policy, I don't think I can (or should) just delete and recreate it...  even if they're all that way..  ?

I did try adding Domain Users and I'm able to hit Properties on that.

?
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39962636
Yeah, you must have local server admin rights rather than domain admin rights.

I'd talk to someone who can give you rights higher than yours and then report back.
0
 

Author Comment

by:hutch_ks_itguy
ID: 39962647
I am the only admin, and I'm using Domain admin account.. but I can try a lesser account, if that's what you're suggesting.  In fact, I just checked a domain controller for another of my domains, and it's the exact same way.  No Authenticated Users group anywhere in ADUC, and also can't click Properties on it in GPMC.

Anyone else have any ideas?
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39962651
No, don't use a lesser account.

The authenticated users simply implies domain users that are able to authenticate against DCs.  This is the correct group.  Can you click Remove on the authenticated users on the GPO in question?
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39962658
If you can, then you're ok on permissions, then we need to look at the workstations/users again.
0
 

Author Comment

by:hutch_ks_itguy
ID: 39962659
Yes.  I can remove it, and also able to add it back.  

Could it be Share Permissions, or Security rights on the SYSVOL share on one or more of my DC's?
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39962667
Try looking at this:

http://support.microsoft.com/kb/2866345

And from another post:

Possible reasons for "the following GPOs were not applied because they were filtered out":
You always have to address the GPO to the correct type of objects. In other words: A GPO containing user settings has to be linked to an OU that contains user objects and vice versa. If your OU to which the GPO is linked does not contain the correct objects, the configuration settings will not take effect and gpresult will list it as "filtered out(empty)".

From that first link, sometimes the SYSVOL and AD versions of Group Policy can be off, if that's the case you will see users who get their GPO from one DC have the settings applied and users who get from another won't have it.
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39962685
"Could it be Share Permissions, or Security rights on the SYSVOL share on one or more of my DC's?"

Highly unlikely.

Do you have WMI filtering on at all too?  If so, let me know.
0
 

Author Comment

by:hutch_ks_itguy
ID: 39962719
I'm not sure how any of that relates to my situation..  the screenshot I posted doesn't show any AD / SYSVOL mismatches.

Also not using any WMI filters anywhere.
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39962736
"the screenshot I posted doesn't show any AD / SYSVOL mismatches."
You need to make sure of this.  Do you know how?

You basically go into the GPO and click on the Details tab.  It should look like this and both versions need to be the same.

adsysvolversions
If there is a mismatch then this will cause the intermittent users getting it and others not getting issue you are describing.
0
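The AD/SYSVOL version comparison described in the comment above, run for every GPO against every domain controller instead of one GPO at a time in GPMC. This is an added example, not part of the original thread; it assumes PowerShell 3.0 or later, the RSAT ActiveDirectory and GroupPolicy modules, and an account that can read GPOs on each DC.

```powershell
# Added example: collect the AD (DS) and SYSVOL version numbers of every GPO
# as reported by each domain controller, then flag disagreements.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    try {
        $gpos = Get-GPO -All -Server $dc -ErrorAction Stop
    } catch {
        Write-Warning "Could not read GPOs from ${dc}: $($_.Exception.Message)"
        continue
    }
    foreach ($gpo in $gpos) {
        [pscustomobject]@{
            DC             = $dc
            GPO            = $gpo.DisplayName
            UserAD         = $gpo.User.DSVersion
            UserSysvol     = $gpo.User.SysvolVersion
            ComputerAD     = $gpo.Computer.DSVersion
            ComputerSysvol = $gpo.Computer.SysvolVersion
        }
    }
}

# 1. GPOs whose AD and SYSVOL versions disagree on a single DC
$report | Where-Object {
    $_.UserAD -ne $_.UserSysvol -or $_.ComputerAD -ne $_.ComputerSysvol
} | Format-Table -AutoSize

# 2. GPOs whose version numbers differ between DCs (replication lag or failure)
$report | Group-Object GPO | Where-Object {
    ($_.Group |
        Select-Object UserAD, UserSysvol, ComputerAD, ComputerSysvol -Unique |
        Measure-Object).Count -gt 1
} | ForEach-Object { $_.Group } | Sort-Object GPO, DC | Format-Table -AutoSize
```

Empty output from both checks means the versions agree everywhere; a GPO edited a few minutes earlier can appear in the second list until replication completes.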
 

Author Comment

by:hutch_ks_itguy
ID: 39962757
Here is how this GPO details looks

?

ad sysvol
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39962804
Give this a look:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/2ed4b008-954a-4fb6-b90f-d8b2d70b188f/group-policy-shortcuts

Specifically the part where the guy talks about the shortcut residing on a mapped drive vs a UNC path.
0
 

Author Comment

by:hutch_ks_itguy
ID: 39962821
Not using any mapped drives.

Brad, I appreciate your help but so far I've been down all of these paths...  no disrespect but anyone else have a different angle?
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39962847
Understood.  The fact of the matter is though, that your GPO is applying to some people so it's working, it's not the GPO, but something by way of inheritance, security settings, user vs computer config, etc. that is the problem.

Try setting the security filtering to everyone, instead of authenticated users.
0
 

Author Comment

by:hutch_ks_itguy
ID: 39978065
Anyone?  This thread has gotten pretty long, maybe better for me to delete and repost in a different section?
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39978295
"Anyone?  This thread has gotten pretty long, maybe better for me to delete and repost in a different section?"

Maybe try asking the administrators to reach out to some of the Topic Advisors or other Experts rather than re-creating your post.
0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 40011384
Enable GPO debug logging on an affected client and attach the log files here

http://social.technet.microsoft.com/wiki/contents/articles/4506.group-policy-debug-log-settings.aspx

All clients with Problems are running Windows XP?
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40011479
Is replication healthy? Run dcdiag against all of your domain controllers.
0
 
LVL 76

Expert Comment

by:arnold
ID: 40011565
Use GPMC to run the group policy results wizard. There you can see the settings set and the controlling GPO.

You can use per computer and per user to see what if any deviation occurs.
0
 
LVL 7

Expert Comment

by:D_Vante
ID: 40012546
When you come across a user who did not receive these shortcuts via GPO, can you have them log off and log back on (not reboot) to see if they get these shortcuts?
0
 

Author Comment

by:hutch_ks_itguy
ID: 40012597
Sorry am out of the office today, but I will sure get on this tomorrow when I return. I sure appreciate the new responses!
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 40012923
Another simple thing to check would be the OS's of the workstations.  Are all your workstations Windows 7 or above?  If not, are the GPOs failing on the XP workstations?  XP needs to have SP3 and also the Group Policy Extensions installed in order to process some of the Windows 2008 or later group policies.

You could also try resetting the workstation domain account to be sure there isn't a trust issue between the workstation and your domain controllers.

Also look at the user accounts - if a user logs on to a different workstation, does he/she get the correct group policies?  If so, you can eliminate the idea that there is a permissions issue with the Authenticated Users group (which is unlikely but worth confirming).
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 40012987
Also, it appears that you have a group policy that is setting the DNS servers for the workstations.  This is really not such a good idea.  The DNS servers need to be set either statically or through DHCP, so that they are present before the workstations start to process group policies. I'm not even sure how this is working, unless you also have static DNS settings, since the workstations need to be in contact with a  DNS server to contact a DC and be authenticated on the domain.
0
 

Accepted Solution

by:
hutch_ks_itguy earned 0 total points
ID: 40021217
Thanks to all who posted..  but I found the issue, workstations weren't pointed to the proper DNS servers, after we had changed around some domain controllers and replaced them.  I did in fact have a group policy that was assigning DNS servers, which I've since removed.  We manually had to touch the machines to accomplish this.

Sorry I'd been out of the office with a family issue and hadn't been able to get this thread updated and closed.
0
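A way to find the condition described in the accepted solution, workstations still pointing at DNS servers that are no longer domain controllers, without visiting each machine first. This is an added example, not part of the original thread; it assumes Windows PowerShell with the RSAT ActiveDirectory module, remote WMI access to the clients, that every DC also runs DNS, and a placeholder OU path.

```powershell
# Added example: report workstations whose DNS client settings include servers
# that are not current domain controllers. Uses WMI so it also covers
# Windows 7 and XP clients.
Import-Module ActiveDirectory

# Assumption: every DC also runs DNS, so DC addresses are the only valid resolvers.
$validDns = @(Get-ADDomainController -Filter * |
    Select-Object -ExpandProperty IPv4Address)

# Placeholder DN: replace with the OU that holds your workstations.
$searchBase = 'OU=Workstations,DC=example,DC=local'
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $searchBase |
    Where-Object { $_.DNSHostName } | Select-Object -ExpandProperty DNSHostName

$results = foreach ($name in $computers) {
    try {
        $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
            -ComputerName $name -Filter 'IPEnabled = TRUE' -ErrorAction Stop
    } catch {
        # Offline, firewalled, or the name did not resolve
        [pscustomobject]@{ Computer = $name; Configured = ''; Stale = ''; Status = 'Unreachable' }
        continue
    }
    foreach ($nic in $nics) {
        # DNSServerSearchOrder is null when the adapter has no DNS servers set
        $configured = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        $stale      = @($configured | Where-Object { $validDns -notcontains $_ })

        $status = 'OK'
        if ($configured.Count -eq 0) { $status = 'NoDnsConfigured' }
        elseif ($stale.Count -gt 0)  { $status = 'StaleDns' }

        [pscustomobject]@{
            Computer   = $name
            Configured = $configured -join ', '
            Stale      = $stale -join ', '
            Status     = $status
        }
    }
}

$results | Where-Object { $_.Status -ne 'OK' } |
    Sort-Object Status, Computer | Format-Table -AutoSize
```

Machines listed as `Unreachable` may be the worst affected, since a client with broken DNS often cannot be reached by name either; check those by IP address or in person.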
 

Author Closing Comment

by:hutch_ks_itguy
ID: 40029069
Found the issue, closing it.  Thanks for those that had posted trying to help!
0
