Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 295
  • Last Modified:

Group Policy is not linked or enabled but user PCs get that policy

Hello all,
There is one group policy in my organization. It is not linked to any OU, Site, or Domain but Users ' PC get applied that group policy. I have no idea. Please hint me some ideas.
Thanks,

gp1.jpg
gp2.jpg
0
dongocdung
Asked:
dongocdung
  • 18
  • 14
  • 5
  • +2
1 Solution
 
Jack LloydTechnical Services AnalystCommented:
Is there a reason it's their twice? Has that group policy been copied from an existing policy and then not reconfigured properly?

I'd suggest making a note of all the settings in the working policy you want, making a new GPO with them in and deleting anything existing called "IE Auto Script setting for google web proxy" in Group Policy objects at the bottom of the GPMC tree. You'll then need to make sure they're all properly linked again.

Jack
0
 
dongocdungAuthor Commented:
I have no idea why it is there twice. There is no duplicate group policy in Group Policy console. Do you mean that I copy the grou policy "IE Auto Script setting for google web proxy" and make a new one? I am not sure I get your point. thanks,
0
 
dan_blagutCommented:
Helo,

did you had a gpupdate /force on the target computer after you change the GPO?
Are you sure that your replication is OK in the domain?
Dan
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
dongocdungAuthor Commented:
I checked and checked the GP console again.  Then, I tried to select the Entire forest in "Display link in this location" and I saw the group policy linked to these sites.

s
0
 
arnoldCommented:
Look at \\domainame\sysvol as was suggested! you may have conflicting references.
Certain policies could be cached on the client computers and if not removed correctly might still be applying.

One option trying the update force route.

Using GPMC to run a policy results wizard could identify the setting emanating from a different GPO/GPP.
0
 
yo_beeDirector of ITCommented:
Have you looked at the Group Policy Object Folder in GPMC and see what or if the GPO you have in question is linked to a OU.  
GPMC > Group Policy Object >  Click on the GPO in question and look at the Scope Tab.  See if the item is linked to OU.
0
 
dan_blagutCommented:
The GPO can be linked to OU and to Sites. So if you don't want that this GPO came to your PC remove the link  from the sites.

Dan
0
 
dongocdungAuthor Commented:
The New York site has three branches including Roschester, Buffalo and Utica. I only want to remove this group policy from Roschester in New York. However, I don't see these branches in Group Policy console. I don't want to remove thes group policy from Buffalo and Utica branches in New York. Thanks,
0
 
dan_blagutCommented:
In the GPO console you have a "SItes" link. Rigth click and select "show sites"
0
 
dongocdungAuthor Commented:
This group policy linked to SITE including New York site. I want to block this group policy from Roschester OU in domain. How do I do it? Please see the screenshot.
Thanks

d
0
 
dongocdungAuthor Commented:
I set "Enforce" for other group policies and set "Block Inheritance" for Roschester OU. I hope it will block this group policy "IE Auto Script setting for google web proxy"
0
 
dan_blagutCommented:
You have all this at domain level? And all enforced - why?
And the GPO IE Auto Script setting for google web proxy is not linked there.
Anyway a GPO can comme from:
-user account (if not in the default user OU)
-computer account (if not in the default computer OU)
-site

So find how The GPO is applyed to you.
You can use block GPO inheritance, but I prefferd that you don't use that.

Dan
0
 
dan_blagutCommented:
carrefoul: Block is for all upper GPO object....
0
 
yo_beeDirector of ITCommented:
Here is a illustration I put together that was to help explain GPO processing to some else. Maybe this will help you.

Img1
0
 
dongocdungAuthor Commented:
That group policy is linked to Sites not OU. So, users and computers under OU get inherited this group policy. I don't want Roschester OU to have this policy. That is why I set "block inheritance" in this OU.
0
 
dongocdungAuthor Commented:
I am thinking to create a new group policy which has all settings are opposite with the current one. Then, link it to Roschester OU but I am not sure it works properly.
0
 
yo_beeDirector of ITCommented:
I would test by blocking inheritance on that desired OU.
where do the Users account reside for each location?
If it worked properly there should be no Domain GPO applied.
If you see any then the user object is not in the proper OU
0
 
arnoldCommented:
You should check with the top level AD admin whether this policy is necessary to be pushed to all OUs.

Higher ups may have a specific reason they are pushing this GPO through out.  It could also be an oversight and if raised, could resolve yours and possibly others issue with regard to this and possible other.
0
 
dongocdungAuthor Commented:
I would like to remove the setting in IE "Use Automatic configuration Script". I configured another GPO and uncheck "Automatic detect configuration settings" and not configured "Automatic Browser Configuration" but I still see the proxy .pac file there.

Please take a look at the screenshots below.

a
bAM.jpg
0
 
yo_beeDirector of ITCommented:
The Loopback setting GPO needs to be placed in the OU where the computer resides.
Is that the case here?
If not then this setting will never apply to a computer a user you are targeting is on.
0
 
dongocdungAuthor Commented:
I applied the loopback already
0
 
yo_beeDirector of ITCommented:
I understand that, but I want to make sure that if GPO w/ Loopback is being applied to the proper OU that contains the computer.
If you Have a GPO linked to a lower level OU or a Blocked inheritance OU then your setting will never apply to the user.

Can you post a screenshot of your entire GPMC and all the linked GPO exposed.
If you are concerned about privacy then please message it to me.
I will send you my personal e-mail address so it is not a public advertisement.
0
 
dongocdungAuthor Commented:
here they are

d
e
Thanks,
0
 
yo_beeDirector of ITCommented:
I see that you are enforcing every GPO.
Is there a reason for this?  If you have a GPO that has a setting prior to apply the No Proxy setting the original setting takes precedence.

I would create an Isolated OU and apply the GPO without enforcement and see if it applies.

I think your Enforcements might be the cause.
0
 
dongocdungAuthor Commented:
I just linked this group policy "No Proxy" to only IT OU and removed the without enforcement but it still did not work. I still cannot remove the check on "Use Automatic configuration script". I wonder why that box is checked and the .pac file is there already. Did another GPO still linked to our domain? Please take a look at the screenshot for details. Thanks

da
dd
0
 
yo_beeDirector of ITCommented:
But I do not see Blocked Inheritance enabled.
So the enforce GPO take precedence over any GPO's

To test this properly you need to Isolate the OU by blocking any other GPO's from applying.

Note: I would put both the user and computer in this OU so you do not have any possibility of other GPO's applying.
0
 
dongocdungAuthor Commented:
other GPOs have the setting "Enforce". they still apply to any OUs even I block inheritance. It still did not work when I linked only "No proxy" GPO on Computers OU
0
 
yo_beeDirector of ITCommented:
And you have both the User and Computer in that OU?
0
 
dongocdungAuthor Commented:
I applied the "No Proxy" GPO to PCs OU only with "Merge" loopback. This time, I changed the setting "Automatically detect configuration settings" to Enabled nothing for "Automatic Browser Configuration". However, i check i IE, it still did not work. it means the group policy "No Proxy" still did not apply to PCs OU.

1
 333
0
 
yo_beeDirector of ITCommented:
But I still do not see Blocked inheritance enable for that OU.
I do understand that you are using LOOPBACK, but you need to move both User and Computer Objects that you are testing with into the OU that has those policies.
This along with Block inheritance will at least isolate any outside source (GPO) interfering or stepping on the setting you are trying to validate.
0
 
dongocdungAuthor Commented:
I created a test OU under IT and placed my account and my computer into that OU. I linked the GPO "No Proxy" into that OU and set "Block Inheritance" but it still did not work.  i checked it and see this group policy applied to my user and computer but did not work.

ee
 fgf
0
 
yo_beeDirector of ITCommented:
Your report shows a lot more than one GPO being applied for a OU that has only one GPO linked to it.

http://technet.microsoft.com/en-us/library/cc731076.aspx

GPO links that are enforced cannot be blocked from the parent container

I am going to assume that there is an enforced setting that is taking precedence as stated prior.

I never recommend enabling enforce on any GPO unless it is 100% mandatory for all items in your domain under the parent OU that has the linked GPO.

For the best control you want to use SCOPE, WMI  and proper OU structure for your environment.
0
 
dongocdungAuthor Commented:
I did mention above that I cannot block other group policies because of enforcement.
0
 
yo_beeDirector of ITCommented:
I am going to assume that there is an enforced setting that is taking precedence as stated prior.

 I never recommend enabling enforce on any GPO unless it is 100% mandatory for all items in your domain under the parent OU that has the linked GPO.

 For the best control you want to use SCOPE, WMI  and proper OU structure for your environment.

See if you can remove the enforcement.
0
 
dongocdungAuthor Commented:
I am confused. The other group policies do not relate anything to the GPO "No Proxy". Do you think removing "Enforce" setting of the other GPOs make this "No Proxy" work?
0
 
yo_beeDirector of ITCommented:
I am just saying there might be a setting you are unaware of in one of the Enforced GPO that is taking precedence over the setting you are looking to apply.

This is all speculation and that is why I asked if you could completely isolate your test objects so no other GPO apply at all.

If you do that and it still does not work you might be dealing with something else that is causing the setting not to apply.

For best practices  I would not enforce any GPO at all unless 100% needed to achieve  your desired results.
0
 
dongocdungAuthor Commented:
I just removed all GPOs ' enforcement. Let 's see what happens. Thanks,
0
 
yo_beeDirector of ITCommented:
Good luck.
0
 
dongocdungAuthor Commented:
I found out that proxy settings were configured using desktop authority. That is why I could not remove them using Group Policy. I asked my co-worker to remove that setting from desktop authority and then it works. Thanks,
0
 
yo_beeDirector of ITCommented:
Glad it worked.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 18
  • 14
  • 5
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now