GPO not applying to all systems

I have setup a gpo to apply to system that in a group. I set this group in the gpo filtering, so any system in the group will get the gpo.

I see some systems got the gpo without a reboot, but most are not getting the gpo, even after setting the gpo 20hrs ago.

I have set the gpo to be applied to an OU that has all the other OU's off of that and the gpo is replicated to all the dc's.

Any thoughts how I can fix this?
Who is Participating?
Restart the clients not getting the policy. What settings are contained within the GPO?

I would do this to see if the GPO or the machines are at fault. Remove the link of the GPO from the OU its applying to right now, Create a Test OU, Put the clients not getting the policy into that OU, once in the OU then remove the security group you have applied via Security Filtering and then put the authenticated users back in. If then the clients receive the policy then we can troubleshoot futher.
So to clarify,

You have a GPO setup, this GPOs Security Filtering has been amended from Authenticated Users to Security Group which has computers in it? That GPO is then applied to the OU which has those Computers within it?

Could you maybe share a screenshot of the GPO Scope Tab, Where the GPO is applying to aswell?

Try running a GPResult on the clients that are meant to be receiving the policy to see if they are. Also ensure the machines that need to receive the policy are in the Security Group as you specified within the Security Filtering and also within the OU where the GPO is applied.
rdefinoAuthor Commented:
This is all correct. I have applied the gpo to an OU that has multiple OUs under it, so they should get the gpo through inheritance. Non of these OU have "blocked inheritance" enabled.

I have run gpresult on some of the workstations and the gpo is not shown in the list of applied gpos.

Now, these systems should get this gpo applied without a reboot, correct?
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Providing the required machines are in the Pilot-banner-login-remove Security Group.

Try running a GPUpdate /force on the machines not getting the policy. Although it sounds strange how they haven't receive the policy already the GP Refresh should have enabled them to receive the new policy/policies.

i'm also assuming the GPO is link enabled? the setting your trying to apply i'm guessing its a computer configuration correct?
rdefinoAuthor Commented:
I did run gpupdate ./force on a system and it's not getting the GPO.

GPO is link enabled and it is a computer configuration.
Will SzymkowskiSenior Solution ArchitectCommented:
Is this in fact a computer policy? And do you have the correct computers in the Group you are using for Security Filtering? If not then that would be the reason why it is not applying.

Also do the OU's beneath the OU (where you applied this policy) have any other policies applied to them which could possibly be blocking them from being applied?

If you run rsop.msc on the machine that is not getting the policies, right click on Computer Config and check the policies that are being applied. If you have the correct Computers in the Security Filtering the policy should be listed there. If not you will see that it was filtered out during policy processing.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.