Some users getting group policy, some are not when connected to another domain controller

Hi Experts,

I have created a print queue and "deployed with group policy".

When connected to one domain controller some computers get the policy and the printer, everything works ok. But, users who are not getting the printer gpo are attached to another domain controller.

echo %logonserver% shows consistently one domain controller for users who are not getting the policy. When updating the policy I force replication successfully, no errors.

Any ideas why some users are not getting the policy?


Does gpresult /R (run with elevated prompt) show it as being applied?

Will Szymkowski, Senior Solution Architect, commented:
Unless your DCs are not replicating properly then it should not matter what DC is the logon server. I would run the below commands to ensure replication is working.

repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads
DCDiag /v

If replication is working (which I would suspect it is) then you need to check where you have linked the GPO to and also what group/users you have in the Security Filtering section.

This is a more probable case, when working with GPOs.

Also, how long are you waiting before trying and are you running gpupdate /force on the computers that are NOT getting the policy?

WAMSINC (Author) commented:
So gpresult /r shows the policy is not there at all. After adding the policy this morning at 5 am, I forced replication, and went on site at around 830 am. I tested this on my PC and it worked ok immediately after gpupdate /force.

We have about 100 printers and everything is set up the same: each department's group of computers is put in an OU, and the policy is linked. The only thing I have noticed is that computers that have connected to one DC are not getting the policy.

Will Szymkowski, Senior Solution Architect, commented:
Have you checked replication between your DCs as I have stated in my first comment?

Also double check where you are targeting your GPO Links. And also what are you using for Security Filtering, Authenticated Users?

Is this a Computer or User Policy?

WAMSINC (Author) commented:
Working on that now. The first one, repadmin /replsum, is taking a long time and is still running. I will update you ASAP.

This is a computer policy, and under scope, authenticated users is listed in security filtering.

WAMSINC (Author) commented:
Message sent.

It sounds like it's not replicating to one of the DCs, are accounts replicating ok? Can you check GPO via the one DC then log on the other and check it there for the same GPO? Any errors in the logs on either DC?

Will Szymkowski, Senior Solution Architect, commented:
What I would do is create a Testing OU, add a machine to it, link the GPO and see if it works. Then start looking at the other machines in the other OUs.

Another thing you can do is RSOP.msc from the machine locally or you can also do this from the ADUC console. This will tell you where policies are being applied.

Can you provide a screenshot of the machine/policies that are applied and the RSOP.msc screenshot of the data as well?


WAMSINC (Author) commented:
We already tested on the test OU and it worked ok. I will try the other suggestions in the morning.

WAMSINC (Author) commented:
We narrowed this down to one server and decommissioned it to resolve.
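
Added example, not part of the original thread or any participant's post: a PowerShell check along the lines of the per-DC comparison suggested above, reading one GPO's version counters from every domain controller so that a DC holding a stale or missing copy stands out. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the GPO name 'Printer Deployment' is a placeholder, not a name from the thread.

```powershell
# Added example: compare one GPO's version counters as reported by each DC.
# Assumption: run from a domain-joined admin workstation with RSAT installed.
param(
    # Placeholder GPO display name; replace with the real one.
    [string]$GpoName = 'Printer Deployment'
)

Import-Module ActiveDirectory, GroupPolicy

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [pscustomobject]@{
        DC             = $dc.HostName
        Found          = $false
        ComputerAD     = $null   # version stored in the directory object
        ComputerSysvol = $null   # version stored in gpt.ini under SYSVOL
        Modified       = $null
        Status         = ''
    }
    try {
        # -Server makes the query go to this specific DC
        $gpo = Get-GPO -Name $GpoName -Server $dc.HostName -ErrorAction Stop
        $row.Found          = $true
        $row.ComputerAD     = $gpo.Computer.DSVersion
        $row.ComputerSysvol = $gpo.Computer.SysvolVersion
        $row.Modified       = $gpo.ModificationTime
    } catch {
        # GPO absent on this DC, or the DC could not be reached
        $row.Status = "Not readable: $($_.Exception.Message)"
    }
    $row
}

# The thread's GPO is a computer policy, so the computer-side version is compared.
$latest = ($results | Where-Object Found |
    Measure-Object -Property ComputerAD -Maximum).Maximum

foreach ($row in $results | Where-Object Found) {
    $row.Status =
        if ($row.ComputerAD -ne $row.ComputerSysvol) { 'AD/SYSVOL version mismatch' }
        elseif ($row.ComputerAD -lt $latest)         { 'Stale copy (behind other DCs)' }
        else                                         { 'OK' }
}

$results | Sort-Object DC |
    Format-Table DC, ComputerAD, ComputerSysvol, Modified, Status -AutoSize
```

A DC that reports a lower version than its peers, or whose directory and SYSVOL versions differ, is the one to examine with the repadmin and DCDiag commands listed earlier in the thread.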