benlloydtt

asked on

'Missing' GPOs

Hi

Our GPOs seem to be frozen in time.

What I mean by that is, if I change an existing GPO the changes don't apply to the affected users/PCs, and if I create a new one it doesn't even show up in the results from GPRESULT.

Yesterday I created a test GPO and applied it to a test OU which contains a test account as well as my own day-to-day account. When I run GPResult against either account the GPO doesn't show up at all. GPUpdate /force makes no difference.

However, if I run GP Modeling the new GPO does show up (albeit as Empty, which I'd expect because, you know, it's empty!), but not when I run the GP Results wizard.

Note also that some GPOs that have been in existence, and working, for years are not showing in the output from GPResult (but yes, they do still exist in the GP Management MMC).

We have no known replication issues (Spotlight on AD, and MS SCOM). It's like only a subset of GPOs are being 'delivered' to client accounts (User or Computer).

There are no processing errors in the client PCs' event viewer.

Can anyone advise what might be going on here?
Mark Bill

Can you run DCDIAG on the primary domain controller please.

Please post any errors/failures. Or the whole DCDIAG.
benlloydtt

ASKER

Thanks for the response. There is one error, but this article https://support.microsoft.com/en-us/kb/967482?wa=wsignin1.0 states the error can be disregarded as we don't have Read Only DCs.

Anyway, here's the full output:
C:\>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC02
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: London\DC02
      Starting test: Connectivity
         ......................... DC02 passed test Connectivity

Doing primary tests

   Testing server: London\DC02
      Starting test: Advertising
         ......................... DC02 passed test Advertising
      Starting test: FrsEvent
         ......................... DC02 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC02 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC02 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC02 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC02 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC02 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=<domain>,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=<domain>,DC=com
         ......................... DC02 failed test NCSecDesc
      Starting test: NetLogons
         ......................... DC02 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC02 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC02 passed test Replications
      Starting test: RidManager
         ......................... DC02 passed test RidManager
      Starting test: Services
         ......................... DC02 passed test Services
      Starting test: SystemLog
         ......................... DC02 passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC02 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : <domain>
      Starting test: CheckSDRefDom
         ......................... <domain> passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... <domain> passed test CrossRefValidation

   Running enterprise tests on : <domain>.com
      Starting test: LocatorCheck
         ......................... <domain>.com passed test LocatorCheck
      Starting test: Intersite
         ......................... <domain>.com passed test Intersite

Yes, I'd disregard that error, as the article says, under those conditions.

How many domain controllers have you got? version of OS?
What is the domain functional level? and the forest functional level?
Servers are 2008 R2 Standard (not Enterprise as I'd previously erroneously stated), except for the DC in Hong Kong which is 2012 R2 Standard.

Two DCs in this site (London), one at each of our other three sites (one just outside of London, one in Hong Kong, and one in New York), so a total of five.

Domain and Forest Functional level is 2003
Is there any reason why the Domain and Forest Functional Levels are not 2008 R2?

Which DC hosts all roles? DC02, right? Can you create a GPO on this one even?

If not I would raise the functional and forest levels at a convenient time for you to do so and with the relevant backups taken.
We've just not done it yet, mainly because we've had no NEED to. We have Exchange 2013 coming along later this year, but even that only needs a functional level of 2003.

Yes, DC02 is the FSMO role holder, and I can create GPOs there, but they don't show up at the target computer/user.
A little addendum: I realised I'd made an assumption about Computer GPOs, so tested the same, and found that a GPO applied to a computers OU DOES show up in the Computer Configuration settings section of GPRESULT...but oddly, also shows up in the user's User Configuration settings section!
Some policies only work when applied to a user or a computer. For example, user configuration policies apply to user accounts and computer configuration policies apply to computer accounts.

You need to create a group policy object in group policy management and apply that in group policy management to the correct OU containing the users or computers or at a higher level.
You stated that you do not have any replication issues? If you run the following commands do they all come back clean?

repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads
netdom query fsmo
netdom query dc

Also, when you create a GPO on say "DC02", does this GPO get replicated to the Sysvol folder on DC01? It is possible that GPOs are just not replicating between each other and the Sysvol share is inaccurate.

Another thought is that the GPO you are applying to does not have correct security filtering applied. This is another thing to check.

Will.
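The SYSVOL check Will describes above (does a GPO created on DC02 exist, at the same version, in every DC's SYSVOL?) can be automated. This is an added example, not code from the thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules on the admin box, and that every DC's SYSVOL share is reachable.

```powershell
# Added example: compare each GPO's AD (DS) version with the gpt.ini version
# on every DC's SYSVOL share. A GPO that exists in AD but has no SYSVOL folder,
# or a different version, on some DC has not replicated there.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain = (Get-ADDomain).DNSRoot                              # e.g. <domain>.com
$DCs    = (Get-ADDomainController -Filter *).HostName         # DC01, DC02, ...

function Get-SysvolGpoVersion {
    param([string]$Dc, [string]$Domain, [guid]$GpoId)
    $path = "\\$Dc\SYSVOL\$Domain\Policies\{$GpoId}\gpt.ini"
    if (-not (Test-Path $path)) { return $null }                # never replicated here
    $line = Get-Content $path | Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
    if ($line -notmatch '^Version=(\d+)$') { return $null }
    $v = [long]$Matches[1]
    # gpt.ini stores one number: high 16 bits = user version, low 16 bits = computer version
    [pscustomobject]@{ User = [math]::Floor($v / 65536); Computer = $v % 65536 }
}

$report = foreach ($gpo in Get-GPO -All -Server $DCs[0]) {
    foreach ($dc in $DCs) {
        $ad = Get-GPO -Guid $gpo.Id -Server $dc -ErrorAction SilentlyContinue
        $sv = Get-SysvolGpoVersion -Dc $dc -Domain $Domain -GpoId $gpo.Id
        $status = if (-not $ad) { 'MISSING in AD' }
                  elseif (-not $sv) { 'MISSING in SYSVOL' }
                  elseif ($ad.User.DSVersion -ne $sv.User -or
                          $ad.Computer.DSVersion -ne $sv.Computer) { 'VERSION MISMATCH' }
                  else { 'ok' }
        [pscustomobject]@{
            GPO = $gpo.DisplayName; DC = $dc; Status = $status
            AdUser = $ad.User.DSVersion;     SysvolUser = $sv.User
            AdComputer = $ad.Computer.DSVersion; SysvolComputer = $sv.Computer
        }
    }
}

# Only the problem rows; an empty result means AD and SYSVOL agree on every DC.
$report | Where-Object { $_.Status -ne 'ok' } | Format-Table -AutoSize
```

Run it from a workstation with RSAT; a GPO listed as MISSING in SYSVOL on the DC a client is using is one the client can never apply, which also fits it not appearing in GPRESULT at all.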
@Mark Bill - I understand all that, but there's a difference between a GPO not applying because it contains Computer Configuration settings but has been linked to a Users OU, and it not appearing at all in the output from GPRESULT.

If a Computer Configuration GPO has been linked to a Users OU then the GPRESULT output for that user would show it like this:

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    Test PC Config Group Policy
        Filtering:  Not Applied (Empty)


The problem I've got is that a USER Configuration GPO that has been applied to a USERS OU is not showing up AT ALL in the GPRESULT output for the user.
@Will Szymkowski

No errors in the output from all those commands. All looks lovely and clean.

As per my update to Mark Bill, if the problem was with the Security Filtering then I'd still expect to see the GPO listed like this in the GPRESULT output:

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    DOM CONFIG Password ScreenSaver (v5)
        Filtering:  Denied (Security)


But many of the GPOs just aren't being listed at all...
ASKER CERTIFIED SOLUTION
benlloydtt

Glad that you found your answer.

Will.
I'm accepting my own comment as the solution because it's the right answer.