'Missing' GPOs

Hi

Our GPOs seem to be frozen in time.

What I mean by that is, if I change an existing GPO the changes don't apply to the affected users/PCs, and if I create a new one it doesn't even show up in the results from GPRESULT.

Yesterday I created a test GPO and applied it to a test OU which contains a test account as well as my own day-to-day account. When I run GPResult against either account the GPO doesn't show up at all. GPUpdate /force makes no difference.

However, if I run GP Modeling the new GPO does show up (albeit as Empty, which I'd expect because, you know, it's empty!), but not when I run the GP Results wizard.

Note also that some GPOs that have been in existence, and working, for years are not showing in the output from GPResult (but yes, they do still exist in the GP Management MMC).

We have no known replication issues (Spotlight on AD, and MS SCOM). It's like only a subset of GPOs are being 'delivered' to client accounts (User or Computer).

There are no processing errors in the client PCs' event viewer.

Can anyone advise what might be going on here?
benlloydtt Asked:

Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) Commented:
Can you run DCDIAG on the primary domain controller please.

Please post any errors/failures. Or the whole DCDIAG.
benlloydtt (Author) Commented:
Thanks for the response. There is one error, but this article https://support.microsoft.com/en-us/kb/967482?wa=wsignin1.0 states the error can be disregarded as we don't have Read Only DCs.

Anyway, here's the full output:
C:\>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC02
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: London\DC02
      Starting test: Connectivity
         ......................... DC02 passed test Connectivity

Doing primary tests

   Testing server: London\DC02
      Starting test: Advertising
         ......................... DC02 passed test Advertising
      Starting test: FrsEvent
         ......................... DC02 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC02 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC02 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC02 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC02 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC02 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=<domain>,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=<domain>,DC=com
         ......................... DC02 failed test NCSecDesc
      Starting test: NetLogons
         ......................... DC02 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC02 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC02 passed test Replications
      Starting test: RidManager
         ......................... DC02 passed test RidManager
      Starting test: Services
         ......................... DC02 passed test Services
      Starting test: SystemLog
         ......................... DC02 passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC02 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : <domain>
      Starting test: CheckSDRefDom
         ......................... <domain> passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... <domain> passed test CrossRefValidation

   Running enterprise tests on : <domain>.com
      Starting test: LocatorCheck
         ......................... <domain>.com passed test LocatorCheck
      Starting test: Intersite
         ......................... <domain>.com passed test Intersite


Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) Commented:
Yes, I'd disregard that error, as the article says, in those conditions.

How many domain controllers have you got? Which version of the OS?
What is the domain functional level, and the forest functional level?

benlloydtt (Author) Commented:
Servers are 2008 R2 Standard (not Enterprise as I'd previously erroneously stated), except for the DC in Hong Kong which is 2012 R2 Standard.

Two DCs in this site (London), one at each of our other three sites (one just outside of London, one in Hong Kong, and one in New York), so a total of five.

Domain and Forest Functional level is 2003
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) Commented:
Is there any reason why the Domain and Forest Functional Level is not 2008 R2?

Which DC hosts all roles? DC02, right? Can you even create a GPO on this one?

If not I would raise the functional and forest levels at a convenient time for you to do so and with the relevant backups taken.
benlloydtt (Author) Commented:
We've just not done it yet, mainly because we haven't NEEDED to. We have Exchange 2013 coming along later this year, but even that only needs a functional level of 2003.

Yes, DC02 is the FSMO role holder, and I can create GPOs there, but they don't show up at the target computer/user.
benlloydtt (Author) Commented:
A little addendum: I realised I'd made an assumption about Computer GPOs, so tested the same, and found that a GPO applied to a computers OU DOES show up in the Computer Configuration settings section of GPRESULT...but oddly, also shows up in the user's User Configuration settings section!
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) Commented:
Some policies only work when applied to a user or a computer. For example, user configuration policies apply to user accounts and computer configuration policies apply to computer accounts.

You need to create a group policy object in group policy management and apply that in group policy management to the correct OU containing the users or computers or at a higher level.
Will Szymkowski (Senior Solution Architect) Commented:
You stated that you do not have any replication issues? If you run the following commands do they all come back clean?

repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads
netdom query fsmo
netdom query dc

Also, when you create a GPO on, say, "DC02", does this GPO get replicated to the Sysvol folder on DC01? It is possible that GPOs are just not replicating between each other and the Sysvol share is inaccurate.

Another thought is that the GPO you are applying to does not have correct security filtering applied. This is another thing to check.

Will.
benlloydtt (Author) Commented:
@Mark Bill - I understand all that, but there's a difference between a GPO not applying because it contains Computer Configuration settings but has been linked to a Users OU, and it not appearing at all in the output from GPRESULT.

If a Computer Configuration GPO has been linked to a Users OU then the GPRESULT output for that user would show it like this:

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    Test PC Config Group Policy
        Filtering:  Not Applied (Empty)



The problem I've got is that a USER Configuration GPO that has been applied to a USERS OU is not showing up AT ALL in the GPRESULT output for the user.
benlloydtt (Author) Commented:
@Will Szymkowski

No errors in the output from all those commands. All looks lovely and clean.

As per my update to Mark Bill, if the problem was with the Security Filtering then I'd still expect to see the GPO listed like this in the GPRESULT output:

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    DOM CONFIG Password ScreenSaver (v5)
        Filtering:  Denied (Security)


But many of the GPOs just aren't being listed at all...
benlloydtt (Author) Commented:
Well, it was loopback processing causing great confusion. I had to create a new OU and put a PC and user account in it, then apply GPOs one-by-one until it 'broke' in the same way. Thankfully it didn't take long before I found the GPO causing the blockage, and that had Loopback Processing configured to Replace. I switched that to 'Merge' and now all is well and right in the world.

Cheers to all who contributed.
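Because loopback processing in Replace mode silently discards the user's own GPO links, it helps to check which GPOs applying at a computer's OU configure it before hunting link by link as described above. The following PowerShell script is an added example, not from this thread or from Microsoft; it assumes the RSAT GroupPolicy module and uses a placeholder OU distinguished name.

```powershell
# Added example: list the GPOs in effect at a computer OU and flag any that
# set user loopback processing (Merge or Replace). Assumes the GroupPolicy
# RSAT module and a domain-joined admin session; the OU DN is a placeholder.
Import-Module GroupPolicy

function Get-LoopbackMode {
    param([Parameter(Mandatory)][string]$GpoName)
    # Loopback is stored in the GPO's Computer Configuration under
    # HKLM\Software\Policies\Microsoft\Windows\System, value UserPolicyMode:
    # 1 = Merge, 2 = Replace, absent = not configured.
    try {
        $v = Get-GPRegistryValue -Name $GpoName `
                -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                -ValueName 'UserPolicyMode' -ErrorAction Stop
    } catch {
        return 'NotConfigured'   # cmdlet throws when the value is absent
    }
    switch ($v.Value) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'NotConfigured' }
    }
}

function Find-LoopbackGpos {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    # Walk every GPO that applies at this OU, inherited links included,
    # since that is what a computer placed there actually processes.
    $inh = Get-GPInheritance -Target $OuDistinguishedName
    foreach ($link in $inh.InheritedGpoLinks) {
        if (-not $link.Enabled) { continue }
        [pscustomobject]@{
            GPO      = $link.DisplayName
            Order    = $link.Order
            Enforced = $link.Enforced
            Loopback = Get-LoopbackMode -GpoName $link.DisplayName
        }
    }
}

# Any row reporting 'Replace' means the computer's OU, not the user's OU,
# decides which user settings apply; 'Merge' applies both sets.
Find-LoopbackGpos -OuDistinguishedName 'OU=TestPCs,DC=example,DC=com' |
    Where-Object { $_.Loopback -ne 'NotConfigured' } |
    Format-Table -AutoSize
```

Run it against the OU holding the affected computer accounts; a Replace result explains user GPOs vanishing from GPRESULT without any "filtered out" entry.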

Will Szymkowski (Senior Solution Architect) Commented:
Glad that you found your answer.

Will.
benlloydtt (Author) Commented:
I'm accepting my own comment as the solution because it's the right answer.