funkytechmonkey asked:

Ways to troubleshoot GPOs not being applied?

I have a mix of 2008 and up Windows servers in 4 different OUs. I wrote a script for each of these OUs to import them into WSUS. For some reason these scripts are not applying to all of these servers, just a secret random few. Could you guys point me in the right direction on what I need to look at so I can figure out why these servers are not getting these policies?

Thanks.

Btw, they are linked and enforced.
Robin CM

Run the following command from an elevated command prompt:
gpresult /h %userprofile%\Desktop\gpr.html /f
This will create a Group Policy Results file on the desktop. It'll show you all kinds of info, such as which GPOs have been applied, which individual policy settings have been applied, and which GPO they came from.
funkytechmonkey (ASKER)

Robincm, thank you for the reply. I am familiar with the gpresult command; sorry, I should have been more specific. What I am trying to find is a way to troubleshoot failed GPOs. Here is an example. The Event ID is very vague....

The processing of Group Policy failed. Windows attempted to read the file \\DOMAIN123.com\SysVol\DOMAIN123.com\Policies\{0CD5B078-7760-42F5-A396-C4460D862032}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled
Robincm... I found another one of your posts. Reading up on it now.

Can the member machines (Win7 & 2012) contact the DCs? Do they have valid IP addresses, DNS server settings?
Can you resolve your AD name via DNS with nslookup from the problem machines?
Check the solution here: https://social.technet.microsoft.com/Forums/en-US/c2fdf665-837b-41d8-9212-762bbbdd8c44/group-policy-failed-to-apply-to-user?forum=winserverGP
There's also some info here, note the comment at the bottom about disabling IPv6 (if you don't need it): https://technet.microsoft.com/en-us/library/cc727337(v=ws.10).aspx
OK, here is what I found. The GPO is created, in Group Policy Mgt you are able to see the GPO on all DCs. However, if you browse to the \\DOMAIN123.com\SysVol\DOMAIN123.com\Policies\ I am not able to see the {0CD5B078-7760-42F5-A396-C4460D862032} folder.  BUT if I log into the default DC and browse locally for the {0CD5B078-7760-42F5-A396-C4460D862032} folder it IS there.

For some reason it is not replicating to the other DCs.

I did some minor searching and I am not able to find anything. It's getting late so I am calling it a night. Hopefully someone can provide some additional help so I can get this resolved in the morning.

Thanks,
brian
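
The symptom described above (the GPO is visible in AD on every DC, but its folder exists in SYSVOL on only one) can be checked per domain controller. The following is an added example, not code from anyone in this thread. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read each DC's SYSVOL share; the default GUID is the one from the event text.

```powershell
# Added example: compare one GPO's AD object with its SYSVOL copy on every DC.
param(
    [string]$GpoGuid = '{0CD5B078-7760-42F5-A396-C4460D862032}'  # GUID from the event text
)

Import-Module ActiveDirectory

$domain = Get-ADDomain
$dns    = $domain.DNSRoot

# The AD half of the GPO (groupPolicyContainer). This is what GPMC lists on every DC.
$gpcDn = "CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"
$gpc   = Get-ADObject -Identity $gpcDn -Properties displayName, versionNumber

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # Ask each DC for its own SYSVOL share. The domain path \\domain\SysVol is a
    # DFS namespace that picks a DC for you and hides which replica is stale.
    $policies = "\\$($dc.HostName)\SYSVOL\$dns\Policies"
    $gptIni   = Join-Path (Join-Path $policies $GpoGuid) 'gpt.ini'
    $sysvolVersion = $null

    if (-not (Test-Path -LiteralPath $policies)) {
        $status = 'SysvolUnreachable'      # share, name resolution or network problem
    } elseif (-not (Test-Path -LiteralPath $gptIni)) {
        $status = 'MissingInSysvol'        # GPO folder has not replicated to this DC
    } else {
        # gpt.ini carries "Version=<n>" in its [General] section.
        $line = Get-Content -LiteralPath $gptIni |
                Where-Object { $_ -match '^\s*Version\s*=\s*\d+' } |
                Select-Object -First 1
        if ($line -match '=\s*(\d+)') { $sysvolVersion = [int]$Matches[1] }
        $status = if ($sysvolVersion -eq $gpc.versionNumber) { 'InSync' } else { 'VersionMismatch' }
    }

    [pscustomobject]@{
        DC            = $dc.HostName
        Site          = $dc.Site
        Gpo           = $gpc.displayName
        AdVersion     = $gpc.versionNumber
        SysvolVersion = $sysvolVersion
        Status        = $status
    }
}

$results | Sort-Object Status, DC | Format-Table -AutoSize
```

A DC reporting `MissingInSysvol` while another reports `InSync` points at SYSVOL replication (FRS or DFSR) between those DCs rather than at the GPO or the member servers.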
ASKER CERTIFIED SOLUTION
Robin CM

This solution is only available to members.