How to apply new Group Policy to users

I've created a new group policy which I've called "Trust Center", and linked it to my domain:
GPO.jpg
The group policy results wizard does not show this GPO in effect for users. How do I apply it to users?  I don't do this often enough to remember the procedure. I'll save the answer to this question for future reference.
jmarkfoley Asked:

Ganesh Kumar A, Sr Infrastructure Specialist, Commented:
You can apply the group policy to the LSDOU which gets applied hierarchically.

L - LOCAL
S - SITE
D - DOMAIN
OU - ORGANIZATIONAL UNIT

To force the group policy, run gpupdate /force to refresh the policy.
GPUpdate1.png
Refer to some of the steps to force GPO and methods: https://technet.microsoft.com/en-us/library/jj134201.aspx

OU policies are applied starting at the "root", and then downwards; refer to this link, which explains GPO processing.
yo_bee, Director of Information Technology, Commented:
There are two areas where settings are applied: computers or users.

If you keep your Trusted GPO where it is, all objects in the domain will get the settings.

Next you want to decide what you want to configure. Since you mentioned Users, you will focus on the User Configuration Node.

As mentioned by the previous Expert, you can move the link GPO to another OU to control who or what objects get the GPO.

Keep in mind, as mentioned, GPOs are inherited from higher levels, so if you want to keep a GPO from applying you will need to block inheritance.

There also is security filtering to control how and who gets the GPO. There is also WMI filtering.

Here is an MS KB article that really explains GPO:

https://msdn.microsoft.com/en-us/library/Bb742376.aspx
Will Szymkowski, Senior Solution Architect, Commented:
In order for a Group Policy to apply properly to a machine or user you need to ensure that the following are correct...
- Security Filtering is set correctly (authenticated users applies to both users and computers)
- make sure that whatever OU or domain you apply the policy to has the affected users or computers in it
- make sure that there are no Deny settings under the Delegation Tab
- make sure that blocked inheritance is not enabled on an OU where the user is present
- make sure that the User policy settings are not disabled on the GPO

Will.
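
The five checks in the list above can be read directly with the GroupPolicy PowerShell module. This is an added example, not code from the thread; the GPO name and domain are taken from the question, and `$Target` can be set to the distinguished name of the user's OU instead.

```powershell
# Added example: read-only audit of the five checklist items for one GPO.
# Requires the GroupPolicy module (installed with GPMC / RSAT).
Import-Module GroupPolicy

$GpoName = 'Trust Center'        # GPO name from the question
$Target  = 'DC=hprs,DC=local'    # domain from the thread; an OU DN also works

$gpo   = Get-GPO -Name $GpoName -ErrorAction Stop
$perms = Get-GPPermission -Guid $gpo.Id -All
$inh   = Get-GPInheritance -Target $Target

# 1. Security filtering: trustees allowed "Apply Group Policy"
$apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }

# 2. Link that reaches $Target (linked there or inherited from a parent)
$link  = $inh.InheritedGpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }

# 3. Deny entries from the Delegation tab
$deny  = $perms | Where-Object { $_.Denied }

# 4. Block Inheritance on $Target; only an Enforced link passes through it
# 5. User Configuration half of the GPO disabled
$userOff = $gpo.GpoStatus -in 'UserSettingsDisabled', 'AllSettingsDisabled'

[pscustomobject]@{
    Gpo                = $gpo.DisplayName
    ApplyTrustees      = ($apply.Trustee.Name -join ', ')
    LinkReachesTarget  = [bool]$link
    LinkEnabled        = [bool]($link | Where-Object Enabled)
    LinkEnforced       = [bool]($link | Where-Object Enforced)
    DenyTrustees       = ($deny.Trustee.Name -join ', ')
    InheritanceBlocked = $inh.GpoInheritanceBlocked
    UserSettingsOff    = $userOff
} | Format-List
```

If `LinkReachesTarget` is False, the GPO is not linked anywhere that covers the target; `New-GPLink -Name 'Trust Center' -Target <container DN>` creates the link.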
jmarkfoley, Author, Commented:
Thanks for the responses. I'll address them in order.

Ganesh Kumar A: The first phrase of your link reference expresses my feeling exactly, "Group Policy is a complicated infrastructure ...". Otherwise, that link didn't tell me much. I have run gpupdate /force. Doesn't seem to help. My RSAT dialog doesn't look like yours. I don't have a selection labeled "Group Policy Update ..." See image for what I get when I right-click on the policies or groups.
My RSAT AD users and GPO Management
yo_bee:
If you keep your Trusted GPO where it is, all objects in the domain will get the settings.
Well, nothing seems to be getting the "setting". When I run Group Policy Results for a given user, this policy shows neither under 'Applied GPOs' nor 'Denied GPOs'.

Next you want to decide what you want to configure. Since you mentioned Users, you will focus on the User Configuration Node.
Yes, this is a user policy to add a site to permit a trusted location in the Trust Center (User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Security Settings > Trust Center > Trusted Location #1).
As mentioned by the previous Expert, you can move the link GPO to another OU to control who or what objects get the GPO.
That's the million dollar question ... How?

I read through your link. I do get the basic concepts of GPO and I understand that they are associated with OUs. What the link doesn't tell me (or I'm missing it) is how to do that. I've created several working GPOs already, and the new one mentioned above. But for example the Remote Desktop GPO asked for the Group to assign it to. My Redirected Folder GPO instructions say, "10.Link the new GPO policy (if not done already) to an OU with a user account that can be used to test this policy." I must have done that, because it works, but I don't remember how I linked the GPO to an OU. That's my question.

My image shows AD Users and Computers and the OUs defined there. Does that help?

Will Szymkowski:
In order for a Group Policy to apply properly to a machine or user you need to ensure that the following are correct...
- Security Filtering is set correctly (authenticated users applies to both users and computers)
Set, see image below:
"Trust Center" GPO Security Filtering

- make sure that whatever OU or domain you apply the policy to has the affected users or computers in it
I think I'm applying the GPO to the hprs.local domain and I want it to affect all "Authenticated Users". Am I doing that?
- make sure that there are no Deny settings under the Delegation Tab
Appears to be no deny settings:
Trust Center Delegation tab
- make sure that blocked inheritance is not enabled on an OU where the user is present
Would that be the "Inherited" column on the Delegation tab? If so, does "no" mean blocked?
- make sure that the User policy settings are not disabled on the GPO
Below are the GPO settings. 'User Configuration' is "enabled". Is that what you're referring to?
Trust Center GPO settings tab
This is probably simpler than I'm making it. After all, I did it once (only once) before, but I don't know what I did.

Thanks for your continued input.
yo_bee, Director of Information Technology, Commented:
From a quick glance at all the images does not look like Trust Center GPO is not linked to any OU.

As stated earlier GPO's are inherited from the parent OU.
So if you want this to apply to your entire Domain then you need to link your Trust Center GPO to where the other 4 are linked. If you want to control it a bit more and only have it apply to a child OU then link it to one of the child ones like the highlighted one Security in your screenshot.

By just creating a GPO in the GPO container in GPMC, this will not apply until linked to an OU.

Security filtering shows that it will apply to authenticated users. So wherever you place this, all authenticated objects (computers or users) that reside in the parent or child OU will get the GPO. If the object resides outside the tree hierarchy then it will not get the settings.
jmarkfoley, Author, Commented:
yo_bee:
From a quick glance at all the images does not look like Trust Center GPO is not linked to any OU.
(Do you have too many "nots" in this sentence?)
As stated earlier GPO's are inherited from the parent OU.
 So if you want this to apply to your entire Domain then you need to link your Trust Center GPO to where the other 4 are linked.
If you look at the image in my initial posting, I do have my "Trust Center" GPO linked under the domain hprs.local. (red arrow). This is apparently not sufficient. Should it work just with this link?
yo_bee, Director of Information Technology, Commented:
Sorry for the double negatives.

With your last set of images I do not see Trust Center GPO linked to anything. That is what I was replying to.

If you have it at the top level like your first image and it is being applied to Authenticated Users with no Blocked Inheritance (from what I can see) this should apply to all users within your domain.  If you run RSoP from the local computer you are testing or Group Policy Result Wizard from GPMC are you seeing anything like Access Denied in the report?
jmarkfoley, Author, Commented:
yo_bee:
With your last set of images I do not see Trust Center GPO linked to anything. That is what I was replying to.
Sorry for the inconsistency. I've been moving this !@#$ GPO around trying to see if a different OU would work and must have posted an intermediary image. My "Trust Center" GPO is back as shown in my initial post.
If you have it at the top level like your first image and it is being applied to Authenticated Users with no Blocked Inheritance (from what I can see) this should apply to all users within your domain.
Well, I agree. Hence my posting. Why does it not apply? Is my GPO configured incorrectly? (see last image in my post ID 40955918 2015-08-31)
If you run RSoP from the local computer you are testing or Group Policy Result Wizard from GPMC are you seeing anything like Access Denied in the report?
I've attached the GPO Results report for one user who definitely has Office 2013. I don't see any "access denied", but there are "Denied GPOs" and 'Trust Center' is in that list. I don't really understand what that means because 'HPRS Redirected Folders' is also in the "denied" list, but that policy works just fine. Do you see anything funny in this report?
GroupPolicyResults.jpg
DrDave242 Commented:
Trust Center is only in the Denied GPOs list for the Computer Configuration section, with the reason given as "Empty." Since the GPO only contains user settings, this is expected (there aren't any Computer Configuration settings to apply). If you look down in the User Configuration section, Trust Center is listed as an applied GPO, so that part at least appears to be working correctly. Click the Settings tab of that report and see whether the setting in the GPO is being applied.
jmarkfoley, Author, Commented:
I've selected the settings tab and show the User Configuration (image). It says it's enabled as far as I can tell, yet I still get the "Protected View" message. Is it possible that the "Path" syntax is different here than it is in the Word 2013 Trust Center on the local workstation? Is it possible this GPO simply doesn't work?

Can you see *anything* I'm doing wrong?
UserSettings.jpg
jmarkfoley, Author, Commented:
I thought I had a brilliant insight, only to have my hopes dashed!

I had configured 2 users' local Trust Center to trust the location \\mail.hprs.local. I found out today that setting this in Word's Trust Center does not affect the apparently different Trust Center for Excel. Users were still getting "Protected Mode" warnings on spreadsheets. So, I set this location for Excel's trust center also and the message disappeared. Good 'ole Microsoft, always going the extra mile to make things just a little more difficult than necessary for their customers!

This made me notice a couple of things on my "Trust Center" GPO. First, the computer I'm testing on has Office 2010, not Office 2013 (as my GPO is set for). 2nd, I've set the Trusted site for "Office" not "Word". So, I created a new "Trust Center Office 2010" GPO as shown in the attached GPOresults report. Everything looks good to me; however, it still doesn't work. Documents still get the "Protected Mode" message for this user on this computer.

So, either I'm setting this up wrong (Path syntax?) or the GPO simply doesn't work. I doubt if it's the latter.

This GPO must be set in SBS20xx or Server 20xx because apparently Word does not recognize the path of its own AD/DC as not being "from the Internet". So, can anyone who has an official Windows AD server look up this Policy on their own system and see what working settings should look like?

I've already spent way more time on this than I should have, so if I don't get it resolved from this angle in the next few days I'll try setting the GPO that disables the message entirely!
Word2010GPO.jpg
jmarkfoley, Author, Commented:
More info ... Partial Success. I can now open Word 2010 documents without the "Protected View" warning! The secret was setting an additional GPO attribute: "All Trusted Locations on the network". I have 2 GPOs, "Protected View, Trust Center Office 2010" and "Protected View, Trust Center Office 2013". The attached image is a Group Policy Results report for the user I've been testing with.

Unfortunately, the GPO is not working for Word 2013. I've run gpupdate several times on the Admin workstation and the target workstation (having Word 2013). I've logged the user on/off multiple times, rebooted the workstation and even rebooted the AD/DC. Nothing worked. The settings compared with Word 2010 look identical to me. Perhaps there are additional settings needed for Word 2013? Suggestions?

I'll test again after business hours tomorrow and see if the policy just "takes", but I'm not hopeful. Working for Word 2010 but not 2013 is not going to be acceptable since the office is migrating to Office 2013. :(

Quick postscript nano-moments after posting the above -- Word 2013 is now working! Before shutting down for the evening I thought I'd try Excel spreadsheets. They worked OK. So, gee, let's try Word one more time, and voila! No "Protected View" message. Sheesh! Nothing like making me work for it. Why did it work for Word 2010 and not Word 2013? I created the policies at the same time ... Dunno what changed except maybe just waaaiiitttting looooonger.

Any final comments before I stick a fork in this question?
Protected-View-GPO-settings.jpg
yo_bee, Director of Information Technology, Commented:
I guess next time you run into a situation like this I would try applying a non-Office Policy to see if it even applies. If it does then you know that you are missing something in the Office settings.

I think you pretty much isolated the cause being the network location check box.

Good Luck
jmarkfoley, Author, Commented:
Sadly, I did check the "network location" box on the local Word/Excel Trust Centers. Just didn't see it on the GPO settings.

Thanks all for your participation!
jmarkfoley, Author, Commented:
I figured it out - "network location"
Question has a verified solution.