Solved

GPO stopped applying all of the sudden

Posted on 2016-07-14
2
75 Views
1 Endorsement
Last Modified: 2016-08-22
Hello everyone,

I have a group policy that has been working perfectly for the past few months, it's sets the Start layout, does folder redirection, disables a bunch of unnecessary things such as mail, store, etc, and does drive mapping. The policy applies to Windows 10 computers and about 70 users. It's been working perfectly, until very recently. I noticed it was no longer working when I logged in to a computer as a newly created user. The policy doesn't apply to that user. When I run the GP results on 2012 AD server, it doesn't even show up as one of the policies in the GP results. On a 2008 R2 AD server, the policy's GUID shows in GP result, but it's one of the denied policies, the reason for it being denied is "Inaccessible".

I have now tested it with several users and computers, and getting the same result as above (policy is not applying)

Any ideas? I am desperate.
1
Comment
Question by:NewAvenues
2 Comments
 
LVL 15

Accepted Solution

by:
LockDown32 earned 500 total points
ID: 41711368
Microsoft put out an update the week of 6/13/2016 that wreaked havoc on GPOs. See if you have KB3159398 installed on the server or any workstations.

If you do: http://www.gpanswers.com/never-a-dull-moment-with-group-policy-or-what-to-do-about-ms16-072/
1
 
LVL 7

Expert Comment

by:Senior IT System Engineer
ID: 41711715
New Avenue:

Execute the below PowerShell script on yuour domain controller to fix this  issue:

$allGPOs = get-gpo -all
foreach ($gpo in $allGPOs)
{
    #first check to see if GPO has per-user settings, since this fix really only needs to apply to per user GPOs. Remove this check if you really want to modify all GPOs
    if ($gpo.user.DSVersion -gt 0)
    {
        # first read the GPO permissions to find out if Authn Users and Domain Computers is missing. Note--depending upon the version of Windows/GPMC you are on--Get-GPPermission might be Get-GPPermissionS
        $perm1 = Get-GPPermission -Guid $gpo.id -TargetName "Authenticated Users" -TargetType group -ErrorAction SilentlyContinue
        $perm2 = Get-GPPermission -Guid $gpo.id -TargetName "Domain Computers" -TargetType group -ErrorAction SilentlyContinue
        if ($perm1 -eq $null -and $perm2 -eq $null) # if no authn users or domain computers is found, then add Authn Users read perm
        {
            Set-GPPermission -Guid $gpo.Id -PermissionLevel GpoRead -TargetName "Authenticated Users" -TargetType Group
            Write-Host $gpo.DisplayName "has been modified to grant Authenticated Users read access"
        }
    }

}

Open in new window

0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now