Solved

GPO stopped applying all of a sudden

Posted on 2016-07-14
Last Modified: 2016-08-22
Hello everyone,

I have a group policy that has been working perfectly for the past few months. It sets the Start layout, does folder redirection, disables a bunch of unnecessary things such as mail, store, etc., and does drive mapping. The policy applies to Windows 10 computers and about 70 users. It's been working perfectly, until very recently. I noticed it was no longer working when I logged in to a computer as a newly created user. The policy doesn't apply to that user. When I run the GP results on a 2012 AD server, it doesn't even show up as one of the policies in the GP results. On a 2008 R2 AD server, the policy's GUID shows in the GP result, but it's one of the denied policies; the reason for it being denied is "Inaccessible".

I have now tested it with several users and computers, and I am getting the same result as above (the policy is not applying).

Any ideas? I am desperate.
Question by:NewAvenues
2 Comments
 
LVL 15

Accepted Solution

by:
LockDown32 earned 500 total points
ID: 41711368
Microsoft put out an update the week of 6/13/2016 that wreaked havoc on GPOs. See if you have KB3159398 installed on the server or any workstations.

If you do: http://www.gpanswers.com/never-a-dull-moment-with-group-policy-or-what-to-do-about-ms16-072/
LVL 7

Expert Comment

by:Senior IT System Engineer
ID: 41711715
New Avenue:

Execute the below PowerShell script on your domain controller to fix this issue:

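Import-Module GroupPolicy   # the Get-GPO / Get-GPPermission / Set-GPPermission cmdlets come from the GroupPolicy module
$allGPOs = Get-GPO -All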
foreach ($gpo in $allGPOs)
{
    #first check to see if GPO has per-user settings, since this fix really only needs to apply to per user GPOs. Remove this check if you really want to modify all GPOs
    if ($gpo.user.DSVersion -gt 0)
    {
        # first read the GPO permissions to find out if Authn Users and Domain Computers is missing. Note--depending upon the version of Windows/GPMC you are on--Get-GPPermission might be Get-GPPermissionS
        $perm1 = Get-GPPermission -Guid $gpo.id -TargetName "Authenticated Users" -TargetType group -ErrorAction SilentlyContinue
        $perm2 = Get-GPPermission -Guid $gpo.id -TargetName "Domain Computers" -TargetType group -ErrorAction SilentlyContinue
        if ($perm1 -eq $null -and $perm2 -eq $null) # if no authn users or domain computers is found, then add Authn Users read perm
        {
            Set-GPPermission -Guid $gpo.Id -PermissionLevel GpoRead -TargetName "Authenticated Users" -TargetType Group
            Write-Host $gpo.DisplayName "has been modified to grant Authenticated Users read access"
        }
    }

}
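
An added example, not part of the original post or the linked article: a read-only audit that lists the GPOs the script above would change, without modifying any permissions. MS16-072 makes user policy be retrieved in the computer's security context, so a GPO with per-user settings is at risk when neither Authenticated Users (S-1-5-11) nor Domain Computers (RID 515) has at least read access. The helper names `Test-GpoComputerReadable` and `New-SamplePerm` are hypothetical, and the sample SIDs are constructed.

```powershell
# Added example: audit only, nothing is written to any GPO.
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoComputerReadable {
    # Hypothetical helper. $Permissions is the output of Get-GPPermission -All
    # (or objects of the same shape). Returns $true when Authenticated Users
    # (S-1-5-11) or Domain Computers (domain SID + RID 515) holds read or better.
    # Matching on SID avoids problems with localized group names.
    param([object[]]$Permissions)
    foreach ($p in $Permissions) {
        $sid = [string]$p.Trustee.Sid
        $isTarget = ($sid -eq 'S-1-5-11') -or ($sid -like 'S-1-5-21-*-515')
        if ($isTarget -and ($ReadLevels -contains [string]$p.Permission)) { return $true }
    }
    return $false
}

function New-SamplePerm($Sid, $Level) {
    # Hypothetical helper: builds an object shaped like a Get-GPPermission result.
    $trustee = New-Object PSObject -Property @{ Sid = $Sid }
    New-Object PSObject -Property @{ Trustee = $trustee; Permission = $Level }
}

if (Get-Command Get-GPO -ErrorAction SilentlyContinue) {
    # Live audit: needs the GroupPolicy module (GPMC / RSAT) and a domain.
    foreach ($gpo in Get-GPO -All) {
        if ($gpo.User.DSVersion -eq 0) { continue }      # no per-user settings
        # On older GPMC versions the cmdlet is named Get-GPPermissions.
        $perms = Get-GPPermission -Guid $gpo.Id -All
        if (-not (Test-GpoComputerReadable $perms)) {
            Write-Output ("AT RISK: {0} ({1})" -f $gpo.DisplayName, $gpo.Id)
        }
    }
} else {
    # Offline demonstration on constructed ACLs (not from a real domain):
    # one GPO security-filtered to a single user group, and the same GPO
    # after Authenticated Users has been granted read.
    $filteredOnly  = @( (New-SamplePerm 'S-1-5-21-1111-2222-3333-1104' 'GpoApply') )
    $withAuthUsers = $filteredOnly + (New-SamplePerm 'S-1-5-11' 'GpoRead')
    Write-Output "filtered-only GPO readable by computers: $(Test-GpoComputerReadable $filteredOnly)"
    Write-Output "with Authenticated Users read:           $(Test-GpoComputerReadable $withAuthUsers)"
}
```

Permissions reported as `GpoCustom` are not counted as read here, so a GPO flagged only because of a custom ACE should be checked by hand in GPMC.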
