• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 138
  • Last Modified:

GPO stopped applying all of the sudden

Hello everyone,

I have a group policy that has been working perfectly for the past few months, it's sets the Start layout, does folder redirection, disables a bunch of unnecessary things such as mail, store, etc, and does drive mapping. The policy applies to Windows 10 computers and about 70 users. It's been working perfectly, until very recently. I noticed it was no longer working when I logged in to a computer as a newly created user. The policy doesn't apply to that user. When I run the GP results on 2012 AD server, it doesn't even show up as one of the policies in the GP results. On a 2008 R2 AD server, the policy's GUID shows in GP result, but it's one of the denied policies, the reason for it being denied is "Inaccessible".

I have now tested it with several users and computers, and getting the same result as above (policy is not applying)

Any ideas? I am desperate.
1
NewAvenues
Asked:
NewAvenues
1 Solution
 
LockDown32Commented:
Microsoft put out an update the week of 6/13/2016 that wreaked havoc on GPOs. See if you have KB3159398 installed on the server or any workstations.

If you do: http://www.gpanswers.com/never-a-dull-moment-with-group-policy-or-what-to-do-about-ms16-072/
1
 
Senior IT System EngineerIT ProfessionalCommented:
New Avenue:

Execute the below PowerShell script on yuour domain controller to fix this  issue:

$allGPOs = get-gpo -all
foreach ($gpo in $allGPOs)
{
    #first check to see if GPO has per-user settings, since this fix really only needs to apply to per user GPOs. Remove this check if you really want to modify all GPOs
    if ($gpo.user.DSVersion -gt 0)
    {
        # first read the GPO permissions to find out if Authn Users and Domain Computers is missing. Note--depending upon the version of Windows/GPMC you are on--Get-GPPermission might be Get-GPPermissionS
        $perm1 = Get-GPPermission -Guid $gpo.id -TargetName "Authenticated Users" -TargetType group -ErrorAction SilentlyContinue
        $perm2 = Get-GPPermission -Guid $gpo.id -TargetName "Domain Computers" -TargetType group -ErrorAction SilentlyContinue
        if ($perm1 -eq $null -and $perm2 -eq $null) # if no authn users or domain computers is found, then add Authn Users read perm
        {
            Set-GPPermission -Guid $gpo.Id -PermissionLevel GpoRead -TargetName "Authenticated Users" -TargetType Group
            Write-Host $gpo.DisplayName "has been modified to grant Authenticated Users read access"
        }
    }

}

Open in new window

0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now