Solved

GPO stopped applying all of the sudden

Posted on 2016-07-14
Last Modified: 2016-08-22
Hello everyone,

I have a group policy that has been working perfectly for the past few months. It sets the Start layout, does folder redirection, disables a bunch of unnecessary things such as mail, store, etc., and does drive mapping. The policy applies to Windows 10 computers and about 70 users. It's been working perfectly, until very recently. I noticed it was no longer working when I logged in to a computer as a newly created user. The policy doesn't apply to that user. When I run the GP results on a 2012 AD server, it doesn't even show up as one of the policies in the GP results. On a 2008 R2 AD server, the policy's GUID shows in the GP result, but it's one of the denied policies; the reason for it being denied is "Inaccessible".

I have now tested it with several users and computers, and am getting the same result as above (policy is not applying).

Any ideas? I am desperate.
Question by:NewAvenues
2 Comments
 
LVL 15

Accepted Solution

by:
LockDown32 earned 2000 total points
ID: 41711368
Microsoft put out an update the week of 6/13/2016 that wreaked havoc on GPOs. See if you have KB3159398 installed on the server or any workstations.

If you do: http://www.gpanswers.com/never-a-dull-moment-with-group-policy-or-what-to-do-about-ms16-072/
1
 
LVL 8

Expert Comment

by:Senior IT System Engineer
ID: 41711715
New Avenue:

Execute the below PowerShell script on your domain controller to fix this issue:

Import-Module GroupPolicy
$allGPOs = Get-GPO -All
foreach ($gpo in $allGPOs)
{
    # first check to see if GPO has per-user settings, since this fix really only needs to apply to per user GPOs. Remove this check if you really want to modify all GPOs
    if ($gpo.User.DSVersion -gt 0)
    {
        # first read the GPO permissions to find out if Authn Users and Domain Computers is missing. Note--depending upon the version of Windows/GPMC you are on--Get-GPPermission might be Get-GPPermissionS
        $perm1 = Get-GPPermission -Guid $gpo.Id -TargetName "Authenticated Users" -TargetType Group -ErrorAction SilentlyContinue
        $perm2 = Get-GPPermission -Guid $gpo.Id -TargetName "Domain Computers" -TargetType Group -ErrorAction SilentlyContinue
        if ($null -eq $perm1 -and $null -eq $perm2) # if no authn users or domain computers is found, then add Authn Users read perm
        {
            Set-GPPermission -Guid $gpo.Id -PermissionLevel GpoRead -TargetName "Authenticated Users" -TargetType Group
            Write-Host $gpo.DisplayName "has been modified to grant Authenticated Users read access"
        }
    }
}

0
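A read-only audit that can be run before the script above, added here as an example and not part of either answer: it reports whether KB3159398 is installed on the local machine and lists each per-user GPO whose ACL gives neither Authenticated Users nor Domain Computers read access, together with its current security filter. It assumes the GroupPolicy module (GPMC/RSAT) is available and that the cmdlet is named Get-GPPermission (Get-GPPermissions on older systems, as noted above); the variable names and report columns are illustrative.

```powershell
# Added example: audit only, makes no changes to any GPO.
Import-Module GroupPolicy

# Well-known SIDs are used instead of names so the check also works on localized domains.
$authUsersSid       = 'S-1-5-11'   # Authenticated Users
$domainComputersRid = '-515'       # Domain Computers is <domain SID>-515
# Permission levels that include the right to read the GPO.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

# Is the update named in the accepted answer installed on this machine?
$kb = Get-HotFix -Id 'KB3159398' -ErrorAction SilentlyContinue
Write-Host ("KB3159398 installed on {0}: {1}" -f $env:COMPUTERNAME, [bool]$kb)

$report = foreach ($gpo in Get-GPO -All) {
    # Same scope as the fix script: only GPOs that carry per-user settings.
    if ($gpo.User.DSVersion -eq 0) { continue }

    $perms = Get-GPPermission -Guid $gpo.Id -All

    # Allow entries that grant at least read access.
    $readers = $perms | Where-Object {
        -not $_.Denied -and $readLevels -contains $_.Permission.ToString()
    }

    # Can the computer account read the GPO through one of the two groups?
    $computerReadable = $readers | Where-Object {
        $_.Trustee.Sid.Value -eq $authUsersSid -or
        $_.Trustee.Sid.Value -like "*$domainComputersRid"
    }

    # Trustees the GPO is security-filtered to (Apply), shown for review.
    $filter = $perms |
        Where-Object { -not $_.Denied -and $_.Permission.ToString() -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }

    [pscustomobject]@{
        DisplayName      = $gpo.DisplayName
        Id               = $gpo.Id
        ComputerCanRead  = [bool]$computerReadable
        SecurityFilter   = $filter -join '; '
    }
}

# GPOs the fix script would modify.
$report | Where-Object { -not $_.ComputerCanRead } | Format-Table -AutoSize -Wrap
```

Because the fix script grants only GpoRead, not GpoApply, the trustees in the SecurityFilter column remain the only ones the GPO applies to after it runs.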
