
GPO stopped applying all of a sudden

Posted on 2016-07-14
Last Modified: 2016-08-22
Hello everyone,

I have a group policy that has been working perfectly for the past few months. It sets the Start layout, does folder redirection, disables a bunch of unnecessary things such as mail, store, etc., and does drive mapping. The policy applies to Windows 10 computers and about 70 users. It's been working perfectly, until very recently. I noticed it was no longer working when I logged in to a computer as a newly created user. The policy doesn't apply to that user. When I run the GP results on a 2012 AD server, it doesn't even show up as one of the policies in the GP results. On a 2008 R2 AD server, the policy's GUID shows in the GP result, but it's one of the denied policies; the reason for it being denied is "Inaccessible".

I have now tested it with several users and computers, and I am getting the same result as above (the policy is not applying).

Any ideas? I am desperate.
Question by:NewAvenues
2 Comments
 
Accepted Solution

by: LockDown32 earned 2000 total points
ID: 41711368
Microsoft put out an update the week of 6/13/2016 that wreaked havoc on GPOs. See if you have KB3159398 installed on the server or any workstations.

If you do: http://www.gpanswers.com/never-a-dull-moment-with-group-policy-or-what-to-do-about-ms16-072/
Expert Comment

by:Senior IT System Engineer
ID: 41711715
New Avenue:

Execute the below PowerShell script on your domain controller to fix this issue:

# The Get-GPO / Get-GPPermission / Set-GPPermission cmdlets come from the GroupPolicy module (GPMC)
Import-Module GroupPolicy

$allGPOs = Get-GPO -All
foreach ($gpo in $allGPOs)
{
    # First check whether the GPO has per-user settings, since this fix really only needs to
    # apply to per-user GPOs. Remove this check if you really want to modify all GPOs.
    if ($gpo.User.DSVersion -gt 0)
    {
        # Read the GPO permissions to find out whether Authn Users and Domain Computers are missing.
        # Note: depending upon the version of Windows/GPMC you are on, Get-GPPermission might be Get-GPPermissionS
        $perm1 = Get-GPPermission -Guid $gpo.Id -TargetName "Authenticated Users" -TargetType Group -ErrorAction SilentlyContinue
        $perm2 = Get-GPPermission -Guid $gpo.Id -TargetName "Domain Computers" -TargetType Group -ErrorAction SilentlyContinue
        # If neither Authn Users nor Domain Computers is found, add Authn Users read permission
        if ($null -eq $perm1 -and $null -eq $perm2)
        {
            Set-GPPermission -Guid $gpo.Id -PermissionLevel GpoRead -TargetName "Authenticated Users" -TargetType Group
            Write-Host $gpo.DisplayName "has been modified to grant Authenticated Users read access"
        }
    }
}

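A read-only check that can be run before the script in the comment above, as an added example that is not part of the original thread: it reports whether KB3159398 is present on the local machine and lists the GPOs with per-user settings on which neither Authenticated Users nor Domain Computers holds a permission, which are the ones that script would change. It assumes the GroupPolicy module (GPMC/RSAT) is available; the function name Get-GpoReadGap and the output property names are hypothetical.

```powershell
# Added example: audit only, makes no changes to any GPO.
Import-Module GroupPolicy

# Is the update named in the accepted answer installed on this machine?
$kb = Get-HotFix -Id 'KB3159398' -ErrorAction SilentlyContinue
if ($kb) { Write-Host "KB3159398 is installed (InstalledOn: $($kb.InstalledOn))" }
else     { Write-Host 'KB3159398 was not found on this machine' }

# Get-GpoReadGap is a hypothetical helper name chosen for this example.
function Get-GpoReadGap {
    foreach ($gpo in Get-GPO -All) {
        # Same filter as the fix script: only GPOs that carry per-user settings.
        if ($gpo.User.DSVersion -le 0) { continue }

        # A missing trustee yields no object once the error is silenced.
        $au = Get-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
                  -TargetType Group -ErrorAction SilentlyContinue
        $dc = Get-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' `
                  -TargetType Group -ErrorAction SilentlyContinue

        [pscustomobject]@{
            DisplayName        = $gpo.DisplayName
            Id                 = $gpo.Id
            AuthenticatedUsers = if ($au) { "$($au.Permission)" } else { 'Missing' }
            DomainComputers    = if ($dc) { "$($dc.Permission)" } else { 'Missing' }
            # True when the fix script would add GpoRead for Authenticated Users.
            WouldBeModified    = (-not $au) -and (-not $dc)
        }
    }
}

# Full report, then only the GPOs the fix script would touch.
$report = Get-GpoReadGap
$report | Format-Table DisplayName, AuthenticatedUsers, DomainComputers, WouldBeModified -AutoSize
$report | Where-Object WouldBeModified | Select-Object DisplayName, Id
```

Saving the second list before running the fix gives a record of which GPOs had their security filtering changed.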
