Solved

I cannot get GPOs to run below the domain level

Posted on 2016-07-22
12
63 Views
Last Modified: 2016-08-03
I have written a few successful GPOs but all have been at the domain level, I recently began trying to push out a GPO for laptop encryption software and was having difficulties. I decided to start testing in a practice OU instead of at the domain level, but none of the GPOs I have linked to my practice OU seem to be recognized by the workstations it. I have done everything exactly the same, but when I go to a workstation that is in my test OU and run a GPRESULT /R it does not even show up. Is there another step to creating GPOs when linking them below the domain level?
0
Comment
Question by:Thor2923
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
12 Comments
 
LVL 40

Expert Comment

by:Vadim Rapp
ID: 41725230
Run Group Policy Results Wizard and analyze the results - what is applied, what is not, and why.
0
 
LVL 1

Author Comment

by:Thor2923
ID: 41725328
I have all my GPOs reporting as applied....I assume that is good??
GPOWizard.PNG
0
 
LVL 40

Expert Comment

by:Vadim Rapp
ID: 41725413
Yes, it is good - assuming that they are Encryption...GPO on the picture. If you see that it's applied, the next step is to check the actual settings that are enforced. They are on the tab "Settings" of the results.

Curious, why several GPO's with similar names, why not one?
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 1

Author Comment

by:Thor2923
ID: 41728060
My encryption process requires 3 installs of MSI files that need to go in a specific order. I have inquired about running order and I got conflicting answers on how to make them run in proper order. At this point, I only want to get the first GPO to run and install my "preinstall software" once I finally have that working, I will see about run order or possibly bulking all 3 MSIs into one GPO. At this point it looks like everything is right and most MSI files I have tried do install when I put them in the GPO path, except the ones I really need. I contacted Sophos to see if they have any suggestions
0
 
LVL 40

Accepted Solution

by:
Vadim Rapp earned 500 total points
ID: 41728354
From http://serverfault.com/questions/353626/multiple-installers-attached-to-a-single-gpo:

"You'll need to find a freeware app called "Assigned Software Sequence Manager" from a company called Sywan ICT. The order that the MSI's are installed within a single GPO is dependent on some date/time-based setting that the usual AD tools don't give you access to. Sywan's app lets you order them as you want."

It can be downloaded from http://www.sywan.nl/download/ASSM_0.3.zip
0
 
LVL 40

Expert Comment

by:Vadim Rapp
ID: 41740037
The initial problem was "none of the GPOs I have linked to my practice OU seem to be recognized by the workstations it." Running group policy results wizard, as suggested, confirmed that they are all in fact applied, acknowledged in ID: 41725328.
0
 
LVL 1

Author Closing Comment

by:Thor2923
ID: 41740542
this solution did not work for my particular project but may still be useful for someone with GPO issues.
0
 
LVL 1

Author Comment

by:Thor2923
ID: 41740545
I didn't realize assigning points was that important, but yes you did provide good information and an answer that may help  many people with GPOs...thanks
0
 
LVL 40

Expert Comment

by:Vadim Rapp
ID: 41740617
As for the 2nd problem, having the MSI's running in particular order, if you still need it working, feel free to open another question. There are other ways to try, although this "Assigned Software Sequence Manager" seems like addressing this exact problem, so if you tried it and it did not work, maybe you could at least post some details (did not work at all? was misrepresented? etc.)

Btw, it took some effort to find it, it's not on the current website, I found the link by archive.org, going back.
0
 
LVL 1

Author Comment

by:Thor2923
ID: 41740640
Thanks, I have a conf call today with the vendor and they recommend using SCCM for their MSI push solution. I will bring up GPOs but they appear to be discouraging me so I assume they have a reason. If GPOs become possible, I may come get back on here...thanks
0
 
LVL 40

Expert Comment

by:Vadim Rapp
ID: 41740849
The reason most likely is that they are not familiar with deployment by GPO. Not many people are.

The main advantage of deployment by SCCM is reporting - you can easily find out where it deployed and where it failed. The drawbacks are in the necessity to install the client on every workstation, plus of course SCCM itself - licensing, learning, managing; also, the installations pushed by SCCM install when the user has already logged in, so they are much more likely to interfere with him, and to request machine restart in the end.

The advantages of deployment by GPO are installation before the desktop showed up, thus zero interfering with the user; plus, it's free and less involved than SCCM. The drawback is no reporting, which we addressed in our article "How to Report Result of Installation in Active Directory Deployment"
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question