Solved

I cannot get GPOs to run below the domain level

Posted on 2016-07-22
12
45 Views
Last Modified: 2016-08-03
I have written a few successful GPOs but all have been at the domain level, I recently began trying to push out a GPO for laptop encryption software and was having difficulties. I decided to start testing in a practice OU instead of at the domain level, but none of the GPOs I have linked to my practice OU seem to be recognized by the workstations it. I have done everything exactly the same, but when I go to a workstation that is in my test OU and run a GPRESULT /R it does not even show up. Is there another step to creating GPOs when linking them below the domain level?
0
Comment
Question by:Thor2923
  • 6
  • 5
12 Comments
 
LVL 40

Expert Comment

by:Vadim Rapp
Comment Utility
Run Group Policy Results Wizard and analyze the results - what is applied, what is not, and why.
0
 
LVL 1

Author Comment

by:Thor2923
Comment Utility
I have all my GPOs reporting as applied....I assume that is good??
GPOWizard.PNG
0
 
LVL 40

Expert Comment

by:Vadim Rapp
Comment Utility
Yes, it is good - assuming that they are Encryption...GPO on the picture. If you see that it's applied, the next step is to check the actual settings that are enforced. They are on the tab "Settings" of the results.

Curious, why several GPO's with similar names, why not one?
0
 
LVL 1

Author Comment

by:Thor2923
Comment Utility
My encryption process requires 3 installs of MSI files that need to go in a specific order. I have inquired about running order and I got conflicting answers on how to make them run in proper order. At this point, I only want to get the first GPO to run and install my "preinstall software" once I finally have that working, I will see about run order or possibly bulking all 3 MSIs into one GPO. At this point it looks like everything is right and most MSI files I have tried do install when I put them in the GPO path, except the ones I really need. I contacted Sophos to see if they have any suggestions
0
 
LVL 40

Accepted Solution

by:
Vadim Rapp earned 500 total points
Comment Utility
From http://serverfault.com/questions/353626/multiple-installers-attached-to-a-single-gpo:

"You'll need to find a freeware app called "Assigned Software Sequence Manager" from a company called Sywan ICT. The order that the MSI's are installed within a single GPO is dependent on some date/time-based setting that the usual AD tools don't give you access to. Sywan's app lets you order them as you want."

It can be downloaded from http://www.sywan.nl/download/ASSM_0.3.zip
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 40

Expert Comment

by:Vadim Rapp
Comment Utility
The initial problem was "none of the GPOs I have linked to my practice OU seem to be recognized by the workstations it." Running group policy results wizard, as suggested, confirmed that they are all in fact applied, acknowledged in ID: 41725328.
0
 
LVL 1

Author Closing Comment

by:Thor2923
Comment Utility
this solution did not work for my particular project but may still be useful for someone with GPO issues.
0
 
LVL 1

Author Comment

by:Thor2923
Comment Utility
I didn't realize assigning points was that important, but yes you did provide good information and an answer that may help  many people with GPOs...thanks
0
 
LVL 40

Expert Comment

by:Vadim Rapp
Comment Utility
As for the 2nd problem, having the MSI's running in particular order, if you still need it working, feel free to open another question. There are other ways to try, although this "Assigned Software Sequence Manager" seems like addressing this exact problem, so if you tried it and it did not work, maybe you could at least post some details (did not work at all? was misrepresented? etc.)

Btw, it took some effort to find it, it's not on the current website, I found the link by archive.org, going back.
0
 
LVL 1

Author Comment

by:Thor2923
Comment Utility
Thanks, I have a conf call today with the vendor and they recommend using SCCM for their MSI push solution. I will bring up GPOs but they appear to be discouraging me so I assume they have a reason. If GPOs become possible, I may come get back on here...thanks
0
 
LVL 40

Expert Comment

by:Vadim Rapp
Comment Utility
The reason most likely is that they are not familiar with deployment by GPO. Not many people are.

The main advantage of deployment by SCCM is reporting - you can easily find out where it deployed and where it failed. The drawbacks are in the necessity to install the client on every workstation, plus of course SCCM itself - licensing, learning, managing; also, the installations pushed by SCCM install when the user has already logged in, so they are much more likely to interfere with him, and to request machine restart in the end.

The advantages of deployment by GPO are installation before the desktop showed up, thus zero interfering with the user; plus, it's free and less involved than SCCM. The drawback is no reporting, which we addressed in our article "How to Report Result of Installation in Active Directory Deployment"
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

The reason that corporations and businesses use Windows servers is because it supports custom modifications to adapt to the business and what it needs. Most individual users won’t need such powerful options. Here I’ll explain how you can enable Wind…
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now