Solved

Group policy does not appear to be applying to workstations in group.

Posted on 2016-08-09
11
63 Views
Last Modified: 2016-08-23
I've applied a group policy that is supposed to create a system restore point on a weekly basis.  In the production environment, nor my test environment, can I get the group policy to apply.  When I use the gpresult command I do not see my group policy at all.  I've run gpupdate /force on multiple occasions as well as probably 30 reboots since the policy was implemented.  gpupdate /force says I need to reboot but doesn't change anything after the reboot.

This is the other EE question I posted and was advised to cross-post to try to find a group policy expert.  I can't find any kind of group policy tags with which to tag this question.

https://www.experts-exchange.com/questions/28961031/I'd-like-to-set-a-group-policy-forcing-a-weekly-system-restore-point-creation.html?anchor=a41749366#a41749366
0
Comment
Question by:Daniel Checksum
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 3
11 Comments
 
LVL 16

Assisted Solution

by:FOX
FOX earned 250 total points
ID: 41749391
Are these computers in a security group?  Right-click the gpo you created for this, go to the delegation tab, add the group that these computers are in then in the permissions make sure Apply group policy is selected.

ref link:  https://technet.microsoft.com/en-us/library/cc754542(v=ws.11).aspx
1
 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 0 total points
ID: 41749459
I just created a security group called "test group" -- added myself and station to it -- added test group to the delegation under the GPO i've created.  Rescheduled my timing for 5 minutes after my gpupdate /force -- same results.  Nothing showing in gpresult.html and no restore point was created.
0
 
LVL 40

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 41749467
Are you linking the GPO to an OU where the users or computers you want to apply the policies to are located? Or are you linking it to the OU the security group is located (with the users/computers in another OU)? GPOs don't apply to the groups in the OUs they are linked to. They will only apply to user objects or computer objects that are in the OUs they are linked to. If you want to restrict application by a group, you link the GPO to the OU with the users in it, then add the group to the GPO security filtering to prevent specific users from reading the policy.
1
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 0 total points
ID: 41749496
I'm getting very confused reading your post, Adam.  Let me break it down as best I can:

I am a user.  My user in Active Directory Users and Computers is located here:  
DOMAIN -> City(OU) -> Laptops(OU)

I am a member of "test group" -- "test group" is located DOMAIN -> Groups(OU)  (in ADU&C)

In Group Policy Management -- Forest -> Domains -> Domain(our domain) -> City(OU) -> Test Group(OU?) -> GPO

I've attached how it's currently set up in a screenshot.  Am I doing something wrong here?  I get confused going between ADUC and GPM.
Blurred-GPO-Location.png
0
 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 0 total points
ID: 41749554
Furthermore -- Should I have this set to "Create" or "Update"?
0
 
LVL 40

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 41749567
The OUs in GPMC Reflect all your OUs in ADUC. Based on what you have there, Any computer objects that you move to the "Forest -> Domains -> Domain (your domain) -> City -> Test Group" OU in ADUC
will apply the policy where it is currently linked in GPMC.

My question was to make sure that you were not linking the GPO to the OU that held the group you wanted the GPO to apply to ((Your domain) > Groups OU), which is a common mistake.

The policy you show in your linked question is meant to apply only to Computer objects, so only Computer Objects in that Test Group OU will apply the policy. A user account that is located in that OU will not apply the policy because it contains Computer Configuration settings. So if you want that policy to apply to the computer you use, you would first need to find your Computer object in ADUC, then move it to the Test Group OU that you have the policy linked to. Once that's done, run
GPUpdate /Force
from your the computer that you moved the object for (don't run it on the Domain Controller). After the policy finishes applying, you should see the scheduled task show up in Task Scheduler.

Does that make sense?
1
 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 0 total points
ID: 41754325
It made more sense for sure.  I am just getting back to this project, I have added both my machine and my user account to the test group group.  Does test group have to be a member of something as well?  

I'm still not getting the group policy applied.  I appreciate all of your help so far.
0
 
LVL 40

Accepted Solution

by:
Adam Brown earned 250 total points
ID: 41754400
Test Group needs to be listed in the Security Filtering of the GPO. If you click on the GPO, you'll see the details screen on the right side of GPMC. If you click on the Scope tab, it will give you two more panes that show where the GPO is linked at the top and which users/computers/groups the policy applies to on the bottom. That one on the bottom is where you need to specify the Test Group as a group that can apply the policy. From there, once the GPO is linked to an OU with computers, only the computers that are a part of the Test Group will apply the policy.
1
 
LVL 1

Author Comment

by:Daniel Checksum
ID: 41754436
Thank you, i've added test group to the security filtering.  Will wait for Monday to find out if it worked or not, too close to the end of the workday to test now.
0
 
LVL 1

Author Comment

by:Daniel Checksum
ID: 41766974
We've decided to use another method to accomplish this.  Thank you to everyone who assisted.
0
 
LVL 1

Author Closing Comment

by:Daniel Checksum
ID: 41766975
Going a different route, thanks everyone.
0

Featured Post

Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question