Solved

Group policy does not appear to be applying to workstations in group.

Posted on 2016-08-09
11
62 Views
Last Modified: 2016-08-23
I've applied a group policy that is supposed to create a system restore point on a weekly basis.  In the production environment, nor my test environment, can I get the group policy to apply.  When I use the gpresult command I do not see my group policy at all.  I've run gpupdate /force on multiple occasions as well as probably 30 reboots since the policy was implemented.  gpupdate /force says I need to reboot but doesn't change anything after the reboot.

This is the other EE question I posted and was advised to cross-post to try to find a group policy expert.  I can't find any kind of group policy tags with which to tag this question.

https://www.experts-exchange.com/questions/28961031/I'd-like-to-set-a-group-policy-forcing-a-weekly-system-restore-point-creation.html?anchor=a41749366#a41749366
0
Comment
Question by:Daniel Checksum
  • 7
  • 3
11 Comments
 
LVL 16

Assisted Solution

by:FOX
FOX earned 250 total points
ID: 41749391
Are these computers in a security group?  Right-click the gpo you created for this, go to the delegation tab, add the group that these computers are in then in the permissions make sure Apply group policy is selected.

ref link:  https://technet.microsoft.com/en-us/library/cc754542(v=ws.11).aspx
1
 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 0 total points
ID: 41749459
I just created a security group called "test group" -- added myself and station to it -- added test group to the delegation under the GPO i've created.  Rescheduled my timing for 5 minutes after my gpupdate /force -- same results.  Nothing showing in gpresult.html and no restore point was created.
0
 
LVL 39

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 41749467
Are you linking the GPO to an OU where the users or computers you want to apply the policies to are located? Or are you linking it to the OU the security group is located (with the users/computers in another OU)? GPOs don't apply to the groups in the OUs they are linked to. They will only apply to user objects or computer objects that are in the OUs they are linked to. If you want to restrict application by a group, you link the GPO to the OU with the users in it, then add the group to the GPO security filtering to prevent specific users from reading the policy.
1
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 0 total points
ID: 41749496
I'm getting very confused reading your post, Adam.  Let me break it down as best I can:

I am a user.  My user in Active Directory Users and Computers is located here:  
DOMAIN -> City(OU) -> Laptops(OU)

I am a member of "test group" -- "test group" is located DOMAIN -> Groups(OU)  (in ADU&C)

In Group Policy Management -- Forest -> Domains -> Domain(our domain) -> City(OU) -> Test Group(OU?) -> GPO

I've attached how it's currently set up in a screenshot.  Am I doing something wrong here?  I get confused going between ADUC and GPM.
Blurred-GPO-Location.png
0
 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 0 total points
ID: 41749554
Furthermore -- Should I have this set to "Create" or "Update"?
0
 
LVL 39

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 41749567
The OUs in GPMC Reflect all your OUs in ADUC. Based on what you have there, Any computer objects that you move to the "Forest -> Domains -> Domain (your domain) -> City -> Test Group" OU in ADUC
will apply the policy where it is currently linked in GPMC.

My question was to make sure that you were not linking the GPO to the OU that held the group you wanted the GPO to apply to ((Your domain) > Groups OU), which is a common mistake.

The policy you show in your linked question is meant to apply only to Computer objects, so only Computer Objects in that Test Group OU will apply the policy. A user account that is located in that OU will not apply the policy because it contains Computer Configuration settings. So if you want that policy to apply to the computer you use, you would first need to find your Computer object in ADUC, then move it to the Test Group OU that you have the policy linked to. Once that's done, run
GPUpdate /Force
from your the computer that you moved the object for (don't run it on the Domain Controller). After the policy finishes applying, you should see the scheduled task show up in Task Scheduler.

Does that make sense?
1
 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 0 total points
ID: 41754325
It made more sense for sure.  I am just getting back to this project, I have added both my machine and my user account to the test group group.  Does test group have to be a member of something as well?  

I'm still not getting the group policy applied.  I appreciate all of your help so far.
0
 
LVL 39

Accepted Solution

by:
Adam Brown earned 250 total points
ID: 41754400
Test Group needs to be listed in the Security Filtering of the GPO. If you click on the GPO, you'll see the details screen on the right side of GPMC. If you click on the Scope tab, it will give you two more panes that show where the GPO is linked at the top and which users/computers/groups the policy applies to on the bottom. That one on the bottom is where you need to specify the Test Group as a group that can apply the policy. From there, once the GPO is linked to an OU with computers, only the computers that are a part of the Test Group will apply the policy.
1
 
LVL 1

Author Comment

by:Daniel Checksum
ID: 41754436
Thank you, i've added test group to the security filtering.  Will wait for Monday to find out if it worked or not, too close to the end of the workday to test now.
0
 
LVL 1

Author Comment

by:Daniel Checksum
ID: 41766974
We've decided to use another method to accomplish this.  Thank you to everyone who assisted.
0
 
LVL 1

Author Closing Comment

by:Daniel Checksum
ID: 41766975
Going a different route, thanks everyone.
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
The Nano Server Image Builder helps you create a custom Nano Server image and bootable USB media with the aid of a graphical interface. Based on the inputs you provide, it generates images for deployment and creates reusable PowerShell scripts that …
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question