Solved

Group policy does not appear to be applying to workstations in group.

Posted on 2016-08-09
11
57 Views
Last Modified: 2016-08-23
I've applied a group policy that is supposed to create a system restore point on a weekly basis.  In the production environment, nor my test environment, can I get the group policy to apply.  When I use the gpresult command I do not see my group policy at all.  I've run gpupdate /force on multiple occasions as well as probably 30 reboots since the policy was implemented.  gpupdate /force says I need to reboot but doesn't change anything after the reboot.

This is the other EE question I posted and was advised to cross-post to try to find a group policy expert.  I can't find any kind of group policy tags with which to tag this question.

https://www.experts-exchange.com/questions/28961031/I'd-like-to-set-a-group-policy-forcing-a-weekly-system-restore-point-creation.html?anchor=a41749366#a41749366
0
Comment
Question by:Daniel Checksum
  • 7
  • 3
11 Comments
 
LVL 16

Assisted Solution

by:FOX
FOX earned 250 total points
ID: 41749391
Are these computers in a security group?  Right-click the gpo you created for this, go to the delegation tab, add the group that these computers are in then in the permissions make sure Apply group policy is selected.

ref link:  https://technet.microsoft.com/en-us/library/cc754542(v=ws.11).aspx
1
 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 0 total points
ID: 41749459
I just created a security group called "test group" -- added myself and station to it -- added test group to the delegation under the GPO i've created.  Rescheduled my timing for 5 minutes after my gpupdate /force -- same results.  Nothing showing in gpresult.html and no restore point was created.
0
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 41749467
Are you linking the GPO to an OU where the users or computers you want to apply the policies to are located? Or are you linking it to the OU the security group is located (with the users/computers in another OU)? GPOs don't apply to the groups in the OUs they are linked to. They will only apply to user objects or computer objects that are in the OUs they are linked to. If you want to restrict application by a group, you link the GPO to the OU with the users in it, then add the group to the GPO security filtering to prevent specific users from reading the policy.
1
 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 0 total points
ID: 41749496
I'm getting very confused reading your post, Adam.  Let me break it down as best I can:

I am a user.  My user in Active Directory Users and Computers is located here:  
DOMAIN -> City(OU) -> Laptops(OU)

I am a member of "test group" -- "test group" is located DOMAIN -> Groups(OU)  (in ADU&C)

In Group Policy Management -- Forest -> Domains -> Domain(our domain) -> City(OU) -> Test Group(OU?) -> GPO

I've attached how it's currently set up in a screenshot.  Am I doing something wrong here?  I get confused going between ADUC and GPM.
Blurred-GPO-Location.png
0
 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 0 total points
ID: 41749554
Furthermore -- Should I have this set to "Create" or "Update"?
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 41749567
The OUs in GPMC Reflect all your OUs in ADUC. Based on what you have there, Any computer objects that you move to the "Forest -> Domains -> Domain (your domain) -> City -> Test Group" OU in ADUC
will apply the policy where it is currently linked in GPMC.

My question was to make sure that you were not linking the GPO to the OU that held the group you wanted the GPO to apply to ((Your domain) > Groups OU), which is a common mistake.

The policy you show in your linked question is meant to apply only to Computer objects, so only Computer Objects in that Test Group OU will apply the policy. A user account that is located in that OU will not apply the policy because it contains Computer Configuration settings. So if you want that policy to apply to the computer you use, you would first need to find your Computer object in ADUC, then move it to the Test Group OU that you have the policy linked to. Once that's done, run
GPUpdate /Force
from your the computer that you moved the object for (don't run it on the Domain Controller). After the policy finishes applying, you should see the scheduled task show up in Task Scheduler.

Does that make sense?
1
 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 0 total points
ID: 41754325
It made more sense for sure.  I am just getting back to this project, I have added both my machine and my user account to the test group group.  Does test group have to be a member of something as well?  

I'm still not getting the group policy applied.  I appreciate all of your help so far.
0
 
LVL 38

Accepted Solution

by:
Adam Brown earned 250 total points
ID: 41754400
Test Group needs to be listed in the Security Filtering of the GPO. If you click on the GPO, you'll see the details screen on the right side of GPMC. If you click on the Scope tab, it will give you two more panes that show where the GPO is linked at the top and which users/computers/groups the policy applies to on the bottom. That one on the bottom is where you need to specify the Test Group as a group that can apply the policy. From there, once the GPO is linked to an OU with computers, only the computers that are a part of the Test Group will apply the policy.
1
 
LVL 1

Author Comment

by:Daniel Checksum
ID: 41754436
Thank you, i've added test group to the security filtering.  Will wait for Monday to find out if it worked or not, too close to the end of the workday to test now.
0
 
LVL 1

Author Comment

by:Daniel Checksum
ID: 41766974
We've decided to use another method to accomplish this.  Thank you to everyone who assisted.
0
 
LVL 1

Author Closing Comment

by:Daniel Checksum
ID: 41766975
Going a different route, thanks everyone.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now