Solved

Group policy does not appear to be applying to workstations in group.

Posted on 2016-08-09
11
55 Views
Last Modified: 2016-08-23
I've applied a group policy that is supposed to create a system restore point on a weekly basis. In neither the production environment nor my test environment can I get the group policy to apply. When I use the gpresult command I do not see my group policy at all. I've run gpupdate /force on multiple occasions, as well as probably 30 reboots since the policy was implemented. gpupdate /force says I need to reboot but doesn't change anything after the reboot.

This is the other EE question I posted and was advised to cross-post to try to find a group policy expert.  I can't find any kind of group policy tags with which to tag this question.

https://www.experts-exchange.com/questions/28961031/I'd-like-to-set-a-group-policy-forcing-a-weekly-system-restore-point-creation.html?anchor=a41749366#a41749366
0
Question by:Daniel Checksum
11 Comments
 
LVL 16

Assisted Solution

by:FOX
FOX earned 250 total points
Are these computers in a security group? Right-click the GPO you created for this, go to the Delegation tab, add the group that these computers are in, then in the permissions make sure Apply group policy is selected.

ref link:  https://technet.microsoft.com/en-us/library/cc754542(v=ws.11).aspx
1
 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 0 total points
I just created a security group called "test group" -- added myself and station to it -- added test group to the delegation under the GPO I've created. Rescheduled my timing for 5 minutes after my gpupdate /force -- same results. Nothing showing in gpresult.html and no restore point was created.
0
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
Are you linking the GPO to an OU where the users or computers you want to apply the policies to are located? Or are you linking it to the OU the security group is located (with the users/computers in another OU)? GPOs don't apply to the groups in the OUs they are linked to. They will only apply to user objects or computer objects that are in the OUs they are linked to. If you want to restrict application by a group, you link the GPO to the OU with the users in it, then add the group to the GPO security filtering to prevent specific users from reading the policy.
1
 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 0 total points
I'm getting very confused reading your post, Adam.  Let me break it down as best I can:

I am a user.  My user in Active Directory Users and Computers is located here:  
DOMAIN -> City(OU) -> Laptops(OU)

I am a member of "test group" -- "test group" is located DOMAIN -> Groups(OU)  (in ADU&C)

In Group Policy Management -- Forest -> Domains -> Domain(our domain) -> City(OU) -> Test Group(OU?) -> GPO

I've attached how it's currently set up in a screenshot.  Am I doing something wrong here?  I get confused going between ADUC and GPM.
Blurred-GPO-Location.png
0
 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 0 total points
Furthermore -- Should I have this set to "Create" or "Update"?
0

 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
The OUs in GPMC reflect all your OUs in ADUC. Based on what you have there, any computer objects that you move to the "Forest -> Domains -> Domain (your domain) -> City -> Test Group" OU in ADUC will apply the policy where it is currently linked in GPMC.

My question was to make sure that you were not linking the GPO to the OU that held the group you wanted the GPO to apply to ((Your domain) > Groups OU), which is a common mistake.

The policy you show in your linked question is meant to apply only to Computer objects, so only Computer Objects in that Test Group OU will apply the policy. A user account that is located in that OU will not apply the policy because it contains Computer Configuration settings. So if you want that policy to apply to the computer you use, you would first need to find your Computer object in ADUC, then move it to the Test Group OU that you have the policy linked to. Once that's done, run
GPUpdate /Force
from the computer that you moved the object for (don't run it on the Domain Controller). After the policy finishes applying, you should see the scheduled task show up in Task Scheduler.

Does that make sense?
1
 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 0 total points
It made more sense for sure.  I am just getting back to this project, I have added both my machine and my user account to the test group group.  Does test group have to be a member of something as well?  

I'm still not getting the group policy applied.  I appreciate all of your help so far.
0
 
LVL 38

Accepted Solution

by:
Adam Brown earned 250 total points
Test Group needs to be listed in the Security Filtering of the GPO. If you click on the GPO, you'll see the details screen on the right side of GPMC. If you click on the Scope tab, it will give you two more panes that show where the GPO is linked at the top and which users/computers/groups the policy applies to on the bottom. That one on the bottom is where you need to specify the Test Group as a group that can apply the policy. From there, once the GPO is linked to an OU with computers, only the computers that are a part of the Test Group will apply the policy.
1
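The scoping conditions raised in the answers above (the GPO linked to the OU that holds the computer object, a group listed in Security Filtering, the computer a member of that group) can be checked from PowerShell. This is an added example, not part of the original thread; the GPO name is a hypothetical placeholder and the RSAT GroupPolicy and ActiveDirectory modules are assumed to be installed.

```powershell
# Added example: checks the GPO scoping conditions discussed in this thread.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules are installed.
Import-Module GroupPolicy, ActiveDirectory

$GpoName      = 'Weekly Restore Point'  # hypothetical name; use your GPO's display name
$ComputerName = $env:COMPUTERNAME       # workstation that should receive the policy

# 1. Locate the computer object. Computer Configuration settings follow
#    this object's position in the directory, not the logged-on user's.
$computer = Get-ADComputer -Identity $ComputerName
$parentDn = ($computer.DistinguishedName -split ',', 2)[1]

# 2. Is the GPO linked to that OU or inherited from a parent?
#    Default CN= containers cannot hold links, so fall back to the domain root.
$target = $parentDn
if ($parentDn -like 'CN=*') { $target = (Get-ADDomain).DistinguishedName }
$link = (Get-GPInheritance -Target $target).InheritedGpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }

# 3. Security Filtering: trustees holding "Apply group policy" on the GPO.
$applySids = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Sid.Value }

# 4. Direct group memberships of the computer account
#    (nested groups are not expanded here).
$memberSids = @(Get-ADPrincipalGroupMembership -Identity $computer |
    ForEach-Object { $_.SID.Value })
$memberSids += 'S-1-5-11'   # Authenticated Users includes every domain computer

# All of GpoLinkedInScope, LinkEnabled and FilterMatches must be True
# for the computer to apply the policy.
[pscustomobject]@{
    Computer         = $computer.Name
    ObjectLocation   = $parentDn
    GpoLinkedInScope = [bool]$link
    LinkEnabled      = [bool]($link | Where-Object Enabled)
    FilterMatches    = [bool]($applySids | Where-Object { $_ -in $memberSids })
}
```

A computer account picks up new group membership at startup, so reboot the workstation after adding it to the filtering group, then confirm with `gpresult /r /scope computer` from an elevated prompt.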
 
LVL 1

Author Comment

by:Daniel Checksum
Thank you, I've added test group to the security filtering.  Will wait for Monday to find out if it worked or not, too close to the end of the workday to test now.
0
 
LVL 1

Author Comment

by:Daniel Checksum
We've decided to use another method to accomplish this.  Thank you to everyone who assisted.
0
 
LVL 1

Author Closing Comment

by:Daniel Checksum
Going a different route, thanks everyone.
0
