  • Status: Solved
  • Priority: Medium
  • Security: Public

Group policy does not appear to be applying to workstations in group.

I've applied a group policy that is supposed to create a system restore point on a weekly basis.  In neither the production environment nor my test environment can I get the group policy to apply.  When I use the gpresult command I do not see my group policy at all.  I've run gpupdate /force on multiple occasions as well as probably 30 reboots since the policy was implemented.  gpupdate /force says I need to reboot but doesn't change anything after the reboot.

This is the other EE question I posted and was advised to cross-post to try to find a group policy expert.  I can't find any kind of group policy tags with which to tag this question.

https://www.experts-exchange.com/questions/28961031/I'd-like-to-set-a-group-policy-forcing-a-weekly-system-restore-point-creation.html?anchor=a41749366#a41749366
0
Asked by: Daniel Checksum
8 Solutions
 
FOX (Active Directory/Exchange Engineer) Commented:
Are these computers in a security group?  Right-click the GPO you created for this, go to the Delegation tab, add the group that these computers are in, then in the permissions make sure Apply group policy is selected.

ref link:  https://technet.microsoft.com/en-us/library/cc754542(v=ws.11).aspx
1
 
Daniel Checksum (Author) Commented:
I just created a security group called "test group" -- added myself and station to it -- added test group to the delegation under the GPO I've created.  Rescheduled my timing for 5 minutes after my gpupdate /force -- same results.  Nothing showing in gpresult.html and no restore point was created.
0
 
Adam Brown (Sr Solutions Architect) Commented:
Are you linking the GPO to an OU where the users or computers you want to apply the policies to are located? Or are you linking it to the OU the security group is located in (with the users/computers in another OU)? GPOs don't apply to the groups in the OUs they are linked to. They will only apply to user objects or computer objects that are in the OUs they are linked to. If you want to restrict application by a group, you link the GPO to the OU with the users in it, then add the group to the GPO security filtering to prevent specific users from reading the policy.
1
 
Daniel Checksum (Author) Commented:
I'm getting very confused reading your post, Adam.  Let me break it down as best I can:

I am a user.  My user in Active Directory Users and Computers is located here:  
DOMAIN -> City(OU) -> Laptops(OU)

I am a member of "test group" -- "test group" is located DOMAIN -> Groups(OU)  (in ADU&C)

In Group Policy Management -- Forest -> Domains -> Domain(our domain) -> City(OU) -> Test Group(OU?) -> GPO

I've attached how it's currently set up in a screenshot.  Am I doing something wrong here?  I get confused going between ADUC and GPM.
Blurred-GPO-Location.png
0
 
Daniel Checksum (Author) Commented:
Furthermore -- Should I have this set to "Create" or "Update"?
0
 
Adam Brown (Sr Solutions Architect) Commented:
The OUs in GPMC reflect all your OUs in ADUC. Based on what you have there, any computer objects that you move to the "Forest -> Domains -> Domain (your domain) -> City -> Test Group" OU in ADUC will apply the policy where it is currently linked in GPMC.

My question was to make sure that you were not linking the GPO to the OU that held the group you wanted the GPO to apply to ((Your domain) > Groups OU), which is a common mistake.

The policy you show in your linked question is meant to apply only to Computer objects, so only Computer Objects in that Test Group OU will apply the policy. A user account that is located in that OU will not apply the policy because it contains Computer Configuration settings. So if you want that policy to apply to the computer you use, you would first need to find your Computer object in ADUC, then move it to the Test Group OU that you have the policy linked to. Once that's done, run
GPUpdate /Force
from the computer that you moved the object for (don't run it on the Domain Controller). After the policy finishes applying, you should see the scheduled task show up in Task Scheduler.

Does that make sense?
1
 
Daniel Checksum (Author) Commented:
It made more sense for sure.  I am just getting back to this project, I have added both my machine and my user account to the test group group.  Does test group have to be a member of something as well?  

I'm still not getting the group policy applied.  I appreciate all of your help so far.
0
 
Adam Brown (Sr Solutions Architect) Commented:
Test Group needs to be listed in the Security Filtering of the GPO. If you click on the GPO, you'll see the details screen on the right side of GPMC. If you click on the Scope tab, it will give you two more panes that show where the GPO is linked at the top and which users/computers/groups the policy applies to on the bottom. That one on the bottom is where you need to specify the Test Group as a group that can apply the policy. From there, once the GPO is linked to an OU with computers, only the computers that are a part of the Test Group will apply the policy.
1
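
The two conditions described in the answers above (the computer object sits under the OU where the GPO is linked, and a trustee that includes the computer is listed in Security Filtering), checked with the ActiveDirectory and GroupPolicy PowerShell modules. This is an added example, not part of the original thread; the workstation name and GPO name are hypothetical placeholders, and only direct group membership is resolved.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory and
# GroupPolicy modules; run from an admin workstation with domain read access.
Import-Module ActiveDirectory, GroupPolicy

$ComputerName = 'WS-EXAMPLE01'          # hypothetical workstation name
$GpoName      = 'Weekly Restore Point'  # hypothetical GPO display name

# 1. Locate the computer object. A Computer Configuration GPO reaches it only
#    through a link on its own OU or on a parent OU/domain.
$computer  = Get-ADComputer -Identity $ComputerName
$container = ($computer.DistinguishedName -split ',', 2)[1]
if ($container -like 'CN=*') {
    # Default containers such as CN=Computers cannot hold GPO links,
    # so only domain-level links can apply; evaluate at the domain instead.
    $container = (Get-ADDomain).DistinguishedName
}

# 2. Is the GPO among the links inherited at that location, and is the link enabled?
$link = (Get-GPInheritance -Target $container).InheritedGpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }

# 3. Security Filtering = trustees holding the "Apply group policy" permission.
$applyTrustees = @(Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' })

# 4. Does the computer match one of those trustees? Compare by SID.
#    Only direct group membership is resolved here; nested groups are not.
$sids  = @(Get-ADPrincipalGroupMembership -Identity $computer |
    ForEach-Object { $_.SID.Value })
$sids += $computer.SID.Value   # the computer account listed directly
$sids += 'S-1-5-11'            # Authenticated Users includes every domain computer
$matching = @($applyTrustees | Where-Object { $sids -contains $_.Trustee.Sid.Value })

# Summary: both GpoInScope and ComputerIsTrustee must be True for the GPO to apply.
[pscustomobject]@{
    Computer          = $computer.Name
    EvaluatedAt       = $container
    GpoInScope        = [bool]$link
    LinkEnabled       = [bool]($link -and $link.Enabled)
    LinkedAt          = if ($link) { $link.Target } else { $null }
    ApplyTrustees     = $applyTrustees.Trustee.Name -join ', '
    ComputerIsTrustee = $matching.Count -gt 0
    MatchedTrustee    = $matching.Trustee.Name -join ', '
}
```

On the workstation itself, `gpresult /r /scope computer` run from an elevated prompt reports the computer-side result, including GPOs that were filtered out and the reason. A computer picks up a new group membership only after it restarts.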
 
Daniel Checksum (Author) Commented:
Thank you, I've added test group to the security filtering.  Will wait for Monday to find out if it worked or not, too close to the end of the workday to test now.
0
 
Daniel Checksum (Author) Commented:
We've decided to use another method to accomplish this.  Thank you to everyone who assisted.
0
 
Daniel Checksum (Author) Commented:
Going a different route, thanks everyone.
0
