GPO Not Applying Like It Should

Folks,

My GPOs are not working the way they're supposed to. I'm trying to map drives via GPO and I've done a combination of targeting a specific OU and Item-level Targeting (one, the other, both, none) to only apply to either a specific Security Group or OU. I've linked it to the OU, used Security Filtering, none working. The only thing that seems to work is if I place the GPO at the parent level right under the domain and set filtering to Authenticated Users. No OU has inheritance blocked. No GP or GPO is set to Enforced. I'm lost here.

I have a mixed environment with two 2008 servers and two 2016 servers. Forest and Domain functional level is 2008 R2.

I've never had GPO issues like this in other environments before, so I'm inclined to think it's either something incredibly simple I'm looking over or something is broken.
Michael LPr. SysadminAsked:
Who is Participating?
 
Britt ThompsonConnect With a Mentor Sr. Systems EngineerCommented:
If you run a gpresult as admin and the policy isn't showing at all and your not seeing any indication in the event logs showing a failure applying the GPO, then the GPO isn't getting applied for whatever reason.

If this is a test OU and there's only the one user in the OU, I suggest starting from scratch with a new GPO and no changes to the securities. Once you confirm the GPO is applying, start trimming the security by adding your item-level targeting.
0
 
Britt ThompsonSr. Systems EngineerCommented:
When setting up the security on the GPO, make sure you have something in the delegation list to allow the machines the users are logging into to read the GPO. Although a mapped drive policy is a user based policy, the machines must be allowed to see the policy for it to apply. That's why setting authenticated users allows the maps to work. If you use authenticated users in the delegation and then use item-level targeting to apply to the subset of users you need you should be able to get it working as you expect.
0
 
Michael LPr. SysadminAuthor Commented:
I'm pretty sure I added Domain Computers in Delegation, but I'm doing it all again. I've relinked the GPO to a test OU where my test group resides. Security Filtering has Authenticated Users in it, Delegation has Authenticated Users and Domain Computers (and other admin groups and SYSTEM). I removed Item-level Targeting. I'll let it sit for a few minutes to make sure it gets a chance to propagate. Anything I'm missing while I wait?
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Britt ThompsonSr. Systems EngineerCommented:
Security filtering is what I mean when adding the delegation. So, you should just need to add authenticated users there and then manage the item-level targeting to a group of users. All the defaults under delegation should be fine out of the box.

Propagation time will get you, as will mapped drives or drives that already contain the same drive letter. If those drives already exist or there's a script that maps drives on top of the GPO, you'll get beat up by the results. If you had a script in place that mapped drives, make sure you create some deletes in your GPO to delete the existing mapped drives prior to the new maps occurring. This happens from top to bottom in the GPO so make sure your drive deletes happen first. If you have a script somewhere out there or there's a profile based AD script applied to users, make sure it's gone before banging your head against the wall with the GPO.
0
 
Michael LPr. SysadminAuthor Commented:
I cleared the scripts on my accounts and disconnected all mapped drives so this wouldn't be a conflict. So, you mean I should add Domain Computers to Security Filtering and leave Delegation default?
0
 
Britt ThompsonSr. Systems EngineerCommented:
if you have authenticated uses in the security filtering section (the default setting) that actually includes Domain Computers so you don't have to add it explicitly.
0
 
Michael LPr. SysadminAuthor Commented:
A couple gpupdate /force and relogs later and the GPO still isn't applied to my test OU :(
0
 
RobertSystem AdminCommented:
Try running a gpresult /h C:\temp\report.html this should generate a report that will show what policies are applying and not applying and the reason they are not.
0
 
Michael LPr. SysadminAuthor Commented:
I do a gpresult /r after every logon and no the GPO isn't showing as being applied. Still isn't applying.
0
 
Britt ThompsonConnect With a Mentor Sr. Systems EngineerCommented:
Just to be sure - your test user account is inside this test ou? Also, is the domain controller you're creating the GPO on in the same site as your workstation? If you have multiple DC's have you confirmed the GPO has replicated to all servers?

You can go to \\SERVERNAME\SYSVOL\Policies on each DC to see if the GUID for your GPO matches any of the folders. If you see nothing in gpresult it may not be replicated yet. Or, make sure you're running gpresult as admin to ensure you're seeing all the details.
0
 
Michael LPr. SysadminAuthor Commented:
Test account is in the test Security Group, which is in the test OU.
The DC is servicing the site this subnet is in.
Checked all the DCs' policy folders and the matching GUID folder is in them all.
0
 
MaheshConnect With a Mentor ArchitectCommented:
two things here

U have applied policy to users, but added domain computers in security filtering, this is not going to work
your users must be reside in same ou as policy applied or under sub OU of that OU, now either you place authenticated users under security filtering or place security group there containing users there else policy will not work
If you don't want / or cannot place policy on Ou where user account resides, apply policy to domain level and replace security filetring with security group containing test users, it will work because when you apply policy at domain level you are targeting all locations with security filtering

The other option could be link your policy to OU containing computers with default security filtering as authenticated users and enable loop back processing in same GPO, now no matter whoever logs on to computer, he should get the policy
enable loopback processing:
https://support.microsoft.com/en-in/help/231287/loopback-processing-of-group-policy
0
 
Michael LPr. SysadminAuthor Commented:
@Britt Thompson - I started from scratch, GPO still being dumb.

@Mahesh - I've tried linking to Domain, too, but I'll try it again. The only change I made when I linked it to the Domain was removed Auth Users from Security Filters and added the test security group named Test-GPO. I'll report my results in a few...

Thanks so far!
0
 
Michael LPr. SysadminAuthor Commented:
Still nothing. I'm going to add Authenticated Users to the Delegation tab and wit to see what happens. If that works, I'll see if I can further target an OU with Item-level Targeting in the GPO settings.
0
 
MaheshArchitectCommented:
make sure the ou where test user exists, gpo inheritance is not blocked on that ou, else policy will get blocked
0
 
Michael LPr. SysadminAuthor Commented:
Some progress:

The domain level linked GPO applies, but is denied to users in the Test-GPO I have targeted by the GPO. Users outside of the test group do not get the GPO applied to them. The GPO does not apply to the targeted users when I RDC into a server.

Edit: Inheritance is not blocked.

Update 1: Ran another gpupdate and results changed from "Denied" to "Not applied (empty)" which makes sense because there are no settings configured.
Update 2: Added Drive Mapping and gpresult now shows GPO being applied, not empty, but the drive's not mapping "yet".
Update 3: GPO drive mapping is applying to everything but domain controllers now.
0
 
MaheshArchitectCommented:
the policy will apply to domain controller only if test user logon to dc
how u r mapping drives, through gp preferences, correct?

in that case edit gp preferences item and on common tab select "run in logged on user security context" and then check with gpupdate etc
0
 
Michael LPr. SysadminAuthor Commented:
I added my admin account to the test group and still will not apply when RDCing into a DC. I am mapping via GP Preferences, yes. I do have "run in logged on user security context" checked :)
0
 
Michael LPr. SysadminAuthor Commented:
Well, it works when applied at the domain level, but still not from the OU level. Closing this question for now. Thanks all!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.