One computer in the domain not getting all the Group Policy Objects

one computer is only getting the Default Domain policy and local policy.  The other GPO's are not there.
I verified it is in the correct OU.  I am logged on as a local admin and I am an Domain Admin.
J.R. SitmanIT DirectorAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ITguy565Commented:
Log in with an account other than a local admin account on the box and see if the computer pulls the policies.
Aaron GuilmetteTechnology Solutions ProfessionalCommented:
Try running GPRESULT /R on the affected computer when logged in as the affected user, or GPRESULT /R /USER <DOMAIN\AFFECTEDUSER> /S <AFFECTEDSYSTEM> to generate the RSoP report.  It should tell you what policies are inherited and applied and which are filtered out.

Alternatively, you can run the Result Set of Policies or Group Policy Modeling tool from the Group Policy Management Console (gpmc.msc).

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc758010(v=ws.10)
GPMC.png
ITguy565Commented:
When you logged in with an account other than the Administrator, did the filtered policies apply?
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

J.R. SitmanIT DirectorAuthor Commented:
Logged in as a non admin user the policies did show up, but not all of them.  I am researching the one that did not.  Any thoughts?

I did run Gpresult /r
Aaron GuilmetteTechnology Solutions ProfessionalCommented:
If you're not familiar with evaluating the results of GPRESULT /R, the GPMC modeling wizard and RSoP tool in the Group Policy Management Console rolls it into an easier-to-digest report.
Shaun VermaakTechnical SpecialistCommented:
Authenticated User have Read rights?
J.R. SitmanIT DirectorAuthor Commented:
I have Authenticated user, but how do I check the "rights"
Shaun VermaakTechnical SpecialistCommented:
You edit GPO, open Properties and click on the Security tab
J.R. SitmanIT DirectorAuthor Commented:
Yes, they have "Read" permission.

I just noticed one problem.  I added a new GPO, linked to Authenticated users.  Did a gpupdate /force on a computer.  did Gpresult /r and the new GPO is not there?
Shaun VermaakTechnical SpecialistCommented:
GPO applying to correct object? Correct object type in the location GPO linked?
J.R. SitmanIT DirectorAuthor Commented:
See attached

gpo
Shaun VermaakTechnical SpecialistCommented:
Is it a user GPO? If so it will not apply because I assume those OUs have computers in them.

PS: I would not create OUs per OS. You can target OS with GPO WMI filtering/item level filtering
J.R. SitmanIT DirectorAuthor Commented:
It is actually a computer GPO.  I am trying to get information every time a user logs on or off the computer
ITguy565Commented:
J.R. SitmanIT DirectorAuthor Commented:
Thanks, but I need to get this working.  I works at our other 2 locations.   I've even compared the settings.  I "know" I am missing something, just what?
ITguy565Commented:
JR, can you provide the settings portion of the GPO object. I don't need any scripts, but I have a feeling what the problem is has already been presented.
J.R. SitmanIT DirectorAuthor Commented:
Not sure exactly what you want but see if this is it.

settings
ITguy565Commented:
OK, so that helps.

If you log onto the machine locally and run :
Active Administrator 8.2 Workstation Audit Agent.msi what happens? Does the script run without issue?


If the script completes and the audit begins to work, then we can focus on the GPO.

If the script "does not" run successfully then we have to look at access either to the Active Administrator Server or to the script location.

In addition to this, is this a user level script or a computer level script? Please verify that on one of your working boxes as you said you had this running in two other locations.
ITguy565Commented:
After you have verified that.. Check where it is applied. I would assume you have this applied to a test OU and not to a production OU for testing. If that isn't the case I would highly recommend that you create a test OU to test this policy so we don't take a chance on advertantly causing issues with other boxes that may get the GPO.
ITguy565Commented:
  • Move a Test computer to the Test OU and then attempt to run the policy.
  • Run GPupdate /Force on the workstation.
  • Run GPresult /R on the Workstation and see if the policy attempts to run or if it is filtered.
  • If the Policy is filtered then you just need to determine what access right you are missing. If the policy doesn't show then you need to determine why the policy isn't being pushed to the workstation.
  • I would check the event log as a starting point on that workstation to determine what if any errors you see related to GPO.
J.R. SitmanIT DirectorAuthor Commented:
ok, give me some time to set up a test OU.  Then run some tests
J.R. SitmanIT DirectorAuthor Commented:
when I run Gpresult /r why does it not always show the GPO's applied to the computer.  e.g. it show no computer settings.
ITguy565Commented:
What operating system are you trying to apply this to?
J.R. SitmanIT DirectorAuthor Commented:
7 and 10
ITguy565Commented:
For testing, use the Windows 7 machine. Once you get it working on seven will work on 10.
ITguy565Commented:
Let me know how the test goes on seven
ITguy565Commented:
J.R. SitmanIT DirectorAuthor Commented:
I ran the gpresult.exe /H gp_report.html.   But have no idea where it put the report?
ITguy565Commented:
It placed the report in the root of where you ran the command from
J.R. SitmanIT DirectorAuthor Commented:
found the report.   It states no errors detected.
ITguy565Commented:
Review the last link I put up
J.R. SitmanIT DirectorAuthor Commented:
The GPO is installing on all computers now.  What I did was remove the OU's from the GPO.  Closed GPMC.  Opened it back up and readded the OU's for some odd reason this worked.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ITguy565Commented:
Glad you were able to get it resolved.
J.R. SitmanIT DirectorAuthor Commented:
you were very helpful.  Do you know why if I log on as a domain Admin, the gpresult /r does not give the true results?
ITguy565Commented:
Some policies don't apply to local admins. Or domain admins.
Aaron GuilmetteTechnology Solutions ProfessionalCommented:
It depends a lot of things:

  • whether it's a user or computer policy that's configured
  • where it's been configured and scoped correctly (is it a user policy configured that was applied to a computer container or vice versa)
  • if "No Override" or "disable inheritance" have been selected
  • security group (typically user, but can be computer) filtering or WMI filtering
  • if a "Deny" ACL has been set
  • if a GPO closer to the affected object has a conflicting setting
  • if loopback processing is enabled

So, if you're logging on to a computer as yourself that you think should have a policy applied but isn't, the first thing you should check is whether or not the policy is targeted to include your user account (for example, if the IT admin account you're using to test with exists in OU=admins,DC=domain,DC=com but the policy is linked to OU=Marketing,OU=Users,DC=domain,DC=com, the policy will NEVER apply to you).  That's what the GPResult /User <domain\username> parameter exists--so you can test RSoP against that particular user.

There are some good tools over on GPO Guy (https://sdmsoftware.com/gpoguy/free-tools/library/) that can help in troubleshooting application as well.  The GPO modeling wizard is very helpful because it can help you understand what policies *should* apply to particular users or computers based on their OUs, simulated group memberships, and more.
Shaun VermaakTechnical SpecialistCommented:
Some policies don't apply to local admins. Or domain admins.
All policies by default apply to Authenticated which includes Local Admins and Domain Admins
J.R. SitmanIT DirectorAuthor Commented:
one thing I found out is that if you do not rum CMD as Administrator the computer results do not show up.

Thanks for all the help.   My post 42515583, fixed my issue.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.