GPO not applied

    Question

  • Hello,

    I deployed a policy from the central Forefront Client Security server to an OU "Test".

    In Active Directory I see this policy on the OU.

    I do not see any settings applied to the servers within this OU.

    What could be the cause?

    Other policies are applied; only the FCS one does not show.

    Any way to see a failure or error in a log for the non-application of this policy?

    Thanks,

    DOm


    System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

    Friday, February 15, 2013 6:33 PM

All replies

  • Hello,

    From the client event log I got:

    The description for Event ID 5313 from source Microsoft-Windows-GroupPolicy cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    CCP Test GP

    Denied (Security)

    CCP Root GP - Top Level

    Denied (Security)

    CareConnect Root

    Not Applied (Empty)

    FCS-Default Policy-{5650d82e-4286-4833-9116-a924723c61ea}-2

    Not Applied (Empty)

    FCS-CareConnect Citrix Servers-{ceeb0709-81d3-46d7-b3aa-fd243d77e7b9}-2

    Not Applied (Empty)

    <GPO ID="{D404188B-6881-43C9-8DC2-10EA55729817}">
      <Name>CCP Test GP</Name>
      <Version>-65521</Version>
      <SOM>LDAP://OU=Test,OU=EHRCTX,OU=CareConnect,OU=Windows,OU=Servers,DC=ad</SOM>
      <FSPath>\\ad\sysvol\ad\Policies\{D404188B-6881-43C9-8DC2-10EA55729817}\User</FSPath>
      <Reason>DENIED-SECURITY</Reason>
    </GPO>
    <GPO ID="{66ACBC50-B1FC-487C-96B9-5EC39FEBEC94}">
      <Name>CCP Root GP - Top Level</Name>
      <Version>-65372</Version>
      <SOM>LDAP://OU=EHRCTX,OU=CareConnect,OU=Windows,OU=MITS Servers,DC=ad</SOM>
      <FSPath>\\ad\SysVol\ad\Policies\{66ACBC50-B1FC-487C-96B9-5EC39FEBEC94}\User</FSPath>
      <Reason>DENIED-SECURITY</Reason>
    </GPO>
    <GPO ID="{2A6161CE-E9E4-4A5A-A6C3-56822E46A46B}">
      <Name>CareConnect Root</Name>
      <Version>0</Version>
      <SOM>LDAP://OU=CareConnect,OU=Windows,OU=MITS Servers,DC=ad</SOM>
      <FSPath>\\ad\SysVol\ad\Policies\{2A6161CE-E9E4-4A5A-A6C3-56822E46A46B}\User</FSPath>
      <Reason>NOTAPPLIED-EMPTY</Reason>
    </GPO>
    <GPO ID="{46613A6C-F85F-4186-BA8C-CA1EE7EB52F0}">
      <Name>FCS-Default Policy-{5650d82e-4286-4833-9116-a924723c61ea}-2</Name>
      <Version>0</Version>
      <SOM>LDAP://OU=Windows,OU=MITS Servers,DC=ad</SOM>
      <FSPath>\\ad\SysVol\ad\Policies\{46613A6C-F85F-4186-BA8C-CA1EE7EB52F0}\User</FSPath>
      <Reason>NOTAPPLIED-EMPTY</Reason>
    </GPO>
    <GPO ID="{2EC690DE-9661-47A2-B7BF-69C37F309971}">
      <Name>FCS-CareConnect Citrix Servers-{ceeb0709-81d3-46d7-b3aa-fd243d77e7b9}-2</Name>
      <Version>0</Version>
      <SOM>LDAP://OU=Test,OU=EHRCTX,OU=CareConnect,OU=Windows,OU=MITS Servers,DC=ad</SOM>
      <FSPath>\\ad\SysVol\ad\Policies\{2EC690DE-9661-47A2-B7BF-69C37F309971}\User</FSPath>
      <Reason>NOTAPPLIED-EMPTY</Reason>
    </GPO>

    The handle is invalid

    Any idea?

    Thanks,

    DOm



    Friday, February 15, 2013 6:55 PM
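
Added example (not part of the original thread): the Event ID 5313 payload quoted in the post above is a run of sibling GPO elements, each with a Reason code. The Python sketch below parses a constructed payload of the same shape and reports, per GPO, which half of the GPO was read (the last component of FSPath) and why it was skipped; the function names, sample values and hint wording are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of the Event ID 5313 payload quoted above.
# Names, GUIDs and paths are placeholders, not values from the thread.
SAMPLE = (
    '<GPO ID="{11111111-1111-1111-1111-111111111111}"><Name>Example Test GP</Name>'
    '<Version>3</Version><SOM>LDAP://OU=Test,DC=example</SOM>'
    r'<FSPath>\\example\sysvol\example\Policies\{11111111-1111-1111-1111-111111111111}\User</FSPath>'
    '<Reason>DENIED-SECURITY</Reason></GPO>'
    '<GPO ID="{22222222-2222-2222-2222-222222222222}"><Name>Example AV Policy</Name>'
    '<Version>0</Version><SOM>LDAP://OU=Test,DC=example</SOM>'
    r'<FSPath>\\example\sysvol\example\Policies\{22222222-2222-2222-2222-222222222222}\User</FSPath>'
    '<Reason>NOTAPPLIED-EMPTY</Reason></GPO>'
)

# Usual reading of the two reason codes that appear in the post (wording is ours).
HINTS = {
    "DENIED-SECURITY": "security filtering: no Read + Apply Group Policy right on the GPO",
    "NOTAPPLIED-EMPTY": "GPO has no settings for the side being processed",
}

def parse_filtered_gpos(payload):
    """Return one dict per <GPO> element in a 5313-style payload."""
    # The payload is a run of sibling elements, so wrap it in a single root.
    root = ET.fromstring("<GPOs>" + payload.strip() + "</GPOs>")
    rows = []
    for gpo in root.findall("GPO"):
        fspath = gpo.findtext("FSPath", "")
        reason = gpo.findtext("Reason", "")
        rows.append({
            "id": gpo.get("ID"),
            "name": gpo.findtext("Name", ""),
            "som": gpo.findtext("SOM", ""),
            # Last path component is the GPO half that was read: User or Machine.
            "side": fspath.rstrip("\\").rsplit("\\", 1)[-1],
            "reason": reason,
            "hint": HINTS.get(reason, "unrecognised reason code"),
        })
    return rows

def group_by_reason(rows):
    """Map each reason code to the GPO display names that reported it."""
    grouped = defaultdict(list)
    for row in rows:
        grouped[row["reason"]].append(row["name"])
    return dict(grouped)

if __name__ == "__main__":
    for row in parse_filtered_gpos(SAMPLE):
        print(f'{row["side"]:8} {row["reason"]:17} {row["name"]} -> {row["hint"]}')
```
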
  • Hello,

    I think it is a setting under Computer Configuration > Administrative Templates, but I am not sure which one would prevent a GPO from being processed?

    I tried to enable Computer Configuration > Administrative Templates > System > Group Policy > User Group Policy loopback processing mode on one computer to get my GPO applied, but it is not applied (http://seclists.org/basics/2007/Oct/40).

    Any idea?

    Thanks,

    Dom







    • Edited by Felyjos Friday, February 15, 2013 10:09 PM
    Friday, February 15, 2013 8:03 PM
  • Hello,

    The higher top OU has "Block Inheritance"; could it be the issue?

    The deployment for groups works fine, but it always fails for OUs with

    FCS-CareConnect Citrix Servers-{ceeb0709-81d3-46d7-b3aa-fd243d77e7b9}-2

    Not Applied (Empty)

    message

    Any idea?

    Thanks,

    Dom



    Saturday, February 16, 2013 3:31 PM
  •  

    The description for Event ID 5313 from source Microsoft-Windows-GroupPolicy cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

     


    Looks like the GPO is referring to something that isn't available on your client computer.
    Sunday, February 17, 2013 11:08 PM
  • Hi,

    If only the Forefront Client Security (FCS) Group Policy cannot work normally, please submit a new question to the following forums. In this way, your issue can be fixed effectively.

    Forefront Forums

    http://social.technet.microsoft.com/Forums/en-US/category/forefront

    Regards,


    Arthur Li

    TechNet Community Support

    Monday, February 18, 2013 5:16 AM
  • Hello,

    No, several GPOs are not applied; it is not only Forefront Client Security.

    I tried the same policy on a different OU and it is still not applied...

    Thanks,

    Dom





    • Edited by Felyjos Wednesday, February 20, 2013 12:11 AM
    Tuesday, February 19, 2013 4:36 PM
  • On 16.02.2013 16:31, Felyjos wrote:
    >
    > FCS-CareConnect Citrix Servers-{ceeb0709-81d3-46d7-b3aa-fd243d77e7b9}-2
    >
    > Not Applied (Empty)
    >
     
    So, if you look at that GPO in GPMC Settings tab - what settings are there?
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Wednesday, February 20, 2013 8:09 PM
  • These are the settings expected...

    Thanks,
    DOm




    • Edited by Felyjos Thursday, February 21, 2013 10:10 PM
    Thursday, February 21, 2013 10:09 PM
  • Hello,

    Apparently there are several issues within the OU GPO lists:

    1. FCS Default Policy appears twice, one of them is enforced!!!

    2. Moving the OU up in the tree makes the policy applied.

    Some questions:

    Does Forefront Client Security enforce the policy deployed? What is the setting?

    How could we get two policies with the same name, same guid-2 on the same OU?

    Thanks,

    DOm



    Friday, February 22, 2013 2:14 AM
  •  
    >
    > Does Forefront Client Security enforce the policy deployed? What is
    > the setting?
    >
     
    Does FCS deal with policies? I don't think so...
     
    > How could we get two policies with the same name, same guid-2 on the
    > same OU?
    >
     
    Check the "Details" tab in GPMC. There you see the GPO "Unique ID" - are
    these the same for both of them? (Names don't matter for GPOs, they are
    just display names and do not need to be unique...)
     
    regards, Martin
     

    Friday, February 22, 2013 1:29 PM
  • "Does FCS deal with policies? I don't think "

    Yes, as we deploy policies from the FCS central servers to clients. They appear as GPOs in Active Directory.

    The "Details" look the same for both policies...

    Regards,

    Dom




    • Edited by Felyjos Friday, February 22, 2013 6:25 PM
    Friday, February 22, 2013 6:23 PM

  • System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

    Friday, February 22, 2013 6:24 PM
  •  
    > The "Details" look the same for both policies...
     
    Ah we are talking about a policy LINK only - a GPO can be linked
    multiple times to multiple OUs ;-) No problem in that.
     

    Monday, February 25, 2013 8:20 PM