GPO applied but not taking effect

    Question

  • I am testing Terminal server HOST (RDS 2012).
    Particularly, LOCKDOWN settings for Remote Users.
    Found nice article with the list of settings to apply and clear description.
    So first thing: Loopback is enabled. Then configured the stuff like no access to CP, hide C: drive, etc...

    GPO is properly applied - checked when user is logged in to the RDSH. From user session gpresult -r, User config part shows LOCKDOWN_policyname. For me it means Loopback applied user settings of User part of GPO applied on OU where TS server resides.

    Then checked Resultant in GPMC. No errors, everything looks nice but no effect on logged in user. When logged in, user can access CP and see restricted drives.

    What to check?...

    Thanks.

    --- When you hit a wrong note it's the next note that makes it good or bad. --- Miles Davis

    Tuesday, October 06, 2015 4:37 PM

Answers

  • the problem found....

    There is one GPO that appears corrupted. This GPO has tons of settings and generally does the job (it is critical for organization).

    It's not me who is responsible for it. So I didn't want to touch it at all.

    And I clearly saw that my GPO is applied....

    In brief, I found that one corrupted GPO can prevent others from taking effect...

    Here is the error by GPO SID; I know now what this is. I temporarily disabled it ... and bingo...

    **************************************************

    Microsoft Windows [Version 6.3.9600]
    (c) 2013 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>gpupdate /force
    Updating policy...

    Computer Policy update has completed successfully.
    User Policy could not be updated successfully. The following errors were encount
    ered:

    The processing of Group Policy failed. Windows could not apply the registry-base
    d policy settings for the Group Policy object LDAP://CN=User,cn={DD0BC53F-5DEC-4
    247-B308-56445BF44BAB},cn=policies,cn=system,DC=xxxxxxx,DC=xxxxx,DC
    =xx,DC=xx. Group Policy settings will not be resolved until this event is resolv
    ed. View the event details for more information on the file name and path that c
    aused the failure.

    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
    rom the command line to access information about Group Policy results.

    C:\Windows\system32>^A


    --- When you hit a wrong note it's the next note that makes it good or bad. --- Miles Davis

    Thursday, October 08, 2015 12:42 PM
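
A diagnostic for the failure described in this answer, as an added example that is not part of the original post: it collects the GPO GUIDs named in recent Group Policy client errors in the System log, resolves them to display names, and checks each GPO's Registry.pol header in SYSVOL. It assumes a domain account session (`USERDNSDOMAIN` set), the GroupPolicy module, and the standard SYSVOL layout.

```powershell
# Added example. Run elevated on the RDSH server; Get-GPO needs the GroupPolicy module.
Import-Module GroupPolicy -ErrorAction SilentlyContinue
$guidPattern = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'

# Group Policy client errors (2) and warnings (3) from the last 24 hours.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-GroupPolicy'
    Level        = 2, 3
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# Pull every GPO GUID named in those events.
$failing = $events |
    ForEach-Object { [regex]::Matches($_.Message, $guidPattern) } |
    ForEach-Object { $_.Value.ToUpper() } |
    Sort-Object -Unique

$domain = $env:USERDNSDOMAIN   # assumption: session of a domain account
foreach ($guid in $failing) {
    $gpo = Get-GPO -Guid $guid.Trim('{}') -ErrorAction SilentlyContinue
    foreach ($side in 'User', 'Machine') {
        # Assumption: standard SYSVOL layout for the GPO's policy files.
        $pol = "\\$domain\SYSVOL\$domain\Policies\$guid\$side\Registry.pol"
        if (-not (Test-Path -LiteralPath $pol)) { continue }
        $bytes = [System.IO.File]::ReadAllBytes($pol)
        # A valid Registry.pol starts with ASCII 'PReg' followed by DWORD version 1.
        $ok = $bytes.Length -ge 8 -and
              [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4) -ceq 'PReg' -and
              [System.BitConverter]::ToUInt32($bytes, 4) -eq 1
        [pscustomobject]@{
            Gpo         = $gpo.DisplayName
            Guid        = $guid
            Side        = $side
            Bytes       = $bytes.Length
            HeaderValid = $ok
        }
    }
}
```

A row with `HeaderValid` false (including a zero-byte file) identifies the policy file to repair or restore, which matters here because the lockdown GPO showed as applied in `gpresult` while its settings were not enforced.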

All replies

  • Hi pob579,

    Thanks for your post.

    You may also follow the article to

    check the Scope Tab on the Group Policy Object

    check the security filtering

    if use of WMI filter

    check related GPO permissions.

    Here is the link for more details.

    10 Common Problems Causing Group Policy To Not Apply

    http://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx

    Best Regards,

    Mary Dong



    Wednesday, October 07, 2015 5:39 AM
    Moderator
  • Mary, thanks for the link...

    Sure, I went through all 10 points. Really good summarization of possible GPO execution issues.

    Unfortunately, after confirming that I don't have any of the described problems, my GPO doesn't work.

    I am saying again that LOOPBACK is enabled for this GPO object. So it could bring additional problem...

    1. Is my conclusion below correct for saying that the Loopback policy applied correctly:

    When a user establishes a remote session, gpresult -r shows the name of the GPO object that should be applied in the list of Applied Group Policy Objects in the User Settings part (Computer is not listed and it is normal).

    The GPO is applied to Terminal Server HOST (RDS2012 R2) OU. It includes User Settings that should be applied to Users by LOOPBACK setting.

    For me the fact that I can see the GPO in the Applied list of User Settings means that it is applied.

    Is it right?

    Why they do not take effect is the other question...

    2. What it could be?


    --- When you hit a wrong note it's the next note that makes it good or bad. --- Miles Davis

    Wednesday, October 07, 2015 2:14 PM
  • GPRESULT -R

    on left: domain user on local computer

    on right: the same user connected to RDSH server.

    Loopback is in Replace mode.

    RDS Server LockDOWN GPO applied to RDSH server appears in User Settings part.

    Local OS is Windows 7 (French). Remote Session to Server 2012 R2 En.

    What to do?

    Thanks.


    --- When you hit a wrong note it's the next note that makes it good or bad. --- Miles Davis



    • Edited by pob579 Wednesday, October 07, 2015 4:28 PM
    Wednesday, October 07, 2015 4:08 PM