RE: Group policy failing to take effect for specific OU

    Question

  • Hello guys. I have a problem relating to GPOs that do not get applied to a user object within only one specific OU. When I say it does not get applied, it's not that it reads all the others and filters this one out, but rather a lack of reading any policies linked to the user when it's in that OU. To investigate, I did some GPO simulations with the same user and computer object, but by selecting one of three DCs. When the user object is in any other OU, the simulations pass on all three DCs. When it's in this specific OU, the simulations fail for the user object, but only from two of the DCs. The DC with all the FSMO roles does the simulation successfully. At this stage I don't care about the actual policies anymore, since clearly something is very wrong with how the other two DCs process the GPOs linked to this OU. I attached a screenshot of the output from the simulation.

    I do not see any errors relating to group policies or Active Directory replication in the logs on the servers.

    Any ideas?

    Monday, August 31, 2015 9:26 AM

All replies

  • I did further testing. Created a new OU and linked two policies from the OU which does not seem to work. Logged on and this worked. However, as soon as I create a policy which makes use of Group Policy Preferences, the Server 2012 R2 DC can't find the policy, as outlined in the error above. The other two DCs still work when I simulate. Is there something about GPP I should know?
    Monday, August 31, 2015 10:35 AM
  • More testing revealed that if I unlink the GPP policy and wait for replication to take effect, the simulation passes on all the servers.
    Monday, August 31, 2015 10:56 AM
  • Not sure if I have understood your structure correctly, but from the screenshot, it seems the GPO failed to be replicated to all the DCs. Maybe SYSVOL replication is broken and the GPO's contents in SYSVOL are not replicated to every DC.

    Try to delete the GPO and create it again, then wait for replication. After that try again.

    This thread might be helpful: https://community.spiceworks.com/topic/443511-unable-to-read-the-gpt-ini-from-a-domain-controller

    Wednesday, September 02, 2015 9:36 AM
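
The reply above suspects that the GPO's SYSVOL contents did not reach every DC. As an added example (not part of the thread), this PowerShell compares, for each DC, every GPO's `versionNumber` in AD with the `Version` line of its `gpt.ini` in that DC's SYSVOL. It assumes the RSAT ActiveDirectory and GroupPolicy modules and read access to each DC's SYSVOL share.

```powershell
# Added example: per-DC consistency check between the AD and SYSVOL halves of each GPO.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are installed.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *
$gpos   = Get-GPO -All

$report = foreach ($gpo in $gpos) {
    $guid = '{' + $gpo.Id.ToString().ToUpper() + '}'
    $dn   = "CN=$guid,CN=Policies,CN=System,$($domain.DistinguishedName)"

    foreach ($dc in $dcs) {
        # AD side: the groupPolicyContainer object as this DC sees it
        $adVersion = $null
        try {
            $obj = Get-ADObject -Identity $dn -Server $dc.HostName `
                       -Properties versionNumber -ErrorAction Stop
            $adVersion = $obj.versionNumber
        } catch {
            # Object not present (or DC unreachable); reported below as missing in AD
        }

        # SYSVOL side: the Version= line in gpt.ini on this DC's own share
        $ini = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$guid\gpt.ini"
        $sysvolVersion = $null
        if (Test-Path -LiteralPath $ini) {
            $line = Get-Content -LiteralPath $ini |
                    Where-Object { $_ -match '^\s*Version\s*=\s*\d+' } |
                    Select-Object -First 1
            if ($line -match '=\s*(\d+)') { $sysvolVersion = [int]$Matches[1] }
        }

        $status = if ($null -eq $adVersion)          { 'Missing in AD' }
                  elseif ($null -eq $sysvolVersion)   { 'gpt.ini missing or unreadable' }
                  elseif ($adVersion -ne $sysvolVersion) { 'Version mismatch' }
                  else                                { 'OK' }

        [pscustomobject]@{
            Gpo = $gpo.DisplayName; DC = $dc.HostName
            ADVersion = $adVersion; SysvolVersion = $sysvolVersion; Status = $status
        }
    }
}

# Show only the GPO/DC pairs where the two halves disagree
$report | Where-Object Status -ne 'OK' | Sort-Object Gpo, DC | Format-Table -AutoSize
```

A GPO that shows `OK` on one DC and `gpt.ini missing or unreadable` on the others matches the pattern described in the question, where the simulation succeeds from only one DC.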
  • Try to replicate the GPO again and see if it works by logging in with another user. Also try to check the RSoP and see if the policy can be replicated.
    • Edited by Jacky Yau Friday, September 04, 2015 6:36 AM
    Wednesday, September 02, 2015 9:42 AM