none
Group policies are set correctly on server, but failing to arrive at some servers in the OU, when others do.

    Question

  • I have a Windows 2008 R2 single domain forest.  I have a problem deploying settings to devices in the forest, where only 29 devices of 500 are picking up new WSUS settings.  We frequently have problems getting new settings to certain devices. 

    For example, I have four Exchange servers in an OU with identical GPO settings configured through GPMC and two of them receive their new GPO settings and two don't.  The servers are in two different datacentres, but the two that report are in different ones and the ones that don't report are right next to them in the same VLAN.  Running GPUPDATE /FORCE doesn't have any effect. Sometimes rebooting the server will effect the change but it then reverts to the old settings within a few hours.

    Similarly we have PC VLANs that aren't picking any settings either, despite being rebooted regularly.

    Any ideas would be very helpful?

    Thursday, February 05, 2015 11:24 AM

Answers

  • Hi Brian,

    Based on your description, please run command gpresult/h report.html on the troubled machines to collect group policy to check this. Note, to collect computer part settings, we need to run the command with admin privileges.

    Alternative, we can use Group Policy Result Wizard in GPMC on domain controllers to remotely collect group policy result report:

    1. On domain controller, click Start -> Run, type GPMC.MSC, it will load the GPMC console.

    2. Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper user in the wizard)

    3. Right click the resulting group policy result and click the "Save Report…" => save report to save the report to a HTML file.

    If necessary, when you get the report, you may upload it to the Skydrive and provide the download link for us to troubleshoot the issue.

    Best regards,

    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, February 06, 2015 6:34 AM
    Moderator

All replies

  • Hi Brian,

    Based on your description, please run command gpresult/h report.html on the troubled machines to collect group policy to check this. Note, to collect computer part settings, we need to run the command with admin privileges.

    Alternative, we can use Group Policy Result Wizard in GPMC on domain controllers to remotely collect group policy result report:

    1. On domain controller, click Start -> Run, type GPMC.MSC, it will load the GPMC console.

    2. Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper user in the wizard)

    3. Right click the resulting group policy result and click the "Save Report…" => save report to save the report to a HTML file.

    If necessary, when you get the report, you may upload it to the Skydrive and provide the download link for us to troubleshoot the issue.

    Best regards,

    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, February 06, 2015 6:34 AM
    Moderator
  • Hi Brian,

    How is it going? Is there any progress with the situation? If you need further help regarding the situation, please don't hesitate to let us know.

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, February 11, 2015 2:20 AM
    Moderator
  • Sorry for the late reply. We traced the problem to a replication issue between different domain controllers. The DC healthcheck tool was giving us a false positive so we had dismissed this as an issue.  We eventually traced the exact problem to a corrupt GPO which was preventing replication.  We deleted it and recreated it and everything started working again.
    Tuesday, April 28, 2015 9:02 AM