Group Policy not applying randomly

    Question

  • Hi.

    We have 2 Windows Server 2012 R2 domain controllers (+DNS server+WINS). We installed those new servers in February 2015. Problems started in December 2015.

    180 client desktop computers with Windows 7 Pro 32bit.

    Problem: about 10% of user computers are not applying their GPOs. Some users suffer the problem more than others.

    The troubleshooting is: run “gpupdate /force” on the problematic desktop.

    Things we have tested: brand new user & computer GPOs (no success)

    There is one curious thing: the first time we apply the new GPOs the problem disappears, but it comes back again the next day.

    Here is a sample gpsvc.log file from one of the failing desktops.

    https://dl.dropboxusercontent.com/u/4639713/gpsvc%20-%20copia20160223.log

     

    Any advice?

     

    Thanks in advance.

    Tuesday, February 23, 2016 12:22 PM

All replies

  • Hi,

    I cannot open the file you provided. Would you mind running GPresult /h <file path> and posting it?

    Thank you,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, February 24, 2016 9:31 AM
    Moderator
  • Hi.
    Here is a zip file with netlogon.log , gpsvc.log and gpreport.html files.

    https://dl.dropboxusercontent.com/u/4639713/gpo-error.zip

    By the way, the log file previously shared using Dropbox public links has problems when opened with Firefox. You can open/download it using Internet Explorer or Google Chrome.

    Regards.
               Juanjo
    Thursday, February 25, 2016 7:07 AM
  • Hi Juanjo,

    I noticed that these GPOs are denied by security filtering.

    Have you configured any security filtering?

    Best Regards,

    Jay




    Thursday, February 25, 2016 10:20 AM
    Moderator
  • GPOs are applied using OUs.

    We have not configured any security filtering.

    Our user (in this case) is in OU: 

    euskolege.pv/USUARIOS-win7/Bilkurak

    And the computer is in OU:

    euskolege.pv/Equipos/win7-mahai

    Thursday, February 25, 2016 1:42 PM
  • Hi Juanjo,

    A security group, user or computer must have both Read and Apply Group Policy permissions for a policy to be applied. By default, all users and computers have these permissions for all new Group Policy Objects. These permissions are inherited from their membership in the implicit group Authenticated Users. An authenticated user is any user (or computer) that has logged on to the domain and been authenticated.

    So I suggest you check security filtering on the GPO and the delegation.

    Here are two articles that may be helpful to you.

    Policy settings incorrectly applied or denied due to security filtering

    https://technet.microsoft.com/en-us/library/cc759506(v=ws.10).aspx

    Security filtering using GPMC

    https://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx

    Best Regards,

    Jay



    Friday, February 26, 2016 2:25 AM
    Moderator
  • Those are the security filters applied (for all the GPOs). Default security filtering and delegation.

    Friday, February 26, 2016 8:04 AM
  • Hi Juanjo,

    To make sure, have you configured User Configuration in a GPO which is linked to a computer OU?

    If yes, the problem may be caused by this.

    You could only configure Computer Configuration in a GPO which is linked to a computer OU.

    Best Regards,

    Jay



    Tuesday, March 01, 2016 3:15 AM
    Moderator
  • Created a very simple computer GPO in a new OU and moved some computers there.

    First time the new GPO was used correctly. Next and following days some GPOs failed to apply.

    Thursday, March 03, 2016 4:47 PM
  • > First time the new GPO was used correctly. Next and following days some
    > GPOs failed to apply.
     
    Click on the Details tab - what does it say about AD and sysvol version
    numbers? Possibly sysvol replication is broken...
     
    Thursday, March 03, 2016 5:03 PM
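The AD and SYSVOL version numbers asked about in the reply above can also be compared outside the GPMC Details tab. This is an added example, not code from the thread: it assumes the GPO's versionNumber attribute and the text of its GPT.INI have already been read from each domain controller. The readings are constructed; only the DC names come from the thread.

```python
import configparser

def split_version(value):
    """Split a GPO version number into (user, computer) revision counters.
    The upper 16 bits count user-side edits, the lower 16 bits computer-side edits."""
    value = int(value)
    return value >> 16, value & 0xFFFF

def sysvol_version(gpt_ini_text):
    """Read Version= from the [General] section of a GPT.INI file's text."""
    parser = configparser.ConfigParser()
    parser.read_string(gpt_ini_text)
    return parser.getint("General", "Version")

def version_mismatches(readings):
    """readings: {dc_name: (ad_versionNumber, gpt_ini_text)}.
    Returns a list of findings; an empty list means every copy agrees."""
    findings, decoded = [], {}
    for dc, (ad_value, ini_text) in sorted(readings.items()):
        ad = split_version(ad_value)
        sysvol = split_version(sysvol_version(ini_text))
        decoded[dc] = (ad, sysvol)
        if ad != sysvol:
            findings.append("%s: AD (user, computer) %s != SYSVOL %s" % (dc, ad, sysvol))
    if len(set(decoded.values())) > 1:
        findings.append("domain controllers disagree: %r" % (decoded,))
    return findings

# Constructed readings for one GPO: srv2012-dc2 holds an older SYSVOL copy.
SAMPLE_READINGS = {
    "srv2012-dc1": (196611, "[General]\nVersion=196611\n"),
    "srv2012-dc2": (196611, "[General]\nVersion=131075\n"),
}

if __name__ == "__main__":
    for finding in version_mismatches(SAMPLE_READINGS):
        print(finding)
```

A mismatch that persists after replication has had time to converge points at SYSVOL replication rather than at the console.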
  • Tuesday, March 08, 2016 7:37 AM
  • Previous screenshot is from the srv2012-dc1 domain controller. (We have 2 domain controllers.)

    And srv2012-dc2 shows the following:

    Tuesday, March 08, 2016 7:41 AM
  • There was an MMC GPO Management console refresh problem.

    After closing and opening (mmc) 3 times both controllers showed the same policy name and version.

    Tuesday, March 08, 2016 9:12 AM
  • > There was an MMC GPO Management console refresh problem.
     
    I assume this was rather a replication delay with your DCs - anyway :)
     
    Wednesday, March 09, 2016 11:50 AM
  • We have monitored replication for several days and it shows no errors.

    We use:  repadmin /showrepl *

    We have been checking gpsvc.log log file differences on failing computers and we see that some messages are missing on those computers.

    This message pattern:

    PSVC(45c.5c4) 07:57:36:342 GetWbemServices: CoCreateInstance succeeded
    GPSVC(45c.5c4) 07:57:36:352 ConnectToNameSpace: ConnectServer returned 0x0
    GPSVC(45c.5c4) 07:57:36:362 CSessionLogger::Log: restoring old security grps
    GPSVC(45c.5c4) 07:57:36:412 LogRsopData: Successfully logged Rsop data
    GPSVC(45c.5c4) 07:57:36:412 ProcessGPOs: Logged Rsop Data successfully.

    Or this one:

    GPSVC(47c.d20) 07:55:25:081 GetWbemServices: CoCreateInstance succeeded
    GPSVC(47c.ed4) 07:55:25:081 GetWbemServices: CoCreateInstance succeeded
    GPSVC(47c.d20) 07:55:25:081 ConnectToNameSpace: ConnectServer returned 0x0
    GPSVC(47c.ed4) 07:55:25:081 ConnectToNameSpace: ConnectServer returned 0x0
    GPSVC(47c.d20) 07:55:25:097 LogExtSessionStatus: Successfully logged Extension Session data
    GPSVC(47c.d20) 07:55:25:097 CSessionLogger::Log: restoring old security grps
    GPSVC(47c.ed4) 07:55:25:097 LogExtSessionStatus: Successfully logged Extension Session data
    GPSVC(47c.ed4) 07:55:25:097 CSessionLogger::Log: restoring old security grps
    GPSVC(47c.d20) 07:55:25:128 LogRsopData: Successfully logged Rsop data
    GPSVC(47c.d20) 07:55:25:128 ProcessGPOs: Logged Rsop Data successfully.
    GPSVC(47c.ed4) 07:55:25:159 LogRsopData: Successfully logged Rsop data
    GPSVC(47c.ed4) 07:55:25:159 ProcessGPOs: Logged Rsop Data successfully.

    Is missing on computers with failing GPOs.

    Does anybody know what it means?

    Tuesday, March 15, 2016 7:15 AM
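The comparison described in the post above can be automated across collected gpsvc.log files. This is an added example, not code from the thread: it tracks the RSoP logging sequence per thread and reports the first message each thread failed to reach. The HEALTHY sample is the first pattern as posted; the FAILING sample is constructed.

```python
import re

# Milestones of the RSoP logging sequence, in the order the post lists them.
MILESTONES = [
    "GetWbemServices: CoCreateInstance succeeded",
    "ConnectToNameSpace: ConnectServer returned",
    "LogRsopData: Successfully logged Rsop data",
    "ProcessGPOs: Logged Rsop Data successfully.",
]
# "G?" accepts the post's first line, which lost its leading "G" ("PSVC(...)").
LINE_RE = re.compile(r"^\s*G?PSVC\(([0-9a-f]+\.[0-9a-f]+)\)\s+"
                     r"\d\d:\d\d:\d\d:\d{3}\s+(.*)$", re.IGNORECASE)

def rsop_status(log_text):
    """Map each 'pid.tid' in the log to its first missing milestone (None = complete)."""
    progress = {}  # thread -> index of the next milestone expected
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, msg = m.group(1), m.group(2).strip()
        idx = progress.setdefault(thread, 0)
        if idx == len(MILESTONES) or not msg.startswith(MILESTONES[idx]):
            continue
        # A ConnectServer result other than 0x0 is a failure, not progress.
        if idx == 1 and msg.split()[-1] != "0x0":
            continue
        progress[thread] = idx + 1
    return {t: MILESTONES[i] if i < len(MILESTONES) else None
            for t, i in progress.items()}

def rsop_logged(log_text):
    """True when at least one thread logged the whole sequence."""
    return any(v is None for v in rsop_status(log_text).values())

# First pattern from the post, copied as posted.
HEALTHY = """\
PSVC(45c.5c4) 07:57:36:342 GetWbemServices: CoCreateInstance succeeded
GPSVC(45c.5c4) 07:57:36:352 ConnectToNameSpace: ConnectServer returned 0x0
GPSVC(45c.5c4) 07:57:36:362 CSessionLogger::Log: restoring old security grps
GPSVC(45c.5c4) 07:57:36:412 LogRsopData: Successfully logged Rsop data
GPSVC(45c.5c4) 07:57:36:412 ProcessGPOs: Logged Rsop Data successfully.
"""
# Constructed sample: one thread stops early, one never starts the sequence.
FAILING = """\
GPSVC(45c.5c4) 07:57:36:342 GetWbemServices: CoCreateInstance succeeded
GPSVC(45c.5c4) 07:57:36:352 ConnectToNameSpace: ConnectServer returned 0x0
GPSVC(45c.9f0) 07:57:36:400 (constructed placeholder) unrelated message
"""
print(rsop_logged(HEALTHY), rsop_status(FAILING))
```

Knowing which milestone is the first one missing on a failing desktop narrows the search to the WMI connection or to the RSoP write itself.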
  • > We use:  repadmin /showrepl *
     
    This does NOT help - repadmin only deals with AD replication, not with
    SYSVOL replication. On all your DCs check FRS and DFSR eventlogs.
     
     
    Tuesday, March 15, 2016 8:47 AM
  • FRS event log is showing only informational events.

    We are not using DFS for sysvol replication.

    Tuesday, March 15, 2016 10:46 AM