none
Problem with GPO applying settings

    Question

  • I have created a new GPO for WSUS that include all the windows update setting. Previously these setting were being applied by the Default Domain Group Policy. 2 problem's 1st if the enforced is removed from the Default Domain Group Policy or the WSUS GPO that I created the Citrix server connection to our AIM database doesn't connect, Checked the logon policy which maps the network drives to the AIM database seem fine, when the enforced is applied then the connection is restored. The settings tab doesn't reveal the setting in the policy that is  causing the problem. Can't seem to figure out what is causing this problem.

    2nd the Default domain policy, computer section, administrative templates, Windows Components, Windows Update is overwriting the "Specifies an intranet server to host updates from Microsoft Update" and sets the option to "0" in the registry which I believe is disabled. I have set this to not configured and still will not apply the intranet server information in the registry on the client computers even thou this setting is enabled in the WSUS GPO that I created. Have move the WSUS to the top of the list which had no effect. Enforced the WSUS GPO did work but I would like not to use the force, is there another way to accomplish this would using forced?  I have run the gpresult /h and nothing jumped out at me as to the cause of the problems.

    Any help would be greatly appreciated.




    • Edited by jdope Friday, March 20, 2015 9:40 PM
    Friday, March 20, 2015 8:54 PM

Answers

  • Hi,

    Before going further, please make sure that Block Inheritance is not enabled on the OU where the computer accounts reside. Besides, please double confirm that this is not caused by another GPO in our domain. We can check this by running command gpresult/h report.html with administrative privileges without enforcing the GPO and to see which GPO is the winning one for the settings.

    Best regards,
    Frank Shen 


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, March 23, 2015 7:38 AM
    Moderator

All replies

  • Hi,

    Before going further, please make sure that Block Inheritance is not enabled on the OU where the computer accounts reside. Besides, please double confirm that this is not caused by another GPO in our domain. We can check this by running command gpresult/h report.html with administrative privileges without enforcing the GPO and to see which GPO is the winning one for the settings.

    Best regards,
    Frank Shen 


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, March 23, 2015 7:38 AM
    Moderator
  • I noticed that 2 OU's,

    1.  Citrix has Block Inheritance "Enabled" when looking at the settings Enforced is set to No, and Link Enabled set to Yes within the Citrix - Computer Policy with the Security Filtering set to "Authenticated Users" the same setting are set for Citrix - Users Policy.

    2.  XenDesktop had the Block Inheritance enabled. XenDesktop - Computer, XenDesktop - Users and XenDesktop Best Practices,  the 3 have the same setting's as the GPO listed above.

    Looking further at the 2 GPO's listed above, I don't believe that they are problem because these GPO's only target certain computer's. 1st GPO: Citrix: CITRIX-1, CITRIX-2, Computers....2nd GPO: XenDisktop: Win07-01 - Win07-04 and Gold-Image, Computers.

    The Security Filtering for both is set to Authenticated Users.

    I'm going to remove the Block Inheritance and run the command gpresult/h report.html

    Question: Is the above command run on the server that is enforcing group policies? A Domain Controller?





    • Edited by jdope Monday, March 23, 2015 5:38 PM
    Monday, March 23, 2015 3:18 PM
  • Gpresult /h is ran on the affected computer . You can do this from your DC to gather information on a remote computer but you need to use the gpresults wizard built into GPMC or on a computer running rsat tools.
    Monday, March 23, 2015 9:31 PM
  • Hi,

    >>Question: Is the above command run on the server that is enforcing group policies? A Domain Controller?

    On the server which is enforcing or applying the group policy settings.

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, March 24, 2015 1:14 AM
    Moderator