none
GPOs not listed

    Question

  • Hi

    Our GPOs seem to be frozen in time.

    What I mean by that is, if I change an existing GPO the changes don't apply to the affected users/PCs, and if I create a new one it doesn't even show up in the results from GPRESULT.

    Yesterday I created a test GPO and applied it to a test OU which contains a test account as well as my own day-to-day account. When I run GPResult against either account the GPO doesn't show up at all. GPUpdate /force makes no difference.

    However, if I run GP Modeling the new GPO does show up (albeit as Empty, which I'd expect because, you know, it's empty!), but not when I run the GP Results wizard.

    We have no known replication issues (Spotlight on AD, and MS SCOM), It's like only a subset of GPOs are being 'delivered' to client accounts (User or Computer).

    There are no processing errors in the client PCs' event viewer.

    Can anyone advise what might be going on here?


    • Edited by JPJ-UK Wednesday, July 15, 2015 10:03 AM
    Wednesday, July 15, 2015 9:04 AM

Answers

All replies

  • Hi

     Could you please check vmi filtering.and is "block inheritance" enabled,needs to be disabled,

    ALso check this 10 common problems causing gpo to not apply;

    http://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx

    Wednesday, July 15, 2015 10:22 AM
  • Hi,

    What about errors on DCs and is the Sysvol folder still accessible to all.

    \\DC1\ should list it. What is your Server version

    Troubleshooting Group Policy Problems:

    https://technet.microsoft.com/en-us/library/cc787386(v=ws.10).aspx

    Your Guide to Group Policy Troubleshooting

    https://technet.microsoft.com/en-us/magazine/2007.02.troubleshooting.aspx


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Wednesday, July 15, 2015 10:23 AM
  • Hi JPJ,

    Also check if you have added "authenticated users" or required users / groups or machine accounts in security filtering.

    - Umesh.S.K

    Wednesday, July 15, 2015 10:53 AM
  • Thanks for the response, Burak.

    We don't use WMI filtering at all.

    Very little Block Inheritance in use, and not at all in this part of the tree structure.

    Have seen that '10 common problems' already. It's good, but pretty sure doesn't apply.

    :-)

    Wednesday, July 15, 2015 11:51 AM
  • Thanks, Satyajit

    NETLOGON is available (which explains why many GPOs are working).

    Server 2008 Enterprise R2

    Wednesday, July 15, 2015 11:55 AM
  • Thank you, Umesh

    Yes, the security filtering looks fine (set to Authenticated Users on almost all GPOs). But even if the security filtering was the cause, the GPOs would still be listed but in the 'Not applied' section from the GPResult command's output...

    Wednesday, July 15, 2015 11:57 AM
  • hi JPJ,

    Do you see any error event log related to group policy on client machines?

    Wednesday, July 15, 2015 11:59 AM
  • None at all.

    Only a 6323 warning (Group Policy dependency (Network Location Awareness) did not start. As a result, network related features of Group Policy such as bandwidth estimation and response to network changes will not work), and a 6314 warning (Group policy bandwidth estimation failed. Group policy processing will continue. Assuming fast link).

    And lots of Information events (mostly 4017/5017 pairs).

    Wednesday, July 15, 2015 12:34 PM
  • > Yesterday I created a test GPO and applied it to a test OU which
    > contains a test account as well as my own day-to-day account. When I run
    > GPResult against either account the GPO doesn't show up at all. GPUpdate
    > /force makes no difference.
     
    You verified for user accounts - did you verify for computer accounts, too?
     
    If things are as I believe, you have "loopback replace" enabled :)
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, July 15, 2015 12:35 PM
  • Hi

     also you can check this Article about Troubleshooting Group Policy Using Event Logs;

    https://technet.microsoft.com/en-us/library/cc749336(v=ws.10).aspx

    Wednesday, July 15, 2015 12:40 PM
  • This is an opportunity to clarify a point I've always wondered about. When Loopback Processing is enabled, does it only apply to the GPO itself, or to all GPOs in the OU that the GPO is linked to? I've always assumed it's just the GPO itself (allowing for the effects it may have on others)

    We do have some GPOs with loopback processing, but they are linked to OUs containing computers (not to User OUs) in order to apply settings to users that happen to log on to those PCs.


    • Edited by JPJ-UK Wednesday, July 15, 2015 2:58 PM Clarification on my assumptions regarding loopback enabled GPOs
    Wednesday, July 15, 2015 2:50 PM
  • ...You verified for user accounts - did you verify for computer accounts, too?...

     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:

    As suggested, I created an empty GPO, and linked it to the OU for the PC that I'm running my tests on. The new test GPO appears in GPRESULTS for the computer...but also for the test user account running on said PC. So perhaps there is something going on with loopback processing in order for it to appear for the User Config part of the GPRESULT output...

    The first test GPO still doesn't appear however.

    Wednesday, July 15, 2015 3:03 PM
  • Well, I've checked both OUs, and none of the Link Enabled GPOs have loopback processing enabled.
    Wednesday, July 15, 2015 3:18 PM
  • > When Loopback Processing is enabled, does it only apply to the GPO
    > itself, or to all GPOs in the OU that the GPO is linked to? I've always
     
    It applies to the computer, not to GPOs. And it changes the evaluation
    of GPOs, sometimes in an unexpected but foreseeable way :)
     
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    • Marked as answer by JPJ-UK Wednesday, July 22, 2015 4:23 PM
    Thursday, July 16, 2015 1:17 PM
  • Well, much Kudos to Martin Binder. It was loopback processing causing great confusion. I had to create a new OU and put a PC and user account in it, then apply GPOs one-by-one until it 'broke' in the same way. Thankfully it didn't take long before I found the GPO causing the blockage, and that had Loopback Processing configured to Replace. I switched that to 'Merge' and now all is well and right in the world.

    Cheers to all who contributed.

    Wednesday, July 22, 2015 4:28 PM