none
Why some server Group Policy that should be applied is Denied with the reason Inaccessible ?

    Question

  • People,

    I have a problem with Windows GPO not being applied in some of my servers in the single AD domain. There are multiple different subnets for each different site offices spread out geographically, when I set the GPO through Headquarter DC/GC HQDC01, I have successfully configure the Windows Update policy for 80% of the servers in all of the AD sites, but somehow there are some server that is not getting the WSUS GPO applied ?

    For the Windows server that has been updated successfully: GPResult /R shows that the WSUS GPO comes from the domain controllers HQDC01 For the Windows server that has NOT been working: GPResult /R shows that there is no WSUS GPO applied and the domain controllers points to PRODDC03-VM and the GPO is listed under Denied GPOs with the reason Inaccessible.

    Head Office AD Site: HQDC01 - Windows Server 2012 R2 Domain Controllers FSMO role holder (PDC, RID & Infrastructure master)

    Data Center AD Site: PRODDC01-VM Windows Server 2008 R2 Domain Controllers (Schema master) PRODDC03-VM Windows Server 2008 R2 Domain Controllers (Domain naming master) Any help would be greatly appreciated to assist me in troubleshooting the GPO above.

    Thanks.


    /* Server Support Specialist */

    Friday, September 18, 2015 7:29 AM

Answers

  •      

    Hi,

    If possible, please share the screenshot of gpresult /h C:\result.html here for troubleshooting purpose.

    Additionally, please double-check the permissions in AD and SYSVOL (GPC and GPT) for that GPO and ensure that the computer account/user have at least read permission on the GPO.

     
    The permissions on the GPO or on folders in the path to the Group Policy template might be insufficient for it to be accessed and read.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Monday, September 21, 2015 6:10 AM
    Moderator
  • Hi,

    Does your WSUS GPO has any security filtering? It usually happenes when the Server/User(Where the GPO will be applied) does not have read and apply GPO permission.          

    Every GPO has two components, GPC and GPT. GPT part stored in the file system under SYSVOL share. You can find them here:

    \\DomainNameHere\SYSVOL\Policies

    GPC part stored in the AD, so you can edit their permissions with ADUC. Enable Advanced Features in the View menu, and browse System\Policies.

    Please share the GPO sessing and GPresult /V >gp.txt output


    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Monday, September 21, 2015 7:09 AM

All replies

  • > there is no WSUS GPO applied and the domain controllers points to
    > *PRODDC03-VM *and the GPO is listed under *Denied GPOs* with the reason
    > */Inaccessible/*.
     
    Either AD or sysvol are suffering from replication issues. Check
    repadmin and Event Logs.
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Friday, September 18, 2015 10:08 AM
  •      

    Hi,

    If possible, please share the screenshot of gpresult /h C:\result.html here for troubleshooting purpose.

    Additionally, please double-check the permissions in AD and SYSVOL (GPC and GPT) for that GPO and ensure that the computer account/user have at least read permission on the GPO.

     
    The permissions on the GPO or on folders in the path to the Group Policy template might be insufficient for it to be accessed and read.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Monday, September 21, 2015 6:10 AM
    Moderator
  • Hi,

    Does your WSUS GPO has any security filtering? It usually happenes when the Server/User(Where the GPO will be applied) does not have read and apply GPO permission.          

    Every GPO has two components, GPC and GPT. GPT part stored in the file system under SYSVOL share. You can find them here:

    \\DomainNameHere\SYSVOL\Policies

    GPC part stored in the AD, so you can edit their permissions with ADUC. Enable Advanced Features in the View menu, and browse System\Policies.

    Please share the GPO sessing and GPresult /V >gp.txt output


    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Monday, September 21, 2015 7:09 AM
  • Hi,
     
    I'm just writing to check how's everything going? If you have any questions or needed further help on this issue, please feel free to post back.
     
    Thanks,
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Thursday, September 24, 2015 3:18 AM
    Moderator
  • Hi,
     
    I'm marking the reply as answer as there has been no update for a couple of days.
     
    If you come back to find it doesn't work for you, please reply to us and unmark the answer.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Monday, September 28, 2015 7:02 AM
    Moderator