group policy will not apply

    Question

  • Guys, I am having a strange group policy problem. I am using group policy preferences to control local admin user groups. This policy is a computer-based policy. The preference is configured with an action of update. I have several Windows 7 systems that will not apply the policy. All of these systems are in the same OU. If I run group policy results on a problem system via GPMC, I can see clearly where the policy is being applied. However, if I check the local groups on the workstation, nothing is updated. So I would like to ask: has anyone seen this before?
    Wednesday, March 9, 2016 10:30 PM

Answers

  • > something related to Preferences, which was an "apply once, but allow
    > the user to override the setting" if they manually changed it.
     
    Yes - if you check "apply only once". And for IE settings e.g. you are
    right - if we set a proxy through GPP internet settings, the user can
    change it afterwards.
     
    But changing group memberships requires admin rights, and if the user is
    admin, we are lost anyway :)
     
    Friday, March 11, 2016 12:13 PM
  • Hi,

    Most client-side extensions process Group Policy in the background (while the computer starts or the user logs on). However, some client-side extensions require processing before the computer completely starts or before the user logs on (synchronous). These extensions request synchronous processing from the Group Policy service and apply their policy settings on the next restart. The Folder Redirection and Software installation client-side extensions are known for this behavior. Reboot the computer to force a synchronous refresh.

    You could refresh group policy on these specific computers by running Gpupdate /force.

    For more information, you could take a look:

    Event ID 1112 — Application of Group Policy

    https://technet.microsoft.com/en-us/library/cc727266%28v=ws.10%29.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, March 14, 2016 4:01 AM
    Moderator

All replies

  • Use the "Restricted Groups" GPO setting, rather than controlling local admin user group membership through Group Policy preferences. Restricted Groups is a feature within all GPOs.

    Reference: http://www.windowsecurity.com/articles-tutorials/windows_os_security/Using-Restricted-Groups.html


    Best Regards, Todd Heron | Active Directory Consultant

    Thursday, March 10, 2016 12:41 AM
  • I will read up on the restricted groups. However, can you tell me why this can't be accomplished with preferences? It just seems like this should work.
    Thursday, March 10, 2016 1:47 AM
  • Hi,

    I have tested adding a domain user to the local admin group and succeeded with the actions below.

    1. Create a computer OU, and add the specific computers to the OU
    2. Open GPMC, right-click the computer OU and select "Create a GPO in this domain, and Link it here...", then type the name of the GPO
    3. Right-click the GPO and click Edit
    4. Right-click Local Users and Groups under the path below

    Computer Configuration\Preferences\Control Panel Settings

    5. Select New and click Local Group
    6. Action: Update, Group name: Administrators (built-in)
    7. Click Add, and type the user you want to add
    8. Then click OK, and click Apply
    9. Run GPUpdate /force on the client, then check the members of the Administrators group in Computer Management

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 10, 2016 9:22 AM
    Moderator
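To confirm on a client whether the procedure above actually changed anything, here is an added PowerShell script; it is not code from the thread or from Microsoft. It assumes an elevated prompt on the Windows 7 client, uses the placeholder member name CONTOSO\Workstation Admins for the account the GPO is supposed to add, and treats the Group Policy operational log event IDs it filters on as an assumption (the message-text match is the fallback).

```powershell
# Added example (not code from the thread or from Microsoft): verify on a
# Windows 7 client that a GPP "Local Users and Groups" item really changed the
# local Administrators group, and see whether the extension ran at all.
# Assumptions: run from an elevated PowerShell prompt on the client;
# 'CONTOSO\Workstation Admins' is a placeholder for the member the GPO adds.
param(
    [string]$ExpectedMember = 'CONTOSO\Workstation Admins'   # placeholder, replace it
)

# 1. Refresh the computer half of policy, as in the last step of the procedure.
#    The group item is a computer preference, so /target:computer is sufficient.
& gpupdate.exe /force /target:computer | Out-Null

# 2. Resolve the local Administrators group by its well-known SID (S-1-5-32-544)
#    so a renamed group is still found, then enumerate members through ADSI,
#    which works on Windows 7 (Get-LocalGroupMember needs Windows 10 / PS 5.1).
$sid       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value -replace '^BUILTIN\\', ''
$group     = [ADSI]"WinNT://./$groupName,group"
$members   = @($group.psbase.Invoke('Members') | ForEach-Object {
    # Each member is a COM object; read its ADsPath (WinNT://DOMAIN/name)
    # and turn it into the familiar DOMAIN\name form.
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) `
        -replace '^WinNT://', '' -replace '/', '\'
})

Write-Host "Members of local $groupName group:"
$members | ForEach-Object { Write-Host "  $_" }

if ($members -contains $ExpectedMember) {
    Write-Host "OK: '$ExpectedMember' is present, the preference item applied."
} else {
    Write-Warning "'$ExpectedMember' is missing, the preference item did not take effect."
}

# 3. Check the Group Policy operational log for the Local Users and Groups
#    client-side extension. The IDs are assumed to be the CSE start/finish
#    events (4016 started; 5016/6016/7016 finished); the message-text match
#    below is what actually selects the extension of interest.
$cseEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'
        Id      = 4016, 5016, 6016, 7016
    } -MaxEvents 300 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Local Users and Groups' } |
    Select-Object -First 4

if ($cseEvents) {
    $cseEvents | Format-Table TimeCreated, Id, Message -AutoSize -Wrap
} else {
    Write-Warning 'No Local Users and Groups extension events found; the item may not be in scope for this computer (check RSoP scoping and item-level targeting).'
}
```

If the membership check fails while the operational log shows the extension finishing without error, the item itself is the suspect (item-level targeting, the "apply once" flag, or the group name); if the extension never appears in the log, the item is not reaching the computer at all, which points back at scoping rather than at the client.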
  • I have already performed the above steps. The problem is the policy is not applying to certain workstations. All workstations are in the same OU. A large majority of them have the correct policy; however, some are not pulling the policy. So I'm trying to troubleshoot why. As stated, if I pull RSoP, it shows that the policy was pushed to the workstation. However, checking local groups shows zero changes. I wonder if I turn logging of preferences on on the client side whether that will give me more info. I did pull the below info from a client machine log that's not updating. The below error may not even have anything to do with my problem.

    The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
        <EventID>1112</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>1</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2016-03-10T03:16:49.566921200Z" />
        <EventRecordID>203080</EventRecordID>
        <Correlation ActivityID="{2AA037D2-2D67-45CF-A304-9A443C15EFF0}" />
        <Execution ProcessID="1180" ThreadID="3336" />
        <Channel>System</Channel>
        <Computer>test.company.com</Computer>
        <Security UserID="S-1-5-21-1063662291-1518012612-666385194-18848" />
      </System>
      <EventData>
        <Data Name="SupportInfo1">1</Data>
        <Data Name="SupportInfo2">4237</Data>
        <Data Name="ProcessingMode">2</Data>
        <Data Name="ProcessingTimeInMilliseconds">6459</Data>
        <Data Name="ErrorCode">1274</Data>
        <Data Name="ErrorDescription">The group policy framework should call the extension in the synchronous foreground policy refresh. </Data>
        <Data Name="DCName">\\testDC.company.com</Data>
        <Data Name="ExtensionName">Software Installation</Data>
        <Data Name="ExtensionId">{c6dc5466-785a-11d2-84d0-00c04fb169f7}</Data>
      </EventData>
    </Event>

    Thursday, March 10, 2016 10:36 AM
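The Event 1112 record pasted above can be decoded mechanically to see which client-side extension is asking for a synchronous foreground refresh. The following PowerShell script is an added example, not code from the thread or from Microsoft: it parses the event XML (the embedded sample is the poster's own record), flags error code 1274 using the description the event itself carries, and then runs the same decoding over any live 1112 records in the System log. The function name ConvertFrom-GpEvent1112 and the NeedsForegroundSync field are this example's own.

```powershell
# Added example (not code from the thread or from Microsoft): decode Event ID
# 1112 records so you can see which client-side extension asked for a
# synchronous foreground refresh. The embedded sample is the event pasted in
# the post above; ConvertFrom-GpEvent1112 works on live records as well.

function ConvertFrom-GpEvent1112 {
    param([Parameter(Mandatory = $true)][xml]$EventXml)

    # The event schema uses a default namespace, so XPath needs a prefix for it.
    $ns = New-Object System.Xml.XmlNamespaceManager $EventXml.NameTable
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    # Collect every <Data Name="..."> element of EventData into a hashtable.
    $data = @{}
    foreach ($d in $EventXml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText.Trim()
    }

    New-Object PSObject -Property @{
        TimeCreated      = $EventXml.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        Computer         = $EventXml.SelectSingleNode('/e:Event/e:System/e:Computer', $ns).InnerText
        ExtensionName    = $data['ExtensionName']
        ExtensionId      = $data['ExtensionId']
        ErrorCode        = [int]$data['ErrorCode']
        ErrorDescription = $data['ErrorDescription']
        ProcessingMode   = $data['ProcessingMode']   # reported raw, not interpreted
        DCName           = $data['DCName']
        # 1274 is the code in the sample: the extension must run in the
        # synchronous foreground refresh, i.e. at the next startup or logon.
        NeedsForegroundSync = ([int]$data['ErrorCode'] -eq 1274)
    }
}

# Constructed input: the record from the original post, copied verbatim.
$sampleXml = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1112</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-03-10T03:16:49.566921200Z" />
    <EventRecordID>203080</EventRecordID>
    <Correlation ActivityID="{2AA037D2-2D67-45CF-A304-9A443C15EFF0}" />
    <Execution ProcessID="1180" ThreadID="3336" />
    <Channel>System</Channel>
    <Computer>test.company.com</Computer>
    <Security UserID="S-1-5-21-1063662291-1518012612-666385194-18848" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">1</Data>
    <Data Name="SupportInfo2">4237</Data>
    <Data Name="ProcessingMode">2</Data>
    <Data Name="ProcessingTimeInMilliseconds">6459</Data>
    <Data Name="ErrorCode">1274</Data>
    <Data Name="ErrorDescription">The group policy framework should call the extension in the synchronous foreground policy refresh. </Data>
    <Data Name="DCName">\\testDC.company.com</Data>
    <Data Name="ExtensionName">Software Installation</Data>
    <Data Name="ExtensionId">{c6dc5466-785a-11d2-84d0-00c04fb169f7}</Data>
  </EventData>
</Event>
'@

$decoded = ConvertFrom-GpEvent1112 $sampleXml
$decoded | Format-List

# Tie the record back to the question: only an 1112 that names the Local Users
# and Groups extension would explain the group item itself being deferred.
if ($decoded.ExtensionName -eq 'Local Users and Groups') {
    Write-Host 'The group preference is waiting for a foreground refresh; reboot the client.'
} else {
    Write-Host "This 1112 is for '$($decoded.ExtensionName)'; a reboot clears it, but it does not by itself explain the unchanged group membership."
}

# Same decoding against the live System log (silently empty if no records exist).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1112 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-GpEvent1112 ([xml]$_.ToXml()) } |
    Format-Table TimeCreated, ExtensionName, ErrorCode, NeedsForegroundSync -AutoSize
```

For the sample record the output names Software Installation, so the script prints the second message: the event is real and a reboot will satisfy it, but it is not evidence about the Local Users and Groups item.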
  • You should not be using Group Policy Preferences to control access to groups. Group Policy Preferences are an "apply once, and then the local user control settings from there" kind of thing, meaning you don't have good control over Preferences; that is reason enough why it shouldn't work as you're trying to do. Microsoft has put forth several articles regarding controlling local group membership through the "Restricted Groups" GPO setting, rather than controlling local admin user group membership through Group Policy preferences. Restricted Groups is a feature within all GPOs.

    Reference: http://www.windowsecurity.com/articles-tutorials/windows_os_security/Using-Restricted-Groups.html



    Best Regards, Todd Heron | Active Directory Consultant

    • Proposed as answer by Todd Heron Friday, March 11, 2016 1:46 AM
    Friday, March 11, 2016 1:46 AM
  • > You should not be using Group Policy Preferences to control access to
    > groups.  Group Policy Preferences are an "apply once, and then the local
    > user control settings from there kind of thing", meaning you don't have
    > good control over Preferences,
     
    Todd, I totally disagree with that.
     
    Group Policy Preferences as well as restricted groups are processed with
    each GPO processing cycle. This will put all together as it is supposed
    to be, regardless of which method you are using.
     
    Restricted groups is legacy, doesn't support variables, has its bits on
    "cumulative or not" and it is slow. So I would always recommend to use GPP.
     
    Friday, March 11, 2016 11:25 AM
  • Hmmm...at some point in the past I thought it was GP Preferences, or something related to Preferences, which was an "apply once, but allow the user to override the setting" if they manually changed it.

    Best Regards, Todd Heron | Active Directory Consultant

    Friday, March 11, 2016 11:48 AM
  • Hi,

    On the client machine where the policy is not reflected, run GPUpdate /Force.

    http://biswajeetsccm.wordpress.com/

    Friday, March 11, 2016 12:21 PM
  • Very well, and succinctly explained Martin.  Thanks.

    Best Regards, Todd Heron | Active Directory Consultant

    Friday, March 11, 2016 12:48 PM