none
GPO fails, GPresult reports reason for failure as Not Applied (Unknown Reason)

    Question

  • Windows Server 2012 R2, I have a GPO for configuring RDP on all clients (Windows 7 Pro). I used the info in this article to configure RDP. This GPO is only for RDP, no other settings are configured, so it only applies to computer objects.

    I have an OU called Laptops in the GPMC. I have a test laptop that is a domain member in this container and have linked the RDP GPO to it, however the policy never applies.

    When I run Group Policy modeling from the server the RDP GPO is denied under Computer Configuration with "Empty" given as the reason. Running gpresult /r on the laptop client shows that the RDP GPO was not applied with the reason "Not Applied (Unknown Reason)".

    Under the scope tab for this GPO I have verified that there is nothing listed in the Security Filtering section, and that the GPO is showing that it is linked to the Laptop OU.

    The delegation tab of the RDP GPO reads as follows:

    Domain Admins - Edit Settings, delete, modify security

    Enterprise Admins - Edit Settings, delete, modify security

    Enterprise Domain Controllers - Read

    SYSTEM - Edit Settings, delete, modify security

    If I try to add Domain Computers with Read and Apply Group Policy settings, it puts an entry for Domain Computers in the Security Filtering section of the GPO, and then GPresult reports that the GPO is not applied due to security filtering. Any ideas?


    Friday, October 21, 2016 6:12 PM

Answers

  • Hi,
    Please have a try to add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO) and then run gpupdate /force and gpresult /r to view if the GPO is applied successfully.
    Normally, when we create a GPO, by default, the following groups with the permissions would be listed in the delegation tab as below if we don’t configure other permission settings in the GPO.

    Best regards,
    Wendy


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 24, 2016 3:28 AM
    Moderator

All replies

  • Hi,
    Please have a try to add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO) and then run gpupdate /force and gpresult /r to view if the GPO is applied successfully.
    Normally, when we create a GPO, by default, the following groups with the permissions would be listed in the delegation tab as below if we don’t configure other permission settings in the GPO.

    Best regards,
    Wendy


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 24, 2016 3:28 AM
    Moderator
  • Thanks!  That did the trick. 
    Monday, October 24, 2016 1:51 PM
  • Hi,
    You are welcome, and if you have any questions, please feel free to contact us.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 25, 2016 1:52 AM
    Moderator