Inconsistent application of group policies

    Question

  • Hello everyone,

    I've got a bit of an issue with what appears to be a problem with the application of apparently random group policies.  A little background:  my user account is a member of domain users and domain admins.  We have 3 AD sites defined by subnets. The subnets accurately reflect our physical topology.

    When I run 'gpresult /z' from my workstation, logged in as myself (not using an elevated command prompt) I see all of the GPOs, including the GPOs that were not applied, due to security filtering, WMI, etc.

    When I run 'gpresult /z' from another workstation, logged in as myself (not using an elevated command prompt) I only see a fraction of the GPOs in the applied/not applied sections of Gpresult's output.  Of the GPOs that are not being displayed:  some GPOs are computer-scoped, others, user-scoped.  We have no site-scoped GPOs either.   I can provide more information if needed. 

    Feedback welcomed.


    • Edited by GP-Admin Tuesday, December 13, 2016 4:42 PM
    Tuesday, December 13, 2016 4:39 PM

Answers

  • Thanks Wendy. I found the solution: after examining gpresult (with the /H switch), I found the problematic GPOs displayed as "inaccessible" under the Reason Denied column. After some research I came across this TechNet forum link:

    https://social.technet.microsoft.com/Forums/office/en-US/b47217c4-411d-4127-b280-63a9fb149e49/gpo-denied-inaccessible?forum=winserverGP

    The solution is to add 'Authenticated Users' to the problematic GPOs under the Delegation tab, and give them Read access.

    • Marked as answer by GP-Admin Thursday, December 15, 2016 12:06 AM
    Thursday, December 15, 2016 12:06 AM
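
The fix in the answer above can be audited across every GPO instead of one at a time in the Delegation tab. The following is an added example, not part of the original thread: the function name `Repair-GpoReadAccess` and its parameters are hypothetical, and it assumes the GroupPolicy module (RSAT) and an English-named Authenticated Users group. It grants `GpoRead` only, which is Read without Apply, so existing security filtering is not widened.

```powershell
#Requires -Modules GroupPolicy
# Added example (not from the thread): report GPOs where Authenticated Users
# has no delegation entry, and optionally grant Read as the answer describes.
function Repair-GpoReadAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Domain = $env:USERDNSDOMAIN,  # assumption: the logged-on user's domain
        [switch]$Fix                           # without -Fix the function only reports
    )

    $authUsersSid = 'S-1-5-11'  # well-known SID of Authenticated Users

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Match on SID rather than display name so the check is unambiguous.
        $entry = Get-GPPermission -Guid $gpo.Id -Domain $Domain -All |
            Where-Object { $_.Trustee.Sid.Value -eq $authUsersSid }

        $action = 'None'
        if (-not $entry) {
            $action = 'ReadMissing'
            if ($Fix -and $PSCmdlet.ShouldProcess($gpo.DisplayName, 'Grant GpoRead to Authenticated Users')) {
                # GpoRead = Read only. Apply is NOT granted, so the GPO still
                # applies only to the principals named in security filtering.
                Set-GPPermission -Guid $gpo.Id -Domain $Domain `
                    -TargetName 'Authenticated Users' -TargetType Group `
                    -PermissionLevel GpoRead | Out-Null
                $action = 'ReadGranted'
            }
        }
        elseif ($entry.Permission -eq 'GpoCustom') {
            # Custom ACEs can include Deny entries; leave these for manual review.
            $action = 'ReviewCustomAce'
        }

        [pscustomobject]@{
            Gpo        = $gpo.DisplayName
            Id         = $gpo.Id
            Permission = if ($entry) { $entry.Permission } else { 'None' }
            Action     = $action
        }
    }
}

# Report only:          Repair-GpoReadAccess | Where-Object Action -ne 'None'
# Preview the changes:  Repair-GpoReadAccess -Fix -WhatIf
```

Run it report-only first, then run `gpresult /H` on an affected workstation after applying the fix to confirm the GPOs no longer show as "inaccessible".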

All replies

  • > When I run 'gpresult /z' from another workstation, logged in as myself (not using an elevated command prompt) I only see a fraction of the GPOs in the applied/not applied sections of Gpresult's output.  Of the GPOs that are not being displayed:  some GPOs are computer-scoped, others, user-scoped.
     
    So on one client, the list of all GPOs (applied AND denied) differs from the list on another client? Both clients in the same OU? (If I have to guess: No) Loopback enabled? (If I have to guess: Yes)
     
    Tuesday, December 13, 2016 5:06 PM
  • Yes, and both workstations are in the same OU, the default computers OU (container?). Predictably, running gpupdate /force from both results in a differing number of applied GPOs as well. I've confirmed with gpresult that loopback processing is not enabled.


    My workstation's event logs:

    The Group Policy settings for the user were processed successfully. New settings from 9 Group Policy objects were detected and applied.


    The other workstation's event logs:

    The Group Policy settings for the user were processed successfully. New settings from 3 Group Policy objects were detected and applied.

    They both appear to be contacting the same domain controller to retrieve the settings.


    • Edited by GP-Admin Tuesday, December 13, 2016 6:10 PM
    Tuesday, December 13, 2016 6:02 PM
  • Hi,
    Also, please check whether security filtering, WMI filtering or permissions for this other workstation are set up in the GPO.
    Regarding the GPO not applying, please check the following article for common reasons to help with troubleshooting:
    10 Common Problems Causing Group Policy To Not Apply
    http://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, December 14, 2016 3:37 AM
    Moderator
  • Hi,
    I appreciate your update and sharing the solution; it will be greatly helpful to others who have the same question.
    Best regards,
    Wendy

    Thursday, December 15, 2016 5:33 AM
    Moderator