OU-Linked Group Policies not applying in one site of 3

    Question

  • I've run up against something that I've never heard of before: I have 3 GPOs (all with only user settings) linked to an OU containing user objects and the GPO applies fine in site "Main" and site "Secondary" (both in the USA) but not site "Tertiary" in the UK.

    If I log onto a domain controller located in site "Tertiary" the GPOs apply, but if I log onto any member servers (Win 2008 R2) or workstations (Win7), the GPOs don't apply.

    GPO debug logging was enabled and I combed the logs on a test PC and it looks like the following is happening:

    Win 7 Computer in Site "Secondary" GP service wants to target the user SID and looks for DC and where to start. It seems to do this successfully as the first thing it hits is the OU that the user account is located in as below:

    GPSVC(1f8.7f8) 11:14:05:059 GetDomainControllerConnectionInfo: Getting Ldap Handles.
    GPSVC(1f8.7f8) 11:14:05:059 GetLdapHandle:  Getting ldap handle for host: GCM-DC-S2.mydomain.com in domain: mydomain.com.
    GPSVC(1f8.7f8) 11:14:05:059 GetLdapHandle:  Server connection established.
    GPSVC(1f8.7f8) 11:14:05:059 GetLdapHandle:  Bound successfully.
    GPSVC(1f8.7f8) 11:14:05:059 ProcessGPOs: Computer's domain is same as user's domain so using user's domain DC
    GPSVC(1f8.7f8) 11:14:05:059 GetLdapHandle:  Getting ldap handle for host: GCM-DC-S2.mydomain.com in domain: <Unspecified>.
    GPSVC(1f8.7f8) 11:14:05:059 GetLdapHandle:  Server connection established.
    GPSVC(1f8.7f8) 11:14:05:074 GetLdapHandle:  Bound successfully.
    GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\dskquota.dll.
    GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for gptext.dll.
    GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll.
    GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\iedkcs32.dll.
    GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\srchadmin.dll.
    GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\iedkcs32.dll.
    GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\cscobj.dll.
    GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for gptext.dll.
    GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\iedkcs32.dll.
    GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for gptext.dll.
    GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for gptext.dll.
    GPSVC(1f8.7f8) 11:14:05:074 GetGPOInfo:  ********************************
    GPSVC(1f8.7f8) 11:14:05:074 GetGPOInfo:  Entering...
    GPSVC(1f8.7f8) 11:14:05:074 SearchDSObject:  Searching <OU=Users,OU=Technology,OU=Primary,DC=mydomain,DC=com>

    The problem PC located in the tertiary site looks a bit different. It gets a DC right away and doesn't say anything about the user's DC being same as machine's DC. Then it starts searching in the OU of the PC and works back up the LDAP org to the root domain/forest, meaning it never tries to locate the OU where the user object is, so it never discovers the GPOs linked to that OU:

    GPSVC(268.1114) 17:40:51:457 GetDomainControllerConnectionInfo: Getting Ldap Handles.
    GPSVC(268.1114) 17:40:51:457 GetLdapHandle:  Getting ldap handle for host: GCM-DC-L1.mydomain.com in domain: mydomain.com.
    GPSVC(268.1114) 17:40:51:457 GetLdapHandle:  Server connection established.
    GPSVC(268.1114) 17:40:51:457 GetLdapHandle:  Bound successfully.
    GPSVC(268.1114) 17:40:51:457 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\dskquota.dll.
    GPSVC(268.1114) 17:40:51:457 ReadGPExtensions: Rsop entry point not found for gptext.dll.
    GPSVC(268.1114) 17:40:51:457 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll.
    GPSVC(268.1114) 17:40:51:457 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\iedkcs32.dll.
    GPSVC(268.1114) 17:40:51:475 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\srchadmin.dll.
    GPSVC(268.1114) 17:40:51:475 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\iedkcs32.dll.
    GPSVC(268.1114) 17:40:51:475 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\cscobj.dll.
    GPSVC(268.1114) 17:40:51:475 ReadGPExtensions: Rsop entry point not found for gptext.dll.
    GPSVC(268.1114) 17:40:51:475 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\iedkcs32.dll.
    GPSVC(268.1114) 17:40:51:475 ReadGPExtensions: Rsop entry point not found for gptext.dll.
    GPSVC(268.1114) 17:40:51:475 ReadGPExtensions: Rsop entry point not found for gptext.dll.
    GPSVC(268.1114) 17:40:51:475 ProcessGPOs: Using computer name CN=SPARE3,OU=Workstations,OU=Tertiary,DC=mydomain,DC=com for query.
    GPSVC(268.1114) 17:40:51:475 GetGPOInfo:  ********************************
    GPSVC(268.1114) 17:40:51:475 GetGPOInfo:  Entering...
    GPSVC(268.1114) 17:40:51:475 SearchDSObject:  Searching <OU=Workstations,OU=Tertiary,DC=mydomain,DC=com>

    Any ideas why this tertiary site is behaving differently than the secondary site would be greatly appreciated.

    It seems user GPOs apply to the problem PC but only if they are linked to the OU the workstation is in or its parents, including site and domain root. So I could conceivably work around the issue by linking the problem GPOs to the root or site OU, but I'd really like to know why it's not finding the user OU and checking it for GPOs.

    Thanks

    Pete

    Edit: I should note that I looked pretty closely at permissions, presence of the GPO files in the sysvol folder etc. All of that looks good and is replicating fine across all sites.

    • Edited by Peteski Monday, March 16, 2015 7:14 PM
    Monday, March 16, 2015 7:12 PM

Answers

  • Hi,

    >>It seems user GPOs apply to the problem PC but only if they are linked to the OU the workstation is in or its parents, including site and domain root

    Based on the description, did we enable Loopback processing with Replace mode for these computers? Here, on one of these computers, we can run the command gpresult /h report.html with administrative privileges to collect a group policy result report to check this.

    Regarding user group policy loopback processing mode, the following article can be referred to for more information.

    User Group Policy loopback processing mode

    https://technet.microsoft.com/en-us/library/cc978513.aspx 

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Peteski Tuesday, March 17, 2015 8:27 PM
    Tuesday, March 17, 2015 3:00 AM
    Moderator

All replies

  • Thanks a bunch Mark. I think this is the answer though I will have to test.

    But I believe I understand where the problem lies and why you reference the loopback policy processing mode: My previous understanding was that the way loopback is scoped is at the GPO level and replace was referring to whether or not this single GPO's user policy settings would only impact settings from any other GPO that is in conflict with the same exact user setting of another GPO.

    The article you linked appears to state that the "Replace" setting completely blocks all other GPOs that are linked to OUs with users in them (my problem). However, GPOs linked to objects such as computers and site/domain still apply.

    I'll update one I go through all of my GPOs and check for enabled user loopback + replace on all of them and then test again on the PC.

    Thanks again

    Pete

    Tuesday, March 17, 2015 9:40 PM
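The check Pete describes above (going through every GPO for an enabled loopback setting) can be scripted. The following is an added example, not code from the thread or from Microsoft: it uses the GroupPolicy PowerShell module (RSAT or a domain controller) to read the registry value that the "Configure user Group Policy loopback processing mode" setting writes (`HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode`, 1 = Merge, 2 = Replace) from each GPO, and reads the GPO's XML report to show where it is linked. The function name `Get-GpoLoopbackReport` and the `$Domain` default are this example's own choices.

```powershell
#Requires -Modules GroupPolicy
Import-Module GroupPolicy

# Registry location written by "Configure user Group Policy loopback processing mode".
# UserPolicyMode: 0 = policy set to Disabled, 1 = Merge, 2 = Replace.
$LoopbackKey   = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopbackValue = 'UserPolicyMode'
$ModeNames     = @{ 0 = 'Disabled'; 1 = 'Merge'; 2 = 'Replace' }

function Get-GpoLoopbackReport {
    # Hypothetical helper for this example: one object per GPO in the domain.
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Get-GPRegistryValue throws when the GPO does not define the value,
        # so a failure here simply means "loopback not configured in this GPO".
        try {
            $setting = Get-GPRegistryValue -Guid $gpo.Id -Domain $Domain `
                -Key $LoopbackKey -ValueName $LoopbackValue -ErrorAction Stop
            $mode = $ModeNames[[int]$setting.Value]
        } catch {
            $mode = 'Not configured'
        }

        # The XML report carries the link targets (LinksTo/SOMPath),
        # which Get-GPO itself does not expose.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml
        $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })

        [pscustomobject]@{
            Name         = $gpo.DisplayName
            Id           = $gpo.Id
            LoopbackMode = $mode
            GpoStatus    = $gpo.GpoStatus   # AllSettingsEnabled, ComputerSettingsDisabled, ...
            LinkedTo     = ($links -join '; ')
        }
    }
}

$report = Get-GpoLoopbackReport

# Full inventory, loopback GPOs first.
$report | Sort-Object LoopbackMode -Descending |
    Format-Table Name, LoopbackMode, GpoStatus, LinkedTo -AutoSize

# Loopback is a computer-side setting, so it only takes effect where the GPO's
# computer settings are enabled. Flag Replace-mode GPOs that can actually reach a PC:
$report |
    Where-Object {
        $_.LoopbackMode -eq 'Replace' -and
        $_.GpoStatus -notmatch 'ComputerSettingsDisabled|AllSettingsDisabled'
    } |
    ForEach-Object {
        Write-Warning "GPO '$($_.Name)' enforces loopback Replace at: $($_.LinkedTo)"
    }
```

Any GPO the warning names and that is linked at or above `OU=Workstations,OU=Tertiary` in the thread's example would explain the symptom: in Replace mode the user's own OU (`OU=Users,OU=Technology,OU=Primary`) is never searched, which matches the second log excerpt where the query starts from the computer's DN. Running `gpresult /h report.html` on the affected PC, as Frank suggests, confirms which GPO supplied the setting.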