GPO issue (Modeling wizard shows applied GPO but gpresults do not)

    Question

  • Hi guys. I have come across an AD user that is not running the applied GPO correctly. There is a group of users that is set up to exclude certain folders for roaming profiles (Google Drive, Dropbox, Downloads) when syncing with the server upon login/logout. The GPO is working for all the users in that group except this one. On that user's computer I ran a gpresult -h and looked at the HTML file to see if it shows up, but it does not.

    I then ran the GPO modeling wizard to see if it is supposed to be applied, and it indeed shows up there. I have updated the GPO for the user, but still no luck. I know it works because other users in the group are running just fine. Any advice on how to proceed with this would be helpful. Thanks

    Friday, January 06, 2017 9:44 PM

All replies

  • I could think of 3 possible reasons for this:

    1. Does this problematic user belong to some other group which excludes something etc.? Double check your GPO delegations.

    2. Is this GPO applied to Authenticated Users or some AD group? Check delegations; Authenticated Users MUST still have Read rights to the GPO if you're using an AD group.

    3. The logon process of that problematic user fails somehow. GPO apply problems are usually seen in Event Viewer during logon; investigate that.

    Saturday, January 07, 2017 1:55 PM
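
The three checks from the reply above, as an added PowerShell example that is not part of the original thread. The GPO name and user name are placeholders, and it assumes the GroupPolicy module (installed with GPMC/RSAT) is available and that the commands are run on the affected computer.

```powershell
# Added example: placeholders below are assumptions, not values from the thread.
Import-Module GroupPolicy

$GpoName = '<GPO display name>'   # placeholder
$User    = '<DOMAIN\username>'    # placeholder

# Check 2: who is allowed to read/apply the GPO (security filtering and delegation).
$perms = Get-GPPermission -Name $GpoName -All
$perms |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}},
                  @{n='Type';    e={$_.Trustee.SidType}},
                  Permission, Denied |
    Format-Table -AutoSize

# S-1-5-11 is the well-known SID for Authenticated Users (avoids localized names).
$authUsers = $perms | Where-Object {
    $_.Trustee.Sid.Value -eq 'S-1-5-11' -and -not $_.Denied
}
if (-not $authUsers) {
    Write-Warning "Authenticated Users has no allowed permission on '$GpoName'."
}

# Check 1: what the client actually resolved for this user. The summary lists
# applied GPOs, GPOs that were filtered out (with the reason), and the security
# groups the user was a member of when policy was processed.
gpresult /user $User /scope user /r

# Check 3: Group Policy processing warnings and errors logged on this client.
# Level 1 = Critical, 2 = Error, 3 = Warning.
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 500 |
    Where-Object { $_.Level -in 1, 2, 3 } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

If the GPO shows up under the filtered-out list in the `gpresult` summary, the stated reason (for example, denied by security filtering) points back to the delegation output from the first step.
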
  • Is this particular user a member of hundreds of AD groups? (could be a token size problem...)

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Sunday, January 08, 2017 1:57 AM
  • Thanks for your response but I looked into your 3 possible reasons and found no fixes. 

    The user is part of authenticated users and read permissions were enabled. This user is a part of groups that do not exclude the applied GPO. Alas, the event viewer just tells me the winlogon was taking too long. Afterwards it says winlogon was successfully validated, but no other error.  

    *Note- I believe it thinks winlogon is taking too long but in reality it is just syncing enormous amounts of data from the client to the server
    • Edited by Bpiccolo88 Monday, January 09, 2017 5:55 PM
    Monday, January 09, 2017 5:54 PM
  • No, this user is only part of 3 groups.
    Monday, January 09, 2017 5:58 PM
  • Thanks for your response but I looked into your 3 possible reasons and found no fixes. 

    The user is part of authenticated users and read permissions were enabled. This user is a part of groups that do not exclude the applied GPO. Alas, the event viewer just tells me the winlogon was taking too long. Afterwards it says winlogon was successfully validated, but no other error.  

    *Note- I believe it thinks winlogon is taking too long but in reality it is just syncing enormous amounts of data from the client to the server

    In Computer Configuration\Admin Templates\System\Group Policies there are a lot of GPO options about GPO processing itself. I remember there was some kind of setting which enables you to wait during logon until all GPOs are finished; maybe you should try something like that.

    Also, GPMC has its own diagnostics; is there anything there when you run RSOP?

    Monday, January 09, 2017 7:04 PM
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    If the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy



    Friday, January 13, 2017 9:12 AM
    Moderator