Group policy doesn't apply to all users in same security groups

    Question

  • Using Windows Server 2008 R1.  I have a single domain with two DCs (both Server 2008 R1).  Both DCs seem to be communicating without issues, as changes on one DC are replicating normally to the other for all services.

    I have a group policy set up to set drive mapping for my users.  However when I run the GP modeling wizard only a few of the users receive the proper mappings.  In this specific instance I have two users, Elaine and Angie.  

    1.  Both are members of the Domain Users security group and another security group I created called Staff

    2.  Neither user is a member of any other security groups.

    3.  My group policy Security Filtering setting is set to apply the policy ONLY to the Staff security group

    4.  When running the GP Results Wizard, Elaine's computer successfully processes the policy, but Angie's does not, and returns "Access Denied (Security Filtering)" under the Denied GPOs list.  

    Why are two users with identical security and group settings returning different results?  



    Wednesday, July 08, 2015 7:52 PM

Answers

  • > can confirm that group policy is now processing correctly, even though
    > the users (and their security group) are in the default User container.
     
    If the default "User" container still is a container and not an OU, you
    _cannot_ link GPOs to it. A container has no gPLink attribute, so even
    if you dig deep into AD, you still cannot link a GPO :)
     
    Wherever else your GPO may be linked - for sure it is, otherwise it
    would not apply.
     

    Greetings/Grüße, Martin

    How about reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Tuesday, July 14, 2015 7:47 AM
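
    The checks discussed in this thread, as an added PowerShell example that is not part of any poster's reply: it shows the object class of the default Users container, lists every object whose gPLink actually references the GPO, and compares the two users' directory group membership. It assumes the ActiveDirectory and GroupPolicy modules are available; the GPO display name and the account names are placeholders.

```powershell
# Added example. Placeholder values: replace with your own GPO name and accounts.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName = 'Drive Mappings'      # hypothetical GPO display name
$group   = 'Staff'               # security-filtering group named in the thread
$users   = 'Elaine', 'Angie'     # assumed sAMAccountNames

$domain = Get-ADDomain
$gpo    = Get-GPO -Name $gpoName
$guid   = $gpo.Id.ToString()

# 1. Object class of the default Users container.
#    "container" means it cannot hold a GPO link; "organizationalUnit" can.
Get-ADObject -Identity $domain.UsersContainer |
    Select-Object DistinguishedName, ObjectClass

# 2. Every object whose gPLink references this GPO's GUID:
#    the domain root and OUs first, then sites (configuration partition).
$sitesBase = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext
foreach ($base in $domain.DistinguishedName, $sitesBase) {
    Get-ADObject -SearchBase $base -LDAPFilter "(gPLink=*$guid*)" -Properties gPLink |
        Select-Object DistinguishedName, ObjectClass
}

# 3. Directory-side group membership for each user, and whether it
#    includes the group used for security filtering.
foreach ($u in $users) {
    $names = Get-ADPrincipalGroupMembership -Identity $u |
        Select-Object -ExpandProperty Name
    New-Object PSObject -Property @{
        User    = $u
        InGroup = ($names -contains $group)
        Groups  = ($names -join ', ')
    }
}
```

    Step 3 reads membership from the directory, not from the logon token; to see the token a logged-on user currently holds, run `whoami /groups` or `gpresult /r` in that user's session on the workstation.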

All replies

  • Are both users in the same OU in Active Directory? Is this GPO applied to the OU where both users are?
    Wednesday, July 08, 2015 7:54 PM
  • This is a small office, so both user accounts and the Staff security group are all in the default Users OU.
    Wednesday, July 08, 2015 7:57 PM
  • > 4.  When running the GP Results Wizard, Elaine's computer successfully processes the policy, but Angie's does not, and returns "Access Denied (Security Filtering)" under the Denied GPOs list.
    >
    > Why are two users with identical security and group settings returning different results?

    Has Angie rebooted?

    When a member is added to a group, but was already logged-in, the member token has already been created during the earlier login and will not reflect the changed memberships. A logoff/logon, or a reboot, will cause a new token to be created, which will reflect the updated memberships.

    It's also my understanding that the default/builtin "Users" container, is not an OU, and as such cannot have GPO linked to it.

    Have you linked the GPO to that container? Or is your "Users" object actually an OU? Or did you link the GPO to the domain root?


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Wednesday, July 08, 2015 10:25 PM
  • > 4.  When running the GP Results Wizard, Elaine's computer successfully
    > processes the policy, but Angie's does not, and returns "Access Denied
    > (Security Filtering)" under the Denied GPOs list.
     
    The report also contains a "group membership" section - is the required
    group listed for Angie?
     

    Greetings/Grüße, Martin

    How about reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, July 09, 2015 10:58 AM
  • Yes, the old drive mapping (Q:) still stuck around even after a reboot and then even after a gpupdate /force and reboot.  This was happening on several workstations.  I found a solution, which was to manually go around and delete the old drive mapping, which was the same letter and was created by this same policy's old mapping setting.  After deleting the old mapping manually and rebooting, the workstations can successfully process the new GP settings.  

    These users are all part of the default Users container, it is not a user-created OU.  I have always linked policies here because it's a small office of >30 employees and large scale OU organization isn't necessary.  Policies are currently working for printers, drive mappings and a few security settings.  

    Thanks to everyone for suggestions and help.  

    Friday, July 10, 2015 1:40 PM
  • You can only link a GPO to a site, domain, or to an organizational unit - but not to containers.

    So all your working stuff may be a result of some earlier experiments or manual interaction rather than from applied Group Policies.

    It should not be too big a hassle to create a new OU named users (or whatever you like), assign the policies and drag and drop all the to-be-affected users to the new OU.

    Best greetings from Germany
    Olaf



    Friday, July 10, 2015 1:46 PM
  • I appreciate the response.  I've heard this from two people now, but I can confirm that group policy is now processing correctly, even though the users (and their security group) are in the default User container.  When I run the GP modeling wizard, it shows that each user processes the policy successfully under "Applied Group Policies".  I don't know why, but it works.  

    Monday, July 13, 2015 7:13 PM