GPO Inaccessible on Terminal Servers showing as SID

    Question

  • Hi Guys,

    I have inherited a network with a few issues. My current big issue is that GPOs are not applying to users when they log in to Terminal Servers. I checked on all of the Domain Controllers that the SYSVOL is up to date and that there are no sync errors showing in the event log on the Domain Controllers.

    I have then looked at the Event Log on the Terminal Servers and again there is nothing relating to GPO failures. I have run GPResult on one of the user accounts being affected and I get back the SID of the GPO and Inaccessible. It's been a while since I've had issues like this with Group Policy and I can't think what is causing the issue. Does anyone have any suggestions?


    I have tried to re-join the Terminal Server to the Domain to see what happens and at the moment that hasn't fixed the issue.

    I am able to browse the SYSVOL on the Domain Controllers, so access to the file structure is fine.


    TPark IT Technician

    Thursday, July 07, 2016 9:26 AM

Answers

  • Hi,

    It seems your account does not have access to read the GPOs. As you have inherited the environment, the GPOs might have been locked down with access for particular admins and users.

    There are ways to restore the permissions, but it will require modifying them in ADSIEdit.

    Have you changed the Security Filtering on the GPO to see if that GPO applies?

    https://msdn.microsoft.com/en-us/library/aa373513%28v=vs.85%29.aspx


    Regards, Jim MSCS - MCP

    Thursday, July 07, 2016 10:50 AM
  • Hi,

    Usually that happens if you do not have Read permissions on the GPO. Double-check the permissions in AD and SYSVOL for that GPO and ensure that the computer account and, for that matter, your own user account have at least Read permissions on the GPO.

    You should check two parts:

    GPT part stored in the file system under SYSVOL share. You can find them here:
    \\DomainNameHere\SYSVOL\Policies
    GPC part stored in the AD, so you can edit their permissions with ADUC. Enable Advanced Features in the View menu, and browse System\Policies.

    Best Regards,

    Alvin Wang



    Tuesday, July 12, 2016 8:05 AM
    Moderator
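
The two checks described in the answer above (GPC permissions in AD, GPT permissions in SYSVOL), as an added example that is not part of the original thread. The GUID is a placeholder, the list of broad groups is an assumption, and the read test is a heuristic over explicit ACEs; run it from an account that can read both ACLs.

```powershell
Import-Module ActiveDirectory   # Get-ADDomain and the AD: drive used by Get-Acl

# Placeholder: replace with the GPO identifier gpresult lists as Inaccessible.
$GpoGuid = '{00000000-0000-0000-0000-000000000000}'

$domain  = Get-ADDomain
$gpcPath = "AD:\CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"
# The GPT folder sits under the domain-named folder inside the SYSVOL share.
$gptPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid"

$gpcAces = (Get-Acl -Path $gpcPath).Access   # GPC: the AD object
$gptAces = (Get-Acl -Path $gptPath).Access   # GPT: the SYSVOL folder

$adRead = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$fsRead = [System.Security.AccessControl.FileSystemRights]::Read

# Trustees holding an Allow ACE that covers read on each half of the GPO.
$gpcReaders = @($gpcAces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $adRead) -eq $adRead
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
$gptReaders = @($gptAces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $fsRead) -eq $fsRead
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

# One row per trustee; a False in either column is a GPC/GPT mismatch to review.
($gpcReaders + $gptReaders) | Sort-Object -Unique | ForEach-Object {
    [pscustomobject]@{
        Trustee = $_
        GpcRead = $_ -in $gpcReaders
        GptRead = $_ -in $gptReaders
    }
} | Format-Table -AutoSize

# Deny ACEs override Allow, so list any that exist on either half.
(@($gpcAces) + @($gptAces)) | Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, AccessControlType | Format-Table -AutoSize

# Assumption: users and computers normally reach the GPO through one of these
# broad groups; none of them reading both halves matches the symptom described.
$broad = 'Authenticated Users', 'Domain Computers', 'Domain Users'
$ok = $gpcReaders | Where-Object { $_ -in $gptReaders } |
    Where-Object { ($_ -split '\\')[-1] -in $broad }
if (-not $ok) { Write-Warning "No broad group can read both GPC and GPT of $GpoGuid" }
```

Access granted only through nested or custom groups will not show up in the final check, so read the per-trustee table as well as the warning.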

All replies

  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang



    Friday, July 15, 2016 3:19 AM
    Moderator