GPO applying/not applying on different computers

    Question

  • I know the title is very vague but here's what's happening....

    I have a new GPO that I created several days ago.  It's a user based policy and I have it linked to a specific AD group and to an OU that contains EVERY user in our AD.  There are no filters on the GPO.

    In my test environment, I have 2 Win10 computers.  When I log into one of them, the policy applies with no problems.  The other computer doesn't even show the GPO in the list of applied GPOs when I run gpresult /r.  I've gotten reports randomly from test users and they're having this same issue (some of the users are running Win7, some Win10).

    I've tried recreating the GPO, deleting the GroupPolicy and GroupPolicyUsers folder in C:\windows\system32, completely removing my profile from the computer that doesn't see the policy and gpupdate /force.  There are no errors logged in the event logs (System and Group Policy).

    I'm at a loss.  This just doesn't make sense to me.  I'm really hoping I'm missing something that'll make me feel like an idiot. :D

    Anybody got any ideas?

    Wednesday, July 27, 2016 5:13 PM

All replies

  • Hi,

    Some questions:

    1. What do you mean by "linked to AD Group"? - you can link GPOs on OUs. In conjunction you are able to do security filtering. But you can't link GPOs to Groups.

    2. Why are you deleting  the GPO Folder in C:\Windows\System32 ? GPOs are on the Sysvol of the DC and are represented by settings in the registry. - Do you deal with local group policies?

    Are the missing policies computer or user configuration settings and do both client computers reside in the same OU?


    best regards
    Switch

    MCITP Enterprise Administrator
    MCSA Windows Server 2012
    MCTS Windows 7 Configuration

    Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.


    • Edited by Switch1210 Wednesday, July 27, 2016 5:28 PM
    Wednesday, July 27, 2016 5:27 PM
  • Sorry. I used some incorrect terminology. The GPO is security filtered to an AD group.

    The computers both reside in the same OU.  However, that shouldn't matter since the GPO is applied to users, not computers.  But, the GPO is linked at an OU that is the parent of both computers and users.  The GPO essentially has just a logon script defined in the user configuration.  Computer configuration is disabled.

    I deleted the GPO folder because I wanted to rule out everything including local policies having something to do with this issue.

    Wednesday, July 27, 2016 6:01 PM
  • > In my test environment, I have 2 Win10 computers.  When I log into one of them, the policy applies with no problems.  The other computer doesn't even show the GPO in the list of applied GPOs when I run gpresult /r.

    Hi,
    Please check if the GPO is listed in Denied GPOs when you run the gpresult /r command and see if there is more information about the reason behind it.
    You could also check the following article and try its suggestions one by one:
    10 Common Problems Causing Group Policy To Not Apply
    http://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Thursday, July 28, 2016 8:40 AM
    Moderator
  • I found that article a couple days ago during my troubleshooting. No help there. And I verified that this GPO is not listed in the denied GPOs list.

    Logging into both computers with the same ID, I've verified that the applied GPOs match exactly with the exception of this one GPO.  I've also verified (just for grins) that the subnets for both computers are in Sites and Services.  I'm really reaching at this point.

    The only difference I've found so far is that they're talking to different DCs.  I'm looking into those now to verify that they're both processing the same set of GPO objects.

    Thursday, July 28, 2016 12:29 PM
  • Hi sdk367,

    I can't imagine what could be the problem.

    Can you access the GPOs folder on the Sysvol from the computer which is not applying the GPO?

    Can you please provide a "GPResult.exe /r /scope:computer" output from both machines?


    best regards
    Switch



    • Edited by Switch1210 Friday, July 29, 2016 9:15 AM
    Friday, July 29, 2016 7:58 AM
  • > Hi sdk367,
    >
    > I can't imagine what could be the problem.
    >
    > Can you access the GPOs folder on the Sysvol from the computer which is not applying the GPO?
    >
    > Can you please provide a "GPResult.exe /r /scope:computer" output from both machines?
    >
    > best regards
    > Switch


    Again, this is a USER policy, not computer so the scope needs to include user.

    I can access the GPOs folder from both computers.  Below, I've highlighted and underlined the GPO in question - KieDrive Mapper - Testing

    Here's an abbreviated gpresult /r from a machine that's not getting the policy:

    COMPUTER SETTINGS
    ------------------
        CN=KHO-SDKLAPTOP
        Last time Group Policy was applied: 7/29/2016 at 7:18:53 AM
        Group Policy was applied from:     
        Group Policy slow link threshold:   1024 kbps
        Domain Name:                       
        Domain Type:                        Windows 2008 or later

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            Kiewit Default Bentley Policy
            Kiewit Default Workstation Policy
            Kiewit Hard Dollar Word Fix
            Kiewit SCCM Client Policy
            Kiewit Default IE Settings Policy
            Kiewit Wireless Config
            Azure MBAM
            Kiewit 15min Screensaver
            Citrix Receiver Configuration
            OneDrive User-Computer Configuration
            Win10 Computer-User Configuration
            _Testing - Koskey
            Kiewit SW Restriction Policy
            Kiewit Default EFS Policy
            SapGui V1 Config
            Kiewit Enterprise Policy
            Kiewit LDAP Logging
            Local Group Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Kiewit Special Server Policy
                Filtering:  Denied (WMI Filter)
                WMI Filter: Servers Only

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users


    USER SETTINGS
    --------------
        CN=Scott.Koskey
        Last time Group Policy was applied: 7/29/2016 at 6:04:04 AM
        Group Policy was applied from:     
        Group Policy slow link threshold:   1024 kbps
        Domain Name:                       
        Domain Type:                        Windows 2008 or later

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            Kiewit Default IE Settings Policy
            Kiewit 15min Screensaver
            Citrix Receiver Configuration
            OneDrive User-Computer Configuration
            Win10 Computer-User Configuration
            Kiewit Default Web Browser Restriction Policy
            Kiewit Enterprise Policy
            Default Domain Policy
            Kiewit Default User Policy
            Kiewit Default Office Settings
            Kiewit Home Page Policy
            Kiewit Yammer Restriction Policy
            Kiewit Default IE Settings Policy
            Citrix Receiver Configuration
            OneDrive User-Computer Configuration
            Win10 Computer-User Configuration
            Kiewit Default Web Browser Restriction Policy
            Kiewit Enterprise Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

            Local Group Policy
                Filtering:  Not Applied (Empty)

            Kiewit Special Server Policy
                Filtering:  Denied (WMI Filter)
                WMI Filter: Servers Only

            Kiewit Special Server Policy
                Filtering:  Denied (WMI Filter)
                WMI Filter: Servers Only

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Administrators
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users

    And here's the same from a computer that IS getting the GPO:


    COMPUTER SETTINGS
    ------------------
        CN=KNETSTIWS003
        Last time Group Policy was applied: 7/29/2016 at 7:34:37 AM
        Group Policy was applied from:     
        Group Policy slow link threshold:   1024 kbps
        Domain Name:                       
        Domain Type:                        Windows 2008 or later

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            Kiewit Default Bentley Policy
            Kiewit Default Workstation Policy
            Kiewit Hard Dollar Word Fix
            Kiewit SCCM Client Policy
            Kiewit Default IE Settings Policy
            Kiewit Wireless Config
            Azure MBAM
            Kiewit 15min Screensaver
            Citrix Receiver Configuration
            OneDrive User-Computer Configuration
            Win10 Computer-User Configuration
            _Testing - Koskey
            Kiewit SW Restriction Policy
            Kiewit Default EFS Policy
            SapGui V1 Config
            Kiewit Enterprise Policy
            Kiewit LDAP Logging
            Local Group Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Kiewit Special Server Policy
                Filtering:  Denied (WMI Filter)
                WMI Filter: Servers Only

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users


    USER SETTINGS
    --------------
        CN=Scott.Koskey
        Last time Group Policy was applied: 7/29/2016 at 7:30:03 AM
        Group Policy was applied from:     
        Group Policy slow link threshold:   1024 kbps
        Domain Name:                       
        Domain Type:                        Windows 2008 or later

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            Kiewit Default IE Settings Policy
            Kiewit 15min Screensaver
            Citrix Receiver Configuration
            OneDrive User-Computer Configuration
            Win10 Computer-User Configuration
            Kiewit Default Web Browser Restriction Policy
            Kiewit Enterprise Policy
            Default Domain Policy
            Kiewit Default User Policy
            Kiewit Default Office Settings
            Kiewit Home Page Policy
            Kiewit Yammer Restriction Policy
            Kiewit Default IE Settings Policy
            Citrix Receiver Configuration
            OneDrive User-Computer Configuration
            Win10 Computer-User Configuration
            KieDrive Mapper - Testing
            Kiewit Default Web Browser Restriction Policy
            Kiewit Enterprise Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

            Local Group Policy
                Filtering:  Not Applied (Empty)

            Kiewit Special Server Policy
                Filtering:  Denied (WMI Filter)
                WMI Filter: Servers Only

            Kiewit Special Server Policy
                Filtering:  Denied (WMI Filter)
                WMI Filter: Servers Only

            KieDrive Mapper - Testing
                Filtering:  Not Applied (Unknown Reason)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Administrators
            Performance Log Users
            BUILTIN\Users
            REMOTE INTERACTIVE LOGON
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users

    I do appreciate the responses.

    Scott


    • Edited by sdk367 Friday, July 29, 2016 12:42 PM
    Friday, July 29, 2016 12:41 PM
  • Hi Scott,

    Regarding the question of accessing the GPOs folder on the sysvol, I just want to ensure that there's no issue regarding the DACL on the GPO. Of course you already mentioned that this should not be the problem.

    Regarding the RSOP - on the second machine, which should apply the policy, I highly doubt it does, as the policy is listed in the "Filtered out" section of the user's RSOP.

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

            Local Group Policy
                Filtering:  Not Applied (Empty)

            Kiewit Special Server Policy
                Filtering:  Denied (WMI Filter)
                WMI Filter: Servers Only

            Kiewit Special Server Policy
                Filtering:  Denied (WMI Filter)
                WMI Filter: Servers Only

            KieDrive Mapper - Testing
                Filtering:  Not Applied (Unknown Reason)

    First off, I would propose to delete the Policy Object from the GPMC and recreate it.

    One other thing: did you check the following Issue? KB3136322

    As this is a GPP, can you explain how this Policy Item has been configured? Update, Replace, Create etc. and the conditions (if any)?


    best regards

    Switch


    • Edited by Switch1210 Friday, July 29, 2016 1:30 PM
    • Marked as answer by sdk367 Friday, July 29, 2016 2:03 PM
    Friday, July 29, 2016 1:29 PM
  • Well, you found it!  In the article you referenced above, the following line was my issue:

    "This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group"

    When I originally created the GPO, I changed the security filtering by removing authenticated users altogether and replaced it with the AD group that I wanted to target for the GPO.  As soon as I added Authenticated Users back with read-only access (unchecked "Apply group policy" in the permissions), it started working.

    It still doesn't make sense why it would work on some computers but as long as I know this, I won't make this mistake in the future.

    THANK YOU!


    • Edited by sdk367 Friday, July 29, 2016 2:04 PM
    Friday, July 29, 2016 2:03 PM
  • Hi Scott,

    Great to hear that I was able to help you out!

    Have a good day.


    best regards

    Switch


    • Edited by Switch1210 Friday, July 29, 2016 2:12 PM
    Friday, July 29, 2016 2:12 PM
  • > It still doesn't make sense why it would work on some computers but as
    > long as I know this, I won't make this mistake in the future.
     
    If it worked on some computers, these were missing MS16-072 apparently.
    Or they applied the GPO in the past...
     
    Monday, August 01, 2016 2:19 PM
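
An added example, not part of the original thread: a read-only audit for the condition that resolved this question, i.e. GPOs whose security filtering no longer gives Authenticated Users (or Domain Computers) Read access, which matters once MS16-072 / KB3136322 is installed. It assumes the GroupPolicy PowerShell module (RSAT/GPMC) is available; the variable names and report columns are chosen for this illustration.

```powershell
# Added example, not code from the thread. Lists GPOs that a computer account
# cannot read, so user settings in them are skipped on MS16-072-patched clients.
Import-Module GroupPolicy

$authUsersSid  = 'S-1-5-11'   # well-known SID: Authenticated Users
$domainCompRid = '-515$'      # well-known RID suffix: Domain Computers
# Permission levels that include Read. GpoCustom is deliberately left out,
# so GPOs relying on a custom ACE are reported for manual review.
$readLevels    = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($gpo in Get-GPO -All) {
    $acl = Get-GPPermission -Guid $gpo.Id -All

    # Any allow ACE that lets computer accounts read this GPO?
    $computerCanRead = $acl | Where-Object {
        -not $_.Denied -and
        $readLevels -contains $_.Permission.ToString() -and
        ($_.Trustee.Sid.Value -eq $authUsersSid -or
         $_.Trustee.Sid.Value -match $domainCompRid)
    }

    if (-not $computerCanRead) {
        [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            GpoStatus   = $gpo.GpoStatus
            # Who the GPO is security filtered to (Apply group policy ticked)
            AppliesTo   = ($acl |
                Where-Object { $_.Permission.ToString() -eq 'GpoApply' } |
                ForEach-Object { $_.Trustee.Name }) -join ', '
        }
    }
}

$report | Sort-Object DisplayName | Format-Table -AutoSize

# Fix used in the thread: give Authenticated Users Read without Apply.
# Uncomment to preview the change, then drop -WhatIf to make it.
# $report | ForEach-Object {
#     Set-GPPermission -Guid $_.Id -TargetName 'Authenticated Users' `
#         -TargetType Group -PermissionLevel GpoRead -WhatIf
# }
```

GpoRead adds Read only, so the group named in AppliesTo remains the only trustee the GPO actually applies to.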