New machines will not pull gpo and old machines will not pull none cached gpo's


  • We are having issues with new machines going into a specific subnet not pulling or re-applying gpo's to workstations at the branch office only. 

    We have done wireshark testing, Validated DNS, WINS ran dcdiags, gpresults . We have relocated user and computers to different branch offices and they work fine. 

    From a delete profile or new profile the gpresults are blank or empty. Preset systems gpresults run fine. 

    We have tested networking for that branch office and trace routes and pings are successful to the dc's.



    Friday, July 15, 2016 2:15 PM


All replies

  • Hi,

    is there a DC in that site?

    If there isn't, is the subnet assigned to a valid AD site?

    Does nltest /dsgetsite yield the expected result?

    Evgenij Smirnov

    msg services ag, Berlin ->
    my personal blog (mostly German) ->
    Windows Server User Group, Berlin ->
    Mark Minasi Technical Forum, reloaded ->

    In theory, there is no difference between theory and practice. In practice, there is.

    Friday, July 15, 2016 7:15 PM
  • Yes, nltest /dsgetsite works fine. No DC at that location/subnet...
    Friday, July 15, 2016 7:24 PM
  • Might be GPO slow link detection setting, if client site without DC then GPO get applied from remote site as per the site-link configuration and if the site detect slow link then some policies won't apply


    Monday, July 18, 2016 4:52 AM
  • Hi Chris,
    Please check if you add the different subnets into the site settings in Active
    Directory Sites and Services. You could go down to subnets, add an entry for each subnet, and point them to the site associated with the DC that you want them to connect to, wait some time to make sure everything has replicated and then run gpupdate /force on the problem machines to see if it solves the problems
    In addition, please make sure that clients of that site are authenticating to correct DC, ping DC doesn’t mean that clients are using that DC for authentication. You could run echo %LOGONSERVER% to check it.
    And please check if you could find any related logs in the event viewer to help us troubleshoot.

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact

    Monday, July 18, 2016 5:34 AM
  • Believe slow link is on by default since they do not have a dc. This issue has started showing itself on other subnets to that originally didn't have issues.
    Tuesday, July 19, 2016 5:28 PM
  • Yes the subnets are were added. We also checked and they are hitting the correct DC. Will post logs up asap.


    Tuesday, July 19, 2016 5:30 PM
  • We found the issue. The permission were missing on all the policy folder. Sysvol and the domain your in. So we needed to go back through and added permission in each group policy.
    Wednesday, July 20, 2016 3:27 PM