none
GPO no se aplican. motivo de denegación:vacío RRS feed

  • Pregunta

  • Buenas tardes

    estoy montando un dominio en windows server 2008 r2. con sus usuarios, grupos, GPO....

    En el campo de las GPO me sucede que cuando las creo y las aplico a alguna OU donde tengo usuarios , éstos deniengan la GPO dando el motivo de denagación vacío(viendo en gpresult /h).

    Ni siquiera me aplica la "Default Policy"

    los clientes son windows 7 prof.

    Otras políticas si que las aplica...

    Qué puede estar pasando? ¿Cómo puedo diagnosticar los errores?no veo error en el visor de eventos ni en ningún lado, simplemente no la aplica....

    Gracias de antemano

    jueves, 2 de octubre de 2014 13:49

Respuestas

  • Hola Juaniki,

    Siguiendo con las notas oficiales de Troubleshooting de Group Policy de Microsoft te adjunto los puntos que debes verificar si una GPO aparece como Denied (denegada): http://technet.microsoft.com/en-us/library/cc779631(v=ws.10).aspx

    GPO Not Applied, Listed in Denied List in Group Policy Results Report

    If the GPO successfully reaches the client, it appears either in the list of Denied GPOs or in the list of Applied GPOs. A GPO can be explicitly denied for any number of reasons.  To determine whether a GPO is denied, look on the Summary tab or the Group Policy Results report. Under Computer Configuration Summary and again under User Configuration Summary, click Show to expand Group Policy Objects, and then show Denied GPOs. The reason for the denial is provided for each denied GPO.

    GPO Not Applied, Listed in Denied List

    Security Filtering (GPO Denied)

    The user or computer does not have the user rights assigned for the GPO. The required privileges are Read and Apply Group Policy. Alternatively, a GPO might be associated with a Deny ACE, which overrides any other privileges granted to the user or computer. For more information, see Policy settings incorrectly applied or denied due to security filtering.

    Disabled Link (GPO Denied)

    There is a link to the GPO from a site, domain, or OU in the hierarchy of the user or computer, but that link has been explicitly disabled. You can quickly scan the navigation pane of GPMC for disabled links.

    Inaccessible GPO (GPO Denied)

    There is a link to the GPO, but the GPO cannot be accessed. There are several possible reasons for this:

    • The permissions on the GPO or on folders in the path to the Group Policy template are insufficient for it to be accessed and read. If this situation occurs the Component Status section of the Group Policy Results report will indicate Failure for the component Group Policy Infrastructure.
    • The GPO might have been deleted, but the link to it remains for some reason (such as replication lag).
    • Network connectivity problems might prevent access to the GPO.
    • The client is unable to contact any domain controller.

    Empty GPO (GPO Denied)

    A GPO will be denied if it has no settings. This occurs when an administrator has configured a GPO and linked to it, but has not set any policy settings within the GPO. Either remove the link to the GPO or add policy settings to the GPO. If there are no remaining links to the GPO, you should consider deleting it.

    WMI Filter (GPO Denied)

    A WMI filter applied to a GPO is essentially a Boolean (true/false) decision as to whether the entire GPO should be applied to the client computer. The filter is evaluated at the client when GPO is applied. Based on the embedded WQL query, the GPO will either be enabled or disabled. For more information, see Policy settings incorrectly applied or denied due to WMI filtering.

    Adicionalmente a esto, revisa:

    1.El event viewer del equipo cliente y el domain controller en busca de errores relacionados.

    2. Que la GPO que estas aplicando a los usuarios tengan settings de usuarios configurados. Si estas aplicando a una gpo con máquinas, revisa que la gpo tenga settings de máquina configurados.

    Por favor revisá cada uno de estos puntos, en caso de no encontrar la solución, te pido que nos envies el resultado del gpresult en el equipo cliente.

    Espero te sirva.

    Saludos.


    Mateo Agustín Di Loreto | This posting is provided AS IS with no warranties, and confers no rights. Is recommended to check in a test environment before implementing. <ahref="http://madsblog.com/">MadsBlog.com</a>


    viernes, 3 de octubre de 2014 13:28

Todas las respuestas

  • Hola Juaniki,

    Te aconsejo que revises los puntos detallados en la siguiente nota y nos des tu feedback.

    http://technet.microsoft.com/en-us/library/cc787386(v=ws.10).aspx

    Espero te sirva.

    Saludos.


    Mateo Agustín Di Loreto | This posting is provided AS IS with no warranties, and confers no rights. Is recommended to check in a test environment before implementing. <ahref="http://madsblog.com/">MadsBlog.com</a>

    jueves, 2 de octubre de 2014 18:14
  • Hola Juaniki,

    Te aconsejo que revises los puntos detallados en la siguiente nota y nos des tu feedback.

    http://technet.microsoft.com/en-us/library/cc787386(v=ws.10).aspx

    Espero te sirva.

    Saludos.


    Mateo Agustín Di Loreto | This posting is provided AS IS with no warranties, and confers no rights. Is recommended to check in a test environment before implementing. <ahref="http://madsblog.com/">MadsBlog.com</a>

    Gracias Mateo. 

    he revisado las GPO y no están vacías 

    siguiendo esta imagen,    http://i.technet.microsoft.com/dynimg/IC196770.gif

    • Does Group Policy Results list the GPO as applied?    -> NO
    • Is the setting listed in Group Policy Results Report?   --> YES
    • Is the GPO listed in the Denied List?---> YES

    son gpos básicas:

    desactivar firewall

    texto de bienvenida

    y la que más me preocupa es la default policy que no se aplica....... y ahí no he tocado en nada..

    viernes, 3 de octubre de 2014 6:46
  • Hola Juaniki,

    Siguiendo con las notas oficiales de Troubleshooting de Group Policy de Microsoft te adjunto los puntos que debes verificar si una GPO aparece como Denied (denegada): http://technet.microsoft.com/en-us/library/cc779631(v=ws.10).aspx

    GPO Not Applied, Listed in Denied List in Group Policy Results Report

    If the GPO successfully reaches the client, it appears either in the list of Denied GPOs or in the list of Applied GPOs. A GPO can be explicitly denied for any number of reasons.  To determine whether a GPO is denied, look on the Summary tab or the Group Policy Results report. Under Computer Configuration Summary and again under User Configuration Summary, click Show to expand Group Policy Objects, and then show Denied GPOs. The reason for the denial is provided for each denied GPO.

    GPO Not Applied, Listed in Denied List

    Security Filtering (GPO Denied)

    The user or computer does not have the user rights assigned for the GPO. The required privileges are Read and Apply Group Policy. Alternatively, a GPO might be associated with a Deny ACE, which overrides any other privileges granted to the user or computer. For more information, see Policy settings incorrectly applied or denied due to security filtering.

    Disabled Link (GPO Denied)

    There is a link to the GPO from a site, domain, or OU in the hierarchy of the user or computer, but that link has been explicitly disabled. You can quickly scan the navigation pane of GPMC for disabled links.

    Inaccessible GPO (GPO Denied)

    There is a link to the GPO, but the GPO cannot be accessed. There are several possible reasons for this:

    • The permissions on the GPO or on folders in the path to the Group Policy template are insufficient for it to be accessed and read. If this situation occurs the Component Status section of the Group Policy Results report will indicate Failure for the component Group Policy Infrastructure.
    • The GPO might have been deleted, but the link to it remains for some reason (such as replication lag).
    • Network connectivity problems might prevent access to the GPO.
    • The client is unable to contact any domain controller.

    Empty GPO (GPO Denied)

    A GPO will be denied if it has no settings. This occurs when an administrator has configured a GPO and linked to it, but has not set any policy settings within the GPO. Either remove the link to the GPO or add policy settings to the GPO. If there are no remaining links to the GPO, you should consider deleting it.

    WMI Filter (GPO Denied)

    A WMI filter applied to a GPO is essentially a Boolean (true/false) decision as to whether the entire GPO should be applied to the client computer. The filter is evaluated at the client when GPO is applied. Based on the embedded WQL query, the GPO will either be enabled or disabled. For more information, see Policy settings incorrectly applied or denied due to WMI filtering.

    Adicionalmente a esto, revisa:

    1.El event viewer del equipo cliente y el domain controller en busca de errores relacionados.

    2. Que la GPO que estas aplicando a los usuarios tengan settings de usuarios configurados. Si estas aplicando a una gpo con máquinas, revisa que la gpo tenga settings de máquina configurados.

    Por favor revisá cada uno de estos puntos, en caso de no encontrar la solución, te pido que nos envies el resultado del gpresult en el equipo cliente.

    Espero te sirva.

    Saludos.


    Mateo Agustín Di Loreto | This posting is provided AS IS with no warranties, and confers no rights. Is recommended to check in a test environment before implementing. <ahref="http://madsblog.com/">MadsBlog.com</a>


    viernes, 3 de octubre de 2014 13:28
  • gracias Mateo.

    voy  a mirar, de nuevo, las causas que expones. a ver si me he dejado algo.

    gracias ;)

    lunes, 6 de octubre de 2014 7:12
  • he visto que si configuro algunas de las gpo en las default, si se aplican,  en cambio si las deshabilito en la default y me creo una con dicha configuración, ésta se deniega...

    ¿qué podrías contarme al respecto??

    gracias

    lunes, 6 de octubre de 2014 13:57