Principales respuestas
GPO no se aplican. motivo de denegación:vacío

Pregunta
-
Buenas tardes
estoy montando un dominio en windows server 2008 r2. con sus usuarios, grupos, GPO....
En el campo de las GPO me sucede que cuando las creo y las aplico a alguna OU donde tengo usuarios , éstos deniengan la GPO dando el motivo de denagación vacío(viendo en gpresult /h).
Ni siquiera me aplica la "Default Policy"
los clientes son windows 7 prof.
Otras políticas si que las aplica...
Qué puede estar pasando? ¿Cómo puedo diagnosticar los errores?no veo error en el visor de eventos ni en ningún lado, simplemente no la aplica....
Gracias de antemano
Respuestas
-
Hola Juaniki,
Siguiendo con las notas oficiales de Troubleshooting de Group Policy de Microsoft te adjunto los puntos que debes verificar si una GPO aparece como Denied (denegada): http://technet.microsoft.com/en-us/library/cc779631(v=ws.10).aspx
GPO Not Applied, Listed in Denied List in Group Policy Results Report
If the GPO successfully reaches the client, it appears either in the list of Denied GPOs or in the list of Applied GPOs. A GPO can be explicitly denied for any number of reasons. To determine whether a GPO is denied, look on the Summary tab or the Group Policy Results report. Under Computer Configuration Summary and again under User Configuration Summary, click Show to expand Group Policy Objects, and then show Denied GPOs. The reason for the denial is provided for each denied GPO.
Security Filtering (GPO Denied)
The user or computer does not have the user rights assigned for the GPO. The required privileges are Read and Apply Group Policy. Alternatively, a GPO might be associated with a Deny ACE, which overrides any other privileges granted to the user or computer. For more information, see Policy settings incorrectly applied or denied due to security filtering.
Disabled Link (GPO Denied)
There is a link to the GPO from a site, domain, or OU in the hierarchy of the user or computer, but that link has been explicitly disabled. You can quickly scan the navigation pane of GPMC for disabled links.
Inaccessible GPO (GPO Denied)
There is a link to the GPO, but the GPO cannot be accessed. There are several possible reasons for this:
- The permissions on the GPO or on folders in the path to the Group Policy template are insufficient for it to be accessed and read. If this situation occurs the Component Status section of the Group Policy Results report will indicate Failure for the component Group Policy Infrastructure.
- The GPO might have been deleted, but the link to it remains for some reason (such as replication lag).
- Network connectivity problems might prevent access to the GPO.
- The client is unable to contact any domain controller.
Empty GPO (GPO Denied)
A GPO will be denied if it has no settings. This occurs when an administrator has configured a GPO and linked to it, but has not set any policy settings within the GPO. Either remove the link to the GPO or add policy settings to the GPO. If there are no remaining links to the GPO, you should consider deleting it.
WMI Filter (GPO Denied)
A WMI filter applied to a GPO is essentially a Boolean (true/false) decision as to whether the entire GPO should be applied to the client computer. The filter is evaluated at the client when GPO is applied. Based on the embedded WQL query, the GPO will either be enabled or disabled. For more information, see Policy settings incorrectly applied or denied due to WMI filtering.
Adicionalmente a esto, revisa:
1.El event viewer del equipo cliente y el domain controller en busca de errores relacionados.
2. Que la GPO que estas aplicando a los usuarios tengan settings de usuarios configurados. Si estas aplicando a una gpo con máquinas, revisa que la gpo tenga settings de máquina configurados.
Por favor revisá cada uno de estos puntos, en caso de no encontrar la solución, te pido que nos envies el resultado del gpresult en el equipo cliente.
Espero te sirva.
Saludos.
Mateo Agustín Di Loreto | This posting is provided AS IS with no warranties, and confers no rights. Is recommended to check in a test environment before implementing. <ahref="http://madsblog.com/">MadsBlog.com</a>
- Editado Mateo Agustín Di Loreto viernes, 3 de octubre de 2014 13:31
- Propuesto como respuesta Moderador M domingo, 5 de octubre de 2014 15:19
- Marcado como respuesta Moderador M martes, 7 de octubre de 2014 14:42
Todas las respuestas
-
Hola Juaniki,
Te aconsejo que revises los puntos detallados en la siguiente nota y nos des tu feedback.
http://technet.microsoft.com/en-us/library/cc787386(v=ws.10).aspx
Espero te sirva.
Saludos.
Mateo Agustín Di Loreto | This posting is provided AS IS with no warranties, and confers no rights. Is recommended to check in a test environment before implementing. <ahref="http://madsblog.com/">MadsBlog.com</a>
-
Hola Juaniki,
Te aconsejo que revises los puntos detallados en la siguiente nota y nos des tu feedback.
http://technet.microsoft.com/en-us/library/cc787386(v=ws.10).aspx
Espero te sirva.
Saludos.
Mateo Agustín Di Loreto | This posting is provided AS IS with no warranties, and confers no rights. Is recommended to check in a test environment before implementing. <ahref="http://madsblog.com/">MadsBlog.com</a>
Gracias Mateo.
he revisado las GPO y no están vacías
siguiendo esta imagen, http://i.technet.microsoft.com/dynimg/IC196770.gif
- Does Group Policy Results list the GPO as applied? -> NO
- Is the setting listed in Group Policy Results Report? --> YES
- Is the GPO listed in the Denied List?---> YES
son gpos básicas:
desactivar firewall
texto de bienvenida
y la que más me preocupa es la default policy que no se aplica....... y ahí no he tocado en nada..
-
Hola Juaniki,
Siguiendo con las notas oficiales de Troubleshooting de Group Policy de Microsoft te adjunto los puntos que debes verificar si una GPO aparece como Denied (denegada): http://technet.microsoft.com/en-us/library/cc779631(v=ws.10).aspx
GPO Not Applied, Listed in Denied List in Group Policy Results Report
If the GPO successfully reaches the client, it appears either in the list of Denied GPOs or in the list of Applied GPOs. A GPO can be explicitly denied for any number of reasons. To determine whether a GPO is denied, look on the Summary tab or the Group Policy Results report. Under Computer Configuration Summary and again under User Configuration Summary, click Show to expand Group Policy Objects, and then show Denied GPOs. The reason for the denial is provided for each denied GPO.
Security Filtering (GPO Denied)
The user or computer does not have the user rights assigned for the GPO. The required privileges are Read and Apply Group Policy. Alternatively, a GPO might be associated with a Deny ACE, which overrides any other privileges granted to the user or computer. For more information, see Policy settings incorrectly applied or denied due to security filtering.
Disabled Link (GPO Denied)
There is a link to the GPO from a site, domain, or OU in the hierarchy of the user or computer, but that link has been explicitly disabled. You can quickly scan the navigation pane of GPMC for disabled links.
Inaccessible GPO (GPO Denied)
There is a link to the GPO, but the GPO cannot be accessed. There are several possible reasons for this:
- The permissions on the GPO or on folders in the path to the Group Policy template are insufficient for it to be accessed and read. If this situation occurs the Component Status section of the Group Policy Results report will indicate Failure for the component Group Policy Infrastructure.
- The GPO might have been deleted, but the link to it remains for some reason (such as replication lag).
- Network connectivity problems might prevent access to the GPO.
- The client is unable to contact any domain controller.
Empty GPO (GPO Denied)
A GPO will be denied if it has no settings. This occurs when an administrator has configured a GPO and linked to it, but has not set any policy settings within the GPO. Either remove the link to the GPO or add policy settings to the GPO. If there are no remaining links to the GPO, you should consider deleting it.
WMI Filter (GPO Denied)
A WMI filter applied to a GPO is essentially a Boolean (true/false) decision as to whether the entire GPO should be applied to the client computer. The filter is evaluated at the client when GPO is applied. Based on the embedded WQL query, the GPO will either be enabled or disabled. For more information, see Policy settings incorrectly applied or denied due to WMI filtering.
Adicionalmente a esto, revisa:
1.El event viewer del equipo cliente y el domain controller en busca de errores relacionados.
2. Que la GPO que estas aplicando a los usuarios tengan settings de usuarios configurados. Si estas aplicando a una gpo con máquinas, revisa que la gpo tenga settings de máquina configurados.
Por favor revisá cada uno de estos puntos, en caso de no encontrar la solución, te pido que nos envies el resultado del gpresult en el equipo cliente.
Espero te sirva.
Saludos.
Mateo Agustín Di Loreto | This posting is provided AS IS with no warranties, and confers no rights. Is recommended to check in a test environment before implementing. <ahref="http://madsblog.com/">MadsBlog.com</a>
- Editado Mateo Agustín Di Loreto viernes, 3 de octubre de 2014 13:31
- Propuesto como respuesta Moderador M domingo, 5 de octubre de 2014 15:19
- Marcado como respuesta Moderador M martes, 7 de octubre de 2014 14:42
-
-