GPO no se aplican. motivo de denegación:vacío
Pregunta
Respuestas
-
Hola Juaniki,
Siguiendo con las notas oficiales de Troubleshooting de Group Policy de Microsoft te adjunto los puntos que debes verificar si una GPO aparece como Denied (denegada): http://technet.microsoft.com/en-us/library/cc779631(v=ws.10).aspx
GPO Not Applied, Listed in Denied List in Group Policy Results Report
If the GPO successfully reaches the client, it appears either in the list of Denied GPOs or in the list of Applied GPOs. A GPO can be explicitly denied for any number of reasons. To determine whether a GPO is denied, look on the Summary tab or the Group Policy Results report. Under Computer Configuration Summary and again under User Configuration Summary, click Show to expand Group Policy Objects, and then show Denied GPOs. The reason for the denial is provided for each denied GPO.
Security Filtering (GPO Denied)
The user or computer does not have the user rights assigned for the GPO. The required privileges are Read and Apply Group Policy. Alternatively, a GPO might be associated with a Deny ACE, which overrides any other privileges granted to the user or computer. For more information, see Policy settings incorrectly applied or denied due to security filtering.
Disabled Link (GPO Denied)
There is a link to the GPO from a site, domain, or OU in the hierarchy of the user or computer, but that link has been explicitly disabled. You can quickly scan the navigation pane of GPMC for disabled links.
Inaccessible GPO (GPO Denied)
There is a link to the GPO, but the GPO cannot be accessed. There are several possible reasons for this:
- The permissions on the GPO or on folders in the path to the Group Policy template are insufficient for it to be accessed and read. If this situation occurs the Component Status section of the Group Policy Results report will indicate Failure for the component Group Policy Infrastructure.
- The GPO might have been deleted, but the link to it remains for some reason (such as replication lag).
- Network connectivity problems might prevent access to the GPO.
- The client is unable to contact any domain controller.
Empty GPO (GPO Denied)
A GPO will be denied if it has no settings. This occurs when an administrator has configured a GPO and linked to it, but has not set any policy settings within the GPO. Either remove the link to the GPO or add policy settings to the GPO. If there are no remaining links to the GPO, you should consider deleting it.
WMI Filter (GPO Denied)
A WMI filter applied to a GPO is essentially a Boolean (true/false) decision as to whether the entire GPO should be applied to the client computer. The filter is evaluated at the client when GPO is applied. Based on the embedded WQL query, the GPO will either be enabled or disabled. For more information, see Policy settings incorrectly applied or denied due to WMI filtering.
Adicionalmente a esto, revisa:
1.El event viewer del equipo cliente y el domain controller en busca de errores relacionados.
2. Que la GPO que estas aplicando a los usuarios tengan settings de usuarios configurados. Si estas aplicando a una gpo con máquinas, revisa que la gpo tenga settings de máquina configurados.
Por favor revisá cada uno de estos puntos, en caso de no encontrar la solución, te pido que nos envies el resultado del gpresult en el equipo cliente.
Espero te sirva.
Saludos.
Mateo Agustín Di Loreto | This posting is provided AS IS with no warranties, and confers no rights. Is recommended to check in a test environment before implementing. <ahref="http://madsblog.com/">MadsBlog.com</a>
- Editado Mateo Agustín Di Loreto viernes, 3 de octubre de 2014 13:31
- Propuesto como respuesta Moderador M domingo, 5 de octubre de 2014 15:19
- Marcado como respuesta Moderador M martes, 7 de octubre de 2014 14:42
Todas las respuestas
-
Hola Juaniki,
Siguiendo con las notas oficiales de Troubleshooting de Group Policy de Microsoft te adjunto los puntos que debes verificar si una GPO aparece como Denied (denegada): http://technet.microsoft.com/en-us/library/cc779631(v=ws.10).aspx
GPO Not Applied, Listed in Denied List in Group Policy Results Report
If the GPO successfully reaches the client, it appears either in the list of Denied GPOs or in the list of Applied GPOs. A GPO can be explicitly denied for any number of reasons. To determine whether a GPO is denied, look on the Summary tab or the Group Policy Results report. Under Computer Configuration Summary and again under User Configuration Summary, click Show to expand Group Policy Objects, and then show Denied GPOs. The reason for the denial is provided for each denied GPO.
Security Filtering (GPO Denied)
The user or computer does not have the user rights assigned for the GPO. The required privileges are Read and Apply Group Policy. Alternatively, a GPO might be associated with a Deny ACE, which overrides any other privileges granted to the user or computer. For more information, see Policy settings incorrectly applied or denied due to security filtering.
Disabled Link (GPO Denied)
There is a link to the GPO from a site, domain, or OU in the hierarchy of the user or computer, but that link has been explicitly disabled. You can quickly scan the navigation pane of GPMC for disabled links.
Inaccessible GPO (GPO Denied)
There is a link to the GPO, but the GPO cannot be accessed. There are several possible reasons for this:
- The permissions on the GPO or on folders in the path to the Group Policy template are insufficient for it to be accessed and read. If this situation occurs the Component Status section of the Group Policy Results report will indicate Failure for the component Group Policy Infrastructure.
- The GPO might have been deleted, but the link to it remains for some reason (such as replication lag).
- Network connectivity problems might prevent access to the GPO.
- The client is unable to contact any domain controller.
Empty GPO (GPO Denied)
A GPO will be denied if it has no settings. This occurs when an administrator has configured a GPO and linked to it, but has not set any policy settings within the GPO. Either remove the link to the GPO or add policy settings to the GPO. If there are no remaining links to the GPO, you should consider deleting it.
WMI Filter (GPO Denied)
A WMI filter applied to a GPO is essentially a Boolean (true/false) decision as to whether the entire GPO should be applied to the client computer. The filter is evaluated at the client when GPO is applied. Based on the embedded WQL query, the GPO will either be enabled or disabled. For more information, see Policy settings incorrectly applied or denied due to WMI filtering.
Adicionalmente a esto, revisa:
1.El event viewer del equipo cliente y el domain controller en busca de errores relacionados.
2. Que la GPO que estas aplicando a los usuarios tengan settings de usuarios configurados. Si estas aplicando a una gpo con máquinas, revisa que la gpo tenga settings de máquina configurados.
Por favor revisá cada uno de estos puntos, en caso de no encontrar la solución, te pido que nos envies el resultado del gpresult en el equipo cliente.
Espero te sirva.
Saludos.
Mateo Agustín Di Loreto | This posting is provided AS IS with no warranties, and confers no rights. Is recommended to check in a test environment before implementing. <ahref="http://madsblog.com/">MadsBlog.com</a>
- Editado Mateo Agustín Di Loreto viernes, 3 de octubre de 2014 13:31
- Propuesto como respuesta Moderador M domingo, 5 de octubre de 2014 15:19
- Marcado como respuesta Moderador M martes, 7 de octubre de 2014 14:42
