how to troubleshoot why a particular GPO does not work

  • Question

  • I created a gpo 'force domain logon' to make all administrators always log into our one and only domain...but this gpo does not apply, how do I troubleshoot this??

    Setting is
    Policy     Setting     Comment
    Assign a default domain for logon     Enabled    
    Default Logon domain:     FOOBAR

    I applied filtering to administrators, authenticated users, domain admins, enterprise admins but gpresult /r shows this policy does not apply to FOOBAR\administrator user, why, how do I fix?? I have this gpo linked to all our server OUs.

    Thank you, Tom

    Tuesday, August 23, 2011 3:27 PM

All replies

  • Hi,

     

    When you are trying to determine why policy is not being applied as expected, one of the first things you should do is examine the Resultant Set of Policy (RSoP) for the user and computer experiencing problems with policy settings. Using the Gpresult command-line utility, you can view RSoP.

     

    Gpresult provides details on the following:

    • Special settings applied for folder redirection, software installation, disk quota, IPSec, and scripts
    • The last time Group Policy was applied
    • The domain controller from which policy was applied and the security group memberships for the computer and user
    • The complete list of GPOs that were applied as well as the complete list of GPOs that were not applied because of filters

     

    Troubleshooting Group Policy Processing

    http://www.windowsnetworking.com/articles_tutorials/troubleshooting-group-policy-processing.html

     

    Troubleshoot Group Policy from the Command Line with GPRESULT

    http://technet.microsoft.com/en-us/magazine/ff812646.aspx

     

    Gpresult

    technet.microsoft.com/en-us/library/cc733160(v=ws.10).aspx


    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
    • Proposed as answer by bshwjt Wednesday, August 24, 2011 10:35 AM
    Tuesday, August 23, 2011 3:33 PM
  • I already DID gpresult, it shows this specific gpo 'force domain logon' is not applying to FOOBAR\administrator.

    That is why I asked how to fix/make it apply.

    Thank you, Tom

    Tuesday, August 23, 2011 3:35 PM
  • Hi,

    Have you applied the GPO at the proper OU where the user accounts reside?


    Tuesday, August 23, 2011 3:43 PM
  • Specific message is: The following GPOs were not applied because they were filtered out: Force Domain Login

    The OUs to which this gpo is linked are several OUs containing servers. This is the domain admin account logging into the servers.

    Thank you, Tom

    Tuesday, August 23, 2011 3:46 PM
  • Have you done anything with security filtering? Make sure that the Authenticated Users have read permissions on that GPO.
    Tuesday, August 23, 2011 3:50 PM
  • Hi,

    Next to each policy that was filtered out it should provide a reason, please list that reason (or just post the gpresult output). 


    Tuesday, August 23, 2011 3:55 PM
  • Hi,

    Next to each policy that was filtered out it should provide a reason, please list that reason (or just post the gpresult output). 


    REASON: Filtering: Not Applied (empty) -- authenticated users DO have read permission -- Thank you, Tom
    Tuesday, August 23, 2011 4:16 PM
  • Filtered Out - Because it's empty. - It's clear.

    Note: You cannot apply GPOs to the default Computers container.


    Tuesday, August 23, 2011 4:25 PM
  • It has settings, it is linked to OUs containing computers (servers), it has security groups in the filtering...where or why is it "empty"?? :) :)

    Loopback processing is on and set to merge for this GPO.

    Thank you, Tom

    Tuesday, August 23, 2011 4:39 PM
  • Where exactly did you configure your settings? And what are you trying to achieve?

     


    Tuesday, August 23, 2011 4:40 PM
  • Settings in computer configuration:

    Loopback processing enabled, set to merge

    policies / admin templates / system / logon

    I created a gpo 'force domain logon' to make all administrators always log into our one and only domain instead of having to always type foobar/administrator to prevent windows 2008 from using the local server/machine local administrator account....but this gpo does not apply,

    Setting is
    Policy     Setting     Comment
    Assign a default domain for logon     Enabled    
    Default Logon domain:     FOOBAR

    I applied security filtering to administrators, authenticated users, domain admins, enterprise admins but gpresult /r shows this policy does not apply to FOOBAR\administrator user. I have this gpo linked to all our server OUs which contain the server computers.

    Thank you, Tom


    Tuesday, August 23, 2011 4:57 PM
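
Added example, not part of any post in this thread: gpresult evaluates the computer and user scopes separately, and "Not Applied (Empty)" for a scope means the GPO holds no settings in that half. The sketch below parses `gpresult /r` text into one row per scope and GPO so the two halves can be compared; the sample output is constructed and `Get-GpoScopeStatus` is a hypothetical helper name.

```powershell
# Constructed sample of `gpresult /r` text (layout follows the tool, values are made up).
$sample = @'
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Force Domain Login

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Force Domain Login
            Filtering:  Not Applied (Empty)
'@

function Get-GpoScopeStatus {   # hypothetical helper, not a built-in cmdlet
    param([string[]]$Lines)
    $scope = $null; $list = $null; $last = $null; $out = @()
    foreach ($raw in $Lines) {
        $t = $raw.Trim()
        if ($t -match '^(COMPUTER|USER) SETTINGS$') { $scope = $Matches[1]; $list = $null }
        elseif ($t -eq 'Applied Group Policy Objects') { $list = 'Applied' }
        elseif ($t -like 'The following GPOs were not applied*') { $list = 'Filtered' }
        elseif ($t -like 'The * is a part of the following security groups') { $list = $null }
        elseif (-not $t -or $t -match '^-+$' -or -not $scope -or -not $list) { continue }
        elseif ($t -match '^Filtering:\s*(.+)$') { if ($last) { $last.Reason = $Matches[1] } }
        else {   # any other indented line inside a GPO list is a GPO name
            $last = New-Object psobject -Property @{ Scope = $scope; Gpo = $t; State = $list; Reason = '' }
            $out += $last
        }
    }
    $out
}
$rows = Get-GpoScopeStatus ($sample -split '\r?\n')
# Live data instead of the sample (elevated prompt, otherwise only USER SETTINGS is returned):
#   $rows = Get-GpoScopeStatus (gpresult /r)
$rows | Where-Object { $_.Gpo -eq 'Force Domain Login' } |
    Format-Table Scope, State, Reason -AutoSize
```
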
  • Hi Tom,

    This policy setting specifies a default logon domain which may be a different domain than the machine joined domain. Without this policy, at logon, if a user does not specify a domain for logon, the domain to which the machine belongs is assumed as the default domain.

    If you enable this policy setting, the default logon domain will be set to the specified domain which may not be the machine joined domain.

    If you disable or do not configure this policy setting, the default logon domain will always be set to the machine joined domain.

    Have a look at the below link.

    http://www.grouppolicy.biz/2010/06/group-policy-setting-of-the-week-29-assign-a-default-domain-for-logon/


    Tuesday, August 23, 2011 6:43 PM
  • The specified domain IS the machine joined domain. :)

    We have only one domain to which all computers and users belong.

    I guess I must remove this GPO and look at the above-mentioned registry entry in preferences or something like that.

    Thank you, Tom

    Tuesday, August 23, 2011 8:56 PM
  • Hi Tom,

    The registry Values are working perfectly. I tested in my lab.

    Once done let us know the result.


    Wednesday, August 24, 2011 3:34 AM
  • Hi,

    Please check the event log for any error and enable userenv logging for understanding as to why the policy is not getting applied

    Wednesday, August 24, 2011 5:16 AM
  • All about GPO.

    http://www.microsoft.com/download/en/details.aspx?DisplayLang=en&id=4950

    GPOs only apply on Local Machine, Site, Domain and OU (LSDOU), not the Users/Computers containers.

     

    See the below links for basic troubleshooting.

    http://technet.microsoft.com/en-us/library/cc758759(WS.10).aspx

    http://www.windowsecurity.com/articles/Quick-Guide-Troubleshooting-Group-Policy-Security-Settings.html


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin


    Wednesday, August 24, 2011 8:51 AM
  • Hi,

     

    I would like to confirm what related event error can you read?

     

    Please only allow Authenticated Users under Security Filtering and make sure that the linked OU includes the computer objects. What’s the result?

     

    If it still cannot work, please refer to the following Microsoft TechNet articles and blog for more troubleshooting information.

     

    Troubleshooting Group Policy Problems

    http://technet.microsoft.com/en-us/library/cc787386(v=WS.10).aspx

     

    Group Policies and Access Denied

    http://blogs.technet.com/b/matthewms/archive/2005/10/29/413275.aspx

     

    Regards,

     

    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    tnmff@microsoft.com.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, August 24, 2011 10:11 AM
  • Hi Tom,

    The registry Values are working perfectly. I tested in my lab.

    Once done let us know the result.



    The same registry value as in this link??

    http://www.grouppolicy.biz/2010/06/group-policy-setting-of-the-week-29-assign-a-default-domain-for-logon/

    The article discusses Windows XP and the servers involved are Windows Server 2008 R2 SP1.

    Nevertheless I will try it.

    Thank you, Tom

    Wednesday, August 24, 2011 12:33 PM
  • Hi,

    If your clients are above Vista you can use the GPO settings; for Windows XP clients use the registry keys mentioned in the link.

    http://www.grouppolicy.biz/2010/06/group-policy-setting-of-the-week-29-assign-a-default-domain-for-logon/



    Wednesday, August 24, 2011 12:36 PM
  • See this

    http://blogs.technet.com/b/grouppolicy/archive/2010/02/24/troubleshooting-group-policy.aspx


    Best regards Biswajit Biswas
    • Proposed as answer by bshwjt Wednesday, August 24, 2011 1:45 PM
    Wednesday, August 24, 2011 1:44 PM
  • I've tried looking into logs but I have not found anything pertaining to this GPO not applying.

    What is the specific log I should review to know about GPOs not applying??

    So far as I know I have correctly implemented and applied the GPO.

    Thank you, Tom

    Wednesday, August 24, 2011 3:37 PM
  • Hi,

     

    I would like to confirm what related event error can you read?

    To do that I must know where to look and I don't know where to look, nor which server to find it on.

    Any advice you can provide would be very helpful.

    Thank you, Tom

    Wednesday, August 24, 2011 8:25 PM
  • Hi,

    More info:

    Fixing Group Policy problems by using log files: Group Policy
    technet.microsoft.com/en-us/library/cc775423(v=ws.10).aspx


    Troubleshooting Group Policy Using Event Logs
    technet.microsoft.com/en-us/library/cc749336(v=ws.10).aspx


    Thursday, August 25, 2011 6:04 AM
  • Hi,

     

    I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

     

    Regards,

     

    Arthur Li

    Forum Support
    Thursday, September 1, 2011 9:51 AM