GPO's not applying to machines

marksime8900 · 2015-11-30T12:27:24.000Z

Hi - i had a hunch some GPO’s were not applying to machines in the domain.

I have confirmed this with running gpresult and some gpo’s do not get to the machine or even show as filtered out - no evidence at all.

When i run group policy modelling against a user (first time i have used this) all the policies that i want to see are there.

#confused

#PleaseAnyIdea’s

#ThanksInAdvance

Gary-D-Williams · 2015-11-30T12:32:59.000Z

If you have more than one DC then it can take ~2 hours for a GPO to replicate and be pushed down. If this is a new GPO then the client may need a reboot.

christophgrabmer · 2015-11-30T12:33:18.000Z

User or Computer policies? Try a new policy - a computer configuration policy with no filtering and with security “authenticated users”. Please post the result!

davidr4 · 2015-11-30T12:33:29.000Z

Do you have multiple DC’s? Is it possible the sysvol folder isn’t replicating between them?

marksime8900 · 2015-11-30T13:04:57.000Z

davidr4:

Do you have multiple DC’s? Is it possible the sysvol folder isn’t replicating between them?

Hi - yes 2 DC’s.

The policies in question are historic, but have been updated often. Im presuming then if replication is not working the policy wont run at all on the PC’s ?

rockn · 2015-11-30T13:37:54.000Z

It is easy enough to figure out if replication isn’t working. Is it only certain policies or any of them? Try setting something simple on an OU without any filtering and see if it gets applied.

mulielodan · 2015-11-30T13:49:15.000Z

Also check the connection speed between the DC’s and the client machines. Depending on how many policies there are, and what that speed is, Microsoft will flat out just skip over some policies to provide a faster boot time if the connection isn’t high speed.

davidr4 · 2015-11-30T13:52:10.000Z

Open up group policy and change domain controllers to check if policies are on both DC’s. It’s possible that they aren’t replicating the sysvol folder. If a user is authenticating to DC1, then they would be getting the polices from DC1…if they authenticate to DC2, then they would get the policies in DC2

rockn · 2015-11-30T13:56:04.000Z

Or just run some diags to see if replication is happening.

mg36572 · 2015-11-30T13:58:54.000Z

Are the clients in Nested OU’s? And what group is in the security filtering of the GPO?

marksime8900 · 2015-11-30T14:36:55.000Z

mgarner101:

Are the clients in Nested OU’s? And what group is in the security filtering of the GPO?

Yes, nested OU’s

The group is a manually created group with the appropriate users. But the gpo is also linked to an OU

hmmm i shall remove the group and replace this with ‘authenticated users’

marksime8900 · 2015-11-30T14:39:18.000Z

davidr4:

Open up group policy and change domain controllers to check if policies are on both DC’s. It’s possible that they aren’t replicating the sysvol folder. If a user is authenticating to DC1, then they would be getting the polices from DC1…if they authenticate to DC2, then they would get the policies in DC2

3 DC’s (my bad)

1 DC replication fails. Ive just learned this and manually copied the GPO to sysvol on the failing server. Will test in the morning

mg36572 · 2015-11-30T14:47:48.000Z

Let us know if that worked.

rockn · 2015-11-30T15:09:56.000Z

Manually copying GPOs will probably cause more issues than it will solve. Get the replication working or you are just band-aiding what needs to be fixed anyway.