I created new GPOs under the Group Policy Objects.

It is filtered for specific security groups - there are about 40 of them for different regions. Just mapping some drives and deploying the correct printer.

All have Authenticated Users set to READ, and the specific security group set to READ (from Security Filtering).

On user computer - tested with GPUPDATE /Force - when running GPRESULT /r - it only shows the first Domain Policy applied, and then the first 3 GPOs Denied (Security) as it should - the ones further down the list are not being denied or applied.

Verified Delegation settings that all are the same.

Help!

5 Spice ups

A lot of the time when you run gpresult it will tell you where to look in the event log to see what is going wrong. I always use the HTML version of gpresult though. Is there any chance it is pointing you to some logs? That is where I would start. Feel free to post your logs, and/or screenshots of your config.

For what it’s worth, I have one GPO called DriveMappings that is applied to all regular users (non-admin, non-service). Then I use Group Policy Preferences Item-Level Targeting to map the drives (82 of them) to various security groups. Much easier to keep track of.

@kevinweller

Here is the gpresult /r

C:\WINDOWS\system32>gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© Microsoft Corporation. All rights reserved.

Created on ‎2/‎15/‎2022 at 12:00:21 PM

RSOP data for WGI\jkb on JKB : Logging Mode

OS Configuration: Member Workstation
OS Version: 10.0.19043
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\jkb
Connected over a slow link?: No

USER SETTINGS

CN=,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=wgi,DC=local
Last time Group Policy was applied: 2/15/2022 at 11:59:30 AM
Group Policy was applied from: WESCO.wgi.local
Group Policy slow link threshold: 500 kbps
Domain Name: WGI
Domain Type: Windows 2008 or later

Applied Group Policy Objects

Default Domain Policy

The following GPOs were not applied because they were filtered out

002 Lake City
Filtering: Denied (Security)

001 Lynnwood
Filtering: Denied (Security)

000 All Stores
Filtering: Denied (Security)

Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups

Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Folder Redirection
Authentication authority asserted identity
Medium Mandatory Level

As you can see - the Default Domain policy applies - and then next 3, 000 - All Stores, 001 Lynnwood, 002 Lake City are all denied as they should be because they do not apply to that user.

At the bottom of the GPOs - the Folder Redirection applies to this user - and doesn’t appear to be processed. The individual stores such as the 000, 001, 002 work for those specific users, but when a user that should have 003 applied - only the first 3 show denied, the remainder do not process. As I originally stated, all have the same security settings with Authorized User marked as read - and the specific security group set to Read (from Security Filtering).

Below is a picture of GPOs under the Group Policy Object bucket - and then a shot of 001 - which is processing, and then two others that are not - yet with the exact same permissions save for the specific security group.

For the example user - JKB - you can see they are a part of the security group Folder Redirection - which is the authorized security group listed in the GPO Folder Redirection - yet it doesn’t process per gpresult as shown above.

It’s only processing the first few in order of alphabet from the Group Policy Objects - and I can’t figure out why. (Apologies if my explanation seems scattered.)

Below are screenshots of the GPO

In my experience, issues with folder redirection and drive maps are usually a permission issue. You might wanna make sure you can access those folders manually as the user. If you can’t do that, the GPO won’t map.

@cerbere

I have each location mapping to different folder dependent upon their specific location (End of day paperwork, Invoices, etc) - it has to do with their internal person that processes.

@kevinweller

That would be an idea - but that doesn’t explain why gpresult shows denied on the first few which do not apply to the specific user - and why the folder redirection which is at the bottom of the GPO list is not being processed when it applies specifically to that user.

If it was a permissions issue - then I assume the 000, 001 and 002 would not show up on the gpresult inquiry.

I see what you are saying. However, from my experience the GPO will show up in GPRESULT even if the user does not have permission to the folder.

Also, under Scope, is Authenticated Users set to Read?

@kevinweller

Exactly - so I should see it processing in gpresult - that’s different than it processing and not working - so what would prevent it from processing is the million dollar question?

Bueller? Bueller? Bueller?

1 Spice up

@kevinweller

Yes, Authenticated Users are set to Read (you can see that in the pictures)

1 Spice up

Under Delegation, but you haven’t shown the Scope tab. I have seen issues when Authenticated Users were not under the Scope tab as far as GPOs applying.

Good Catch - the ones that are working seem to have the whole domain OU listed in the Links - whereas the ones that are not reading do not have that - any idea the logic behind that?

1 Spice up

@kevinweller

Right clicking on the Domain, linking to an existing GPO was the trick! Thanks Kevin - good find! Tell me where to send the Starbucks card!

1 Spice up
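The cause found in this thread was GPOs that existed under Group Policy Objects but were not linked to the domain or an OU, so they appeared in gpresult as neither applied nor denied. The PowerShell below is an added example, not posted by anyone in the thread: it lists every GPO with its links and its Authenticated Users permission, and it assumes the GroupPolicy module (RSAT/GPMC) is installed and the session can read GPOs in the domain.

```powershell
# Added example: audit GPO links and Authenticated Users access.
# Assumes the GroupPolicy module (RSAT / GPMC) and a domain-joined session.
Import-Module GroupPolicy

$report = foreach ($gpo in Get-GPO -All) {
    # The XML report lists every container (domain, OU, site) the GPO is linked to.
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($xml.GPO.LinksTo | Where-Object { $_ })

    # Look up the Authenticated Users entry shown on the Delegation tab.
    # A missing entry raises an error, which is recorded here as 'none'.
    try {
        $perm = (Get-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
                    -TargetType Group -ErrorAction Stop).Permission
    } catch {
        $perm = 'none'
    }

    [pscustomobject]@{
        GPO           = $gpo.DisplayName
        EnabledLinks  = @($links | Where-Object { $_.Enabled -eq 'true' }).Count
        TotalLinks    = $links.Count
        LinkedTo      = ($links.SOMPath -join '; ')
        AuthUsersPerm = $perm
        GpoStatus     = $gpo.GpoStatus
    }
}

# A GPO with no enabled link is never evaluated for any user or computer,
# so security filtering is not reached and gpresult does not list it at all.
$report | Sort-Object EnabledLinks, GPO | Format-Table -AutoSize

# Short list of the GPOs that need a link before filtering can matter.
$report | Where-Object { $_.EnabledLinks -eq 0 } | Select-Object GPO, AuthUsersPerm
```

A GPO that shows `EnabledLinks` of 0 matches the symptom described above; one that is linked but shows `AuthUsersPerm` of `none` is the separate Delegation-tab read-permission case raised in the thread.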

No, if you ever find out, I would like to know!

You have to add authenticated users (and/or domain computers) read permission to the DELEGATION tab. Take this as consideration please: