1

I’m relatively new to an organization.

I’ve been going nuts try to figure out why GPOs linked to user OUs are not applied.

There were several already linked and it was found that none of them apply.

Basically the structure is like the following where departmentX contains user accounts.

We have a seperate OU for computers which has sub-OUs for each site.

GPOs that contain computer policies linked to the computer account OUs apply fine.

GPOs that contain user policies linked to the user account OUs do not get applied.

I’ve checked:

  1. There are no GPOs linked to the root of the domain that have loopback enabled.

  2. There are no computer GPOs that have loopback enabled which contain the settings that are being applied in the GPOs for the user OUs.

Example structure in AD:

domain.internal

---- department1

----department2

----departmentx

—workstations

–siteA

–siteB

–siteX

Any ideas?

thanks!

9 Spice ups
2

I would say start by checking your delegation. Make sure the GPO has proper permissions to get applied.

2 Spice ups
3

If you do a gpresult /H GPResult.html and look at the file it will probably give you some initial clues about why the policy is not applying. Have you verified that the user that you’re testing against is in the OU that you have your User Configuration GP linked to?

2 Spice ups
4

What do your security filtering settings say for those policies under the ‘Scope’ tab?

If you go to the ‘Details’ tab of one of your user policies, what does the ‘GPO Status’ say?

1 Spice up
5

Use RSOP to examine a user that is supposed to get the policy but isnt. What does it say?

from a machine, you can also use gpresult /h test.html

Are the GPOs ‘disabled’ in any way? User policies disabled, or completely disabled? (right click on them)

2 Spice ups
6

Have you tried a gpresult /R ? That will at least give you a starting point for why GPO’s are being filtered out. Could be that your users are in a group that’s excluded from the OU policy for machines.

Could also try logging in as a local user to see if the GPO’s are applied to the machines then.

7

security filtering was set to authenticated users.

for testing i tried adding myself, my user account is in the OU where the policy is linked.

Security on the GPO is the default, authenticated users have read access.

the gpo doesn’t even show up in the report when running gpresult /H

in fact none of the GPOs that are linked to user OUs show up when running gpresult /H or when using group policy results wizard on a server.

What’s interesting is i was trying to add a new GPO for user OUs that contain user settings and it was found that existing GPOs linked to the users OU haven’t been applied, i have no idea when that started.

the user GPOs have computer settings disabled, there are no computer settings.

on the details tab the status says computer configuration settings disabled.

8

There’s no ‘block inheritance’ set on any of the sub-OU’s, are there?

9

no, block inheritance is not set.

truly a mind boggler, from what i can tell these should be applied.

10

I would do as Overdrive asked , and run RSoP against one of those computers with the user in question.

Very strange.

In addition, you might want to start looking at the Windows Event Log (look at Event Viewer> Applications and Services Logs> Microsoft> Windows> GroupPolicy) and see if anything looks out of order.

This is going to sound stupid, but I assume these users are logging in as domain users to the proper domain? (Sorry, had to ask!)

Also, stupid question #2, the GPO links are enabled, correct?

2 Spice ups
11

The policy doesn’t show up when running RSoP or GPRESULT /H, or in C:\windows\debug\usermode\gpsvc.log with debug logging enabled on a workstation.

nothing in the event viewer either.

if i link it to the root of the domain it shows up properly in the gpsvc.log and in GPRESULT /H or RSoP, and gets applied properly. if it gets linked to a user OU rather than the root it doesn’t show up in any logs or get applied.

i checked NTFS security in sysvol, delegation, etc. and all looks good.

yes we are logging on as domain users to the proper domain, links are enabled.

i tried setting to enforced also and that didn’t work either.

12

What happens if you create a new user OU, bring a user to that, apply the GPO, then log in as that user?

13

None of your loopback policies have ‘replace’ mode enabled, do they?

1 Spice up
14

In reference to #2 in your original post, enabling loopback does not just affect the user settings in the GPO in which loopback is enabled, it affects all user settings in all GPOs that are applied to a particular computer. So, the fact that the settings in question are not in a GPO that enables loopback is irrelevant. Loopback policy processing is not a per-GPO setting, it is either on or off for that computer. You need to verify that no GPOs (save the default domain policy) applied to computers have any user settings.

Or, as Rob suggested, ensure tha “Replace” mode is not enabled in the GPO in which loopback is configured. (Although, there may be a valid reason for that, so dont just go changing it.)

1 Spice up
15

Still going through an issue identical to this. Corrupted GPO wouldn’t allow processing of other GPOs in that OU as per described by Technet. Tried to find the article but alas, it is gone. Basically removed from GPC but GPT still had an entry, revisions were the same. Yahdah-Yahdah.

On another note, here’s a good check list you can go through for GPOs not being applied. Some of it was already described by Rob.

16

Thank you.

I will check for corrupt GPOs as we still have yet to figure this out.

17

This was traced down to there was one loopback policy with replace enabled that had a lot of “not configured” settings which was causing the issue.

thanks!

2 Spice ups
18

Thanks for getting back to us!