I have two OUs both filled with computers & users. One OU won’t apply any of the GPO settings to the computers.

The modeling of one of the computers says all the GPOs were applied as I’d expect. It also mentions a fast link is detected, if that matters. The gpresult /r on the aforementioned computers says Applied is N/A, Filtering is “Local Group Policy Not applied (empty)”, then lists all the security groups which seem to show everything.

I read this thread, and the linked telnet thread, and I think I’ve gone through all of this: GPO not applying

The security filtering is just Authenticated Users, but the OU has computers, users, and security groups and not just security groups by themselves.

I don’t have any WMI filters.

Permissions are set to read.

4 Spice ups

"Permissions are set to read." Exactly what permissions? Do you mean the delegation tab has read for Authenticated Users?

Is this one specific GPO or do you mean all GPOs are failing in that OU?

Move one PC to a different OU, then restart it and test if GPOs apply - if so it is definitely the OU.
Modelling says they should apply so it is not inheritance issues.
Does the default domain policy not apply?

1 Spice up

Have you run gpresult /h yet? I find those tend to be a bit clearer than /r for this kind of troubleshooting. Are all machines that are meant to be affected listed in both the Delegation and Security tabs for the second OU? Are all GPOs shown as linked to this OU?

1 Spice up

Go to a computer/user in that OU. Have them reboot their computer and re-login. Then open up Event Viewer and read the Group Policy logs (Application and Service Logs\Microsoft\Windows\Group Policy). There is a ton of detail in there. Oftentimes you’ll get a great hint about what is going on.

2 Spice ups

Yes, the delegation tab has at least read for the Authenticated users, domain users, etc.

All GPOs in this OU are failing.

I moved a computer to another GPO… and it grabbed the policies. Back to the original OU and it didn’t grab anything. Of note, I noticed a previous inheritance policy isn’t getting applied either, but I’ll talk about that later.

Good tip.

Get one message that 0 user policies were applied, and another message that 8 for the computer were applied. I have a loopback policy, so this seems about right.

And of course, no policies being applied according to results. 🙂

If I remember correctly (it’s been 10 years), it will tell you what GPOs are in the domain, and what GPOs were applied, including permissions or reasons why a particular GPO was not applied. You might have to make a regedit to increase logging “sensitivity”, but the GPO logs are great for sussing out permission issues.

1 Spice up

So I figured it out, but not the direction I thought this was going.

I didn’t know I could drill down to specifically GPO stuff in the Event Viewer, so that was cool.

…But I couldn’t view things because I didn’t have administrative privileges, which was one of the GPO policies I was attempting to apply. Curiously, I claimed to never see any policies apply because they were all computer based, and gpresult /r was only showing User policies and I never noticed the computer policies weren’t listed at all. Only when I logged in as local admin and did a gpresult /r (because I was trying to see the Event Viewer as Admin, and running as admin wouldn’t work) did I see the computer policies were in fact applying.

Ultimately, my GPO that gave local administrator was not configured correctly. Once I made the change and rolled it out, the gpresult /r showed computer policies on the workstation accounts and everything is working as intended.

This only took about 3 months, yet Spiceworks helped me solve another.
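
The check that resolved this thread, as an added example that is not part of any poster's reply: run elevated on the affected workstation, it reports the computer scope that a non-elevated gpresult /r left out and reads the Group Policy operational log suggested above. The report path, the one-hour window and the choice of event IDs are assumptions.

```powershell
# Added example, not from the thread. Run on the affected workstation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $elevated) {
    # As seen in the thread, a non-elevated gpresult /r listed only user
    # policies, so applied computer policies went unnoticed.
    Write-Warning 'Not elevated: computer-scope results will be missing.'
    gpresult /scope user /r
    return
}

# Computer scope only: applied GPOs and GPOs filtered out for the machine.
gpresult /scope computer /r

# Full HTML report (gpresult /h); the output path is an assumption.
$report = Join-Path $env:TEMP 'gpresult.html'
gpresult /h $report /f
Write-Host "HTML report written to $report"

# Group Policy operational log (Applications and Services Logs in Event Viewer).
# The one-hour window is an assumption; widen it to cover the last reboot.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

# 5312 lists applicable GPOs, 5313 lists GPOs that were filtered out.
# Level 2 and 3 are errors and warnings raised during processing.
$events |
    Where-Object { $_.Id -in 5312, 5313 -or $_.Level -in 2, 3 } |
    Sort-Object TimeCreated |
    Format-List TimeCreated, Id, LevelDisplayName, Message
```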