In part 1, we covered scoping, filtering, and delegation. It is now time to cover the more advanced problems with Group Policy: link order, enforcement, inheritance, and loopback.
Learn Your Group Policy Link Rules
5. GPOs process in a very specific order. The acronym LSDOU shows that Local GPOs apply first, followed by Site, Domain, and finally OU GPOs (parent OUs before child OUs). In a nutshell, the GPO closest to the object applies last and, for any setting that more than one GPO configures, wins. If you have a GPO linked at the domain that enables Offline Files and a Junior Admin disables Offline Files in a GPO linked at the OU level, the OU GPO wins. Running GPResult against the object will show you whether another GPO is overriding your settings.
6. When a GPO is created, it lives in the Group Policy Objects container. Linking a GPO to an OU merely creates a pointer to that GPO; the same GPO can be linked in several places, and each link can be enabled or disabled independently without touching the GPO itself. In the picture below, the Configuration GPO link is disabled. Notice how the link arrow is greyed instead of black (like the Default Domain Policy).
You can quickly see whether a GPO is linked anywhere, or has been left unlinked, by using PowerShell.
7. A GPO link can also be set to Enforced. An enforced link appears with a lock on the link icon. An enforced GPO upstream (one linked to a higher OU or the domain) can cause you problems. For example, if the Default Domain Policy link were enforced, every setting in it would apply to every object in the domain. It does not matter if another GPO is linked to an OU below it and is also enforced: when enforced GPOs conflict, the one linked highest in the hierarchy always wins.
If both links in the picture above were set to Enforced, the Default Domain Policy would win over the Configuration: UE-V policy.
8. The final piece of trickery with links is the Block Inheritance setting. When an OU is set to Block Inheritance, all GPOs linked above that OU are ignored except those whose links are Enforced. In the example below, the Domain Sites OU will not process the Default Domain Policy.
If the Default Domain Policy link were enforced, it would ignore the Block Inheritance setting and apply anyway. In an ideal environment, you keep everything as simple as possible. That means using Block Inheritance and Enforced sparingly, because every one of them is an exception someone has to remember when reading a GPResult.
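The two checks from the link rules above (which GPOs are unlinked, and what the effective precedence for an OU looks like once link order, Enforced and Block Inheritance are taken into account), as an added PowerShell example. This is not code from the original post; it assumes the GroupPolicy RSAT module on a domain-joined machine, and the OU path in the usage line is a placeholder.

```powershell
# Added example, not code from the original post. Requires the GroupPolicy module
# (RSAT) and read access to the GPOs; the OU distinguished name is a placeholder.
Import-Module GroupPolicy

# GPOs that exist in the Group Policy Objects container but are linked nowhere.
# The XML report carries one <LinksTo> element per link; none means unlinked.
function Get-UnlinkedGpo {
    Get-GPO -All | Where-Object {
        [xml]$report = Get-GPOReport -Guid $_.Id -ReportType Xml
        -not $report.GPO.LinksTo
    } | Select-Object DisplayName, Id, GpoStatus
}

# Links placed directly on an OU (including disabled ones) plus the effective,
# inherited precedence list as GPMC's "Group Policy Inheritance" tab shows it.
# Lower Order applies later and wins; Enforced links from above sort to the top,
# and a Block Inheritance on the OU drops the non-enforced links from above.
function Show-GpoPrecedence {
    param([Parameter(Mandatory)][string]$Target)   # OU distinguished name

    $inh = Get-GPInheritance -Target $Target
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Block Inheritance is set on $($inh.Path): only Enforced links from above still apply."
    }

    $direct = foreach ($l in ($inh.GpoLinks | Sort-Object Order)) {
        [pscustomobject]@{ Scope = 'This OU'; Order = $l.Order; GPO = $l.DisplayName
                           Enabled = $l.Enabled; Enforced = $l.Enforced; LinkedAt = $l.Target }
    }
    $effective = foreach ($l in ($inh.InheritedGpoLinks | Sort-Object Order)) {
        [pscustomobject]@{ Scope = 'Effective'; Order = $l.Order; GPO = $l.DisplayName
                           Enabled = $l.Enabled; Enforced = $l.Enforced; LinkedAt = $l.Target }
    }
    @($direct) + @($effective) | Format-Table -AutoSize
}

# Usage (placeholder OU):
Get-UnlinkedGpo
Show-GpoPrecedence -Target 'OU=Domain Sites,DC=corp,DC=example'
```

Compare the "Effective" rows against `gpresult /r` (run elevated to see the computer side) on a machine in that OU: a GPO that is high in the effective list but missing from the client's "Applied GPOs" has been filtered out by security filtering or a WMI filter, which is a scoping problem from part 1 rather than a link problem.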
Crazy Junk with Loopback
9. When a computer starts up, it processes the computer-side settings of every GPO linked to the computer's OU (and above). When a user logs on, the user-side settings of every GPO linked to the user's OU (and above) are processed. This is normal Group Policy behavior.
When loopback is enabled, this process has one additional step. After the user's own GPOs process, the user-side settings of any GPO linked to the computer's OU (and above) are applied as well, and where they conflict, the computer's OU wins. That is Merge mode; in Replace mode the user's own GPOs are skipped entirely and only the user-side settings linked to the computer's OU apply. Although this does slow down Group Policy processing, I still love it and find it insanely helpful! With loopback, I can take a user-side setting (like setting the homepage in IE) and apply it to a group of computers (such as those in a lab)!
Bear in mind that loopback now requires both the user and computer objects to be in scope on the GPO: the user needs Read and Apply Group Policy, and the computer account needs at least Read, because it is the computer that fetches the user-side settings during the loopback pass. Before Windows Vista, the computer did not need Read permission on the GPO. If you still have questions about loopback (or want to learn how to use it), see these two guides:
- Loopback Policy: How a Computer Gets a Transgender Operation
- Questions about Loopback Policy Processing
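Setting up a lab loopback GPO end to end, including the permission detail from the paragraph above, as an added PowerShell example. This is not code from the original post or from the guides it links; the GPO name, the group name and the OU path are placeholders, and the screen-saver value is just a stand-in for whatever user-side setting you want to push to the lab machines.

```powershell
# Added example, not code from the original post. GPO name, group name and OU are
# placeholders. Requires the GroupPolicy module (RSAT) and rights to create/link GPOs.
Import-Module GroupPolicy

$GpoName = 'Lab - Loopback (Replace)'
$LabOu   = 'OU=Lab Computers,DC=corp,DC=example'

# 1. Create the GPO and turn on loopback. The GUI setting is
#    Computer Configuration > Policies > Administrative Templates > System > Group Policy >
#    "Configure user Group Policy loopback processing mode"; it writes UserPolicyMode
#    under the policy key below (1 = Merge, 2 = Replace).
New-GPO -Name $GpoName | Out-Null
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 2. Put a user-side setting in the SAME GPO. This one forces the screen saver on
#    (User Configuration > Administrative Templates > Control Panel > Personalization).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -ValueName 'ScreenSaveActive' -Type String -Value '1' | Out-Null

# 3. Permissions. Users need Read + Apply (GpoApply). The lab computers need at least
#    Read (GpoRead): without it the computer cannot fetch the user-side settings
#    in its loopback pass and the GPO silently does nothing for the user.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Lab Computers' `
    -TargetType Group -PermissionLevel GpoRead | Out-Null

# 4. Link to the COMPUTERS' OU. Linking to the users' OU defeats the purpose.
New-GPLink -Name $GpoName -Target $LabOu -LinkEnabled Yes | Out-Null

# 5. Verify on a lab machine after gpupdate /force and a fresh logon: returns 2 when
#    Replace mode is in effect, nothing if the computer side never applied.
function Get-LoopbackMode {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
}
```

On the client, `gpresult /r /scope:user` should list the lab GPO under Applied GPOs even though the user's own OU never links it; if it shows up under Denied GPOs with "Inaccessible" or "Access Denied", step 3 is the first thing to check.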
Read Carefully
10. Finally, make sure that the GPO is doing what you intend it to do. When a setting says "Enable Turn Off Audio Mode", it is very easy to get confused. Read carefully over any GPO setting description when configuring your GPO. Microsoft is a huge fan of double negatives: Enabling a setting named "Turn off X" switches X off, and Disabling that same setting forces X on, which is not the same as leaving it Not Configured. You can use Microsoft's GPSearch utility for explanations of GP settings.
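A quick audit for exactly that double-negative trap, as an added PowerShell example (not code from the original post). It pulls the GPO's XML report and lists every Administrative Template setting whose title is phrased negatively, together with what its State actually does to the feature; the GPO name is a placeholder and the word list is my own assumption of the usual negative phrasings.

```powershell
# Added example, not code from the original post. GPO name is a placeholder; the
# regex of negative phrasings is an assumption you can extend for your own templates.
Import-Module GroupPolicy

function Find-NegativelyNamedSettings {
    param([Parameter(Mandatory)][string]$GpoName)

    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $negative = '^(Turn off|Disable|Prevent|Do not|Don''t|Remove|Hide|Block|Prohibit)'

    foreach ($side in 'Computer', 'User') {
        # Only configured Administrative Template settings appear in the report;
        # Not Configured ones are absent, so absence means "default behaviour".
        $policies = $report.GPO.$side.ExtensionData.Extension.Policy
        foreach ($p in $policies) {
            if ($p.Name -match $negative) {
                [pscustomobject]@{
                    Side    = $side
                    Setting = $p.Name
                    State   = $p.State
                    Effect  = if ($p.State -eq 'Enabled') { 'feature is turned OFF' }
                              else                        { 'feature is forced ON' }
                }
            }
        }
    }
}

# Usage (placeholder GPO name):
Find-NegativelyNamedSettings -GpoName 'Workstation Baseline' | Format-Table -AutoSize
```

If the Effect column surprises you for any row, that is the setting to re-read before blaming link order or filtering.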
Be sure to read the other articles in this series for detailed troubleshooting steps.
Hi There,
As with Windows 10, certain logon scripts were not executed.
After assistance from Microsoft, here are some tips.
Put in the user configuration scope > Delegation > Advanced:
Domain Computers > Read > Apply Group Policy
Authenticated Users > Read (Not Apply Group Policy)
This should solve your .bat .ps1 logon scripts.
Please note that logon scripts are not executing anymore with gpupdate /force.
You really need to log out and log back in again.
This change has started from at least around May 2016, and I am currently on build 10586.545.
Kind regards,
Martijn Kamminga
Additional info: Do put in your security groups / users in the scope.
Authenticated users > Read > not apply group policy is only when you need to specify certain groups, or users. If you want all to apply, do apply group policy for authenticated users.
My bad,
Kind regards,
Martijn Kamminga
Darn, silly me. I’ve made an error.
Let me correct this:
– Domain computers must have read (not apply policy) in Delegation > advanced settings of the GPO Setting.
– Put your users (or user groups) in the scope.
This setting is not always required in every environment, but it can be.
In some cases a .bat file will not execute on the client.
Make sure that if your .bat file is not in your SYSVOL but on a share, Domain Computers have Read access to that share, both share permission and NTFS permission.
Sorry to have misled you and that I did not correct this sooner.
Kind regards,
Martijn Kamminga
I have four containers with View desktops (virtual machines) that I want to apply group policies to. When I try to link an existing group policy to one of the containers, it tells me that the link information for this domain, site, or organization is out of date, refresh and try again. I have refreshed the container, its parent, the domain, etc., and the container in AD. It still gives me the error when I try to link a GPO. Any thoughts or ideas what may be causing this?
Hi Joseph,
I've followed your 10 (good!) pieces of advice, but no way: Computer configuration is not applied, whereas User configuration works well.
The 2 configurations are in the same GPO, and it's the only (first, at all) GPO on this domain; gpresult is telling me that no GPOs are applied on the computer.
Do you have an idea?
Mikhael
Hi Joseph,
I am having an issue with a GPO. Any chance I can email you the gpresults to have a look?
Sure! My email is in the top right of this page – just click the contact button.
Had an issue with the wallpaper BMP not loading. If you have this issue, try making the image a lower resolution.
Thanks for that tip!
Hi Joseph,
I figured it out. It had to do with a McAfee internet security suite that comes with that xps 15.
As I was trying to connect to the machine, it didn't work because of the managed application settings that had taken over the function of the Windows firewall, which led me to believe that the GPO was not applied.
However, the gpresults still doesn't show computer configuration being applied.
After checking each setting that should've been applied, I could confirm it actually did apply, along with the firewall settings such as remote WMI, local admin accounts, etc., after removing the suite.
Thank you for responding and feel free to clean up these messages to keep your site clean.
Kind regards,
Martijn
No problem at all – if you run GPResult as an admin, you will see the computer side settings.
Hi there,
I have a 2008 R2 server and just bought 2 Dell XPS 15s with Windows 8.1.
The user side gets processed, but not the computer side.
I started with WMI filters, but when they did not apply I unlinked these filters.
Before that I did a check on Windows 7, and all that applied were applied and those not true (WMI filter) were denied.
I've downloaded the Administrative Templates, put them in the central store and on top copied over the Windows 8.1 computer PolicyDefinitions to the Central Store also. Tried both separately, by the way.
I've tried loopback processing mode, but no luck.
Several reboots, gpupdates, checks with rsop and gpresult, and putting the computer in security filtering. No luck.
I can confirm users and computer are in their correct OU the policy applies to.
Do you have any clue, why the Computer Configuration is not applied to Windows 8.x only?
I don't. Can you email me a copy of your GPResult that includes the computer and user config? Also email me a copy of your GPO. My contact email is in the top right of this page.