Group Policy is a solid tool and is very stable. Microsoft has made constant improvements to it since Windows 2000. It allows for the configuration and deployment of pretty much anything in your Active Directory environment. From deploying software to setting the default printer, it works. But when Group Policy is not being applied, we can fix it!
Microsoft has provided great guidelines and tools in order to troubleshoot. Let’s look at the top ten issues that can stop Group Policy from being applied. Be sure to check out the other articles in this series for more in-depth Group Policy troubleshooting.
Group Policy Not Being Applied? Start with the Scope
1. The most common issue with Group Policy is a setting not being applied. The first place to check is the Scope tab on the Group Policy Object (GPO). If you are configuring a computer-side setting, make sure the GPO is linked to the Organizational Unit (OU) that contains the computer. If the GPO configures a user-side setting, it needs to be linked to the OU containing the correct user.
There are certain cases where you can do some crazy linking; we will cover that in a bit. Remember, GPOs cannot be linked to an OU that just contains security groups: the link targets the container, and group membership does not place the users or computers themselves in that OU. You can use this PowerShell script to optimize your GPO links and ensure that they are properly linked.
2. Next, check the security filtering. By default, a GPO is filtered to Authenticated Users. Make sure that the computers or users needing the policy are in a group that is specified here. Remember that Domain Users includes all users, Domain Computers includes all computers, and Authenticated Users includes all users and computers.
In the picture below, you can see a GPO that is scoped to Authenticated Users. Beginning in July 2016, Microsoft fixed a security issue related to Group Policy processing: user-side GPOs are now retrieved in the computer's security context. If you are applying a GPO to a user or to a security group of users, ensure that Domain Computers or Authenticated Users still has the ability to read the GPO. See this guide for more information.
3. Some GPOs make use of WMI filters. These filters apply GPOs dynamically based on a host of factors: if you want a GPO to apply only when, for example, a particular device is attached, use a WMI filter. However, that WMI filter has to evaluate to True for the object processing the GPO. This means that if your WMI filter checks a user-only setting, you can't scope the GPO only to computers.
This GPO is linked to an OU named Domain Sites, applies to Authenticated Users, and doesn’t have a WMI Filter linked to it.
You can use the WMI validator to check the status of a WMI filter. If you are unsure if a WMI filter is causing an issue, check out our guide to WMI filters and Group Policy.
Time to Dive into Delegation
4. In order for a GPO to apply, the object (a user or a computer) needs two GPO permissions: Read and Apply Group Policy. By default, an object added on the Scope tab receives both of these permissions. That is why every object can apply a GPO when Authenticated Users is listed under security filtering.
However, you can configure advanced Deny permissions on the Delegation tab. These Deny permissions take precedence over any Allow permissions. This feature is very useful when you want to exclude a GPO from a handful of objects, but it can get confusing if employed often.
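The four checks above, turned into a script. This is an added example, not code from the article: for one GPO and one OU it reports whether a link reaches the OU, who holds Apply Group Policy, whether Authenticated Users or Domain Computers can still read the GPO after the July 2016 change, which WMI filter is attached, and which Deny entries sit on the Delegation tab. The GPO name and OU distinguished name are placeholders, and the RSAT GroupPolicy module is assumed.

```powershell
# Added example, not from the article: audits one GPO against checks 1-4 above.
# Requires the RSAT GroupPolicy module; GPO name and OU DN are placeholders.
Import-Module GroupPolicy

$GpoName  = 'Lab Desktop Settings'                 # placeholder GPO name
$TargetOu = 'OU=Lab Computers,DC=corp,DC=example'  # placeholder OU holding the computers

$gpo      = Get-GPO -Name $GpoName -ErrorAction Stop
$findings = @()

# 1. Scope: a link must reach the OU (directly or inherited) and be enabled.
$som  = Get-GPInheritance -Target $TargetOu
$link = $som.InheritedGpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $link) { $findings += "No link to '$GpoName' reaches $TargetOu" }
elseif (-not ($link.Enabled -contains $true)) { $findings += "Every link to '$GpoName' above $TargetOu is disabled" }
if ($som.GpoInheritanceBlocked) { $findings += "$TargetOu blocks inheritance; only enforced links from above get through" }
if ($gpo.GpoStatus -in 'ComputerSettingsDisabled','AllSettingsDisabled') {
    $findings += "Computer-side settings are disabled (GpoStatus = $($gpo.GpoStatus))"
}

# 2. Security filtering: someone must hold Apply, and since the July 2016 update
#    the computer account must at least be able to Read a user-side GPO.
$acl   = Get-GPPermission -Guid $gpo.Id -All
$apply = $acl | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
if (-not $apply) { $findings += 'Nobody holds Apply Group Policy (empty security filtering)' }
$readers = $acl | Where-Object { -not $_.Denied -and
    $_.Permission -in 'GpoRead','GpoApply','GpoEdit','GpoEditDeleteModifySecurity' }
if (-not ($readers.Trustee.Name | Where-Object { $_ -in 'Authenticated Users','Domain Computers' })) {
    $findings += "Neither Authenticated Users nor Domain Computers can read the GPO (GPMC reports this as Denied/Inaccessible); " +
                 "fix: Set-GPPermission -Guid $($gpo.Id) -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead"
}

# 3. WMI filter: it must evaluate to True on the processing object, so surface it.
if ($gpo.WmiFilter) { $findings += "WMI filter '$($gpo.WmiFilter.Name)' is linked; validate it on a lab computer" }

# 4. Delegation: an explicit Deny beats any Allow granted from the Scope tab.
$acl | Where-Object Denied | ForEach-Object {
    $findings += "Deny $($_.Permission) for $($_.Trustee.Name) on the Delegation tab"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "'$GpoName' passes the four checks for $TargetOu" }
```

Run it from a machine with the GPMC tools installed; it only reads the GPO and prints the Set-GPPermission command rather than changing anything.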
Head on over to page 2 to troubleshoot link issues, enforcement, and loopback!
Hi, when trying to gpupdate /force, I'm receiving the following error:
Computer Policies couldn’t be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows couldn’t authenticate to the Active Directory service on the Domain Controller. (LDAP Bind call function failed.) Look into the detailed tab for error code and description.
Thanks for covering important and useful points. This worked fine for me; I was missing blocking inheritance on the computer OU. Now I am able to manage computer policies on individual servers.
Joseph, so maybe you can help with this. Created a GPO to enable the screensaver, force the screensaver to be used, force the password, and set a timeout of 15 min. Applied it to an OU. Go to a PC and run GPRESULT /H to a file. See all policies applied, all is working EXCEPT the password. Instead of being prompted for their password to get back to the desktop, users just hit the spacebar and they are back in business. Windows 7/XP Pro PCs.
Can you email me a copy of your GPO? My contact email is in the top right of this page.
Ahhh, thanks a lot. Now my GPOs work perfectly. I had them inside an OU without any users in it; there might be a way to make it work like that, but I just wanted it to work "out of the box".
No problem! GPOs can never apply to an empty OU or an OU without computers/users.
Yes this occurs when I create a new OU as well. I create a test OU and it happened there too. soooooo….
I just want to advertise the following changes that were hillbilly rigged to get the group policy working in my messed up OU. When users would gpupdate, the group policy would look for the following sysvol location, but the sysvol location below did not exist.
\\domain.com\sysvol\domain.com\Policies\{5D27F523-2847-490E-8964-8E0AE7FA21B3}
The actual policy was in this folder
\\domain.com\sysvol\domain.com\Policies\{DD096B8C-494D-4CF9-B5EA-A5DD2295F9B5}
So for several weeks I tried to force the server to look at the policy starting in DD096. I scoured the internet in search of ways to do so with no help. What I did I'm not proud of, but it was the only fix I could find, and this fix is what others were doing with their same issues.
I manually created {5D27F523-2847-490E-8964-8E0AE7FA21B3} in the sysvol folder and magically all the group policies started working.
I hope this fix is temporary, because if I need to adjust this policy in the future it's not going to pull the right folder to edit.
That is odd that it fixed it – almost like the GPO existed on one DC and not the other. Have you seen any other replication issues like that?
I have not seen any other issues like that. I have created 3 domain controllers with new OUs with them prior to this one, spanning several months in between. This is the first one to do this.
Joseph,
I have an OU to which I have applied a security policy called "Testing Policy". This policy works on every other OU that I apply it to other than the one it's meant to be linked to. For some reason, when I run gpresult /v on one of the authenticated users that's under this OU, it reports back that it cannot find the referenced sysvol container {DD3424=***** etc}
What is happening?
Hi Blake – It sounds like permissions on the OU have been changed. Do you know if they have been? If not, you can restore them by going to Advanced Security settings for that OU (right click – properties – security – advanced). Select Restore Defaults.
Joe – thanks for that advanced settings idea. It led me to a ton of permission entries and I found 2 with the [type] denied for [name] everyone. My newly created OU is the only OU in my domain that had them, so I removed them. It still didn't fix my issue. I have been running gpupdate all day hoping that was the issue. I would select Restore defaults, but there are 61 permission entries before I press "restore defaults" and after I press it there are 10…. All of my OUs have 61 permission entries.
Any other places to check that you can think of?
Do you have this same issue if you link it under another newly created OU?
For the loopback/permissions thing, I have a question:
Case 1
(the computer has read/apply permissions to the GPO)
(the user does not have any permissions to access the GPO)
(loopback processing is turned on)
I think that the computer settings are applied
What happens to the user settings in this loopback situation?
Case 2:
(the computer has read, but not apply permissions to the GPO)
(the user has read/apply permissions to access the GPO)
(loopback processing is turned on)
Are the computer settings applied?
What happens to the user settings in this loopback situation?
TIA
It depends on the OS. I am going to assume we are dealing with Vista+ though.
Case 1: The user settings are ignored. The user must have read/apply group policy for loopback to work.
Case 2: For a setting to loopback, it has to be a user side setting that is linked to a computer. In your second case, there would be no computer side settings to worry about. User settings would be ignored though. The computer needs read and Apply Group Policy.
Does that help?
I have a situation where when I run gpresult, it shows policy settings as being applied, but they aren’t actually applied. One example is screensaver timeout and proxy settings. Any guidance on how to troubleshoot this?
What kind of clients are these? Are you setting these settings with administrative templates or preferences?
Hello.
Finally the business is answering the call (now a shriek) to migrate from XP to W7!
Hurrah I said and then got landed with the Project.
I am deploying test W7 via WDS but have noticed some GPOs are not applying (e.g. printer scripts / IE URL faves and many others which work fine with XP clients).
gpresult /r shows me only the default domain policy applies under user settings and not a bunch of others that do display on XP machines when logged in with the same a/c.
I can’t see any warning/errors in group policy event log.
I can't run gpresult on the DC as I get an RPC error (which references the WMI service not being started on the client, but it is, I have checked numerous times).
I only get this error when querying the 2 test W7 machines, it will run a report on existing XP machines.
When logged in as dom admin, gpresult /r shows the complete list of applied objects that I would expect to see, but the actual favourite URLs and printer mappings have not completed.
Any suggestions would be greatly appreciated – cheers!
Carl.
Something is very wrong with my W7 migration 🙁
Printer scripts and some drive mapping scripts can have some serious issues in Windows 7. My guess is you are having these issues. UAC is the problem. Instead of using scripts, use Group Policy Preferences!
https://deployhappiness.com/deploying-printers-with-group-policy-preferences/
Are your Windows 7 machines running IE10? If so, IE Maintenance is no longer supported. Read this:
https://deployhappiness.com/internet-explorer-maintenance-replacements/
Windows Server 2008 and Windows 7 pro computers
I am trying to add a shortcut on desktops in a specific lab. I have the computer container linked under the scope of the GPO. Under the Security Filtering, I added the group that contains all the computer objects, which is also in the computer container.
If I run the Group Policy Modeling Wizard on the server, it shows the policy and shortcut applying correctly. However, on the computer, when I run gpresult /z, the computer policy is not being applied?
Any suggestions??
Thanks
Hi Aaron,
I just sent you an email – when you can, email me a report of the GPO and a gpresult of the computer.
Sorry for the delay, just sent it to you.
Thanks
For any comment readers, Aaron was using GPP Shortcuts to create a URL shortcut. When he switched to a GPP file that copied a pre-existing shortcut, he solved his issue.
I have only one user (out of many) who is not receiving the Software Installation policy. When I run gpresult /z under Software Installations it says N/A. Any idea why???
Thank you!
Hi Christine,
Do you have any deny settings on your GPO? Is this user in a unique OU (one that might have blocked inheritance enabled)? Are you using loopback to deploy this app?
Good article Joseph. In my case I had to add step 11, in case you still can't find the reason why a GPO is failing: run Group Policy Results from your Group Policy Management Console. It's similar to running gpresult /Z, but it gives you a bit more info on the GPOs not applied. In my case: GPO Denied, Reason: Inaccessible. The GPO had security filtering in place for groups of users but started working after I added Authenticated Users with Read permissions on the Delegation tab.
Great tip Andre! If you have any others, be sure to share!
Hello Andre, is it policy that a GPO is OS sensitive? I mean, if I apply a GPO to Win7 machines, will it not apply to Win8? If no, please also explain why machines that were receiving the GPO suddenly stopped receiving it. How do I add Authenticated Users with Read permissions to the Delegation tab?