OU GPO Not Being Applied

  • OU GPO Not Being Applied

    Hey all -

    I'm new to the forums, so hopefully you can guide me in the right direction. I haven't been working with AD very long, but there certainly are advantages with AD that our organization is not benefiting from.

    Here's the setup. We have 2 servers replicating one another. One is Win2k3, the other is Windows 2000. We use Win2k3 as our terminal server, so I've been making the updates there.

    I have created a number of OUs with the following framework in mind:
    • Domain
      • Orlando
        • IT
          • IT Group
        • Accounting
        • Marketing
        • Education

    Within the domain, the default policy is applied appropriately to all security groups within all OUs. I created a new GPO, "Test GPO", in which I've only changed the title bar in Internet Explorer.

    When running gpupdate, then gpresult, the Test GPO policy is not listed in either the applied or not applied GPOs.

    I have placed the machine I'm testing from in a group called IT Group (as illustrated above). I can confirm that if this GPO is linked at the domain level it is applied correctly. However, when applied within an OU, it is not applied or denied according to gpresult. I also have confirmed that the GPO is enabled. The GPO has Authorized Users in the Security Filter and in the Delegation with "Read" permissions.

    Any suggestions would be greatly appreciated. I'm new to this process, so I assume it'll be something relatively routine that I haven't done yet.

    Thanks.

    Shaun

  • #2
    Re: OU GPO Not Being Applied

    Hi,

    You probably have the Default domain policy or another Group policy applied at the domain level with the Loopback processing of Group policy enabled.
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR

    Comment


    • #3
      Re: OU GPO Not Being Applied

      L4ndy -

      Thanks for the quick reply. I checked the Computer Settings->System->Group Policy->User Group Policy loopback processing mode and the setting was set to Not Configured. I changed it to Disabled to test. I ran gpupdate and also tried restarting the desktop twice. It still doesn't seem to be applying the group policy.

      Here is the response that I'm receiving from gpresult.

      COMPUTER SETTINGS
      ------------------
      CN=LASER-E40EDB7A7,CN=Computers,DC=xxx,DC=companyname,DC=com
      Last time Group Policy was applied: 6/2/2009 at 8:04:56 AM
      Group Policy was applied from: SERVER2.xxx.companyname.com
      Group Policy slow link threshold: 500 kbps

      Applied Group Policy Objects
      -----------------------------
      Default Domain Policy

      The following GPOs were not applied because they were filtered out
      -------------------------------------------------------------------
      Local Group Policy
      Filtering: Not Applied (Empty)

      The computer is a part of the following security groups:
      --------------------------------------------------------
      BUILTIN\Administrators
      Everyone

      BUILTIN\Users
      NT AUTHORITY\NETWORK
      NT AUTHORITY\Authenticated Users
      LASER-E40EDB7A7$
      Domain Computers
      Shipping Group
      IT Group
      Orlando


      USER SETTINGS
      --------------
      CN=Shaun Oleson,CN=Users,DC=xxx,DC=companyname,DC=com
      Last time Group Policy was applied: 6/2/2009 at 8:04:56 AM
      Group Policy was applied from: SERVER2.xxx.companyname.com
      Group Policy slow link threshold: 500 kbps

      Applied Group Policy Objects
      -----------------------------
      Default Domain Policy

      The following GPOs were not applied because they were filtered out
      -------------------------------------------------------------------
      Local Group Policy
      Filtering: Not Applied (Empty)

      The user is a part of the following security groups:
      ----------------------------------------------------
      Domain Admins
      Everyone
      Debugger Users
      BUILTIN\Administrators
      BUILTIN\Users
      NT AUTHORITY\INTERACTIVE
      NT AUTHORITY\Authenticated Users
      LOCAL
      remoteUsers
      Domain Users
      IT Group
      Orlando
      Enterprise Admins

      Any other ideas you have would be helpful. Thanks again.

      Shaun

      Comment


      • #4
        Re: OU GPO Not Being Applied

        When applying the GPO to an OU, you need to make sure that the Computer object or User object is in that OU, depending on whether it is applying User or Computer settings. The Security Group used to assign the GPO does not need to be in the OU but is good practice, if objects in that OU all belong to that security group.

        As the GPO works at domain level, it suggests to me that the issue is with the user or computer object not being in the OU. AFAIK, the setting you are using is for a User object.
        Last edited by Virtual; 3rd June 2009, 14:14.

        Comment


        • #5
          Re: OU GPO Not Being Applied

          That's a good point. With my experience, it's very possible that I could have overlooked an OU/Security Group Assignment. I've attached the structure, of course removing references to our servers.

          I believe I have it set up correctly, although I would still be grateful for the feedback.
          Attached Files

          Comment


          • #6
            Re: OU GPO Not Being Applied

            I'm wondering if I'm out of options here. It's tough since I don't have the experience troubleshooting AD/OU/GPO faults before. I'm certain there was an error at some point on my part as I'm the only one with these issues. I've tried troubleshooting via RSoP, gpresult and the Event Viewer, all without success. I'm accustomed to Linux with the verbose logs to identify issues. Is there something similar for Active Directory?

            Thanks again.

            Comment


            • #7
              Re: OU GPO Not Being Applied

              The GPO works at Domain level. Are the user accounts in one of the child OUs of the Orlando OU?

              Comment


              • #8
                Re: OU GPO Not Being Applied

                You can use a gpresult /v at a Client machine. You will need to be logged in as the User that the GPO is supposed to be applying to or create a test user.

                Comment


                • #9
                  Re: OU GPO Not Being Applied

                  Originally posted by Virtual
                  The GPO works at Domain level. Are the user accounts in one of the child OUs of the Orlando OU?
                  The computers are in a security group that belongs to a child OU of the Orlando OU.

                  Comment


                  • #10
                    Re: OU GPO Not Being Applied

                    Originally posted by Virtual
                    You can use a gpresult /v at a Client machine. You will need to be logged in as the User that the GPO is supposed to be applying to or create a test user.
                    I have the test machine in my office to remedy the issue, so that's not a problem. I ran gpresult /v and it does output all of the policies that are applied, but doesn't show anything on why the Test GPO is not applied. It's not denied, it's not applied... however, when I look at the IT OU I've created (that the computer in question is assigned to... via a security group), the group policy inheritance tab shows Test Object (listed with a precedence of 1), then Default Domain Policy (listed with a precedence of 2).

                    This would indicate to me that the GPO should be correctly assigned to the OU. That leads me to believe it has something to do with the computer not falling under that OU. I have confirmed numerous times on my end that the computer belongs to the "IT Group" Security Group and that the "IT Group" is within the IT OU (Screenshot provided in previous post).

                    Comment


                    • #11
                      Re: OU GPO Not Being Applied

                      Group Policy doesn't apply to objects like groups. It applies to computers or users. You use groups as a way of filtering GP, but not for setting GP. The computer account has to be "in the path" of the GPO. If the computer account is not in the IT OU then those GPO settings are never going to be applied to the computer, regardless of the group membership of the computer.

                      Comment
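The scoping rule from the post above, worked through in Python as an added example that is not part of the original thread: a GPO is a candidate only if it is linked to the domain or an OU in the object's own distinguished name, and security filtering is checked afterwards. The IT OU's distinguished name, the link table, the filter entries and the "Marketing Group" name are assumptions built from the OU tree and gpresult output earlier in the thread; site links, enforced links and blocked inheritance are not modelled.

```python
import re

def split_dn(dn):
    """Split a distinguished name on commas that are not backslash-escaped."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def link_path(dn):
    """DNs of the domain and OUs above the object, domain first.

    CN= containers (CN=Computers, CN=Users) cannot carry GPO links, so they
    contribute nothing. Site links are not modelled.
    """
    parents = split_dn(dn)[1:]                 # drop the object's own RDN
    path = []
    for i in range(len(parents) - 1, -1, -1):  # walk from the root down
        kind = parents[i][:3].upper()
        left_is_dc = i > 0 and parents[i - 1][:3].upper() == "DC="
        if kind == "OU=" or (kind == "DC=" and not left_is_dc):
            path.append(",".join(parents[i:]).lower())
    return path

def evaluate(dn, groups, links, filters):
    """Return (applied, filtered_out) GPO names in processing order."""
    member_of = {g.lower() for g in groups}
    applied, filtered_out = [], []
    for container in link_path(dn):
        for gpo in links.get(container, []):
            allowed = {g.lower() for g in filters.get(gpo, [])}
            (applied if allowed & member_of else filtered_out).append(gpo)
    return applied, filtered_out

# Constructed sample data; the OU DN, links and filters are assumptions.
DOMAIN = "DC=xxx,DC=companyname,DC=com"
IT_OU = "OU=IT,OU=Orlando," + DOMAIN
LINKS = {DOMAIN.lower(): ["Default Domain Policy"], IT_OU.lower(): ["Test GPO"]}
AUTH = "NT AUTHORITY\\Authenticated Users"
FILTERS = {"Default Domain Policy": [AUTH], "Test GPO": [AUTH]}
GROUPS = [AUTH, "Domain Computers", "IT Group", "Orlando"]
IN_CONTAINER = "CN=LASER-E40EDB7A7,CN=Computers," + DOMAIN   # DN from gpresult
IN_OU = "CN=LASER-E40EDB7A7," + IT_OU                         # after a move

if __name__ == "__main__":
    print(evaluate(IN_CONTAINER, GROUPS, LINKS, FILTERS))
    print(evaluate(IN_OU, GROUPS, LINKS, FILTERS))
    # "Marketing Group" is a hypothetical group the computer is not in.
    print(evaluate(IN_OU, GROUPS, LINKS, {**FILTERS, "Test GPO": ["Marketing Group"]}))
```

The first call reproduces the symptom in the thread: a GPO linked to an OU that the object is not under shows up in neither the applied nor the filtered-out list, whatever groups the object belongs to.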


                      • #12
                        Re: OU GPO Not Being Applied

                        Originally posted by joeqwerty
                        Group Policy doesn't apply to objects like groups. It applies to computers or users. You use groups as a way of filtering GP, but not for setting GP. The computer account has to be "in the path" of the GPO. If the computer account is not in the IT OU then those GPO settings are never going to be applied to the computer, regardless of the group membership of the computer.
                        Perfect. That's exactly what I didn't understand (not sure if that makes sense, haha). So with that in mind, if a user or computer needs the additional GPO, it should be linked to their primary OU with Security filtering limiting a specific security group(s)?

                        Here's an example. I'm setting DNS servers by OU. Marketing employees would need one DNS server (DNS1) while I may have Executive Directors resolve off another (DNS2). There are times when a Marketing Manager would need to resolve off the "DNS2" server. Since they already fall under the Marketing OU and other policies apply to that OU, how do you provision special permissions without removing them from the OU? (Do you need to create a child OU within the Marketing OU?)

                        I was placing users in a security group so multiple GPOs could apply by placing the users in varying OUs.

                        I apologize ahead of time if this is confusing. But your previous statement is quite a revelation. Thanks again for the help.
                        Last edited by shaunole; 3rd June 2009, 15:57.

                        Comment


                        • #13
                          Re: OU GPO Not Being Applied

                          Originally posted by Virtual
                          When applying the GPO to an OU, you need to make sure that the Computer object or User object is in that OU, depending on whether it is applying User or Computer settings. The Security Group used to assign the GPO does not need to be in the OU but is good practice, if objects in that OU all belong to that security group.

                          As the GPO works at domain level, it suggests to me that the issue is with the user or computer object not being in the OU. AFAIK, the setting you are using is for a User object.
                          This will also help as quoted by me earlier.

                          Comment


                          • #14
                            Re: OU GPO Not Being Applied

                            I am a little confused, but...

                            In what cases would they need to use a different DNS server? When they log on to another computer?

                            If that's the case you could use Group Policy Loopback Processing which tells the GP client side extensions to process the GPO settings under user configuration from the GPO linked to the computer object OU instead of the GPO linked to the user object OU. You can configure loopback processing to replace the user settings or to merge the user settings. Replace mode replaces all the user settings from the user OU GPO with the ones in the computer OU GPO. Merge mode merges the two "sets" of GPO settings.

                            Comment
