Need help troubleshooting GPO.
-
Hello everyone. I am a veterinarian posing as an IT professional and I have come up against a wall that I cannot seem to overcome. I am running Windows Server 2019 and have a VM running my DC. I have my Active Directory set up and 2 GPOs. Both are at the level of the domain, called CAH.local. If I create other GPOs and link them here, they work, but they get applied to all my computers. I created a TEST OU so that I could put one computer in it, WS27, and then apply GPO rules and link them here. I tried a simple one of creating a folder on the desktop, and when it was linked at the domain level it worked (and created it on all of my computers), but when I try to link it lower or to another OU containing just one computer, I expected that it would work and only be applied to that one computer, but it was not applied. Not sure what I am doing wrong, as I can get it to work when I link it at the domain level, but just not at OUs under the domain. Thanks for any help you can provide.
-
Does it give an error when you link the GPO to that test OU? Or does the computer just not apply it? Have you tried running gpupdate manually? Also try gpresult and RSOP to see what is applying.
-
The GPO at the root of your domain will be applied to all your users and computers. However, if you create one GPO and then link it only to the OU, then only the members of that OU will get it to apply.
Also, is this GPO a User or Computer policy?
-
Running gpresult on one of the computers that should be affected by your GPO may help show if the GPO is even being applied.
-
@dbeato said in Need help troubleshooting GPO.:
The GPO at the root of your domain will be applied to all your users and computers. However, if you create one GPO and then link it only to the OU, then only the members of that OU will get it to apply.
Also, is this GPO a User or Computer policy?
My money is with dbeato on it being created under a user policy.
Also note, to create desktop shortcuts for everyone on a computer you probably want to create them in the Public desktop.
-
@flaxking said in Need help troubleshooting GPO.:
@dbeato said in Need help troubleshooting GPO.:
The GPO at the root of your domain will be applied to all your users and computers. However, if you create one GPO and then link it only to the OU, then only the members of that OU will get it to apply.
Also, is this GPO a User or Computer policy?
My money is with dbeato on it being created under a user policy.
Ditto - when you are inside your GPO, are you in the User section, or the Computer section? For your case, you want it in the Computer section.
-
Thanks everyone for the ideas. So here are some answers to your questions:
1) I have run gpupdate /force many times to get this to work on WS27 and other machines while testing to see if the GPO is applied.
2) gpresult /r run from an elevated prompt shows the GPOs that are applied to the computer and the user. The test GPO is only applied if it is linked at the domain level, not if it is linked at the test OU level.
3) Note that it is applied if at the domain level and not applied if at the test OU level (or any other level or OU).
4) This is a user GPO.
5) The fact that it works and is applied to all computers at the domain level (even to the WS27 computer that is within the test OU and part of the domain) tells me that the GPO is correctly configured. When it is linked to the test OU it is not applied to WS27, which is part of the Test OU.
Thoughts?
-
@srdennis said in Need help troubleshooting GPO.:
Thanks everyone for the ideas. So here are some answers to your questions:
1) I have run gpupdate /force many times to get this to work on WS27 and other machines while testing to see if the GPO is applied.
2) gpresult /r run from an elevated prompt shows the GPOs that are applied to the computer and the user. The test GPO is only applied if it is linked at the domain level, not if it is linked at the test OU level.
3) Note that it is applied if at the domain level and not applied if at the test OU level (or any other level or OU).
4) This is a user GPO.
5) The fact that it works and is applied to all computers at the domain level (even to the WS27 computer that is within the test OU and part of the domain) tells me that the GPO is correctly configured. When it is linked to the test OU it is not applied to WS27, which is part of the Test OU.
Thoughts?
You answered your own question in there.
You said it's a user GPO, but you have it linked to an OU with the computer in it... so the user GPO is not going to apply to the computer in there, as it's a user GPO. This is why it works when it is applied at the domain level, because it's then able to properly target the user.
-
Thanks Obsolesce! So if I create a computer GPO and apply it to an OU with a machine in it, it should work?
-
@srdennis said in Need help troubleshooting GPO.:
Thanks Obsolesce! So if I create a computer GPO and apply it to an OU with a machine in it, it should work?
Or put the GPO in the domain level and use item-level targeting to only target that computer. There's a lot of ways to go about it. But perhaps you can most simply recreate the GPO as a computer policy as you said.
-
OMG!!!!! It worked!!! Thank you so much Obsolesce. I cannot believe that I didn't understand that aspect of how this all works. So if I were to put a user into this test OU and apply the test GPO that has a user GPO in it, then it will get applied?
-
@srdennis said in Need help troubleshooting GPO.:
OMG!!!!! It worked!!! Thank you so much Obsolesce. I cannot believe that I didn't understand that aspect of how this all works. So if I were to put a user into this test OU and apply the test GPO that has a user GPO in it, then it will get applied?
Yes, it will work since it is a GPO applied to users.
-
@srdennis said in Need help troubleshooting GPO.:
OMG!!!!! It worked!!! Thank you so much Obsolesce. I cannot believe that I didn't understand that aspect of how this all works. So if I were to put a user into this test OU and apply the test GPO that has a user GPO in it, then it will get applied?
You can also set up loopback GPO processing, if you want that GPO to only apply to a user when logged into a computer in that OU.
-
@srdennis said in Need help troubleshooting GPO.:
OMG!!!!! It worked!!! Thank you so much Obsolesce. I cannot believe that I didn't understand that aspect of how this all works. So if I were to put a user into this test OU and apply the test GPO that has a user GPO in it, then it will get applied?
AD/GP best practice is to separate out the OU paths: one for Computer objects and another for User objects.
Group Policy operates similarly to Cascading Style Sheets, which tailor the way a web site looks, with the GPO closest to the object winning, with few exceptions.
Never edit the Default Domain Policy or Default Domain Controllers Policy. Always create a new GPO and link it to the required OU.
GPOs for Computer objects should have the User section disabled, and likewise GPOs for User objects should have the Computer section disabled.
GPResult /H C:\Temp\GPResults.html
That's how to find out the what/where/when for GPOs applying. Computer GPOs will only show up if the command is run via an elevated shell (CMD). The Temp directory needs to exist.
-
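A way to check from one place the three things this thread turned on (which half of the GPO is enabled, where the GPO is actually linked along the computer's OU chain, and whether loopback processing is configured), as an added PowerShell example rather than code from anyone in the thread. It assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined admin machine; WS27 is the thread's computer name and 'Test GPO' is a placeholder display name.

```powershell
# Added example, not code from this thread. Assumes the RSAT GroupPolicy and
# ActiveDirectory modules; the GPO display name 'Test GPO' is a placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoScopeReport {
    param(
        [Parameter(Mandatory)][string]$ComputerName,  # e.g. WS27
        [Parameter(Mandatory)][string]$GpoName        # display name of the GPO
    )
    $gpo = Get-GPO -Name $GpoName

    # Which half of the GPO is live. A GPO whose only settings are under User
    # Configuration does nothing for a computer object, wherever it is linked.
    [pscustomobject]@{ Item = 'GpoStatus'; Value = $gpo.GpoStatus }

    # Loopback processing is stored as UserPolicyMode (1 = Merge, 2 = Replace).
    try {
        $lb = Get-GPRegistryValue -Guid $gpo.Id -ValueName 'UserPolicyMode' `
              -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ErrorAction Stop
        $mode = switch ($lb.Value) { 1 { 'Merge' } 2 { 'Replace' } default { $lb.Value } }
    } catch { $mode = 'Not configured' }
    [pscustomobject]@{ Item = 'Loopback'; Value = $mode }

    # Walk from the computer's own container up to the domain root and report
    # every link of this GPO on the way, so you can see which level it applies at.
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $container = $dn.Substring($dn.IndexOf(',') + 1)
    while ($container) {
        if ($container -match '^(OU|DC)=') {
            $links = (Get-GPInheritance -Target $container).GpoLinks |
                     Where-Object { $_.DisplayName -eq $GpoName }
            foreach ($l in $links) {
                [pscustomobject]@{ Item  = "Link at $container"
                                   Value = "Enabled=$($l.Enabled) Enforced=$($l.Enforced)" }
            }
        }
        if ($container -match '^DC=') { break }   # reached the domain root
        $container = $container.Substring($container.IndexOf(',') + 1)
    }
}

Get-GpoScopeReport -ComputerName 'WS27' -GpoName 'Test GPO' | Format-Table -AutoSize
```

A GpoStatus of AllSettingsEnabled together with links only on the computer's OU, and settings only under User Configuration, reproduces exactly the symptom in the first post; either link the GPO where the user object lives or enable loopback as suggested above.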
-
Thanks. That looks to be a good reference and read