Need help trouble shooting GPO.
-
Thanks everyone for the ideas. So here are some answers to your questions:
1) I have run gpupdate /force many times to get this to work on WS27 and other machines while testing to see if the GPO is applied
2) gpresult /r run from an elevated prompt shows the GPOs that are applied to the computer and the user. The test GPO is only applied if it is linked at the domain level, not if it is linked at the test OU level.
3) Note that it is applied if at the domain level and not applied if at the test OU level (or any other level or OU)
4) This is a user GPO
5) The fact that it works and is applied to all computers at the domain level (even to the WS27 computer that is within the test OU and part of the domain) tells me that the GPO is correctly configured. When it is linked to the test OU it is not applied to WS27 that is part of the Test OU.
Thoughts?
-
@srdennis said in Need help trouble shooting GPO.:
Thanks everyone for the ideas. So here are some answers to your questions:
1) I have run gpupdate /force many times to get this to work on WS27 and other machines while testing to see if the GPO is applied
2) gpresult /r run from an elevated prompt shows the GPOs that are applied to the computer and the user. The test GPO is only applied if it is linked at the domain level, not if it is linked at the test OU level.
3) Note that it is applied if at the domain level and not applied if at the test OU level (or any other level or OU)
4) This is a user GPO
5) The fact that it works and is applied to all computers at the domain level (even to the WS27 computer that is within the test OU and part of the domain) tells me that the GPO is correctly configured. When it is linked to the test OU it is not applied to WS27 that is part of the Test OU.
Thoughts?
You answered your own question in there.
You said it's a user GPO, but you have it linked to an OU with the computer in it.... so the user GPO is not going to apply to the computer in there, as it's a user GPO.
This is why it works when it is applied at the domain level, because it's then able to properly target the user.
-
Thanks Obsolesce! So if I create a computer GPO and apply it to an OU with a machine in it, it should work?
-
@srdennis said in Need help trouble shooting GPO.:
Thanks Obsolesce! So if I create a computer GPO and apply it to an OU with a machine in it, it should work?
Or put the GPO in the domain level and use item-level targeting to only target that computer. There's a lot of ways to go about it. But perhaps you can most simply recreate the GPO as a computer policy as you said.
-
OMG!!!!! It worked!!! Thank you so much Obsolesce. I cannot believe that I didn't understand that aspect of how this all works. So if I were to put a user into this test OU and apply the test GPO that has a user GPO in it then it will get applied?
-
@srdennis said in Need help trouble shooting GPO.:
OMG!!!!! It worked!!! Thank you so much Obsolesce. I cannot believe that I didn't understand that aspect of how this all works. So if I were to put a user into this test OU and apply the test GPO that has a user GPO in it then it will get applied?
Yes, it will work since it is a GPO applied to users.
-
@srdennis said in Need help trouble shooting GPO.:
OMG!!!!! It worked!!! Thank you so much Obsolesce. I cannot believe that I didn't understand that aspect of how this all works. So if I were to put a user into this test OU and apply the test GPO that has a user GPO in it then it will get applied?
You can also set up loopback GPO processing, if you want that GPO to only apply to a User when logged into a computer in that OU.
-
@srdennis said in Need help trouble shooting GPO.:
OMG!!!!! It worked!!! Thank you so much Obsolesce. I cannot believe that I didn't understand that aspect of how this all works. So if I were to put a user into this test OU and apply the test GPO that has a user GPO in it then it will get applied?
AD/GP best practice is to separate out the OU paths. One for Computer objects and another for User objects.
Group Policy operates similarly to Cascading Style Sheets, which tailor the way a web site can look, with the GPO closest to the object winning, with few exceptions.
Never edit the Default Domain Policy or Default Domain Controllers Policy. Always create a new GPO and link it to the required OU.
GPOs for Computer objects should have the User section disabled, and the same for User objects having the Computer section disabled.
GPResult /H C:\Temp\GPResults.html
That's how to find out the what/where/when for GPOs applying. Computer GPOs will only show up if the command is run via an elevated shell (CMD). The Temp directory needs to exist.
-
-
Thanks. That looks to be a good reference and read
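
Added example, not part of the thread or any poster's code: a PowerShell check of the scoping rule worked out above, that a GPO's user settings follow the user object's OU path and its computer settings follow the computer object's. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the function name and the GPO, user and computer names are placeholders, and security filtering, WMI filters, blocked inheritance and site links are not evaluated.

```powershell
# Added example. Requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

function Test-GpoLinkScope {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$GpoName,       # display name of the GPO
        [Parameter(Mandatory)][string]$UserName,      # sAMAccountName of the user
        [Parameter(Mandatory)][string]$ComputerName   # e.g. WS27
    )

    $gpo    = Get-GPO -Name $GpoName -ErrorAction Stop
    $userDn = (Get-ADUser -Identity $UserName -ErrorAction Stop).DistinguishedName
    $compDn = (Get-ADComputer -Identity $ComputerName -ErrorAction Stop).DistinguishedName

    # GpoStatus says whether a whole side (User / Computer) of the GPO is switched off.
    $status = $gpo.GpoStatus.ToString()
    $userOn = $status -notin 'UserSettingsDisabled', 'AllSettingsDisabled'
    $compOn = $status -notin 'ComputerSettingsDisabled', 'AllSettingsDisabled'

    # Every domain/OU object whose gPLink attribute references this GPO's GUID.
    $guid = $gpo.Id.ToString('B')
    $containers = Get-ADObject -LDAPFilter "(gPLink=*$guid*)" -Properties gPLink

    foreach ($c in $containers) {
        # gPLink entries look like [LDAP://cn={GUID},cn=policies,...;N]; bit 1 of N = link disabled.
        $disabled = $false
        if ($c.gPLink -match "(?i)\[LDAP://cn=$([regex]::Escape($guid))[^;\]]*;(\d+)\]") {
            $disabled = [bool]([int]$Matches[1] -band 1)
        }
        # An object is in scope of a link when its DN sits underneath the linked container.
        $suffix = ',' + $c.DistinguishedName
        $userIn = $userDn.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)
        $compIn = $compDn.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)

        [pscustomobject]@{
            LinkedTo                = $c.DistinguishedName
            LinkDisabled            = $disabled
            UserInScope             = $userIn
            ComputerInScope         = $compIn
            UserSettingsInScope     = $userOn -and $userIn -and -not $disabled
            ComputerSettingsInScope = $compOn -and $compIn -and -not $disabled
            # User settings linked only above the computer need loopback processing to take effect.
            NeedsLoopbackForUser    = $userOn -and $compIn -and -not $userIn -and -not $disabled
        }
    }
}

# Placeholder names; substitute your own GPO, user and computer.
Test-GpoLinkScope -GpoName 'Test GPO' -UserName 'jdoe' -ComputerName 'WS27' | Format-Table -AutoSize
```

For the situation in this thread (user GPO linked to an OU that holds only WS27), the row for that OU shows ComputerInScope true, UserInScope false and NeedsLoopbackForUser true; confirm the real outcome with gpresult.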