Common problems causing Group Policy to not Apply

Source: Internet
Author: User


Group Policy is a solid tool and is very stable. Microsoft has made constant improvements to it since Windows 2000. It allows for the configuration and deployment of pretty much anything in your Active Directory environment. From deploying software to setting the default printer, it works. But when it doesn't, Microsoft has provided great guidelines and tools for troubleshooting. If Group Policy is not being applied, we can fix it. Let's look at the top ten issues that can stop Group Policy from being applied.

Start with the Scope

1.

The most common issue seen with Group Policy is a setting not being applied. The first place to check is the Scope tab on the Group Policy Object (GPO). If you are configuring a computer-side setting, make sure the GPO is linked to the Organizational Unit (OU) that contains the computer. If the GPO configures a user-side setting, it needs to be linked to the OU containing the correct user. Remember, GPOs cannot be linked to an OU that just contains security groups. You can use this PowerShell script to optimize your GPO links and ensure that they are properly linked.

2.

Next, check the security filtering. Make sure the computers or users needing the policy are in a group that's specified here. Remember that Domain Users includes all users, Domain Computers includes all computers, and Authenticated Users includes both users and computers. By default, a GPO is scoped to Authenticated Users.

3.

Some GPOs make use of WMI filters. These filters can dynamically apply GPOs based on a host of factors. If you want a GPO to apply only when a device is attached, use WMI. However, the WMI filter has to evaluate to True for the object processing the GPO. This means that if you have a WMI filter checking a user-only setting, you can't scope your GPO only to computers. You can use the WMI validator to check the status of a WMI filter.

The screenshot above recaps the first three common issues. This GPO is linked to an OU named Domain Sites, applies to Authenticated Users, and doesn't have a WMI filter linked to it. This GPO, which contains several computer-side settings, would apply to any computer in the Domain Sites OU.

Dive into delegation

4.

In order for a GPO to apply, the object (a user or a computer) has to have permissions on the GPO. It must have Read and Apply Group Policy. By default, an object added to the Scope tab receives both of these permissions. Things can get tricky if you are using Deny permissions to explicitly exclude certain objects. A Deny permission on the Delegation tab takes precedence over any Allow.

This GPO does not have any Deny permissions set (which show as advanced settings). If we wanted to exclude a specific group, we could do it here.
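The checks in items 1 to 4 can be gathered in one pass with the GroupPolicy PowerShell module (installed with GPMC/RSAT). This is an added example, not part of the original article; the function name `Get-GpoScopeSummary` and the GPO name `Configuration` passed to it are placeholders.

```powershell
# Added example: needs the GroupPolicy module and read access to the domain.
Import-Module GroupPolicy

function Get-GpoScopeSummary {
    param(
        [Parameter(Mandatory)]
        [string]$GpoName   # display name of the GPO to inspect
    )

    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop

    # Item 1: where the GPO is linked, read from the XML report (LinksTo elements).
    $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
    $links  = @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object {
        [pscustomobject]@{
            Target   = $_.SOMPath      # OU or domain that holds the link
            Enabled  = $_.Enabled      # "false" means the link is disabled
            Enforced = $_.NoOverride   # "true" means the link is enforced
        }
    })

    # Items 2 and 4: trustees on the security filter (Apply) and entries flagged as Deny.
    $perms = Get-GPPermission -Guid $gpo.Id -All
    $apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    $deny  = $perms | Where-Object { $_.Denied }

    [pscustomobject]@{
        Gpo            = $gpo.DisplayName
        Links          = $links
        SecurityFilter = @($apply | ForEach-Object { $_.Trustee.Name })
        DenyEntries    = @($deny  | ForEach-Object { "$($_.Trustee.Name): $($_.Permission)" })
        # Item 3: name of the linked WMI filter, or $null when none is linked.
        WmiFilter      = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { $null }
    }
}

# 'Configuration' is a placeholder; substitute the GPO that is not applying.
$summary = Get-GpoScopeSummary -GpoName 'Configuration'
$summary | Format-List Gpo, SecurityFilter, DenyEntries, WmiFilter
$summary.Links | Format-Table -AutoSize
```

An empty Links table, an empty SecurityFilter, or an unexpected group under DenyEntries each points at one of the first four issues.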

Learn Your Links

5.

GPOs process in a very specific order. The acronym LSDOU shows that Local GPOs apply first. These are followed by Site, Domain, and finally OU GPOs. In a nutshell, the GPO closest to the object applies last. If you have a GPO linked at the domain that enables Offline Files and a junior admin disables Offline Files at the OU level, his GPO wins.

6.

When a GPO is created, it lives in the Group Policy Objects container. When you link a GPO to an OU, you are merely creating a shortcut. These links can be enabled or disabled very easily. In the picture below, the link for the Configuration GPO is disabled. Notice how the link arrow is greyed out instead of black (like the Default Domain Policy).

A GPO can be linked to many OUs. These links can be disabled for some OUs and enabled for others. Do not assume a linked GPO is an enabled GPO.

7.

GPOs can also be set to Enforced. An Enforced GPO appears with a lock on the link icon. A GPO upstream (one linked to a higher OU or the domain) that's enforced can cause you problems. If the Default Domain Policy is enforced, every setting in it would apply to every object in the domain. This is because it is linked at the domain level (remember LSDOU?). It does not matter if another GPO is linked to an OU and is enforced. With enforcement, the highest GPO wins.

8.

The final piece of trickery with links is the Block Inheritance setting. When an OU is set to Block Inheritance, all GPOs linked above the OU are ignored. In the example below, the Domain Sites OU would not process the Default Domain Policy.



The only exception to this is enforced GPOs. They bust through that Block Inheritance!
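To see how items 5 to 8 combine for one container, `Get-GPInheritance` reports the Block Inheritance flag, the links made directly on the OU, and the list of links that remain after inheritance is worked out. This is an added example, not part of the original article; the function name `Get-OuLinkSummary` and the domain components `DC=example,DC=com` are placeholders.

```powershell
# Added example: needs the GroupPolicy module and read access to the domain.
Import-Module GroupPolicy

function Get-OuLinkSummary {
    param(
        [Parameter(Mandatory)]
        [string]$TargetDn   # distinguished name of the OU (or domain) to inspect
    )

    $inh = Get-GPInheritance -Target $TargetDn -ErrorAction Stop

    # Item 8: is Block Inheritance set on this container?
    "Block Inheritance on {0}: {1}" -f $inh.Path, $inh.GpoInheritanceBlocked

    # Items 6 and 7: links created directly on this container.
    # Enabled = False is a greyed-out link; Enforced = True is a link with the lock icon.
    "Links made directly on this container:"
    $inh.GpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced |
        Format-Table -AutoSize | Out-String

    # Items 5, 7 and 8 together: the links that reach this container once
    # inheritance, enforcement and blocking are taken into account.
    # Target shows where each link was made; Order 1 has the highest precedence.
    "Links that apply after inheritance:"
    $inh.InheritedGpoLinks |
        Select-Object Order, DisplayName, Enforced, Target |
        Format-Table -AutoSize | Out-String
}

# 'Domain Sites' is the OU used in the article; the domain part is a placeholder.
Get-OuLinkSummary -TargetDn 'OU=Domain Sites,DC=example,DC=com'
```

A GPO that appears in the second list with a Target above the OU while Block Inheritance is True is an enforced link. The cmdlet covers domain and OU links only, so local policy is not shown.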

Loopback

9.

When a computer first starts up, it processes all computer-side policies that are linked to the computer's OU (and above). When a user logs on, any user-side settings linked to the user's OU (and above) are processed. When loopback is enabled, this process has one additional step. After the user-side items process, any user-side settings linked to the computer's OU (and above) are also applied.

Although this does slow down Group Policy processing, I still love it and find it insanely helpful! With loopback, I can take a user-side setting (like setting the homepage in IE) and apply it to a group of computers (such as those in a lab)! Loopback now requires both the user and computer objects to be added to the Scope tab on the GPO. Before Windows Vista, the computer did not need Read permission for the GPO.

If you still have questions about loopback (or want to learn how to use it), see these two guides:

    • Loopback policy: how a computer gets a transgender operation

    • Questions about Loopback Policy processing

Read carefully

10.

Finally, make sure the GPO is doing what it is intended to do. When a setting says "Enable Turn Off Audio Mode", it's very easy to get confused. Read carefully over any GPO descriptions when configuring your GPO. You can use Microsoft's GPSearch utility for explanations of GP settings.

http://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx
