10 Common Problems Causing Group Policy To Not Apply
Group Policy is a solid tool and is very stable. Microsoft has made constant improvements to it since Windows 2000. It allows for the configuration and deployment of pretty much anything in your Active Directory environment. From deploying software to setting the default printer, it works. But when it doesn’t, Microsoft has provided great guidelines and tools for troubleshooting. If Group Policy is not being applied, we can fix it. Let’s look at the top ten issues that can stop Group Policy from being applied.
Start with the Scope
1. The most common issue seen with Group Policy is a setting not being applied. The first place to check is the Scope tab on the Group Policy Object (GPO). If you are configuring a computer side setting, make sure the GPO is linked to the Organizational Unit (OU) that contains the computer. If the GPO configures a user side setting, it needs to be linked to the OU containing the correct user. Remember, GPOs cannot be linked to an OU that just contains security groups. You can use this PowerShell script to optimize your GPO links and ensure that they are properly linked.
2. Next, check the security filtering. Make sure that the computers or users needing the policy are in a group that is specified here. Remember that Domain Users includes all users, Domain Computers includes all computers, and Authenticated Users includes both users and computers. By default, a GPO will be scoped to Authenticated Users.
3. Some GPOs make use of WMI filters. These filters can dynamically apply GPOs based on a host of factors. If you want a GPO to apply only when a device is attached, use WMI. However, that WMI filter has to evaluate to True for the object processing the GPO. This means that if you have a WMI filter checking a user-only setting, you can’t scope your GPO only to computers. You can use the WMI validator to check the status of a WMI filter.
The screenshot above recaps the first three common issues. This GPO is linked to an OU named Domain Sites, applies to Authenticated Users, and doesn’t have a WMI Filter linked to it. This GPO, which contains several computer side settings, will apply to any computer in the Domain Sites OU.
Dive into Delegation
4. In order for a GPO to apply, the object (a user or a computer) has to have two GPO permissions: Read and Apply Group Policy. By default, an object added to the Scope tab receives both of these permissions. Things can get tricky if you are using Deny permissions to explicitly exclude certain objects. A Deny permission on the Delegation tab takes precedence over any Allow.

This GPO does not have any Deny permissions set (which show as Advanced settings). If we wanted to exclude a specific group, we could do that here.
Learn Your Links
5. GPOs process in a very specific order. The acronym LSDOU shows that Local GPOs apply first. This is followed by Site, Domain, and finally OU GPOs. In a nutshell, the GPO closest to the object applies last. If you have a GPO linked at the domain that enables Offline Files and a Junior Admin disables Offline Files at the OU level, the Junior Admin's GPO wins.
6. When a GPO is created, it lives in the Group Policy Objects container. When you link a GPO to an OU, you are merely creating a shortcut. These links can be enabled or disabled very easily. In the picture below, the Configuration GPO link is disabled. Notice how the link arrow is greyed instead of black (like the Default Domain Policy).
A GPO can be linked to many OUs. These links can be disabled for some OUs and enabled for others. Do not assume that a linked GPO is an enabled GPO.
7. GPOs can also be set to Enforced. An Enforced GPO appears with a lock on the link icon. A GPO upstream (one linked to a higher OU or the domain) that is enforced can cause you problems. If the Default Domain Policy were enforced, every setting in it would apply to every object in the domain. This is because it is linked at the Domain level (remember LSDOU?). It does not matter if another GPO is linked to an OU and is enforced. With enforcement, the highest GPO wins.
8. The final piece of trickery with Links is the Block Inheritance setting. When an OU is set to Block Inheritance, all GPOs linked above that OU are ignored. In the example below, the Domain Sites OU will not process the Default Domain Policy.

The only exceptions to this are enforced GPOs. They bust through that Block Inheritance!
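The checks in items 1 through 8 can also be read from PowerShell in one pass. This is an added example, not part of the original article; it assumes the GroupPolicy module (installed with GPMC/RSAT) is available, and the GPO name and OU distinguished name are placeholders.

```powershell
# Added example: summarize scope, filtering, delegation and link state
# for one GPO as seen from one OU. Run where the GroupPolicy module exists.
Import-Module GroupPolicy

$GpoName  = 'Example GPO'                        # placeholder GPO name
$TargetOU = 'OU=Domain Sites,DC=example,DC=com'  # placeholder distinguished name

$gpo = Get-GPO -Name $GpoName
$som = Get-GPInheritance -Target $TargetOU

# Items 1 and 6: a link made directly on this OU, whether enabled or not.
$direct = $som.GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }

# Items 5, 7 and 8: entries for this GPO in the list reported for the OU
# after inheritance, enforcement and Block Inheritance are resolved.
$inherited = @($som.InheritedGpoLinks | Where-Object { $_.GpoId -eq $gpo.Id })

# Items 2 and 4: trustees holding Apply Group Policy, and any Deny entries.
$perms  = Get-GPPermission -Name $GpoName -All
$apply  = @($perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied })
$denied = @($perms | Where-Object { $_.Denied })

$summary = [pscustomobject]@{
    Gpo               = $gpo.DisplayName
    TargetOU          = $som.Path
    LinkedDirectly    = [bool]$direct
    DirectLinkEnabled = if ($direct) { $direct.Enabled } else { $null }
    InInheritedList   = ($inherited.Count -gt 0)
    Enforced          = [bool]($inherited | Where-Object { $_.Enforced })
    BlockInheritance  = $som.GpoInheritanceBlocked
    # Item 3: only the filter name is shown; the filter itself is evaluated
    # on the client that processes the GPO.
    WmiFilter         = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }
    ApplyTrustees     = $apply.Trustee.Name -join ', '
    DenyTrustees      = $denied.Trustee.Name -join ', '
}
$summary | Format-List

# Every link reported for the OU, for comparison with the LSDOU order.
$som.InheritedGpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced, Target -AutoSize
```

If LinkedDirectly is False and InInheritedList is also False, look at the link's Enabled flag where the GPO is linked and at Block Inheritance on the OUs between that link and the target.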
Loopback
9. When a computer first starts up, it will process all computer side policies that are linked to the computer’s OU (and above). When a user logs on, any user side settings that are linked to the user’s OU (and above) will process. When loopback is enabled, this process has one additional step. After the user side items process, any user side settings linked to the computer’s OU (and above) are also applied.
Although this does slow down Group Policy processing, I still love it and find it insanely helpful! With loopback, I can take a user side setting (like setting the homepage in IE) and apply it to a group of computers (such as those in a lab)! Bear in mind that loopback now requires both the User and Computer objects to be added to the Scope tab on the GPO. Before Windows Vista, the computer did not need Read permission for the GPO.
If you still have questions about loopback (or want to learn how to use it), see these two guides:
- Loopback Policy: How a Computer Gets a Transgender Operation

- Questions about Loopback Policy Processing

Read Carefully
10. Finally, make sure that the GPO is doing what you intend for it to do. When a setting says “Enable Turn Off Audio Mode”, it is very easy to get confused. Read carefully over any GPO descriptions when configuring your GPO. You can use Microsoft’s GPSearch utility for explanations on GP Settings.
http://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx