  1. #1
    link470

    [SOLVED] GPO does NOT apply but no evidence as to why

    Alright guys, this one's....fun.

    I've got a GPO in the school's domain that I use to restrict the student interface. You know, the usual. Restrict taskbar movement, Control Panel applets that appear, what appears in the My Network Places and even removing My Network Places altogether. The policy worked great before. It restricted users on every point it was supposed to. However, I then got the great idea to try editing the policy and adding Software Restriction. Long story short, users couldn't open any programs for 15 minutes lol. So I quickly withdrew that policy and pulled the Software Restriction. However, the entire policy didn't work now and didn't apply.

    So I thought to myself "uhhhhhhh I should have restricted software in a separate policy". However I wasn't thinking on that level at first and thought I should just add it and see what happens. So anyways, that's all gone now and I ended up taking that policy, backing it up, and creating a brand new policy that restricts the user interface. All under the "User" part of the policy and applied to the Students OU that contains 4 OU's, 9, 10, 11, and 12 for each grade in the high school. Those OU's of course contain the students in those grades. So, that's all done. I reapplied the policy at the Students OU level, and tried again, remembering that I had the policy working for 4 or 5 months before I had tried the software restriction policy. But now, that software restriction policy is completely gone.

    So after the UI restrictions are in place I head off to a student machine and try logging in as a student. I logged into my test student account, and to my surprise, none of the policies for UI were laid down. I opened event viewer [since I could, no restrictions in place] and looked for any policy errors. There were none. I then opened Run>CMD [since I could, no restrictions in place], and ran gpresult. Nowhere in here could I see the new policy I created, I usually see one called "Set User Interface", the name of the policy. However, there was nothing. So I run gpupdate, and log out, and back in. Nothing. I run gpupdate /force, and log out, and back in. Nothing. I check gpresult again for filtering or "not applied because..." messages, nothing. I couldn't see the name of the policy anywhere in any of the commands, and the UI is completely accessible.

    So I go back to the server. I'm mind boggled. I go into Group Policy Management and I attempt to do the Group Policy Modelling Wizard to see what's applied for that OU. I right click on the Student OU and start the modelling wizard. I click the different grade OU's before and double check the inheritance and make sure that yes, the policy is being pushed down and inherited. It is. So I continue the policy modelling, and run it as if I was a student to see what's applied. Lo and behold, it applies perfectly and lists as applied. However no client machines are picking up the policy.

    If that wasn't enough, I had one other policy that's Set Internet Explorer Settings for Students, and that used to work perfectly. I never edited that policy, but it randomly stopped applying as well. Yet, shows as applied in the modelling wizard with no issues. There's 6 policies in total for users, about 4 for computers that are applied when a student logs in. They work perfectly.

    The ONLY other change I've made is to the GPO's that apply the correct homepage based on computer location. I use the group policy loopback processing to apply the user setting to a computer setting and put the school home page GPO's in each computer OU that contains a student computer, and the library home page GPO in the library computers OU. It was never working, so I recently set the status to "Replace" instead of "Merge" in group policy loopback processing setting on those two home page GPO's. The home pages now work, but I also noticed now that the same policies, if I run gpresult on a student computer, are shown under both computer AND user settings. I'm wondering if this has anything to do with the replace setting, I thought loopback processing would apply to JUST that policy, but maybe to all?

    I mean, I made these changes two days apart from each other. The policy processing, and then 2 days later, adding the software restriction to the student OU. Maybe this isn't caused by software restriction at all? Maybe it's something to do with those loopback processing settings? Still, it doesn't explain why the Set User Interface and Set Internet Explorer Settings for Students policies just stop working and aren't applied where all server settings and tests show they are, and all client computers don't have a clue what the policy is anymore. It worked as of a week ago. But the software restriction issues are what triggered me to find this issue. Either way I need to get this policy back up as soon as I can as it's one of the more powerful student restriction plans I have in place. Such a simple policy yet so powerful, and it just won't apply anymore.

    Thank you all for reading this far. I really really appreciate your time taken to read this and look forward to a reply.
    Last edited by link470; 11th July 2008 at 02:42 AM.

  2. #2
    PEO
    Do you have two DCs? Could this have something to do with replication?

  3. #3
    link470
    Originally Posted by MrHappy:
    > Do you have two DCs? Could this have something to do with replication?

    We do have two DC's. The policy lies in both DC's. If I'm in Group Policy Management and select at the top of the domain to switch domain controllers and go to my second one, the policies listed are identical.

  4. #4
    PEO
    Sorry, without reading everything you just wrote again, did you edit the policy at the domain default policy or the user/computer OU?

  5. #5
    PEO
    Also, did you do a gpupdate /force?

  6. #6
    PEO
    Also... is your DNS running on your DCs?

  7. #7
    link470
    Originally Posted by MrHappy:
    > Sorry, without reading everything you just wrote again, did you edit the policy at the domain default policy or the user/computer OU?

    The policy is a separate User policy under the Students OU called "Set User Interface". The Students OU contains 4 OU's, one for each grade, and each grade contains those students in that grade. Everything under the Students OU is a user.

    Originally Posted by MrHappy:
    > Also, did you do a gpupdate /force?

    Yes.

    Originally Posted by MrHappy:
    > Also... is your DNS running on your DCs?

    Yes.



    Thanks for your replies!

  8. #8

    PiqueABoo
    > I thought loopback processing would apply to JUST that policy, but maybe
    > to all?

    Loopback-replace means that user policy will only come from (the user sections) of any GPOs that apply to a given computer. It will stop all the GPOs you have applied to your Students OU from being used.

    It definitely sounds like the root cause...

  9. Thanks to PiqueABoo from:

    link470 (27th April 2008)
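
PiqueABoo's explanation of loopback-replace, and the gpresult observation in the first post, as a small model of which GPOs supply user settings at logon. This is an added example, not code from the thread and not Microsoft's implementation; the OU paths and setting names are constructed, and site/local GPOs, Enforced, Block Inheritance and security filtering are not modelled.

```python
# Added example: simplified model of how loopback mode selects user-side GPOs.
# GPO names follow the thread; OU paths and setting names are constructed.

LINKS = {  # OU path -> GPOs linked at that OU
    "Students": ["Set User Interface",
                 "Set Internet Explorer Settings for Students"],
    "Computers/Classroom": ["Set Homepage"],
}

def make_gpos(loopback):
    """GPO table; `loopback` (None, "merge" or "replace") is set on Set Homepage."""
    return {
        "Set User Interface": {"user": {"NoControlPanel": 1}},
        "Set Internet Explorer Settings for Students":
            {"user": {"LockIEOptions": 1}},
        "Set Homepage": {"user": {"HomePage": "http://school.example/"},
                         "loopback": loopback},
    }

def linked(ou_path):
    """GPOs in processing order: parent OU first, the object's own OU last."""
    parts, out = ou_path.split("/"), []
    for i in range(1, len(parts) + 1):
        out += LINKS.get("/".join(parts[:i]), [])
    return out

def user_gpos(user_ou, computer_ou, gpos):
    """GPOs whose user section is processed when this user logs on here."""
    from_user, from_computer = linked(user_ou), linked(computer_ou)
    mode = None
    for name in from_computer:            # last GPO that sets a mode wins
        mode = gpos[name].get("loopback") or mode
    if mode == "replace":
        return from_computer              # the user's own OU is ignored
    if mode == "merge":
        return from_user + from_computer  # computer's GPOs are processed last
    return from_user

def user_settings(user_ou, computer_ou, gpos):
    """Effective user settings: later GPOs overwrite earlier ones."""
    result = {}
    for name in user_gpos(user_ou, computer_ou, gpos):
        result.update(gpos[name]["user"])
    return result

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        gpos = make_gpos(mode)
        print(mode, user_gpos("Students/10", "Computers/Classroom", gpos))
```

In replace mode the list holds only Set Homepage: the Students OU policies drop out of the user section, and the computer-linked GPO shows up under user settings as well.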

  10. #9
    PEO
    Cached profiles cleared on XP machines.

    Out of interest, can you apply that GPO at the domain level and see what happens?

  11. #10
    link470
    Originally Posted by PiqueABoo:
    > > I thought loopback processing would apply to JUST that policy, but maybe
    > > to all?
    >
    > Loopback-replace means that user policy will only come from (the user sections) of any GPOs that apply to a given computer. It will stop all the GPOs you have applied to your Students OU from being used.
    >
    > It definitely sounds like the root cause...

    Thank you very much. I'll remove the loopback processing policy within the Set Homepage policy on Monday and see what happens.

    I'll report back as soon as I've tried.

  12. #11
    acrobson
    It may be a long shot, but it may be worth removing a machine from the domain and then re-adding or even giving the DC a restart. Long shot......but cannot do much harm given the circumstances.

    Best of luck!

  13. #12

    Geoff
    Have you tried running 'netdiag' on one of the affected clients? That usually highlights any obvious problems.

  14. #13
    link470
    Originally Posted by acrobson:
    > It may be a long shot, but it may be worth removing a machine from the domain and then re-adding or even giving the DC a restart. Long shot......but cannot do much harm given the circumstances.
    >
    > Best of luck!

    I've restarted both my DC's and added a new machine to the domain and tested.

    Originally Posted by Geoff:
    > Have you tried running 'netdiag' on one of the affected clients? That usually highlights any obvious problems.

    I haven't, I'll have a look on Monday along with PiqueABoo's idea of that loopback policy being set at "replace".

    Thanks!

  15. #14
    acrobson
    I expected you would have done, wasn't meaning to come across patronising or anything.

  16. #15
    link470
    Originally Posted by acrobson:
    > I expected you would have done, wasn't meaning to come across patronising or anything.

    Psht, no worries! I'm glad you replied, I'm willing to accept any and all ideas. Just replying to each one I get with what I've done to eliminate what it could be. I think we may be onto something with that loopback policy but ya that's exactly what I was wondering at first, that it may have been something to do with certain computers on the domain or the DC's being restarted so I'm glad I wasn't the only one who suggested that! Unfortunately didn't do anything but we'll see. I'm looking forward to testing that removal of the loopback policy processing tomorrow. I'll let you all know how it went.

    Once again thank you all for your replies I really appreciate this community. I still think back to the beginning of the school year when I first found this place after getting my job and was like "no freakin way....there's a forum for OUR JOB!!!". Totally diggin it. It's helped me many times.
