[SOLVED] GPO does NOT apply but no evidence as to why

[link470]

Alright guys, this ones....fun.

I've got a GPO in the schools domain that I use to restrict the student interface. You know, the usual. Restrict taskbar movement, Control Panel applets that appear, what appears in the My Network Places and even removing My Network Places all together. The policy worked great before. It restricted users on every point it was supposed to. However, I then got the great idea to try editing the policy and adding Software Restriction. Long story short, users couldn't open any programs for 15 minutes lol. So I quickly withdrew that policy and pulled the Software Restriction. However, the entire policy didn't work now and didn't apply.

So I thought to myself "uhhhhhhh I should have restricted software in a seperate policy". However I wasn't thinking on that level at first and thought I should just add it and see what happens. So anyways, that's all gone now and I ended up taking that policy, backing it up, and creating a brand new policy that restricts the user interface. All under the "User" part of the policy and applied to the Students OU that contains 4 OU's, 9, 10, 11, and 12 for each grade in the high school. Those OU's of course contain the students in those grades. So, that's all done. I reapplied the policy at the Students OU level, and tried again, remembering that I had the policy working for 4 or 5 months before I had tried the software restriction policy. But now, that software restriction policy is completely gone.

So after the UI restrictions are in place I head off to a student machine and try logging in as a student. I logged into my test student account, and to my surprise, none of the policies for UI were layed down. I opened event viewer [since I could, no restrictions in place] and looked for any policy errors. There were none. I then opened Run>CMD [since I could, no restrictions in place], and ran gpresult. Nowhere in here could I see the new policy I created, I usually see one called "Set User Interface", the name of the policy. However, there was nothing. So I run gpupdate, and log out, and back in. Nothing. I run gpupdate /force, and log out, and back in. Nothing. I check gpresult again for filtering or "not applied because..." messages, nothing. I couldn't see the name of the policy anywhere in any of the commands, and the UI is completely accessable.

So I go back to the server. I'm mind boggled. I go into Group Policy Management and I attempt to do the Group Policy Modelling Wizard to see what's applied for that OU. I right click on the Student OU and start the modelling wizard. I click the different grade OU's before and double check the inheritance and make sure that yes, the policy is being pushed down and inherited. It is. So I continue the policy modelling, and run it as if I was a student to see what's applied. Low and behold, it applies perfectly and lists as applied. However no client machines are picking up the policy.

If that wasn't enough, I had one other policy that's Set Internet Explorer Settings for Students, and that used to work perfectly. I never edited that policy, but it randomly stopped applying as well. Yet, shows as applied in the modelling wizard with no issues. There's 6 policies in total for users, about 4 for computers that are applied when a student logs in. They work perfectly.

The ONLY other change I've made is to the GPO's that apply the correct homepage based on computer location. I use the group policy loopback processing to apply the user setting to a computer setting and put the school home page GPO's in each computer OU that contains a student computer, and the library home page GPO in the library computers OU. It was never working, so I recently set the status to "Replace" instead of "Merge" in group policy loopback processing setting on those two home page GPO's. The home pages now work, but I also noticed now that the same policies, if I run gpresult on a student computer, are shown under both computer AND user settings. I'm wondering if this has anything to do with the replace setting, I thought loopback processing would apply to JUST that policy, but maybe to all?

I mean, I made these changes two days apart from each other. The policy processing, and then 2 days later, adding the software restriction to the student OU. Maybe this isn't caused by software restriction at all? Maybe it's something to do with those loopback processing settings? Still, it doesn't explain why the Set User Interface and Set Internet Explorer Settings for Students policies just stop working and aren't applied where all server settings and tests show they are, and all client computers don't have a clue what the policy is anymore. It worked as of a week ago. But the software restriction issues are what triggered me to find this issue. Either way I need to get this policy back up as soon as I can as it's one of the more powerful student restriction plans I have in place. Such a simple policy yet so powerful, and it just won't apply anymore.

Thank you all for reading this far. I really really appreciate your time taken to read this and look forward to a reply.

[PEO]

Do you have two DC? could this have something to do with replication?

[link470]

Do you have two DC? could this have something to do with replication?

We do have two DC's. The policy lies in both DC's. If I'm in Group Policy Management and select at the top of the domain to switch domain controllers and go to my second one, the policies listed are identical.

[PEO]

sorry with out reading everything you just wrote again, did you edit the policy at the domain default policy or the user/computer OU?

[PEO]

also did you do a gpupdate /force?

[PEO]

also... is your DNS running on youd DC's?

[link470]

sorry with out reading everything you just wrote again, did you edit the policy at the domain default policy or the user/computer OU?

The policy is a seperate User policy under the Students OU called "Set User Interface". The Students OU contains 4 OU's, one for each grade, and each grade contains those students in that grade. Everything under the Students OU is a user.

also did you do a gpupdate /force?

Yes.

also... is your DNS running on youd DC's?

Yes.



Thanks for your replies!

[PiqueABoo]

> I thought loopback processing would apply to JUST that policy, but maybe
> to all?

Loopback-replace means that user policy will only come from (the user sections) of any GPOs that apply to a given computer. It will stop all the GPOs you have applied to your Students OU from being used.

It definitely sounds like the root cause...

[PEO]

chached profiles cleared on xp machines.


out of intrest can you apply that a gpo at the domain level and see what happens?

[link470]

> I thought loopback processing would apply to JUST that policy, but maybe
> to all?

Loopback-replace means that user policy will only come from (the user sections) of any GPOs that apply to a given computer. It will stop all the GPOs you have applied to your Students OU from being used.

It definitely sounds like the root cause...

Thank you very much. I'll remove the loopback processing policy within the Set Homepage policy on Monday and see what happens.

I'll report back as soon as I've tried.

[acrobson]

It may be a long shot, but it may be worth removing a machine from the domain and then re-adding or even giving the DC a restart. Long shot......but cannot do much harm given the circumstances.

Best of luck!

[Geoff]

Have you tried running 'netdiag' on one of the affected clients? That usually highlights any obvious problems.

[link470]

It may be a long shot, but it may be worth removing a machine from the domain and then re-adding or even giving the DC a restart. Long shot......but cannot do much harm given the circumstances.

Best of luck!

I've restarted both my DC's and added a new machine to the domain and tested.

Have you tried running 'netdiag' on one of the affected clients? That usually highlights any obvious problems.

I haven't, I'll have a look on Monday along with PiqueABoo's idea of that loopback policy being set at "replace".

Thanks!

[acrobson]

I expected you would have done, wasn't meaning to come across patronising or anything.

[link470]

I expected you would have done, wasn't meaning to come across patronising or anything.

Psht, no worries! I'm glad you replied, I'm willing to accept any and all ideas. Just replying to each one I get with what I've done to eliminate what it could be. I think we may be onto something with that loopback policy but ya that's exactly what I was wondering at first, that it may have been something to do with certain computers on the domain or the DC's being restarted so I'm glad I wasn't the only one who suggested that! Unfortunately didn't do anything but we'll see. I'm looking forward to testing that removal of the loopback policy processing tomorrow. I'll let you all know how it went.

Once again thank you all for your replies I really appreciate this community. I still think back to the beginning of the school year when I first found this place after getting my job and was like "no freakin way....there's a forum for OUR JOB!!!". Totally diggin it. It's helped me many times.