[SOLVED] GPO does NOT apply but no evidence as to why
Alright guys, this ones....fun. :cool:
I've got a GPO in the schools domain that I use to restrict the student interface. You know, the usual. Restrict taskbar movement, Control Panel applets that appear, what appears in the My Network Places and even removing My Network Places all together. The policy worked great before. It restricted users on every point it was supposed to. However, I then got the great idea to try editing the policy and adding Software Restriction. Long story short, users couldn't open any programs for 15 minutes lol. So I quickly withdrew that policy and pulled the Software Restriction. However, the entire policy didn't work now and didn't apply.
So I thought to myself "uhhhhhhh I should have restricted software in a seperate policy". However I wasn't thinking on that level at first and thought I should just add it and see what happens. So anyways, that's all gone now and I ended up taking that policy, backing it up, and creating a brand new policy that restricts the user interface. All under the "User" part of the policy and applied to the Students OU that contains 4 OU's, 9, 10, 11, and 12 for each grade in the high school. Those OU's of course contain the students in those grades. So, that's all done. I reapplied the policy at the Students OU level, and tried again, remembering that I had the policy working for 4 or 5 months before I had tried the software restriction policy. But now, that software restriction policy is completely gone.
So after the UI restrictions are in place I head off to a student machine and try logging in as a student. I logged into my test student account, and to my surprise, none of the policies for UI were layed down. I opened event viewer [since I could, no restrictions in place] and looked for any policy errors. There were none. I then opened Run>CMD [since I could, no restrictions in place], and ran gpresult. Nowhere in here could I see the new policy I created, I usually see one called "Set User Interface", the name of the policy. However, there was nothing. So I run gpupdate, and log out, and back in. Nothing. I run gpupdate /force, and log out, and back in. Nothing. I check gpresult again for filtering or "not applied because..." messages, nothing. I couldn't see the name of the policy anywhere in any of the commands, and the UI is completely accessable.
So I go back to the server. I'm mind boggled. I go into Group Policy Management and I attempt to do the Group Policy Modelling Wizard to see what's applied for that OU. I right click on the Student OU and start the modelling wizard. I click the different grade OU's before and double check the inheritance and make sure that yes, the policy is being pushed down and inherited. It is. So I continue the policy modelling, and run it as if I was a student to see what's applied. Low and behold, it applies perfectly and lists as applied. However no client machines are picking up the policy.
If that wasn't enough, I had one other policy that's Set Internet Explorer Settings for Students, and that used to work perfectly. I never edited that policy, but it randomly stopped applying as well. Yet, shows as applied in the modelling wizard with no issues. There's 6 policies in total for users, about 4 for computers that are applied when a student logs in. They work perfectly.
The ONLY other change I've made is to the GPO's that apply the correct homepage based on computer location. I use the group policy loopback processing to apply the user setting to a computer setting and put the school home page GPO's in each computer OU that contains a student computer, and the library home page GPO in the library computers OU. It was never working, so I recently set the status to "Replace" instead of "Merge" in group policy loopback processing setting on those two home page GPO's. The home pages now work, but I also noticed now that the same policies, if I run gpresult on a student computer, are shown under both computer AND user settings. I'm wondering if this has anything to do with the replace setting, I thought loopback processing would apply to JUST that policy, but maybe to all?
I mean, I made these changes two days apart from each other. The policy processing, and then 2 days later, adding the software restriction to the student OU. Maybe this isn't caused by software restriction at all? Maybe it's something to do with those loopback processing settings? Still, it doesn't explain why the Set User Interface and Set Internet Explorer Settings for Students policies just stop working and aren't applied where all server settings and tests show they are, and all client computers don't have a clue what the policy is anymore. It worked as of a week ago. But the software restriction issues are what triggered me to find this issue. Either way I need to get this policy back up as soon as I can as it's one of the more powerful student restriction plans I have in place. Such a simple policy yet so powerful, and it just won't apply anymore.
Thank you all for reading this far. I really really appreciate your time taken to read this and look forward to a reply.