GPO TroubleShooting

giobaxx 1 Reputation point
2020-11-03T17:17:54.41+00:00

I have no experience in evaluating group policy issues and I would need a hand to understand why a certain policy is applied or not.

I ran a gpresult on the affected computers but frankly I can't interpret all the data. What caught my eye is the fact that the initial summary gives me NO Error Detected but:

  1. I have many GPO Alerts with AD / SYSVOL Version Mismatch. Could it be a problem?
  2. During the last IT policy request it gives me today's date but Last User Policy Update gives me a date more than a year ago (June 2019). By chance does it mean that on the user side this policy has not been updated since June 2019 or does it simply refer to the previous date, on which the user had logged in and whose policy was updated? I.e. if I log in to that machine now, will I get today's date as Last User Policy refresh?

Can you also tell me if in the Group Policy Management Console the tree that starts from Group Policy Objects contains all the possible GPOs? This is because when I go to do Group Policy Results on a specific machine / user it gives me some policies applied on the user side that I just can't find in Group Policy Management.

Apart from gpupdate /force, is there another way to completely reset the Domain Policy applied?

Thanks for the help

A.


3 answers

  1. Fan Fan 15,326 Reputation points Microsoft Vendor
    2020-11-04T00:52:34.1+00:00

    Hi,
    1. What's the version of all the DCs in your environment? If it is the 2012 server, I would recommend you check this link first.
    https://support.microsoft.com/en-us/help/2866345/ad-sysvol-version-mismatch-message-is-displayed-unexpectedly-in-the-gr

    2. If not the 2012 server, please check the following points to narrow it down:

    1. Check if all DCs are healthy. Command: Dcdiag /v >c:\dcdiag1.log
    2. Check if the AD replication is OK. Command: Repadmin /showrepl >C:\repl.txt
    3. Check if the SYSVOL replication is OK among DCs, and if the content in the SYSVOL is the same.
    4. Check if all the GPOs apply successfully.
      On one of the computers, run CMD as administrator:
      Run gpupdate /force, if any errors occur.
      Run gpresult /h report.html and check if there are any errors or GPOs not applied.
    5. Check if we installed all the updates on all the DCs.

    Best Regards,
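
For step 3 and the "AD / SYSVOL Version Mismatch" alerts in the question, the comparison can be scripted per domain controller. This is an added example, not part of the answer above; it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the account can read the GPOs, and the function name `Get-GpoVersionMismatch` is hypothetical.

```powershell
# Added example: compares the version stored in AD (DSVersion) with the one
# in SYSVOL's GPT.INI (SysvolVersion) for every GPO, as seen from each DC.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoVersionMismatch {
    param(
        # DCs to query; defaults to every DC in the current domain
        [string[]]$Server = (Get-ADDomainController -Filter *).HostName
    )
    foreach ($dc in $Server) {
        try {
            $gpos = Get-GPO -All -Server $dc -ErrorAction Stop
        } catch {
            # A DC that cannot be queried is itself a finding worth following up
            Write-Warning "Could not read GPOs from ${dc}: $($_.Exception.Message)"
            continue
        }
        foreach ($gpo in $gpos) {
            # User and Computer halves of a GPO are versioned independently
            foreach ($side in 'Computer', 'User') {
                $ds     = $gpo.$side.DSVersion
                $sysvol = $gpo.$side.SysvolVersion
                if ($ds -ne $sysvol) {
                    [pscustomobject]@{
                        Server        = $dc
                        GpoName       = $gpo.DisplayName
                        GpoId         = $gpo.Id
                        Side          = $side
                        DSVersion     = $ds
                        SysvolVersion = $sysvol
                        Modified      = $gpo.ModificationTime
                    }
                }
            }
        }
    }
}

# An empty result means AD and SYSVOL agree for every GPO on every DC queried.
Get-GpoVersionMismatch | Sort-Object GpoName, Server | Format-Table -AutoSize
```

A GPO that mismatches on only some DCs points at replication (steps 2 and 3); one that mismatches on every DC points at the GPO itself.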


  2. giobaxx 1 Reputation point
    2020-11-10T12:30:19.793+00:00

    Sorry for the late reply, but for the moment I was unable to solve the issue, and maybe I also found other things that are strange to me, but that is probably due to my lack of knowledge.

    About the strange behavior with the hidden GPO: I found it only when running RSoP and only for my Domain Account, which is an account with some privileges but not a full Domain Admin account. If I use the regular account of the user, at least I don't see this "hidden" GPO, applied or denied.

    This hidden policy does not exist anymore in the Group Policy Objects of the GPMC, and it was also linked to an OU that does not exist anymore either. I tried gpupdate /force but nothing changes.

    There is an additional GPO that I don't know why is not applied. This GPO appears in the Group Policy Inheritance on the OU, and it should be applied for the Windows 10 computer, but if I run the RSoP it seems it does not exist. It is not in the denied or approved policies.

    This policy has a Security Filtering with a list of computer name written like this:

    Computer_win10$(Domain\Computer_win10$)
    Computer_win7_1$(Domain\Computer_win7_1$)
    Computer_win7_2$(Domain\Computer_win7_2$)

    plus a WMI Filtering that should select only the computers with Windows 10

        select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"

    So the GPO should be applied to the list of computers in the Security Filtering, but only the ones with Windows 10.

    Now this policy is NOT APPLIED on the Windows 7 computer, it appears in the RSoP as a Denied Policy, and that is correct for me.

    I was expecting it to be applied on the Windows 10 computer. But besides not being applied, it seems not to have been processed, because it does not appear in the RSoP either as an applied policy or as a denied policy.

    I also noticed that what I called the hidden policy has the same GUID as the GPO I was mentioning now. Is it normal? I mean different name but same GUID.

    I also tried to access the related folder {xxxxx-xxx-xxxx-xxxx-xxxxxxxxxx} under /ServerDC/SYSVOL/DomainNAme/Policies but I don't have access. Is this the normal behaviour? Because just trying, I have access to most of the folders under SYSVOL/..../Policies

    I'm a bit confused :-|


  3. giobaxx 1 Reputation point
    2020-11-12T22:48:50.203+00:00

    Sorry for the late reply... but I was involved in other tasks :-)

    I don't have any errors in the gpresult, and I don't have full domain admin privileges, but running dcdiag I passed most of the tests and the ones I failed are because I didn't have access. As soon as possible I will contact my colleague with full privileges to run a full test.

    However I'm still facing this issue, but I've tried to investigate a bit further about what happened and I think that:

    There was a GPO1 that was applied to an OU1 in Active Directory; when AD was restructured, OU1 was deleted and an OU2 and a GPO2 with the same task were created.

    Unlike GPO1, GPO2 has a Security Filtering with a list of computer name written like this:

    > Computer_win10$(Domain\Computer_win10$)
    
    > Computer_win7_1$(Domain\Computer_win7_1$)
    
    > Computer_win7_2$(Domain\Computer_win7_2$)
    

    plus a WMI Filtering that should select only the computers with Windows 10

        select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"
    

    What is happening now:

    With Windows 7 Workstation:

    • If I run gpresult with my account I still find GPO1 applied, which does not exist anymore in the Group Policy Objects of the GPMC. I didn't log in to the system; I simply ran a cmd prompt as a different user with my account.
    • If I run gpresult with the currently logged-in account I have neither GPO1 nor GPO2 applied, and for me that is correct because GPO1 does not exist and GPO2 has to be applied only to the Windows 10 workstation. In fact the policy was denied.

    With Windows 10 Workstation:

    • If I run gpresult with the currently logged-in account it seems that the policy GPO2 is not even processed, because it does not appear as denied or applied in the report, but it should be, because GPO2 should be applied to Windows 10.

    Maybe the GPO2 is not applied on the user side?

    I've noticed the two GPOs have the same GUID. Is it possible that GPO1 was renamed and modified by adding the security and the WMI filtering, and that this could generate some problems and inconsistencies?

    I don't have access to the corresponding folder of this GPO in SYSVOL/..../Policies but I have access to most of them. Is it normal?

    Thanks in advance A
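
The three things the last two posts ask about (one GUID under two names, the WMI filter, and the Security Filtering list) can be read in one pass on the affected Windows 10 workstation. This is an added example, not part of the posts above; it assumes the GroupPolicy RSAT module is installed there and that the account can read the GPO, the function name `Test-GpoTargeting` is hypothetical, and the all-zero GUID is a placeholder for the GUID shown in the gpresult report.

```powershell
# Added example: inspect how one GPO (identified by GUID) is targeted.
Import-Module GroupPolicy

function Test-GpoTargeting {
    param(
        [Parameter(Mandatory)][guid]$GpoGuid,    # GUID from the RSoP / gpresult report
        [Parameter(Mandatory)][string]$WmiQuery  # WQL text of the WMI filter
    )
    # A GUID identifies exactly one GPO; DisplayName is its current name,
    # so a report showing an older name for the same GUID is a stale view.
    $gpo = Get-GPO -Guid $GpoGuid -ErrorAction Stop

    # Evaluate the WQL on this machine; the filter passes when at least
    # one instance is returned.
    $wmiPasses = [bool](Get-CimInstance -Query $WmiQuery -ErrorAction Stop)

    # Security Filtering corresponds to trustees with an allowed GpoApply right.
    $perms = Get-GPPermission -Guid $GpoGuid -All
    $apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    $deny  = $perms | Where-Object { $_.Denied }

    [pscustomobject]@{
        CurrentName     = $gpo.DisplayName
        Modified        = $gpo.ModificationTime
        GpoStatus       = $gpo.GpoStatus          # shows a disabled User or Computer half
        LinkedWmiFilter = $gpo.WmiFilter.Name     # empty when no filter is linked
        WmiQueryPasses  = $wmiPasses
        ApplyTrustees   = $apply.Trustee.Name -join ', '
        DeniedTrustees  = $deny.Trustee.Name -join ', '
        ThisComputer    = "$env:COMPUTERNAME`$"   # compare against ApplyTrustees
    }
}

# WQL copied from the post; replace the placeholder GUID before running.
$query = 'select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"'
Test-GpoTargeting -GpoGuid '00000000-0000-0000-0000-000000000000' -WmiQuery $query |
    Format-List
```

If `Get-GPO` fails with an access error for this GUID while working for others, that matches the unreadable SYSVOL folder described above and is worth passing to the colleague with full privileges.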

