So before explaining my problem I describe to you my small Active Directory environment : two DCs, one Windows Server, and an OU named "X" that contains 6 users including the user "Y".
I tried to write a script that create a GPO that change the background wallpaper to a solid blue one, here is the script :
#Get-Command -Module GroupPolicy
New-GPO -Name "ChangeWallpaperInBlue" -comment "Change the wallpaper to a solid blue color"
New-GPLink -Name "ChangeWallpaperInBlue" -Target "OU=X,DC=mydomain,DC=local"
Set-GPPrefRegistryValue -Name "ChangeWallpaperInBlue" -Context User -Action Replace -Key "HKEY_CURRENT_USER\Control Panel\Colors" -ValueName Background -Type String -Value "0 0 255"
Set-GPPrefRegistryValue -Name "ChangeWallpaperInBlue" -Context User -Action Replace -Key "HKEY_CURRENT_USER\Control Panel\Desktop" -ValueName Wallpaper -Type String -Value ""
I started it one the primary DC, everything worked.
I checked in the Group Policy Mgmt, the link between the GPO and the OU "X" is ok, in the Security Filtering list Authenticated Users are there and in the Delegation tab the Authenticated Users have Read and Apply the policy rights.
I log into my server with the "Y" username but the wallpaper didn't change.
So to check if my user has a GPO applied, I tried differents commands :
gpresult /user mydomain\X \v and I get :
INFO: The user "sevenkingdoms.local\robb.stark" does not have RSoP data.
gpupdate and I get :
Computer policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
I opened the GPReport.html but I can find the erroe description of the error precisely, it seems like the GPO are empty in "Denied GPO"...
What did I do wrong?