Hello,
According to your description, we have applied a Group policy to the OU which contains computers. Later we applied a restricted group policy within this GPO. But it seems that the GPO has not applied to all the computers. Here we would like to check with you about the following points.
To better understand our question, would you please tell us the following information:
- According to “In my domain we have a group policy deployed for the 'Computers' OU as a workstation policy to configure some things.”, do we mean we have an OU called “Computers”?
If so, by default, I know we all have a built-in container called “Computers”, so when I try to create a new OU called “Computers”, I cannot create the OU with the “Computers” name, and I receive the following error message.
- According to “Recently we've added an item within this GPO to remove local admin access for domain users by configuring a restricted group for builtin/administrators.”, have we configured to add domain users or groups to local Administrators on the clients via GPO restricted group policy settings before? If so, we can try to edit the corresponding GPO and remove the settings to remove local admin access for domain users on the clients.
- According to “I was under the impression that when the users come back on site and login, group policy would update and remove local admin access...”
Because Restricted Groups is a computer configuration setting, as with any computer policy, it will be applied once the computer starts up. Besides, only the admins could see the computer policy.
- According to our question “I know I can run gpresult, etc on individual computers, but is there a way or a tool where I can see which computers within this OU haven't updated GP and received the restricted group item so I can address?”, we could log on to each computer to check by running “gpresult /h” if possible.
For the computer policy, if the computers are running and are connected to the domain and the users are logged on, the GPO settings will be refreshed by any one of the following three methods:
Method 1. All the computer group policy settings will be applied when we restart the machines.
Method 2. We can run gpupdate /force command to refresh GPO settings manually.
Method 3. If we do not do anything, the GPO settings will be refreshed after 90-120 minutes.
For the computer policy, if the computers are powered off, they cannot apply the GPO settings.
Hope the information is helpful. If you still have problems, please contact us.
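
Added example, not part of the original reply: instead of logging on to each computer, this PowerShell sketch checks the effective membership of the local Administrators group on every enabled computer in the OU and lists the ones that still have unexpected members or could not be queried. It assumes the RSAT ActiveDirectory module and PowerShell remoting (WinRM) on the workstations; the OU distinguished name and the allowed-member patterns are placeholders.

```powershell
# Added example. Assumes: RSAT ActiveDirectory module, WinRM enabled on clients,
# Windows PowerShell 5.1+ on the clients (for Get-LocalGroupMember).
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=example,DC=com'            # placeholder OU DN
$Allowed    = @('*\Administrator', 'EXAMPLE\Domain Admins')  # placeholder patterns for
                                                             # members the policy should leave

$report = foreach ($c in Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase) {
    $target = if ($c.DNSHostName) { $c.DNSHostName } else { $c.Name }
    try {
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
        # so the query also works on non-English Windows installs.
        $members = Invoke-Command -ComputerName $target -ErrorAction Stop -ScriptBlock {
            (Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop).Name
        }
        # Keep only members that match none of the allowed patterns.
        $extra = @($members | Where-Object {
            $m = $_
            -not ($Allowed | Where-Object { $m -like $_ })
        })
        [pscustomobject]@{
            Computer = $c.Name
            Status   = if ($extra.Count) { 'UnexpectedMembers' } else { 'OK' }
            Detail   = $extra -join '; '
        }
    }
    catch {
        # Powered off, off-site, WinRM blocked, or the group query failed.
        [pscustomobject]@{
            Computer = $c.Name
            Status   = 'CheckFailed'
            Detail   = $_.Exception.Message
        }
    }
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize
```

Computers reported as `CheckFailed` are the ones to revisit once they are powered on and connected to the domain, since a computer policy cannot apply before then.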