Duplicate Group Policies reporting on a multitude of machines

OctoBen 101 Reputation points
2021-08-18T10:48:11.703+00:00

Hi,

We've run into a problem where a number of Group Policies are applying more than once when running gpresult on a multitude of machines.
Group policies that shouldn't be applying (due to blocked inheritance) are also applying to an account in a test OU.

We were basically trying to test a copy of the Default Domain Policy with a different settings applied to a test account in a test OU, however noticed that the original Default Domain policy, and other GPOs, are still applying to the account even though they're not enforced. I've checked and loopback processing is not enabled.

This isn't the case for all machines, some are reporting applied GPOs correctly, but some have this issue.

I've attempted to clear GPO cache off the machine, tried reprofiling the user and even re-joined the machine to the domain, but the issue still persists.
We've checked for sysvol replication errors, but everything looks good.

Does anyone have any ideas what I could do to troubleshoot this further?

124268-2021-07-23-10-43-34-sample1.png124294-2021-07-23-12-00-22-test-account-in-ou-with-blocke.png

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,822 questions
0 comments No comments
{count} votes

Accepted answer
  1. OctoBen 101 Reputation points
    2021-08-23T09:45:36.877+00:00

    The issue was resolved with Microsoft support.

    Loopback processing on Domain Computers was the culprit - apparently, if even one GPO in a particular OU has loopback processing enabled, all other GPOs in the OU will be affected as well. This also affects inherited group policies.

    We solved this by getting rid of loopback processing as it's made our domain level GPOs such as Default Domain Policy duplicate and apply to users on OUs that shouldn't.

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful