Need help trouble shooting GPO.
-
The GPO at the root of your domain will be applied to all your users and computers. However if you create one GPO and then link it only to the OU then only the members of that OU will get it to apply.
Also is this GPO a USer or Computer policy?
-
Running
gpresulton one of the computers that should be affected by your GPO may help show if the GPO is even being applied. -
@dbeato said in Need help trouble shooting GPO.:
The GPO at the root of your domain will be applied to all your users and computers. However if you create one GPO and then link it only to the OU then only the members of that OU will get it to apply.
Also is this GPO a USer or Computer policy?
My money is with dbeato on it being created under a user policy.
Also note, to create desktop shortcuts for everyone on a computer you probably want to create it in the Public desktop
-
@flaxking said in Need help trouble shooting GPO.:
@dbeato said in Need help trouble shooting GPO.:
The GPO at the root of your domain will be applied to all your users and computers. However if you create one GPO and then link it only to the OU then only the members of that OU will get it to apply.
Also is this GPO a USer or Computer policy?
My money is with dbeato on it being created under a user policy.
Ditto - when you are inside your GPO, are you in the User section, or the Computer section? For your case, you want it in the Computer section.
-
Thanks everyone for the ideas. So here are some answers to your questions
- I have run gpupdate /force many times to get this to work on WS27 and other machines while testing to see if the GPO is applies
- gpresult /r run from an elevated prompt shows the GPO that are applied to the computer and the user. The test GPO only is applied if it is linked at the domain level not if it is linked at the test OU level.
3)Note that it is applied if at the domain level and not applied if at the test OU level (or any other level or OU)
4)This is a user GPO
5)The fact that it works and is applied to all computers at the domain level (even to the WS27 computer that is within the test OU and part of the domain) tells me that the GPO is correctly configured. When it is linked to the test OU it is not applied to WS27 that is part of the Test OU.
Thoughts?
-
@srdennis said in Need help trouble shooting GPO.:
Thanks everyone for the ideas. So here are some answers to your questions
- I have run gpupdate /force many times to get this to work on WS27 and other machines while testing to see if the GPO is applies
- gpresult /r run from an elevated prompt shows the GPO that are applied to the computer and the user. The test GPO only is applied if it is linked at the domain level not if it is linked at the test OU level.
3)Note that it is applied if at the domain level and not applied if at the test OU level (or any other level or OU)
4)This is a user GPO
5)The fact that it works and is applied to all computers at the domain level (even to the WS27 computer that is within the test OU and part of the domain) tells me that the GPO is correctly configured. When it is linked to the test OU it is not applied to WS27 that is part of the Test OU.
Thoughts?
You answered your own question in there.
You said it's a user GPO, but you have it linked to an OU with the computer in it.... so the
userGPO is not going to apply to thecomputerin there, as it's a user GPO.This is why it works when it is applied at the domain level, because it's then able to properly target the user.
-
Thanks Obsolesce! So if I create a computer GPO and apply it to an OU with a machine in it it should work?
-
@srdennis said in Need help trouble shooting GPO.:
Thanks Obsolesce! So if I create a computer GPO and apply it to an OU with a machine in it it should work?
Or put the GPO in the domain level and use item-level targeting to only target that computer. There's a lot of ways to go about it. But perhaps you can most simply recreate the GPO as a computer policy as you said.
-
OMG!!!!! It worked!!! Thank you so much Obsolesce. I cannot believe that I didn't understand that aspect of how this all works. So If I were to put a user into this test OU and apply the test GPO that has a user GPO in it then it will get applied?
-
@srdennis said in Need help trouble shooting GPO.:
OMG!!!!! It worked!!! Thank you so much Obsolesce. I cannot believe that I didn't understand that aspect of how this all works. So If I were to put a user into this test OU and apply the test GPO that has a user GPO in it then it will get applied?
Yes, it will work since it is a GPO applied to users.
-
@srdennis said in Need help trouble shooting GPO.:
OMG!!!!! It worked!!! Thank you so much Obsolesce. I cannot believe that I didn't understand that aspect of how this all works. So If I were to put a user into this test OU and apply the test GPO that has a user GPO in it then it will get applied?
You can also setup loopback GPO processing, if you want that GPO to only apply to a User when logged into a computer in that OU.
-
@srdennis said in Need help trouble shooting GPO.:
OMG!!!!! It worked!!! Thank you so much Obsolesce. I cannot believe that I didn't understand that aspect of how this all works. So If I were to put a user into this test OU and apply the test GPO that has a user GPO in it then it will get applied?
AD/GP best practice is to separate out the OU paths. One for Computer objects and another for User objects.
Group Policy operates similar to Cascading Style Sheets that tailors the way a web site can look with the GPO closest to the object winning with few exceptions.
Never edit the Default Domain Policy or Default Domain Controllers Policy. Always create a new GPO and link it to the required OU.
GPOs for Computer objects should have the User section disabled and same for User objects having the Computer section disabled.
GPResult /H C:\Temp\GPResults.htmlThat's how to find out the what/where/when for GPOs applying. Computer GPOs will only show up if the command is run via an elevated shell (CMD). The Temp directory needs to exist.
-
-
Thanks. That looks to be a good reference and read
