User GPO not applying

Similar Messages

• Cross Forest User GPOs not applying

  I know I've read a ton of forums concerning this issue and most were resolved but nothing read so far has helped and I'm really hoping there are a few ideas out there that I have missed.
  We have two forests: a new 2012 forest and an 2008 at an 2003 forest level with two way forest trust.
  We are able to login to computers in the 2012 forest regardless of domain with any user in the 2008 forest.  However we are setting up our workstation environment in the 2012 forest which requires us applying user policies.  All users are in the
  2008 forest.  We have enabled the allow cross forest policy and the loopback processing applied to the OU where the client machines are located in Active Directory.  We have verified the trust on both sides and tested DNS using nslookup on both sides.
   The DCs for both forest are located in the same physical building but two different subnets.  The WAN guy has assured us that there are no ACLs involved.  The firewall has been shut off on all DCs and all workstations.  I see no LSA errors
  on the DCs.  Each forest has a stub DNS zone to the other forest zones.  I've been able to successfully setup computer gpos to map drives to the users when they login to 2012 clients.
  I'm completely lost for what else we need to be looking at to solve this problem.   Any suggestion would be most welcome.  

  Hi,
  Before going further, what settings have we configured? Which Loopback mode have we chosen, Merger or Replace? What are operating systems of our clients?
  For further troubleshooting, we can follow the following article to collect Gpsvc.log file.
  How to enable GPO logging on windows 7 /2008 r2 ?
  http://blogs.technet.com/b/csstwplatform/archive/2010/11/09/how-to-enable-gpo-logging-on-windows-7-2008-r2.aspx
  After getting the log, you may upload it to OneDrive and provide us the download link.
  Besides, we can try using netmon.exe to further trace network to see if this is caused by network traffic.
  Microsoft Network Monitor 3.4
  http://www.microsoft.com/en-in/download/details.aspx?id=4865
  How to use Network Monitor to capture network traffic
  http://support.microsoft.com/kb/812953/en-us
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
  Best regards,
  Frank Shen

• Loopback GPO on Replace prevents other user GPOs from applying

  I had the need to create a GPO and use a loopback.  Simple little GPO, just to add some stuff to trusted sites on a specific Citrix server.  I created it as a user GPO then did a loopback so I could apply it to only the application hosting XenApp
  server I wanted.
  I set the loopback to replace, just because it was default and the trusted site settings were not applied anywhere else; I didn't really care.
  Long story short, when I linked that GPO, it, for some reason, prevented all other user GPOs from applying.  Not denied, they just didn't even show up.  
  I figured it out shortly after, and when I changed it to merge, the other user GPOs applied again.  This is not the way I believe Loopback is supposed to work, in either replace or merge.  
  Any insight on why that might have happened?

  > Long story short, when I linked that GPO, it, for some reason, prevented
  > all other user GPOs from applying.  Not denied, they just didn't even
  > show up.
  > I figured it out shortly after, and when I changed it to merge, the
  > other user GPOs applied again.  This is not the way I believe Loopback
  > is supposed to work, in either replace or merge.
   This actually IS the way it is supposed to work:
  http://evilgpo.blogspot.com/2012/02/loopback-demystified.html
  http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))
  That makes a lot more sense.
  What it says on the GPO itself is:
  "Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.  
  I was interpreting that as GPOs it would replace were only the settings in the loopback.

• GPO Not Applying

  HI All,
    I have a OU for Computers and OU for USers.
   Create the FolderRedirect GPO for User configuration ( Folder Redirection) for One Security Group (OLGroup) of people only.
   I have applied to users but this policy not applying?  Do i need Computers and Users in same OU?
  AS

  GPO delegation to Sub OU is the same as the domain OU?
  any conflicting GPOs that you think that might cause the problem?
  or check the GPO inheritance and precedence:
  Group Policy settings are processed in the following order:
  Local Group Policy object—Each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing. 
  Site—Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the
  site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
  Domain—Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is
  processed last, and therefore has the highest precedence.
  Organizational units—GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are
  linked to the organizational unit that contains the user or computer are processed. 
  At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked
  Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
  This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user
  is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)
  from this link: http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx

• GPO not applied at all with build 9926

  Hello,
  I have a Samba 4 Active Directory Domain controler. My LAN is composed of XP and 7 computers ; everything works well.
  I also have tested previous builds of Windows 10, and had no particular problem with Group Policies.
  With build 9926, my GPOs are not applied at all. It seems there is a big change making Group Policies not applied / not reloaded when users log in. Here are step by steps what I have noticed :
  0) At the very first log in, when I do a gpresult /V, i have a message saying something like "no rsop data for this user"
  1) I performed a gpupdate /force
  2) I performed another gpresult /V and then I got information about my GPO
  3) I logged out and logged in with same user --> my GPO is applied
  4) I modified my GPO to set new policy
  5) I loggged out and in again --> old policies are applied but new policy is not applied
  6) I performed gpresult /V --> new policy is not displayed
  7) I performed a gpupdate /force and then a gpresult /V --> new policy appears
  8) I loggged out and in again --> All policies, including the new one are applied
  So it seems the GPOs are not automatically updated and applied when logging in, and I have to force them manually.
  The good question is : WHY ? :)
  Thanks
  Will

  Hi Will799114,
  I tested this in my environment, it seems a restart would apply group policy successfully, but a sign out and sign in would not trigger this procedure.
  Here I would suggest you post your feedback directly to our Feedback channel:
  http://windows.microsoft.com/en-in/windows/preview-how-to#how-to=tab7
  Alex Zhao
  TechNet Community Support

• WSUS GPO not applying on server restart

  At first I thought this was limited to a single SBS 2008 server but I have now seen this behavior on another SBS2008 and SBS2011 server.  Basically what happens is I patch the server, I restart the server but... somehow the GPO for WSUS does not apply
  and leaves the server Windows update settings set on Download automatically and install at 3am when it should be the Standard "Download and Notify for install"
  I can open a command prompt and perform a gpupdate /force and the the correct policy immediately applies.
  Has anyone seen this behavior?  Is it possible a windows patch that has caused this issue.  It must be something common amongst all three different instances of SBS.  I do not see any errors in event logs regarding group policy.
  Please Help

  Hi skahlam,
  Does this issue always occur when you reboot the server?
  If yes, to verify if this issue is related to the updates, please try to remove the updates installed recently.
  If issue persists after removing the updates, please try to run the gpresult /h C:\report.html
  to check the detailed information about the GPO.
  Note: This procedure needs the privilege of the Administrator.
  Best Regards.
  Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• User policies not applied hence dlu not working

  We have 6 pc's that for some reason don't get user policies. Here's the
  line from zmd-message.log of the workstation agent:
  [1296] [ZenworksWindowsService] [56] [] [PolicyManager] []
  [ApplyPolicies: Either user session is null or Device-only mode is
  enabled or Zen logon module is not present; not applying user policies.]
  The zone is 10.3.3, we use a user source connected to edir and the user
  is getting user policies on other computers. What's this Device-only mode?
  regards,
  Limor

  Found the problem. Our people disabled Zenworks User Authentication in
  the registry.
  On 13/09/2011 09:13, Limor wrote:
  > We have 6 pc's that for some reason don't get user policies. Here's the
  > line from zmd-message.log of the workstation agent:
  > [1296] [ZenworksWindowsService] [56] [] [PolicyManager] []
  > [ApplyPolicies: Either user session is null or Device-only mode is
  > enabled or Zen logon module is not present; not applying user policies.]
  >
  > The zone is 10.3.3, we use a user source connected to edir and the user
  > is getting user policies on other computers. What's this Device-only mode?
  >
  > regards,
  > Limor

• GPO not applying to all users in the same security groups

  If Elaine logs in on Angie's PC does it work?

  Using Windows Server 2008 R1. I have a single domain with two DCs (both Server 2008 R1). Both DCs seem to be communicating without issues, as changes on one DC are replicating normally to the other for all services.I have a group policy set up to set drive mapping for my users. However when I run the GP modeling wizard only a few of the users receive the proper mappings. In this specific instance I have two users, Elaine and Angie. 1. Both are members of the Domain Users security group and another security group I created called Staff2. Neither user is a member of any other security groups.3. My group policy Security Filtering setting is set to apply the policy ONLY to the Staff security group4. When running the GP Results Wizard, Elaine's computer successfully processes the policy, but Angie's does not, and returns "Access Denied...
  This topic first appeared in the Spiceworks Community

• PIN sign-in GPO not applying to workstations

  I am currently testing Windows server 2012 R2 with Windows 8.1 tablets and cannot get PIN sign-in to work on the client machines, I have disabled local policy processing and all of the management is coming from GP, however when I manually apply the policy
  setting using gpedit.msc it works, does anyone of a way to have it read from GPO in domain?

  Hi,
  Before going further, the setting Turn on PIN sign-in allows users to set up and sign in with PIN. As Don suggested we could check the registry key to confirm if the policy
  setting was enabled successfully. If yes, to use PIN sign-in option, 
  users need to create a PIN for themselves. After a PIN is created, users should be able to choose to sign in with PIN sign-in option when they log on. After we enabled the turn on PIN sign-in setting, user also need to set the password for sign-in account.
  After reset the account, user can use sign-in when user re-logon.
  We can follow the steps below to set account password: to create a PIN, the following steps can be referred to as reference:
  Step 1: Swipe in from the right edge of the screen, and then tap Settings.
  (If you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Settings.) 
  Step 2: Tap or click Change PC settings, and then tap or click Accounts. 
  Step 3: Tap or click Sign-in options, and under PIN, tap or click Add.
  If you don't have a password on your account, you'll need to create a password before you can create a PIN. 
  Step 4: Confirm your current password and then you can create a PIN.
  If there is any question, don’t hesitate to let us know.
  Best Regards,
  Erin

• Import - user preset not applied 'fully'

  This is update of problem reported in previous entry 'duplicate imports'.  Have now tracked the cause of this observation.
  The problem dates back to at least Lightroom 3.
  I use different import presets for my set of cameras so that the file name reflects the camera.
  I also have pairs of presets where the only difference is that a duplicate backup is created or not.
  On my PC the default path for backup files has the drive letter of my card reader.
  What I notice is that if I select the 'backup' preset then change my mind and select the 'non-backup' preset the flag enabling the creation of a backup copy remains selected.  On then proceeding with the import a backup copy is made on the card using the default path.
  This is not normally a problem as I then re-format the card in the camera, but it could be a problem if the card is nearly full as the backup copy process will fail due to lack of space on the card.
  This became apparent because I initially imported files into my LR3 catalogue and thus unknowingly created duplicates on the card.
  Then on importing into my LR4_beta catalogue two copies of each file appeared, the original in the location set by the camera and the duplicate/backup created by LR3.  The import dialog does not show paths on cards so it is not apparent that the duplicate files are in different folders.
  This looks like a bug in the handling of presets, that some settings, in this case the flag to enable backup file creation, are not updated on selecting the preset.
  The pairs of preset names are similar eg c41_backup and c41_nobackup.
  For the softies benefit I also note that if I select the 'non backup' preset for a different camera the flag does get cleared, suggesting the bug is something to do with recognising a change of pre-set.
  I have not checked but this may be the cause of other mysterious import issues.
  Message was edited by: gp7024

  Do you have "Apply Auto Tone adjustments" checked in the Preferences>Presets tab? If yes, uncheck it. If not:
  Take one image into the Develop module, press and hold the Shift key and the "Reset" button bottom-right will change to "Reset (Adobe)", then click on that button. Does the image reset to the way you expected it? If so, you've (inadvertently) changed the default develop settings, to reset them go to Develop menu>Set Default Settings>click on "Restore Adobe Default Settings".

• Webfeed gpo is applied (in resultant Policy) but RADC is not configured

  After tests for placing Remote app shortcut in Start menu of Windows 7 client and getting positive result I want to automate the process.
  So I created computer GPO for SSO and linked it to OU where test computer resides.
  I created User GPO for WebFeed and linked it to Test Users OU (User1, User2)
  Resultant Policy shows that User GPO is applied to each user. But I cannot get webfeed URL in RADC when logged in with test User2.  To be sure that final solution works I entered manually webfeed url in RADC when logged in as USER1
  1 Remote App works fine from shortcut in start Menu and Desktop when
  USER1 is logged in.
  WebFeed link is entered manually in RADC applet in Control Panel for user USER1
  2. The last desired point is to make work WebFeed GPO.
  If I login as USER2 no icon in start menu. RADC is empty.
  As mentioned Resultant GPO shows that webfeed GPO is applied to USER1 and USER2
  How to troubleshoot this thing?
  "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

  what is the registry ? if I want to insert it in the image.
  Can you provide a script plz.
  In GPO itself it says Windows 8 or RT minimum. But I think I saw somewere that I can use it on Windows 7 with RDP 8.
  Thanks.
  "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

• Hide Display Settings not applied in User GPO

  Hello,
  I am trying to hide the display settings via a GPO so folks can't change the resolution. I set the "Disable the Display Control Panel" setting to enable, but users can still go to the Control Panel and change the display settings. Other parts of
  the GPO are applying, like the Ctrl+Alt+Del settings. The GPO has the loopback function set to replace. From my understanding, that should force all user settings in that GPO on everyone who logs into the computer, whether they are in that OU or not.
  Some settings apply, just not the Display settings. Is there something else I have to enable to get that working?
  Thanks
  Jason Watkins MCSE, MCSA, MCDBA, CCNA

  Hi Jason,
  It's been a while. How is it going? If it still doesn't work out, we can run command
  gpresult/h report.html to collect group policy result to check this. Note: to collect computer part group policy settings, we need to run the command with administrative privileges.
  In addition, regarding troubleshooting group policy issues, the following thread can be referred to as reference.
  [Forum FAQ] Common steps to start troubleshooting Group Policy application issues
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/382c97e8-93c8-4022-b8fe-22401037d14c/forum-faq-common-steps-to-start-troubleshooting-group-policy-application-issues?forum=winserverGP
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• The user '*' preference item in the 'User - 6th Form Students Policy {E03166E7-A848-48B5-AA93-97B848AA9C13}' Group Policy object did not apply because it failed with error code '0x80070003 The system cannot find the path specified.' This error was suppres

  I am looking at an issue with users not getting specific group policies. 
  After searching a number of client computers I found that the following error
  The user '*' preference item in the 'User - 6th Form Students Policy {E03166E7-A848-48B5-AA93-97B848AA9C13}' Group Policy object did not apply because it failed with error code '0x80070003 The system cannot find the path specified.' This error was suppressed.
  I can find the folder in the Sysvol folder on all of the domain controllers. 
  The issue with end users seems to be that the proxy settings for internet explorer is not being applied. 
  Potential problems?
  one folder in sysvol entry is empty 
  \\<server>\SYSVOL\<domain.name>\Policies\{E03166E7-A848-48B5-AA93-97B848AA9C13}\User\microsoft\IEAK\LOCK
  or is this our issue
  The old method of configuring proxy settings  to Internet Explorer 9 has changed?
  https://support2.microsoft.com/kb/2530309?wa=wsignin1.0 
  http://thommck.wordpress.com/2013/11/08/the-new-way-to-configure-internet-explorer-proxy-settings-with-group-policy/

  Hi all 
  In administering this policy I am a little confused. 
  We have a policy that distributes proxy settings in the internet explorer maintenance settings section - however when opening this policy up in GPO editor the internet explorer maintenance section is not present.
  I plan to apply the settings via User/preferences/control panel settings/ internet settings (or registry settings from article) however I am unable to edit the settings for internet explorer maintenance and these will persist. Ideas????

• GPP for Folder Options Not Applying to Windows 7 Current Users

  I have a Windows 7 client that I am trying to push a GPP for a folder option. The setting is "Show pop-up description for folder and desktop items".
  If a user has already logged into the machine before the policy applied, it will not change the setting.
  If a brand new user logs into the machine, the policy is applied.
  On users that have logged in previosu to the policy, I can go to the Group Policy folder, check the history folder and I am showing that it is applied in the XML file.
  Things I have verified:
  Setting is for Windows Vista and Later
  Same results on different Windows 7 PCs
  Set to run in logged on user context
  Apply once and not reapply is NOT checked.
  Can anyone help shed some light on this?
  Thanks!

  Hi JiuJitsuJeff,
  Sorry for misunderstanding this issue. This GPP for folder option could apply to new users sucessfully, however, could not apply to old users sucessfully. Right?
  Firstly, please check if the GPO has applied to old users. You can also run  the following command on the problematic workstation when an old user logs on:
  Gpresult /h > C:\temp\gpresult.html  (“C:\temp\” is the path of the gpresult.html, you can set it yourself). This gpresult.html file is used for checking the result of Group Policy information. 
  If the GPO setting has been applied according to the result of Gpresult, please check if the value of corresponding registry key has been modified. The corresnponding registry key is shown as following:
  HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced: ShowInfoTip
  If the value is 1, this means the value has been modified. Vice versa.
  Regards,
  Lany Zhang

• GPO Run these programs at user logon not taking effect when configured in Computer Configuration section

  [EDIT 20140207]:
  I found that the default domain policy sets "run these programs at user logon" and (other than I expected) not BOTH GPO settings become active, but the setting from the default domain policy overrides the setting from my new GPO. So I think I have
  found the answer myself.
  When on our W2k8-R2 DC I create a new GPO and configure
  "Computer Configuration/Policies/Windows Settings/Administrative Templates/System/Logon/run these programs at user logon" to "c:\windows\system32\notepad.exe" (just for testing) it won't take effect on Win 7 SP1, no matter what the Security
  Filtering options are.
  It seems other settings (in the very same GPO) become active but "run these programs at user login" from the computer policies section doesn't. I configure the very same setting in the section "user policies" instead and add "Authenticated
  Users" to Security Filtering, the program will be started. But that's not what I need.
  I can reproduce the issue, here are the exact steps:
  create a new group "group-a" for later security filtering
  create a new GPO
  in the new GPO set "Computer Configuration/Policies/Windows Settings/Administrative Templates/System/Logon/run these programs at user logon" to "c:\windows\system32\notepad.exe"
  for setting the scope remove "authenticated users" from Security Filtering and add "group-a" instead
  link the GPO to the domain root
  make "test computer" a member of "group-a"
  on "test computer" run "gpupdate /force", reboot, log in
  Issue: notepad is not being started.
  What I'm aiming for is obvious: Depending on the membership of group-a I want to configure certain programs that should be started whenever a user logs in.
  gpresult /R returns that it would be applying the GPO. (It actually is but the setting "run these programs at user login" is not being applied.)
  For debugging I started MMC / RSoP on one of the machines on which the GPO should have been applied and found that "run these programs at user login" is not set (which seems to be the reason why the GPO won't work on the machines).
  Searching the web I found similar reports
  [1] [2] but no solution was found and the user used a workaround instead.
  If I change the GPO so that I use the very same setting in "user configuration" instead of "computer configuration" it works as long as I add "authenticated users" to the Security Filtering. But then the GPO is applied to all users
  and not only to the ones using computers which are members of group-a. According to this howto [3] I should not remove "authenticated users" but alter the security setting instead. However, the howto seems to be aimed ad w2k3 and using Win2k8 I cannot
  find security settings "apply" for "authenticated users" so I cannot remove that setting, there's only "read" or "read and modify".
  So two questions:
  1. Why doesn't it work when using "computer settings"
  2. What about that Security Filtering with removing "authenticated users" and using group-a instead?
  T.
  [1] http://social.technet.microsoft.com/Forums/windows/en-US/0e280490-fba6-4ced-aba5-ae49c60e44bd/computer-gpo-run-these-programs-at-user-logon-not-working-as-intended-on-win7-clients?forum=w7itproinstall
  [2] http://social.technet.microsoft.com/Forums/windows/en-US/8cb78bf8-33ec-461e-8604-32d82d016685/run-these-programs-at-user-logon?forum=winserverGP
  [3] http://www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/

  Hi,
  sounds like you find the answer already.
  If you have any further question, please feel free to let me know.
  Have a nice day!
  If you have any feedback on our support, please click
  here
  Alex Zhao
  TechNet Community Support