
I have never seen this before and I'm waiting to hear from the company that does our imaging software, as well.

 

We have a blocked inheritance OU for a temporary location during imaging to stop policies from interfering with anything, then they're moved to an OU with basic policies until moved to their final location.  This has worked fine for 2 years.  I have one cart that started out as two laptops that had issues.  I re-imaged them and everything was fine.  I needed to do the whole cart anyway, so re-imaged those.  I held back 3 to finish updates and all 3 of them exhibit the same issue.  I can DM the files to someone if they want to see them. 

 

Basically, in the bad one, it has this:

Quote

During last computer policy refresh on 10/23/2018 2:00:52 PM

 

No Errors Detected

A fast link was detected More information...

Inheritance is blocking all non-enforced GPOs linked above local.domain/ComputersENGL

 During last user policy refresh on 10/23/2018 1:57:18 PM

 

No Errors Detected

Computer was set to process policy in Replace mode More information...

A fast link was detected More information...

 

 

The good one has this:

Quote

 

During last computer policy refresh on 10/23/2018 2:00:51 PM

 

No Errors Detected

A fast link was detected More information...

 During last user policy refresh on 10/23/2018 12:19:11 PM

 

No Errors Detected

A fast link was detected More information...

 

 

They are not in that OU any longer, so I don't know why it's not pulling the GPOs.  It's actually pulling computer GPOs, but not User GPOs.

 

I have tried removing/adding computers to the domain, but nothing changes.  I tried deleting the security database from machine and did a GPUDATE /FORCE and nothing changes.

 

Also:

Quote

 

Computer name DOMAIN\HS-MOB03-STU25

Domain  local.domain

Site Default-First-Site-Name

Organizational Unit local.domain/Workstations/Mobile/HS_MS/HSCart03

Block Inheritance local.domainComputersENGL

 

The Block Inheritance flag is the only difference in GPRESULT in that section.


So the OU is set to block inheritance

The PC resides in the OU that is set to block inheritance

 

Did you verify where that computer object is located?  Did it move in the domain structure or was it given a new name that would cause it to move out?  I never liked carpet bombing entire OUs....I use security group membership to identify what users or computers can get that policy.  If it isn't a member of that security group it won't get the policy (yes you can add computers to security groups).

The OU is set to Block Inheritance during imaging.  Once imaging is complete, it is moved to a different OU.  Both OUs are in the root of our domain, so they're at the same level.

 

The PCs reside in a Workstations folder that has basic machine policies with building and such below it.

 

I verified the computer location.  I checked the Attributes on the object to verify its OU, also.  

 

I actually never realized machines could be added to groups.  I will look into that to see if I can get around my issue temporarily, but probably not.

 

If I manually delete the workstation object BEFORE a re-image, the policies work fine.  I can dis-join, reboot, run GPUPDATE /FORCE /BOOT, delete object, reboot, re-join, reboot, and it will eventually get the right policies, or I can force a GPUPDATE.  We're using LAPS, so that's not really feasible.  I just plan on doing our labs for now, and our laptop carts over Thanksgiving week.

 

I tried several tutorials involving deleting registry keys and/or security databases, but none have worked so far.  The only working solutions are the two above.  

 

We plan on setting all our machines to PXE boot, anyway, but were going to wait until next year.   We'll just expedite the process.  Was just hoping someone had an idea of what is happening and a better/easier fix.  I have a ticket in with our imaging software people, but I'm sure they'll say it's a Windows issue.  It's funny, in the latest Windows Cumulative Update for 1803, it says that there is a fix for GPO with GPRESULT and RSOP, but it says the policies are applying, they just LOOK like they aren't.  Our policies are NOT applying for sure.

  • 2 weeks later...

Honestly, without seeing it and troubleshooting myself all I can do is shoot in the dark with solutions.  

 

You will have to run different tools to see what is going on as well as checking the event viewer.   

 

gpresult /r in an admin prompt will show you what is supposed to get applied at time of running the command, you can see if they are disabled for some reason.  If you want I can help with it if you want/can have remote support.  

 

gpresult /h at an admin prompt can help identify if there are other policies that are overriding your policy that you are trying to push down.  

 

Also the Group Policy Management Console can help too if you use the Group Policy Results wizard.  I rarely ever have group policies apply to an entire OU, they are usually filtered via security groups....they can be computer security groups or user security groups.....To add a computer to a security group, open the security group in ADUC, go to the Members tab, choose Add, click the Object Types button, check off Computers and hit OK, search for the computers you want to add and add them in.  Doing it this way, you do not have to add them to a restricted OU first, then move them out.  You simply have to add them to whatever group you want when you want them to apply the GPO.  I do this with WSUS, dynamic VLANs, wireless, software installs, printer installs, and other policies that I want to be applied to specific groups of user computers.
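The security-group filtering described in the post above can also be scripted. This is an added example, not part of the original thread; the GPO name and group name are hypothetical placeholders, the computer name is the one from the first post, and it assumes the ActiveDirectory and GroupPolicy RSAT modules.

```powershell
# Added example: scope one GPO to a computer security group instead of a whole OU.
Import-Module ActiveDirectory, GroupPolicy

$gpoName  = 'Cart-Baseline'        # hypothetical GPO name
$group    = 'GPO-Cart-Baseline'    # hypothetical security group name
$computer = 'HS-MOB03-STU25'       # computer name taken from the thread

# Create the group if it does not exist yet, then add the computer account.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $computer)

# Only members of the group get "Read + Apply group policy".
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply

# Downgrade Authenticated Users from Apply to Read rather than removing it:
# since MS16-072 user policy is fetched in the computer's security context,
# so the computer account still needs Read on the GPO or it is skipped.
# -Replace is required because the existing level (Apply) is higher than Read.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# Verify the resulting delegation on the GPO.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# A computer's group membership is carried in its Kerberos ticket, so the
# workstation must reboot before the new membership affects GPO filtering.
```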

I figured out the issue finally.  I had created a policy with Loopback Processing.  I didn't realize that would block all the policies.  I had read about loopback before, but didn't fully understand the downside, until now.  I explained everything rather well.  I ran the Modeling Wizard and it was fine.  Thanks for all the other information and the offer to help.  If I run into more issues later, I'll post back.  Once I removed the loopback policy, everything seems to be returning to normal regarding processing.  I just couldn't figure out why it was affecting some and not others until I read that certain article.

 

I definitely like the idea of using Security Groups for computers.  I had never heard that.  Thanks again for the help.
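The loopback policy identified above is what the bad report shows as "Computer was set to process policy in Replace mode". This is an added example, not part of the original thread, that lists every GPO in the domain that enables loopback, its mode and where it is linked; it assumes the GroupPolicy RSAT module, and the variable names are chosen for illustration.

```powershell
# Added example: report every GPO that turns on loopback processing.
Import-Module GroupPolicy

# Loopback is the Computer-side registry policy value UserPolicyMode
# (1 = Merge, 2 = Replace) under this key.
$key   = 'HKLM\Software\Policies\Microsoft\Windows\System'
$modes = @{ 1 = 'Merge'; 2 = 'Replace' }

$findings = foreach ($gpo in Get-GPO -All) {
    try {
        $val = Get-GPRegistryValue -Guid $gpo.Id -Key $key `
                   -ValueName 'UserPolicyMode' -ErrorAction Stop
    } catch { continue }                 # this GPO does not configure loopback

    # The XML report lists every site/domain/OU the GPO is linked to.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object {
        '{0} (enabled={1}, enforced={2})' -f $_.SOMPath, $_.Enabled, $_.NoOverride
    })

    [pscustomobject]@{
        GPO       = $gpo.DisplayName
        Mode      = $modes[[int]$val.Value]
        GpoStatus = $gpo.GpoStatus       # ComputerSettingsDisabled => loopback ignored
        LinkedTo  = if ($links) { $links -join '; ' } else { '(unlinked)' }
    }
}
$findings | Sort-Object Mode, GPO | Format-List

# Run this part locally on an affected workstation to see what actually applied.
$local = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
             -Name UserPolicyMode -ErrorAction SilentlyContinue
if ($local) {
    'Loopback mode on {0} is {1}' -f $env:COMPUTERNAME, $modes[[int]$local.UserPolicyMode]
} else {
    'No loopback policy applied on {0}' -f $env:COMPUTERNAME
}
```

In Replace mode the user's own GPOs are discarded and only the User settings of GPOs that apply to the computer object are processed, which matches the symptom of computer GPOs applying while user GPOs do not.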

 

 
