Group Policy Issue



farmeunit

I have never seen this before and I'm waiting to hear from the company that does our imaging software, as well.

 

We have a blocked inheritance OU for a temporary location during imaging to stop policies from interfering with anything, then they're moved to an OU with basic policies until moved to their final location.  This has worked fine for 2 years.  I have one cart that started out as two laptops that had issues.  I re-imaged them and everything was fine.  I needed to do the whole cart anyway, so re-imaged those.  I held back 3 to finish updates and all 3 of them exhibit the same issue.  I can DM the files to someone if they want to see them.

 

Basically, in the bad one, it has this:

Quote

During last computer policy refresh on 10/23/2018 2:00:52 PM

 

No Errors Detected

A fast link was detected More information...

Inheritance is blocking all non-enforced GPOs linked above local.domain/ComputersENGL

 During last user policy refresh on 10/23/2018 1:57:18 PM

 

No Errors Detected

Computer was set to process policy in Replace mode More information...

A fast link was detected More information...

 

 

The good one has this:

Quote

 

During last computer policy refresh on 10/23/2018 2:00:51 PM

 

No Errors Detected

A fast link was detected More information...

 During last user policy refresh on 10/23/2018 12:19:11 PM

 

No Errors Detected

A fast link was detected More information...

 

 

They are not in that OU any longer, so I don't know why it's not pulling the GPOs.  It's actually pulling the computer GPOs, but not the User GPOs.

 

I have tried removing/adding computers to the domain, but nothing changes.  I tried deleting the security database from the machine and did a GPUPDATE /FORCE and nothing changes.

 

Also:

Quote

 

Computer name DOMAIN\HS-MOB03-STU25

Domain  local.domain

Site  Default-First-Site-Name

Organizational Unit local.domain/Workstations/Mobile/HS_MS/HSCart03

Block Inheritance local.domainComputersENGL

 

The Block Inheritance flag is the only difference in GPRESULT in that section.

sc302

So the OU is set to block inheritance

The PC resides in the OU that is set to block inheritance

 

Did you verify where that computer object is located?  Did it move in the domain structure or was it given a new name that would cause it to move out?  I never liked carpet bombing entire OUs....I use security group membership to identify what users or computers can get that policy.  If it isn't a member of that security group it won't get the policy (yes you can add computers to security groups).

farmeunit

The OU is set to Block Inheritance during imaging.  Once imaging is complete, it is moved to a different OU.  Both OUs are in the root of our domain, so they're at the same level.

 

The PCs reside in a Workstations folder that has basic machine policies with building and such below it.

 

I verified the computer location.  I checked the Attributes on the object to verify its OU, also.

 

I actually never realized machines could be added to groups.  I will look into that to see if I can get around my issue temporarily, but probably not.

 

If I manually delete the workstation object BEFORE a re-image, the policies work fine.  I can dis-join, reboot, run GPUPDATE /FORCE /BOOT, delete object, reboot, re-join, reboot, and it will eventually get the right policies, or I can force a GPUPDATE.  We're using LAPS, so that's not really feasible.  I just plan on doing our labs for now, and our laptop carts over Thanksgiving week.

 

I tried several tutorials involving deleting registry keys and/or security databases, but none have worked so far.  The only working solutions are the two above.

 

We plan on setting all our machines to PXE boot, anyway, but were going to wait until next year.   We'll just expedite the process.  Was just hoping someone had an idea of what is happening and a better/easier fix.  I have a ticket in with our imaging software people, but I'm sure they'll say it's a Windows issue.  It's funny, in the latest Windows Cumulative Update for 1803, it says that there is a fix for GPO with GPRESULT and RSOP, but it says the policies are applying, they just LOOK like they aren't.  Our policies are NOT applying for sure.

  • 2 weeks later...
sc302

Honestly, without seeing it and troubleshooting myself all I can do is shoot in the dark with solutions.  

 

You will have to run different tools to see what is going on as well as checking the event viewer.   

 

gpresult /r in an admin prompt will show you what is supposed to get applied at time of running the command, you can see if they are disabled for some reason.  If you want I can help with it if you want/can have remote support.

 

gpresult /h at an admin prompt can help identify if there are other policies that are overriding your policy that you are trying to push down.

 

Also the Group Policy Management Console can help too if you use the Group Policy Results wizard.  I rarely ever have group policies apply to an entire OU, they are usually filtered via security groups....they can be computer security groups or user security groups.....To add a computer to a security group, open the security group in ADUC, go to the Members tab, choose Add, click the Object Types button, check off Computers and hit OK, search for the computers you want to add and add them in.  Doing it this way, you do not have to add them to a restricted OU first, then move them out.  You simply have to add them to whatever group you want when you want them to apply the GPO.  I do this with WSUS, dynamic VLANs, wireless, software installs, printer installs, and other policies that I want to be applied to specific groups of user computers.

farmeunit

I figured out the issue finally.  I had created a policy with Loopback Processing.  I didn't realize that would block all the policies.  I had read about loopback before, but didn't fully understand the downside, until now.  I explained everything rather well.  I ran the Modeling Wizard and it was fine.  Thanks for all the other information and the offer to help.  If I run into more issues later, I'll post back.  Once I removed the loopback policy, everything seems to be returning to normal regarding processing.  I just couldn't figure out why it was affecting some and not others until I read that certain article.

 

I definitely like the idea of using Security Groups for computers.  I had never heard that.  Thanks again for the help.

 

 

This topic is now closed to further replies.
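
The "Computer was set to process policy in Replace mode" line in the bad report above is the loopback setting that turned out to be the cause. The following is an added example, not part of the original thread: it reads the effective loopback mode on a client and lists every GPO in the domain that configures it, with its links. It assumes the RSAT GroupPolicy module is available; the function names are hypothetical, and the registry value `UserPolicyMode` is where the loopback policy is stored.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Loopback is stored as a DWORD under the machine policy key:
#   UserPolicyMode = 1 (Merge) or 2 (Replace)
$PolicyKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
$ValueName = 'UserPolicyMode'
$Modes     = @{ 1 = 'Merge'; 2 = 'Replace' }

function Get-LocalLoopbackMode {
    # Run on the affected client: shows what the machine actually received.
    $prop = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' `
                             -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Not configured' }
    return $Modes[[int]$prop.$ValueName]
}

function Find-LoopbackGpo {
    # Run on a management host: every GPO that sets loopback, and where it is linked.
    Import-Module GroupPolicy
    foreach ($gpo in Get-GPO -All) {
        try {
            $rv = Get-GPRegistryValue -Guid $gpo.Id -Key $PolicyKey `
                                      -ValueName $ValueName -ErrorAction Stop
        } catch {
            continue   # this GPO does not configure loopback
        }
        # The XML report lists each OU/site/domain link as a LinksTo element.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; '
        [pscustomobject]@{
            Gpo      = $gpo.DisplayName
            Mode     = $Modes[[int]$rv.Value]
            Status   = $gpo.GpoStatus
            LinkedTo = $links
        }
    }
}

"Effective loopback mode on this machine: $(Get-LocalLoopbackMode)"
Find-LoopbackGpo | Format-Table -AutoSize
```

In Replace mode the user's own GPOs are discarded and only the user settings from GPOs that apply to the computer are processed, which matches the "computer GPOs apply, User GPOs do not" symptom described in the first post.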