In this article, we'll talk about typical reasons why a particular Group Policy Object (GPO) might not apply to an organizational unit (OU) or a specific domain computer/user. I think this article will be useful for both new and experienced AD Group Policy administrators to understand how Group Policy and GPO architecture work. The article describes potential issues with applying GPOs related to domain-level policy settings, as well as troubleshooting GPOs on Windows clients. Almost all of the settings described in the article are configured using the Group Policy Management Console (
Managing the scope of the GPO
If a specific policy setting is not applied to a client, first check the scope of the GPO. If you configured the setting in the Computer Configuration section, the GPO must be linked to an OU that contains computer objects. The same is true for settings in the User Configuration section: the GPO must be linked to an OU that contains user objects.
To apply user settings to computers, you need to enable GPO loopback processing mode (more on this later).
Also, make sure that the user or computer object you are trying to apply the GPO to is located in the correct AD container (OU). You can search the domain using the ADUC console (dsa.msc). The OU in which the object is located is shown on the Object tab of the object's properties.
How to use Group Policy security filtering to apply GPOs to selected groups?
Check the settings for Security Filtering in your policy. By default, all new GPO objects in the domain have permissions enabled for the group Authenticated Users . This group includes all users and computers in the domain. This means that the policy will apply to all users and computers in its scope.
In some cases, you want a specific GPO to only apply to members of a specific domain security group (or specific users/computers). To do this you need to remove the group Authenticated users security filter and add the target group or accounts to the filter.
If you assigned a security filter to a group, make sure that the desired object is a member of that AD group.
Also, verify that the group you added to Security Filtering has at least the Read and Apply group policy permissions set to Allow on the GPO -> Delegation -> Advanced tab.
If you are using non-default GPO security filters, make sure there is no explicit Deny entry that blocks the GPO for the target groups.
Group Policy GPO WMI Filtering
You can use special WMI filters in the GPO. This allows you to apply a policy to your computers based on some WMI query. For example, you can create a WMI GPO filter to apply a policy only to computers running the specific version of Windows, to computers in the specific IP subnet, to laptops only, etc.
When using Group Policy WMI filtering, make sure your WMI query is correct: it should select only the devices you need and must not exclude your target computers. You can test your WMI filter on any computer using PowerShell:
gwmi -Query 'select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"'
If the query returns any data, the WMI filter is applied to this computer.
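The check above can be wrapped so that several candidate WMI filters are evaluated on the local computer the same way the Group Policy client evaluates them (a filter matches when its query returns at least one instance, and a WQL syntax error means the GPO will never apply). This is an added example, not code from the original article; the three sample queries, the filter names and the 192.168.10.0/24 subnet are assumptions chosen for illustration.

```powershell
# Added example: evaluate GPO WMI filter queries locally with Get-CimInstance.
function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\cimv2'   # namespace used by GPO WMI filters unless changed in GPMC
    )
    try {
        $result = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        [pscustomobject]@{ Matches = ($result.Count -gt 0); Instances = $result.Count; Error = $null }
    } catch {
        # A broken query is a hard failure: the filter never matches, so the GPO is silently filtered out.
        [pscustomobject]@{ Matches = $false; Instances = 0; Error = $_.Exception.Message }
    }
}

# Constructed sample filters (assumptions, not from the article):
$filters = [ordered]@{
    'Windows 10/11 workstations' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.%" AND ProductType = "1"'
    'Laptops (battery present)'  = 'SELECT * FROM Win32_Battery'
    # IPAddress on Win32_NetworkAdapterConfiguration is an array, which WQL cannot filter reliably;
    # the route table trick (host route for the local address) is the usual way to match a subnet.
    '192.168.10.0/24 subnet'     = "SELECT * FROM Win32_IP4RouteTable WHERE Mask = '255.255.255.255' AND Destination LIKE '192.168.10.%'"
    'Typo: GPO would never apply' = 'SELECT * FROM Win32_OperatingSystem WHERE Versoin LIKE "10.%"'
}

foreach ($name in $filters.Keys) {
    Test-GpoWmiFilter -Query $filters[$name] |
        Select-Object @{ n = 'Filter'; e = { $name } }, Matches, Instances, Error
}
```

Run it on the computer that is not receiving the GPO: a row with Matches = False tells you the filter excludes that machine, and a non-empty Error column means the WQL itself is invalid and the filter will exclude every machine.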
Disable User or Computer Settings in Group Policy Object
As we already mentioned, each GPO has two independent sections:
- Computer Configuration – settings applied to the computer;
- User Configuration – settings applied to the user.
If your GPO only configures user settings or only computer settings, you can disable the unused policy section. This will reduce GPO traffic and allow you to reduce GPO processing time on clients.
Check the status of the GPO on the Details tab of the policy properties in GPMC.msc. Note the value in the GPO Status drop-down list.
As you can see, 4 options are available:
- All settings disabled – all policy settings are disabled (the GPO does not apply);
- Computer configuration settings disabled – only the settings in the Computer Configuration section are not applied;
- User configuration settings disabled – only the settings in the User Configuration section are not applied;
- Enabled – all GPO settings are applied to the target AD objects (the default value).
Group Policy Delegation
Permissions configured for a policy are shown on the tab Delegation of the GPO. Here you can see which groups can change the GPO settings and whether the policy is applied to them. You can grant privileges to manage GPO from this console or use the Active Directory Delegation Wizard in ADUC. If “Enterprise Domain Controllers” is given access permission, this policy can be replicated between Active Directory domain controllers (note if you have GPO replication issues between DCs). The permissions on the Delegation tab correspond to the NTFS permissions assigned to the policies directory in the SYSVOL folder.
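The three checks in the sections above (security filtering, GPO status and the Delegation tab) can be combined into one audit using the GroupPolicy PowerShell module that ships with RSAT and with the domain controller role. The script below is an added example, not code from the original article: it reports each GPO's status together with the trustees that are allowed or denied the Apply group policy permission, and then sweeps the domain for GPOs that can never apply. It assumes the module is available and that you run it with read access to the GPOs; the Denied property of the permission objects is used as documented for the module's GPPermission class.

```powershell
# Added example: audit GPO status and security filtering with the GroupPolicy module.
Import-Module GroupPolicy

function Get-GpoApplyAudit {
    param([Parameter(Mandatory)][string]$Name)
    $gpo = Get-GPO -Name $Name
    # Get-GPPermission -All returns the Delegation tab entries.
    # Permission values include GpoRead, GpoApply, GpoEdit, GpoEditDeleteModifySecurity.
    $perms = Get-GPPermission -Name $Name -All
    $apply = @($perms | Where-Object { $_.Permission -eq 'GpoApply' })
    $allowed = @($apply | Where-Object { -not $_.Denied } | ForEach-Object { $_.Trustee.Name })
    $denied  = @($apply | Where-Object { $_.Denied }      | ForEach-Object { $_.Trustee.Name })
    [pscustomobject]@{
        Name           = $gpo.DisplayName
        # AllSettingsEnabled, UserSettingsDisabled, ComputerSettingsDisabled, AllSettingsDisabled
        Status         = $gpo.GpoStatus
        AppliesTo      = $allowed -join ', '
        ExplicitDeny   = $denied -join ', '
        AuthUsersApply = [bool]($allowed -contains 'Authenticated Users')
    }
}

# Single GPO (placeholder name):
Get-GpoApplyAudit -Name 'Workstation Baseline' | Format-List

# Domain sweep: GPOs whose status disables everything, whose security filter lets nobody apply them,
# or that carry an explicit Deny (the usual reason for "Denied (Security)" in gpresult).
Get-GPO -All | ForEach-Object { Get-GpoApplyAudit -Name $_.DisplayName } |
    Where-Object { $_.Status -eq 'AllSettingsDisabled' -or -not $_.AppliesTo -or $_.ExplicitDeny } |
    Format-Table Name, Status, AppliesTo, ExplicitDeny -AutoSize
```

A GPO whose AppliesTo column is empty after Authenticated Users was removed from the filter is the classic mistake from the security filtering section: the target group was never granted Apply group policy.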
Block inheritance and enforcement in group policy link
Inheritance is one of the main concepts of Group Policy. By default, higher-level policies are applied to all objects nested below them in the domain hierarchy. However, an administrator can block inherited policies from applying to a specific OU. To do this, right-click the OU in the GPMC and select Block Inheritance.
Organizational units with the blocked inheritance option enabled are marked with a blue exclamation point in the console.
If a Group Policy is not applied to a client, verify that it is in the OU with the inheritance option blocked.
Note that domain policies with the Enforced option enabled are applied even to OUs with inheritance blocked (you can see the inherited policies applied to a container on the Group Policy Inheritance tab).
GPO Scopes and Policy Processing Order (LSDOU)
To remember the order in which group policies are applied in the domain, remember the abbreviation LSDOU . GPOs are applied to clients in the following order:
- Local computer policies (Local) set in the local GPO editor console gpedit.msc (if they are set incorrectly, you can reset them);
- Site-level GPOs (Site);
- Domain-level GPOs (Domain);
- Organizational unit level GPOs (OU).
The last policies have the highest priority. This means that if you enable some Windows setting at the domain level, it can be disabled by another policy at the OU level (the policy closest to the object in the AD hierarchy will win).
When the Enforced option is used, the policy that is higher in the domain hierarchy wins (for example, if the Default Domain Policy has the Enforced option enabled, it will have a higher priority than any other GPO).
An administrator can also change the policy processing order using the GPMC console. To do this, select an OU and go to the tab Linked Group Policy Objects . There is a list of GPOs applied to this OU with the priority displayed. Policies are processed in reverse order (from bottom to top). This means that a policy with Link Order 1 will be applied last. You can change the GPO priority using the arrows in the left column and move a policy up or down in the list.
Managing enabled GPO links
Any GPO object linked to an AD organizational unit can have the option Link Enabled activated or deactivated. If the link is disabled, its icon will be grayed out. When the link is disabled, the policy is not applied to clients, but the link to the GPO object is not removed from the domain hierarchy. You can enable the GPO link at any time.
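The four link properties discussed in the sections above (Block Inheritance, Enforced, Link Order and Link Enabled) can all be read for a given OU with Get-GPInheritance. The script below is an added example, not code from the original article; the OU distinguished name is a placeholder. It lists the effective precedence of every GPO reaching the OU, in the order GPMC shows on the Group Policy Inheritance tab, and separately shows the links set directly on the OU with their Link Order so you can spot disabled links and enforced parents.

```powershell
# Added example: show effective GPO precedence and direct links for one OU.
Import-Module GroupPolicy

function Get-OuGpoProcessingOrder {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    $inh = Get-GPInheritance -Target $OuDistinguishedName

    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Block Inheritance is set on $OuDistinguishedName; only Enforced parent GPOs still reach it."
    }

    # InheritedGpoLinks is the list from the Group Policy Inheritance tab: the first entry has the
    # highest precedence (applied last), Enforced parents included, disabled links excluded.
    $i = 0
    $effective = foreach ($link in $inh.InheritedGpoLinks) {
        $i++
        [pscustomobject]@{
            Precedence = $i
            GPO        = $link.DisplayName
            LinkedAt   = $link.Target
            Enforced   = $link.Enforced
        }
    }

    # GpoLinks are the links set directly on this OU (the Linked Group Policy Objects tab).
    # Link Order 1 is applied last and therefore wins within the OU; Enabled = False means
    # the link exists but the GPO is not applied from here.
    $direct = $inh.GpoLinks | Sort-Object Order | ForEach-Object {
        [pscustomobject]@{
            LinkOrder = $_.Order
            GPO       = $_.DisplayName
            Enabled   = $_.Enabled
            Enforced  = $_.Enforced
        }
    }

    [pscustomobject]@{ Effective = $effective; DirectLinks = $direct }
}

# Placeholder OU (assumption):
$r = Get-OuGpoProcessingOrder -OuDistinguishedName 'OU=Workstations,DC=example,DC=local'
"Effective precedence (1 wins):"; $r.Effective   | Format-Table -AutoSize
"Direct links on the OU:";        $r.DirectLinks | Format-Table -AutoSize
```

If a GPO you expect to see is in DirectLinks with Enabled = False, or is missing from Effective although it is linked higher up, the cause is the disabled link or the blocked inheritance rather than the GPO's own settings.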
Explanation of Group Policy loopback processing mode
For example, if you apply a policy with settings defined in the User Configuration section to an organizational unit with computers, those settings will not be applied to the user without using a loopback. Loopback processing mode is enabled in Computer Configuration -> Administrative Templates -> System -> Group Policy -> Configure User Group Policy loopback processing mode .
This loopback processing policy has two possible modes:
- Merge – the GPOs linked to the user's OU are applied first, and then the GPOs linked to the computer's OU. If there are conflicts between the user OU and computer OU policies, the policies from the computer's OU take precedence.
Note that when using Loopback processing with Merge mode, the policy is actually executed twice. Consider this when using login scripts.
- Replace – only policies assigned to the OU containing the computer the user is logged on to will be applied to the user.
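When user settings linked to a computer OU are not taking effect, the first question is whether any GPO actually turns loopback on, and in which mode. The loopback policy writes the UserPolicyMode value under HKLM\Software\Policies\Microsoft\Windows\System (1 = Merge, 2 = Replace). The script below is an added example, not code from the original article; it scans every GPO in the domain for that value with Get-GPRegistryValue and then reads the effective value on the local client.

```powershell
# Added example: find which GPOs configure loopback processing and in which mode.
Import-Module GroupPolicy

$key   = 'HKLM\Software\Policies\Microsoft\Windows\System'
$modes = @{ 1 = 'Merge'; 2 = 'Replace' }   # values written by "Configure user Group Policy loopback processing mode"

$loopbackGpos = Get-GPO -All | ForEach-Object {
    # Get-GPRegistryValue throws when the value is not set in the GPO; suppress and skip those.
    $v = Get-GPRegistryValue -Guid $_.Id -Key $key -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
    if ($v) {
        [pscustomobject]@{
            GPO          = $_.DisplayName
            LoopbackMode = $modes[[int]$v.Value]
            # Loopback lives in Computer Configuration, so a GPO with that section disabled will not enable it.
            Status       = $_.GpoStatus
        }
    }
}

if ($loopbackGpos) { $loopbackGpos | Format-Table -AutoSize }
else { 'No GPO in this domain enables loopback processing.' }

# On the client, after gpupdate: the value the Group Policy client is actually using.
$local = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' -Name UserPolicyMode -ErrorAction SilentlyContinue
if ($local) { "Effective loopback mode on this computer: $($modes[[int]$local.UserPolicyMode])" }
else { 'Loopback is not in effect on this computer.' }
```

Run the first part on a management host with RSAT and the second part on the affected computer; if the domain scan shows a GPO in Replace mode that you did not expect, that also explains user settings disappearing on shared computers.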
Use the Group Policy Modeling Wizard
You can use the Group Policy Modeling feature in the domain policy management console (gpmc.msc). GPO modeling allows the administrator to obtain the resulting policies that will be applied to a specific Active Directory object.
Go to the Group Policy Modeling section and run the Group Policy Modeling Wizard .
Select the specific OU or user/computer for which you want to get the resulting policy report.
Then follow the GPO Modeling Wizard questions. As a result you will get a report (check the tab Details ), which shows which policies are applied to the AD object and which are not. If a policy is applied or rejected due to a GPO filter, this will be visible in the report.
Enable Group Policy Preferences Debug Log
In modern versions of Active Directory, there is an additional Group Policy extension – Group Policy Preferences (GPP). GPP allows you to apply additional settings using GP client side extensions. For example, through GPP you can:
- Deploy printers via GPO;
- Add users to the local administrators group on a domain computer;
- Map network drives ;
- Deploy registry settings;
- Copy folders and files to users' computers;
To troubleshoot Group Policy Preferences, you can use a special logging mode – Group Policy Preferences Tracking.
You can enable this mode via the setting in Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy -> Logging and tracing. There are separate logging options for the different GPP extensions.
For example, I want to check how a registry item with proxy settings is applied via a GPO. To do this, I enable the option Configure Registry preference logging and tracing. Here you can configure the logging and tracing parameters and the log size.
After applying the policy to the client, open the file C:\ProgramData\GroupPolicy\Preference\Trace\Computer.log for detailed GPP status.
Disable this GPO option after finishing GPP debugging.
Also, keep in mind that GPP has additional options for item-level targeting to filter when a policy is applied.
Troubleshooting GPOs applied on Windows clients
The gpresult command, rsop.msc, and Windows Event Viewer are used to troubleshoot and debug Group Policy on the client side. The first two tools provide the resulting set of policies that have been applied to the Windows device.
To get a simple report on the GPOs applied on the computer, run the command:
gpresult /r
The command will return a list of Applied Group Policy Objects and GPOs that do not apply. The list of filtered GPOs can contain the following items:
- Not applied (empty) – the policy is assigned but does not contain settings;
- Denied (WMI Filter) – the policy was not applied because the WMI filter does not match this computer;
- Denied (Security) – The Group Policy ACL does not have permission to apply the GPO to this object;
- Disabled (GPO) – disabled computer or user settings section in GPO settings.
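On a fleet it is easier to triage the four filtering reasons above as objects than to read the text report by eye. The function below is an added example, not code from the original article: it parses the Applied and filtered-out sections of gpresult /r output and pairs each filtered GPO with its reason. The $sample report is constructed to mimic the layout of the real output (GPO names, computer and DC names are placeholders); on a real machine, feed in the lines from gpresult /r /scope:computer instead.

```powershell
# Added example: parse gpresult /r text output into objects for triage.
function ConvertFrom-GpResultText {
    param([Parameter(Mandatory)][string[]]$Lines)
    $section = $null   # 'Applied' or 'Filtered' while inside one of the two GPO lists
    $current = $null   # the filtered GPO whose reason we are waiting for
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -match '^-+$') { continue }          # blank lines and underlines
        if ($line -match '^(COMPUTER|USER) SETTINGS') { $section = $null; continue }
        if ($line -match '^Applied Group Policy Objects') { $section = 'Applied'; continue }
        if ($line -match '^The following GPOs were not applied') { $section = 'Filtered'; continue }
        switch ($section) {
            'Applied'  { [pscustomobject]@{ GPO = $line; State = 'Applied'; Reason = $null } }
            'Filtered' {
                if ($line -match '^Filtering:\s+(.+)$') {
                    $current.Reason = $Matches[1]; $current          # emit once the reason is known
                } elseif ($line -match '^WMI Filter:\s+') {
                    # detail line for Denied (WMI Filter); the reason is already recorded
                } else {
                    $current = [pscustomobject]@{ GPO = $line; State = 'Filtered'; Reason = $null }
                }
            }
        }
    }
}

# Constructed sample output (assumption: mimics the gpresult /r layout, not a real report).
$sample = @'
COMPUTER SETTINGS
------------------
    CN=PC01,OU=Workstations,DC=example,DC=local
    Group Policy was applied from:      dc01.example.local

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Workstation Baseline

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Laptop Power Settings
            Filtering:  Denied (WMI Filter)
            WMI Filter: Laptops Only

        Finance Drive Maps
            Filtering:  Denied (Security)
'@ -split "`r?`n"

$report = ConvertFrom-GpResultText -Lines $sample
$report | Format-Table -AutoSize

# Only the denials need action: Denied (Security) -> Security Filtering / Delegation tab,
# Denied (WMI Filter) -> test the filter's WQL query on this computer.
$report | Where-Object { $_.Reason -like 'Denied*' }
```

Feeding real output is a one-liner: ConvertFrom-GpResultText -Lines (gpresult /r /scope:computer). The Not Applied (Empty) rows are harmless, while anything in the Denied rows maps directly to the scope, security filtering and WMI filter checks earlier in the article.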
To get an HTML report with the resulting GPO, use the command:
gpresult /h c:\reports\gpreport.html /f
The gpresult RSoP HTML report contains GPO errors, processing time for individual policies and CSEs, and other useful information. This helps to understand why some GPOs take a long time to process. The report also shows which policy settings were applied and by which specific GPOs.
The Group Policy Client service (gpsvc) must be running on Windows to process GPOs. Check if the service is started using PowerShell:
You also need to remember how Group Policy is updated in Windows. By default, GPOs are refreshed in the background every 90 minutes + a random time offset from 0 to 30 minutes. However, an administrator can change this range using the “ Set group policy refresh interval for computers ” under Computer Configuration -> Administrative Templates -> System -> Group Policy in the GPO.
You can use Event Viewer to find GPO processing events. Filter system log by source GroupPolicy (Microsoft-Windows-GroupPolicy) . Also, look closely at the events in the Applications and Services Logs -> Microsoft -> Windows -> Group Policy -> Operational.
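The client-side checks from the last three paragraphs (gpsvc state, the configured refresh interval, and problem events in the GroupPolicy operational log) fit in one function. This is an added example, not code from the original article. It assumes that the refresh-interval policy writes the GroupPolicyRefreshTime and GroupPolicyRefreshTimeOffset values under HKLM\Software\Policies\Microsoft\Windows\System, and it treats the absence of those values as the default 90 + 0-30 minutes described above.

```powershell
# Added example: one-shot Group Policy client health check for a Windows computer.
function Get-GpClientHealth {
    $svc = Get-Service -Name gpsvc -ErrorAction SilentlyContinue

    # Assumption: "Set Group Policy refresh interval for computers" writes these two values (minutes).
    $sys = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
    $refresh = if ($null -ne $sys.GroupPolicyRefreshTime)       { [int]$sys.GroupPolicyRefreshTime }       else { 90 }
    $offset  = if ($null -ne $sys.GroupPolicyRefreshTimeOffset) { [int]$sys.GroupPolicyRefreshTimeOffset } else { 30 }

    # Level 2 = Error, 3 = Warning; same log the article points to under Applications and Services Logs.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 2, 3
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ServiceStatus       = if ($svc) { $svc.Status }    else { 'NotFound' }
        ServiceStartType    = if ($svc) { $svc.StartType } else { $null }
        RefreshIntervalMin  = $refresh
        RandomOffsetMaxMin  = $offset
        ProblemEvents24h    = $events.Count
        # First line of the newest error/warning, enough to know where to look next.
        LastProblem         = if ($events.Count) {
            $e = $events[0]
            "$($e.TimeCreated) [Id $($e.Id)] $(($e.Message -split "`r?`n")[0])"
        } else { $null }
    }
}

Get-GpClientHealth | Format-List
```

A stopped gpsvc, a refresh interval someone set to 0 (which disables background refresh), or a burst of recent warnings each explain a "policy never arrives" report before you touch the GPO itself; the detailed processing events for a single refresh are read from the same operational log with Get-WinEvent, filtering on the ActivityId of the run you care about.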
Some additional tips when debugging GPOs:
- When reviewing domain password policies, keep in mind that only one domain password policy can be configured using GPMC (usually in the Default Domain Policy). Use fine-grained password policies if you need to use separate password and account lockout policies for specific users or groups;
- I also recommend using Microsoft AGPM tool (Advanced Group Policy Management), which allows you to maintain version control of GPOs and the rules for their approval;
- Use the Central Group Policy Store for ADMX templates. In this case, you do not need to manually deploy the Group Policy admx files to all computers.
In conclusion, I will recommend keeping your GPO structure as simple as possible and not creating unnecessary policies. Use a transparent policy naming scheme. The name of the GPO should clearly indicate what it is for.