GPOs will not work on OUs

[Samantha]

I have a W2k environment when I apply a GPO to the domain
it takes effect, eg mapping a drive for all users.
However when I apply a GPO to an OU it does not work no
matter what. I thought GPOs can be applied to OUs as well?

 

[Richard McCall [MSFT]]

They do What is in the OU(Users or Computers). Enable the registry setting
in this article.
245422 How to Enable Logging for Security Configuration Client Processing in
http://support.microsoft.com/?id=245422

 

[Samantha]

Users are in the OU, but all GPO set at the OU level do
not apply I will read the article and thank you Richard.

-----Original Message-----
They do What is in the OU(Users or Computers). Enable the registry setting
in this article.
245422 How to Enable Logging for Security Configuration Client Processing in
http://support.microsoft.com/?id=245422

--
Richard McCall [MSFT]

"This posting is provided "AS IS" with no warranties, and confers no
rights."

I have a W2k environment when I apply a GPO to the domain
it takes effect, eg mapping a drive for all users.
However when I apply a GPO to an OU it does not work no
matter what. I thought GPOs can be applied to OUs as

well?


.

 

[Jordan]

Some suggestions:
1. Verify network connectivity
- ran 'netdiag' at client and 'netdiag' & 'dcdiag' on DCs
2. Ensure that your policy are properly configured
- linked to the proper OU
- security filtering (Authenticated Users have Read & Apply Policy)
3. Check replication
- use 'repadmin /showreps' to ensure that there are no replication issue
- use 'gpotool' to verify that policies have been synchronized

Run gpresult again.
Check event logs on clients for error.

 

[Samantha]

Hi Jordan,

Thank you for your response I will try your suggestions.
What I can tell you is: replication is fine,network
connectivity is fine, the policies are properly
configured, and authenticated users have the correct
security settings. I know the GPO works because I will
apply at the root (domain.com)and it is set all objects eg
each person logging on will be map to the G drive.
However when I create the same GPO for a OU example Sale
so that all sales users can be mapped to the T drive, or
whatever else nada,zip,nothing. Why should these GPOs
only work at the root, and they are not security related?

Best regards
Samantha

 

[Jordan]

Some verifications:
1. Are the users in the OU that you have linked the GPO?
2. Verify if there is any security filtering involved (i.e. Authenticated
Users granted the 'Read' and 'Apply Policy' rights).
3. Run GPRESULT /v on the client machine. Check if the Group Policy has been
received by the user.
4. Check if the following registry key is present:
HKLM\Software\Policies\Microsoft\Windows\System\Scripts (Machine Scripts)
HKCU\Software\Policies\Microsoft\Windows\System\Scripts (Machine Scripts)

If GPO is received and the registry entry is there, there might be some
problem with the script itself. Try executing it manually on the client
machine.

 

[Brian Heilmann]

Hi,

I am having the exact same problem. I have tried the verifications but it
seems that the GPO isn't applied at all - when I run the GPRESULT /v the
GPO's in question isn't there.

Someone have any idea of what's wrong?

Regards

Brian Heilmann / Sysadmin

 

[Brian Heilmann]

Hi,

I have the exact same problem. And I have checked your verifications Jordan.
But GPRESULT /v does not show the group policy. Therefore it seems that it
have not been received by the user.

Actualle if I have a GPO applied to domain.dk it is working, but if I then
move the GPO to an OU beneath the domain.dk it is not working!!!!!!

I don't understand why.

I hope someone can help me.

Regards

Brian Heilmann / Sysadmin