Group Policy Problem

[Guest]

Trying to apply a group user policy to a new OU using domain security group
for a security filtering. All the users and the group are part of this OU.
Group policy does work for some members of the group but not for all of them.
When run gpresult it is showing that those users (non working) are not a
member of the group when the group policy was applied, but in AD users and
computers they all are showing as members of this group. I know about some
known issues with a group policy not being applied when a user is a member of
70 or more groups, but this is not the case, we are in low 10th. We have 2
almost exactly the same users that belong to the same domain security groups
but it does work for one and it does not for another. When I change the
group security filtering to the default – Authenticated Users it does work
for everybody. Tried deleting a group and creating a new one with a different
name (keeping in mind SID), still the same problem. Any help will be greatly
appreciated.

 

[Herb Martin]

Trying to apply a group user policy to a new OU using domain security
group
for a security filtering. All the users and the group are part of this OU.

Group location has NO effect on Group Policy - you must link based on the
OU of the Users (but of course it is fine if they are together).

Group policy does work for some members of the group but not for all of
them.
When run gpresult it is showing that those users (non working) are not a
member of the group when the group policy was applied, but in AD users and
computers they all are showing as members of this group.

Were they already logged on? Group membership only changes at LOGON.

After that, access permissions (ApplyGroupPolicy and READ are required) are
based on the Group at the time of applying the policy, for instance Logon.

I know about some
known issues with a group policy not being applied when a user is a member
of
70 or more groups, but this is not the case, we are in low 10th. We have 2
almost exactly the same users that belong to the same domain security
groups
but it does work for one and it does not for another.

Are you using any DENY permission? (i.e., deny_apply_policy)? The user not
receiving the policy might be in a group with DENY which will take
precedence
usually.

When I change the
group security filtering to the default - Authenticated Users it does work
for everybody. Tried deleting a group and creating a new one with a
different
name (keeping in mind SID), still the same problem. Any help will be
greatly
appreciated.

What are the exact permissions? Give an instance of each (working and not
working) user, with ALL group memberships for each.

 

[Guest]

No deny policy is in place and read and apply group policy is in place and
the users are logged on and even rebooted their machines multiple times. The
group is just not showing up for some of them when the policy is applied and
because of that it is being denied. If I try to use any other group that they
are already memebrs of it works just fine. Something is telling me that
something is wrong with this newely created group.

 

[Herb Martin]

No deny policy is in place and read and apply group policy is in place and
the users are logged on and even rebooted their machines multiple times.
The
group is just not showing up for some of them when the policy is applied
and
because of that it is being denied. If I try to use any other group that
they
are already memebrs of it works just fine. Something is telling me that
something is wrong with this newely created group.

If you want help the questions I asked remain: