dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
1350
jp10558
Premium Member
join:2005-06-24
Willseyville, NY

jp10558

Premium Member

GPO results on PC are different ...

This is really stumping me. I have a Forest level Server 2008R2 domain, and a Windows 7 SP1 Enterprise x64 client. I have a chain of rather complex GPOs that apply at the domain, OU, subOU etc level. The GPO modeler makes it look like the "right" thing should happen.

When I log in to a standard user account on the client computer and test the GPO settings by opening a command window and doing gpupdate /force, the "right" thing happens and the GPOs apply like I expect.

If I then wait 90 minutes for the gpo update to occur automatically, *different* settings seem to apply.

Specifically I've set a computer policy to hide "switch user". This works after a gpupdate /force, and the ctrl-alt-del screen doesn't show "Switch User". If I come back later after presumably the group policy auto refresh, the "switch user" comes back on the ctrl-alt-del screen. Every time I manually update the policy, that entry comes into force.

Why would the auto refresh of group policy not do *the same thing* as running gpupdate /force? It seems like they *should* do the same thing.

Badger3k
We Don't Need No Stinkin Badgers
Premium Member
join:2001-09-27
Franklin, OH

Badger3k

Premium Member

How many domain controllers do you have? I've ran into some weird GPO related issues and found that the 2 DCs were not replicating correctly. So sometimes the proper GPOs would be applied and sometimes they wouldn't depending on which DC you hit.

workablob
join:2004-06-09
Houston, TX

workablob to jp10558

Member

to jp10558
Sync all of your DCs en masse with this.

repadmin /syncall /A /P /e /d

Dave
jp10558
Premium Member
join:2005-06-24
Willseyville, NY

jp10558

Premium Member

Thanks for this suggestion. I think actually the issue turned out to be client side, and was a third party program having a hidden setting not in their GPO but in their local GUI that was toggling the setting separate from GPO application. I guess the standard gpupdate didn't re-apply the setting because the GPO value hadn't incremented? Still looking at this, but won't till next year after the holidays.

urbanriot
Premium Member
join:2004-10-18
Canada

urbanriot

Premium Member

Are you sure you don't have conflicting policies assigned to the same user? Have you checked the eventlog to see if there's an explanation? Sometimes a completely unrelated issue can cause group policies to stop processing mid-process, so you get half the settings.

JB9
Stay Gold
Premium Member
join:2009-05-14

JB9

Premium Member

^ I would do an rsop.msc on the machine that is having 'issues'. Might be a permission setting on a GPO.

jester121
Premium Member
join:2003-08-09
Lake Zurich, IL

jester121

Premium Member

said by JB9:

^ I would do an rsop.msc on the machine that is having 'issues'. Might be a permission setting on a GPO.

This is my answer as well. RSOP is a beautiful thing once you wrap your brain around it, along with Badger's suggestion above. I've had DCs get confused and there were conflicting entries in SYSVOL, that makes for some fun times.