dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
1211
share rss forum feed

jp10558
Premium
join:2005-06-24
Willseyville, NY

GPO results on PC are different ...

This is really stumping me. I have a Forest level Server 2008R2 domain, and a Windows 7 SP1 Enterprise x64 client. I have a chain of rather complex GPOs that apply at the domain, OU, subOU etc level. The GPO modeler makes it look like the "right" thing should happen.

When I log in to a standard user account on the client computer and test the GPO settings by opening a command window and doing gpupdate /force, the "right" thing happens and the GPOs apply like I expect.

If I then wait 90 minutes for the gpo update to occur automatically, *different* settings seem to apply.

Specifically I've set a computer policy to hide "switch user". This works after a gpupdate /force, and the ctrl-alt-del screen doesn't show "Switch User". If I come back later after presumably the group policy auto refresh, the "switch user" comes back on the ctrl-alt-del screen. Every time I manually update the policy, that entry comes into force.

Why would the auto refresh of group policy not do *the same thing* as running gpupdate /force? It seems like they *should* do the same thing.
--
Opera 11.1; Windows XP Pro SP3;Intel C2Q6600; 3GB DDR2 1066; 1M/128k DSL; Comodo Internet Security 5.3;Proxomitron 4.5j Sidki 2009-06-06,GPG ID:0x0A1C6EE3



Badger3k
We Don't Need No Stinkin Badgers
Premium
join:2001-09-27
Franklin, OH

How many domain controllers do you have? I've ran into some weird GPO related issues and found that the 2 DCs were not replicating correctly. So sometimes the proper GPOs would be applied and sometimes they wouldn't depending on which DC you hit.
--
Team Discovery: Project Hope



workablob

join:2004-06-09
Houston, TX
kudos:2
reply to jp10558

Sync all of your DCs en masse with this.

repadmin /syncall /A /P /e /d

Dave
--
I may have been born yesterday. But it wasn't at night.


jp10558
Premium
join:2005-06-24
Willseyville, NY

Thanks for this suggestion. I think actually the issue turned out to be client side, and was a third party program having a hidden setting not in their GPO but in their local GUI that was toggling the setting separate from GPO application. I guess the standard gpupdate didn't re-apply the setting because the GPO value hadn't incremented? Still looking at this, but won't till next year after the holidays.
--
Opera 11.1; Windows XP Pro SP3;Intel C2Q6600; 3GB DDR2 1066; 1M/128k DSL; Comodo Internet Security 5.3;Proxomitron 4.5j Sidki 2009-06-06,GPG ID:0x0A1C6EE3



urbanriot
Premium
join:2004-10-18
Canada
kudos:3
Reviews:
·Cogeco Cable

Are you sure you don't have conflicting policies assigned to the same user? Have you checked the eventlog to see if there's an explanation? Sometimes a completely unrelated issue can cause group policies to stop processing mid-process, so you get half the settings.



JB
Stay Gold
Premium
join:2009-05-14
kudos:1

^ I would do an rsop.msc on the machine that is having 'issues'. Might be a permission setting on a GPO.



jester121
Premium
join:2003-08-09
Lake Zurich, IL

said by JB:

^ I would do an rsop.msc on the machine that is having 'issues'. Might be a permission setting on a GPO.

This is my answer as well. RSOP is a beautiful thing once you wrap your brain around it, along with Badger's suggestion above. I've had DCs get confused and there were conflicting entries in SYSVOL, that makes for some fun times.