Troubleshooting GPOs

Jump to: navigation, search

This page will help to troubleshoot issues with group policies.

WARNING: Any changes to your GPO might impact the network and system landscape. Caution is advised and backups and a testing environment should be used.

Checking the GPO and its settings

First of all, the GPO should be checked:

  • Is the GPO assigned to the appropriate site, domain or organizational unit?
  • Is the link enabled?
  • Are the security and WMI filter correct?
  • Is the GPO status "enabled"?

Checking the client's network connection

The client should be checked if the network connection is present and configured correctly, and if the client can reach the domain controller(s).

Trying to update the group policy settings

gpupdate.exe should be able to update the group policy settings. The client will fetch the settings from the domain controller and apply it.

If the settings still do not change, the Event Viewer should contain any entry regarding Group Policies.

Checking the applied GPOs

With gpresult.exe and the parameter /r a report on the group policy situation can be displayed:

gpresult.exe /r

In this report gpresult.exe lists for computer and user configuration the GPOs which are applied and those which are not applied.

First check (in this order):

Applied Group Policy Objects These are the GPOs which are applied to the computer/user. If the GPO is listed here, any other setting in the GPO should be applied. If the other settings apply, it should be checked if the not-applied setting has a Item-level targeting and the Event Viewer should be checked for entries.
The following GPOs were not applied because they were filtered out If the GPO is listed here, the client has issues accessing the GPO. This means, that the computer/user finds the GPO but is not allowed to apply it. The reason is written next to "Filtering:".
The computer/user is part of the following security groups This is important if Security Filtering is used. The filtered security group should be in the list of security group. If not, the user or client should be added to the security group.
Last time Group Policy was applied This is the time the GPOs have been applied last time. This time (with default checking interval) should be less than 2 hours ago. If not, the checking interval might be increased or the client has connection issues.
Group Policy was applied from Domain Controller from which the last settings have been received. The client has to be able to ping and access the server.

Check if the settings are overwritten by another GPO

With rsop.msc the applied settings can be checked with information with GPO did set individual settings. If the GPO indicated is not the intended one, it might and an issue with the order the GPOs are applied or another GPO is set as enforced.

The last step is to use gpresult.exe with the parameter /Z for super-verbose output. This will list all settings in all applied GPOs (even overwritten settings).