RSOP User Configuration only have Local Group Policy and not fetching from AD

CT 1 Reputation point
2021-07-07T02:27:35.757+00:00

I performed a gpresult after a "gpupdate /force", the user configurations are all with a winning gpo of Local Group Policy. I'm suspecting that it is not fetching from the AD, as the computer configurations are with a winning gpo of the server.

Or could it be that if the user configurations were already updated once, they will be stored in the Local Group Policy as reflected? Because I ran the gpresult after a second gpupdate with a user policy update failed.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,932 questions

6 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2021-07-07T06:27:29.543+00:00

    Hello @CT ,

    Thank you for posting here.

    Here are my answers for your references.

    Or could it be that if the user configurations were already updated once, they will be stored in the Local Group Policy as reflected?
    A: No, if the user configurations were already updated once, they will be not stored in the Local Group Policy as reflected.

    Because I ran the gpresult after a second gpupdate with a user policy update failed.
    A: Based on my knowledge, if you configured multiple domain user policy for one domain user, even if you run gpupdate and the result fails, this does not mean that all user policies have failed. Assuming that only one user policy fails, the other user policies will also be displayed in the gpresult results.

    Maybe the failed user policy is also displayed in the gpresult results with failure reason.

    Usually, one domain user can view his/her user configuration (including local gpo settings if configured and domain gpo settings if configured) as below:

    Here is my test lab, domain name is a.local, one user is A\u1, and one domain client is vchzho356.

    Method 1

    1.Logon one domain-joined client using his/her domain account.
    2.Open CMD (do not run as Administrator).
    3.Run gpupdate /force command.
    4.If we can run command in step 3 successfully, we can import user configuration by running gpresult /h C:\temp\gpo.html and then click Enter (create a folder named temp in C drive).
    5.Open gpo.html and check all the settings under "User Details".

    When we open the html file, it looks like this. For example:

    112424-gpo1.png

    112415-gpo2.png

    Method 2

    1.Logon one domain-joined client using his/her domain account.
    2.Open CMD (do not run as Administrator).
    3.Run RSOP.msc on the client and click Enter.

    For example:
    112416-gpo3.png

    Method 3

    Domain Administrator collect domain user policy on one DC.

    1.Open Group Policy Management.
    112425-rs2.png

    112426-rs3.png

    112417-rs4.png

    112387-rs5.png

    112410-rs6.png

    2.Click Details tab to check user policy.
    112461-rs1.png

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

  2. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2021-07-12T07:29:32.167+00:00

    Hello @CT ,

    Thank you for your update.

    Please check if you have configured domain user policy for this user. We do not need to view “Computer Detail”.

    1.Which user do you want to check if you configured domain user policy? I mean what domain user account.
    2.Which OU is this user in?
    3.What GPOs are linked to this OU?

    For example:

    I have a domain user named aa1,
    AA1 is in OU named test1,
    And I linked three GPO named wallpaper and copy file.
    113716-gpo6.png

    1.Logon one domain-joined client using his/her domain account.
    2.Open CMD (do not run as Administrator).
    3.Run gpupdate /force command.

    113783-gpo5.png

    4.I run gpresult /r and get the result.
    113670-gpo.png

    5.If we can run command in step 3 successfully, we can import user configuration by running gpresult /h C:\temp\gpo.html and then click Enter (create a folder named temp in C drive).
    6.Open gpo.html and check all the settings under "User Details".

    When we open the html file, it looks like this. For example:

    113784-gpo3.png

    113785-gpo4.png

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments
  3. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2021-07-16T03:51:43.59+00:00

    Hello @CT ,

    Thank you for your update.

    Please check if you edit computer configuration or user configuration?
    Please check which OU did you link this GPO?
    Please check if you put user objects or computer objects in this OU?

    Usually, for computer configuration, you can configure as below:

    Create an OU (PCOU)and put computer objects in this OU.
    Create a GPO and link it to PCOU.
    Edit GPO computer configuration.
    Logon machine using one domain Admin account.
    Run gpupdate /force on one machine it PCOU.
    You will see the corresponding computer GPO and its computer settings.

    Usually, for user configuration, you can configure as below:

    Create an OU (UserOU)and put user objects in this OU.
    Create a GPO and link it to UserOU.
    Edit GPO user configuration.
    Logon machine using one domain account in UserOU.
    Run gpupdate /force on any domain machine.
    You will see the corrseponding user GPO and its user settings.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

  4. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2021-07-16T08:32:51.23+00:00

    Hello @CT ,

    Thank you for your update.

    You can have the two following configurations.

    Configuration 1

    You can have an OU named Workstation with both user objects and computer objects.

    Workstation
    -> GPO1(user config + computer config)
    -> GPO2(user config + computer config)

    Then user objects in OU named Workstation will apply user config in GPO1 and user config in GPO2.
    Then computer objects in OU named Workstation will apply computer config in GPO1 and computer config in GPO2.

    Configuration 2

    Or you can have an OU named Workstation with both user objects and computer objects.

    Workstation
    -> GPO1 (computer config)
    -> GPO2 (user config )

    Then user objects in OU named Workstation will apply user config in GPO2.
    Then computer objects in OU named Workstation will apply computer config in GPO1.

    Would you please check if there are user objects in your OU named Workstation for your case?

    Q1: So am I supposed to have computer and user configuration in two separate GPO and under two separate OU?
    A1: I suggest we had better do like this. To avoid confusion, a GPO only edits one policy setting, and is named after a friendly display name.

    For example:

    Two parallel OUs

    OU (User objects are in this OU)named ITdepartment links one GPO named drive maps (only with user configuration).
    OU (computer objects are in this OU)name Desktop links one GPO named autoupdate (only with computer configuration).

    Or one parent OU named ITdepartment with two child OU:

    OU (User objects are in this OU)named Employee links one GPO named drive maps. User objects are in this OU
    OU (computer objects are in this OU)name Desktop links one GPO named autoupdate.

    Q2: Or it is okay for both the separated computer and user configuration GPOs to be in the same OU?
    A2: See above.

    Q3: Also, for the settings of computer configuration only and user configuration only is at the Details tab of the GPO under the GPO Status, am I right?
    A3: Domain users can only see his/her GPO with user settings.
    Domain Administrator can see his/her GPO with user settings and GPO with computer settings.

    For example:

    If one GPO named GPO1 with both user settings and computer settings. and applies to u1 and Domain Administrator and PC1.
    Domain users can only see his/her user settings within GPO1.
    Domain Administrator can see his/her user settings within GPO1 and computer settings within GPO1.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

  5. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2021-07-16T09:31:10.827+00:00

    Hello @CT ,

    Thank you for your update.

    But by computer objects and user objects how can I differentiate them?

    And also, how can I check whether there are user objects in the OU?

    A1: Look.
    115431-ou1.png

    Furthermore, if I am using configuration 1, may I know why is the user policy unable to be "fetch" from the AD?
    A2: You must have user object (such as user1) in the OU. And as I mentioned above.

    1.Logon one domain-joined client using his/her domain account (user1).
    2.Open CMD (do not run as Administrator).
    3.Run gpupdate /force command.
    4.If we can run command in step 3 successfully, we can import user configuration by running gpresult /h C:\temp\gpo.html and then click Enter (create a folder named temp in C drive).
    5.Open gpo.html and check all the settings under "User Details".

    Then the user can "fetch" the user policy from the AD.

    The security filtering has only Authenticated Users, which should be able to have the user policy applied am I right?

    A3: Yes, Authenticated Users include domain user and domain computer.

    Or is it due to the enforced and link both enabled on two different GPO that may be causing a problem?

    A4: No, it does not matter.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Please click "Accept Answer" and upvote it if the Answer is helpful.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.