ThomsRlln-2442 asked DaisyZhou-MSFT commented

GPO doesn't apply to user of the OU that is linked to

Hi everyone,

So, before explaining my problem, let me describe my small Active Directory environment: two DCs, one Windows Server, and an OU named "X" that contains 6 users, including the user "Y".

I tried to write a script that creates a GPO that changes the background wallpaper to a solid blue one. Here is the script:

    #Get-Command -Module GroupPolicy
    # Create the GPO and link it to the OU "X"
    New-GPO -Name "ChangeWallpaperInBlue" -Comment "Change the wallpaper to a solid blue color"
    New-GPLink -Name "ChangeWallpaperInBlue" -Target "OU=X,DC=mydomain,DC=local"
    # User-side registry preference items: blue background color, no wallpaper image
    Set-GPPrefRegistryValue -Name "ChangeWallpaperInBlue" -Context User -Action Replace -Key "HKEY_CURRENT_USER\Control Panel\Colors" -ValueName Background -Type String -Value "0 0 255"
    Set-GPPrefRegistryValue -Name "ChangeWallpaperInBlue" -Context User -Action Replace -Key "HKEY_CURRENT_USER\Control Panel\Desktop" -ValueName Wallpaper -Type String -Value ""

I started it on the primary DC, and everything worked.

I checked in Group Policy Management: the link between the GPO and the OU "X" is OK, Authenticated Users is in the Security Filtering list, and in the Delegation tab Authenticated Users has the Read and Apply Policy rights.

I logged into my server with the "Y" username, but the wallpaper didn't change.

So, to check whether my user has a GPO applied, I tried different commands:

gpresult /user mydomain\X \v and I get : INFO: The user "sevenkingdoms.local\robb.stark" does not have RSoP data.

gpupdate and I get :
Computer policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

I opened the GPReport.html but I can find the error description of the error precisely, it seems like the GPOs are empty in "Denied GPO"...

What did I do wrong?










DaisyZhou-MSFT answered

Hello @ThomsRlln-2442,

Thank you for posting here.

I am sorry, I am not familiar with PS commands, but I will try my best to troubleshoot the GPO issue for you.

If the GPO setting is a user configuration, you can log on to one member server using the domain "Y" account and password.

1. Then create a new folder in the C drive named Folder.
2. Open CMD (do not run as Administrator).
3. Type gpresult /h C:\Folder\wallpaper.html and press Enter.
4. Open wallpaper.html and check if there is a corresponding GPO setting under "User Details".


If there is no such GPO setting you configured under "User Details".

To better understand our question, please confirm the following information below at your convenience.

1. What actual GPO setting did you configure?
2. Would you please check the GPO status on both DCs?
[Image: 77586-gpo1.png]

3. Would you please check if the GUID of the corresponding GPO is under C:\Windows\SYSVOL\Domain\Policies on both DCs?
[Image: 77621-gpo.png]


Should you have any question or concern, please feel free to let us know.



Best Regards,
Daisy Zhou
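
The checks asked for in items 2 and 3 above, plus a look at which GPO links are in scope for the container holding the user, as an added PowerShell example (not part of the original answer). It assumes the RSAT ActiveDirectory and GroupPolicy modules and uses the thread's placeholder names for the GPO and the account.

```powershell
# Added example. Assumes the RSAT ActiveDirectory and GroupPolicy modules;
# the GPO name and account below are the placeholders used in this thread.
Import-Module ActiveDirectory, GroupPolicy

$GpoName = 'ChangeWallpaperInBlue'
$UserSam = 'Y'   # sAMAccountName of the test user (placeholder)

# 1. Ask every DC for the GPO and look for its folder in that DC's SYSVOL.
$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
    $gpo = try { Get-GPO -Name $GpoName -Server $dc.HostName -ErrorAction Stop } catch { $null }
    # The folder under Policies is named after the GPO GUID, in braces.
    $gpt = if ($gpo) {
        "\\$($dc.HostName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"
    }
    [pscustomobject]@{
        DC            = $dc.HostName
        InDirectory   = [bool]$gpo
        GpoStatus     = if ($gpo) { $gpo.GpoStatus }
        UserDSVersion = if ($gpo) { $gpo.User.DSVersion }
        UserSysvolVer = if ($gpo) { $gpo.User.SysvolVersion }
        SysvolFolder  = [bool]($gpt -and (Test-Path -LiteralPath $gpt))
    }
}
$perDc | Format-Table -AutoSize

# 2. Which GPO links are in scope for the container that holds the user?
$user   = Get-ADUser -Identity $UserSam
# Strip the first RDN (CN=<user>,) to get the parent container's DN.
$parent = $user.DistinguishedName -replace '^CN=.*?(?<!\\),', ''
# Get-GPInheritance takes a domain or an OU; GPOs cannot be linked to a
# plain container such as the default CN=Users, so the call fails there.
$links  = (Get-GPInheritance -Target $parent).InheritedGpoLinks
[pscustomobject]@{
    User        = $user.SamAccountName
    Container   = $parent
    LinkInScope = [bool]($links | Where-Object {
                      $_.DisplayName -eq $GpoName -and $_.Enabled })
}
```

A DC that knows the GPO in the directory but has no SYSVOL folder for it, or shows different version numbers from the other DC, points at SYSVOL replication rather than at the GPO itself.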




ThomsRlln-2442 answered ThomsRlln-2442 edited

Thank you a lot @DaisyZhou-MSFT for your answer,

To answer the first part of your response: the status of my GPO is "Enabled", so the user AND computer configurations are enabled (I may have to change it to user only, actually). Then I ran gpresult as you suggested and I got this:

[Image: 77865-wallpaper.png]

No GPO applied indeed, it says empty GPO...

Now, to answer the last 3 questions:
1. This GPO replaces the values of 2 registry keys: it replaces the value of "HKEY_CURRENT_USER\Control Panel\Colors" with the string "0 0 255", which corresponds to the blue color, and it replaces the value of "HKEY_CURRENT_USER\Control Panel\Desktop" with an empty string, because previously it was the png of the default background.
2. As I noted at the beginning of my answer, the computer configuration settings are not disabled, so I'll change that and see if it changes something.
3. Finally, on the primary DC (the one where I created the GPO) the GUID appeared in the "Policies" folder, but on the second DC the GUID doesn't appear at all in the folder. I may have a replication problem between the DCs...

What do you advise me to do now?


PS: I tried this command

    Get-ADComputer -Filter * -SearchBase "OU=Y,DC=mydomain,DC=local" | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 0 }

that forces the GPO on all computers in the OU, but I got this result:

Invoke-GPUpdate : Computer "my server" is not responding. The target computer is either turned off or Remote Scheduled Tasks Management Firewall rules are disabled.

But the corresponding rules are enabled and the computer is turned on!







DaisyZhou-MSFT answered

Hello @ThomsRlln-2442,

Thank you for your update.

I have two ideas:

1. Please check: if you run the script manually on one domain-joined machine to change the background wallpaper to a solid blue one, does it work?
   If so, it seems the script is correct.

2. Are the items under C:\Windows\SYSVOL\Domain\Policies on both DCs the same?
   Or are the items under C:\Windows\SYSVOL\Domain\Policies on both DCs the same except (the one where I created the GPO)?





Best Regards,
Daisy Zhou


ThomsRlln-2442 answered DaisyZhou-MSFT commented

Okay thank you @DaisyZhou-MSFT ,
You (and I) found the answer actually! Here it is :
In my case, I should have linked my GPO to the Users group of my OU "Y", then I should have set the GPO Status to "Computer settings enabled", and finally the "not responding" error was due to some connectivity mistakes!

Also, this command is interesting to ensure the GPO is updated everywhere:

    Get-ADComputer -Filter * -SearchBase "OU=Computers,OU=Y,DC=mydomain,DC=local" | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 0 }

Thanks for your time @DaisyZhou-MSFT !




Hello @ThomsRlln-2442,

I am sorry for the late reply.

Thank you for your update and sharing. I am very glad that the problem has been solved.


Best Regards,
Daisy Zhou


If the Answer is helpful, please click "Accept Answer" and upvote it.

