question

ct2326 asked AnshulKumarMINDTREELIMITED-5501 commented

RSOP User Configuration only have Local Group Policy and not fetching from AD

I performed a gpresult after a "gpupdate /force", the user configurations are all with a winning gpo of Local Group Policy. I'm suspecting that it is not fetching from the AD, as the computer configurations are with a winning gpo of the server.

Or could it be that if the user configurations were already updated once, they will be stored in the Local Group Policy as reflected? Because I ran the gpresult after a second gpupdate with a user policy update failed.

windows-active-directory

Hello @ct2326,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


Hello @ct2326,
Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Thanks for your time and have a nice day!

Best Regards,
Daisy Zhou


Hi @DaisyZhou-MSFT ,

I recreated my GPO and was not able to apply the GPO to my workstation for user settings. But it was applied for the computer settings. The gpresult /r did not even show the GPO under the user settings.

114992-20210715-153917.jpg
The above is a screenshot for computer settings. And the one below is for computer settings.
114993-20210715-153925.jpg

I've checked that the workstation is in the correct domain. I've also set the GPO to Link enabled and Enforced.

Thank you.

Regards,
Tc



Hi @DaisyZhou-MSFT ,

There is this error in the user settings even though user policy update was successful.

Under component status in user settings,
Group Policy Infrastructure failed

Group Policy Infrastructure processed successfully but failed to log Resultant Set of Policy information.
"The operation completed successfully.
Note: Due to GP core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.
Additional information may have been logged. Review the policy events tab in the console or the application event log for events from <date> <time>"
What should I do to rectify this?
Thank you.
Regards,
Tc


Hi, if the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions.

DaisyZhou-MSFT answered ct2326 edited

Hello @ct2326,

Thank you for posting here.

Here are my answers for your references.

Or could it be that if the user configurations were already updated once, they will be stored in the Local Group Policy as reflected?
A: No, if the user configurations were already updated once, they will not be stored in the Local Group Policy as reflected.

Because I ran the gpresult after a second gpupdate with a user policy update failed.
A: Based on my knowledge, if you configured multiple domain user policy for one domain user, even if you run gpupdate and the result fails, this does not mean that all user policies have failed. Assuming that only one user policy fails, the other user policies will also be displayed in the gpresult results.

Maybe the failed user policy is also displayed in the gpresult results with failure reason.


Usually, one domain user can view his/her user configuration (including local gpo settings if configured and domain gpo settings if configured) as below:

Here is my test lab, domain name is a.local, one user is A\u1, and one domain client is vchzho356.


Method 1

1. Log on to one domain-joined client using his/her domain account.
2. Open CMD (do not run as Administrator).
3. Run gpupdate /force command.
4. If we can run the command in step 3 successfully, we can import the user configuration by running gpresult /h C:\temp\gpo.html and then pressing Enter (create a folder named temp on the C drive).
5. Open gpo.html and check all the settings under "User Details".

When we open the html file, it looks like this. For example:

112424-gpo1.png

112415-gpo2.png


Method 2

1. Log on to one domain-joined client using his/her domain account.
2. Open CMD (do not run as Administrator).
3. Run RSOP.msc on the client and press Enter.

For example:
112416-gpo3.png


Method 3

Domain Administrator collect domain user policy on one DC.

1. Open Group Policy Management.
112425-rs2.png

112426-rs3.png

112417-rs4.png

112387-rs5.png

112410-rs6.png

2. Click the Details tab to check user policy.
112461-rs1.png


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


Hi @DaisyZhou-MSFT,

I've checked from the gpresult and it showed under the "User Details > Component Status" that the Group Policy Infrastructure processed successfully but failed to log Resultant Set of Policy.

Under the "User Details>Component Status>Registry", I was able to view the log of it. Inside it, it only shows that the "List of applicable Group Policy objects" contains the Local Group Policy and not any of the GPOs in the AD. But for the "Computer Details>Component Status>Registry" I was able to find the GPOs in the AD.

In addition, for the "User Details>Settings", it states "No settings defined". But I was able to find the headers, Policies and Preferences in the "Computer Details>Settings"

When I check the Windows Logs>System in the Event Viewer, it shows a GroupPolicy event of "Group policy settings for computer were processed successfully. New settings from 3 Group Policy objects were detected and applied." but not a single one of group policy settings for user. However there is also a Service Control Manager Event where it states that the Group Policy Client service terminated unexpectedly.

May I know how do I approach these issues?

Thank you.

Regards,
Tc

DaisyZhou-MSFT answered

Hello @ct2326,

Thank you for your update.

Please check if you have configured domain user policy for this user. We do not need to view “Computer Detail”.

1. Which user do you want to check if you configured domain user policy? I mean what domain user account.
2. Which OU is this user in?
3. What GPOs are linked to this OU?

For example:

I have a domain user named aa1,
AA1 is in OU named test1,
And I linked three GPO named wallpaper and copy file.
113716-gpo6.png


1. Log on to one domain-joined client using his/her domain account.
2. Open CMD (do not run as Administrator).
3. Run gpupdate /force command.

113783-gpo5.png

4. Run gpresult /r and get the result.
113670-gpo.png

5. If we can run the command in step 3 successfully, we can import the user configuration by running gpresult /h C:\temp\gpo.html and then pressing Enter (create a folder named temp on the C drive).
6. Open gpo.html and check all the settings under "User Details".

When we open the html file, it looks like this. For example:

113784-gpo3.png


113785-gpo4.png

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

DaisyZhou-MSFT answered ct2326 commented

Hello @ct2326,

Thank you for your update.

Please check if you edit computer configuration or user configuration?
Please check which OU did you link this GPO?
Please check if you put user objects or computer objects in this OU?


Usually, for computer configuration, you can configure as below:

Create an OU (PCOU) and put computer objects in this OU.
Create a GPO and link it to PCOU.
Edit GPO computer configuration.
Log on to the machine using one domain Admin account.
Run gpupdate /force on one machine in PCOU.
You will see the corresponding computer GPO and its computer settings.


Usually, for user configuration, you can configure as below:

Create an OU (UserOU) and put user objects in this OU.
Create a GPO and link it to UserOU.
Edit GPO user configuration.
Log on to the machine using one domain account in UserOU.
Run gpupdate /force on any domain machine.
You will see the corresponding user GPO and its user settings.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


Hi @DaisyZhou-MSFT ,

Both computer and user configuration were edited, meaning in one single GPO there's both computer and user configurations, namely GPO1 and GPO2, with different configurations.

For my case, this GPO is under an OU named Workstation with some other GPO as well.
It's something like:
Workstation
-> GPO1(user config + computer config)
-> GPO2(user config + computer config)

Both are linked and enforced. But both of them are not applied in the user settings but applied only in computer settings.

So am I supposed to have computer and user configuration in two separate GPO and under two separate OU? Or it is okay for both the separated computer and user configuration GPOs to be in the same OU?

Also, for the settings of computer configuration only and user configuration only is at the Details tab of the GPO under the GPO Status, am I right?

Thank you.

Regards,
Tc

DaisyZhou-MSFT answered ct2326 edited

Hello @ct2326,

Thank you for your update.

You can have the two following configurations.

Configuration 1

You can have an OU named Workstation with both user objects and computer objects.

Workstation
-> GPO1(user config + computer config)
-> GPO2(user config + computer config)

Then user objects in OU named Workstation will apply user config in GPO1 and user config in GPO2.
Then computer objects in OU named Workstation will apply computer config in GPO1 and computer config in GPO2.

Configuration 2

Or you can have an OU named Workstation with both user objects and computer objects.

Workstation
-> GPO1 (computer config)
-> GPO2 (user config )

Then user objects in OU named Workstation will apply user config in GPO2.
Then computer objects in OU named Workstation will apply computer config in GPO1.



Would you please check if there are user objects in your OU named Workstation for your case?



Q1: So am I supposed to have computer and user configuration in two separate GPO and under two separate OU?
A1: I suggest we had better do like this. To avoid confusion, a GPO only edits one policy setting, and is named after a friendly display name.

For example:

Two parallel OUs

OU (User objects are in this OU) named ITdepartment links one GPO named drive maps (only with user configuration).
OU (computer objects are in this OU) named Desktop links one GPO named autoupdate (only with computer configuration).


Or one parent OU named ITdepartment with two child OU:

OU (User objects are in this OU) named Employee links one GPO named drive maps.
OU (computer objects are in this OU) named Desktop links one GPO named autoupdate.


Q2: Or it is okay for both the separated computer and user configuration GPOs to be in the same OU?
A2: See above.

Q3: Also, for the settings of computer configuration only and user configuration only is at the Details tab of the GPO under the GPO Status, am I right?
A3: Domain users can only see his/her GPO with user settings.
Domain Administrator can see his/her GPO with user settings and GPO with computer settings.

For example:

If one GPO named GPO1 has both user settings and computer settings, and applies to u1 and Domain Administrator and PC1.
Domain users can only see his/her user settings within GPO1.
Domain Administrator can see his/her user settings within GPO1 and computer settings within GPO1.



Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


Hi @DaisyZhou-MSFT ,

So in my case, I am already using the configuration 1 that you have mentioned above.

But by computer objects and user objects how can I differentiate them?

And also, how can I check whether there are user objects in the OU?

Furthermore, if I am using configuration 1, may I know why is the user policy unable to be "fetch" from the AD?

The security filtering has only Authenticated Users, which should be able to have the user policy applied am I right?

Or is it due to the enforced and link both enabled on two different GPO that may be causing a problem?

Thank you.

Regards,
Tc

DaisyZhou-MSFT answered DaisyZhou-MSFT commented

Hello @ct2326,

Thank you for your update.

But by computer objects and user objects how can I differentiate them?

And also, how can I check whether there are user objects in the OU?

A1: Look.
115431-ou1.png



Furthermore, if I am using configuration 1, may I know why is the user policy unable to be "fetch" from the AD?
A2: You must have user object (such as user1) in the OU. And as I mentioned above.

1. Log on to one domain-joined client using his/her domain account (user1).
2. Open CMD (do not run as Administrator).
3. Run gpupdate /force command.
4. If we can run the command in step 3 successfully, we can import the user configuration by running gpresult /h C:\temp\gpo.html and then pressing Enter (create a folder named temp on the C drive).
5. Open gpo.html and check all the settings under "User Details".

Then the user can "fetch" the user policy from the AD.

The security filtering has only Authenticated Users, which should be able to have the user policy applied am I right?

A3: Yes, Authenticated Users include domain user and domain computer.

Or is it due to the enforced and link both enabled on two different GPO that may be causing a problem?

A4: No, it does not matter.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Please click "Accept Answer" and upvote it if the Answer is helpful.


Best Regards,
Daisy Zhou
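
The check described in this answer (is there a user object in the OU, and which GPOs reach the user versus the computer) can be scripted from a machine with the RSAT ActiveDirectory and GroupPolicy modules. This is an added example, not part of the answer above or Microsoft's own script; `user1` and `PC1` are placeholder names and `Get-LinkableParent` / `Get-ScopedGpo` are hypothetical helpers defined here.

```powershell
# Added example. Requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$UserName     = 'user1'   # placeholder: the account that logs on to the client
$ComputerName = 'PC1'     # placeholder: the domain-joined client

function Get-LinkableParent([string]$DistinguishedName) {
    # Strip leading RDNs until we reach an OU or the domain root. Plain
    # containers such as CN=Users cannot have GPO links. The regex splits on
    # the first comma that is not escaped with a backslash.
    do {
        $DistinguishedName = ($DistinguishedName -split '(?<!\\),', 2)[1]
    } while ($DistinguishedName -like 'CN=*')
    $DistinguishedName
}

function Get-ScopedGpo {
    param([string]$Container, [ValidateSet('User', 'Computer')][string]$Side)
    # InheritedGpoLinks lists every GPO link that reaches this container,
    # in precedence order, after inheritance and enforcement are resolved.
    foreach ($link in (Get-GPInheritance -Target $Container).InheritedGpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId
        [pscustomobject]@{
            Side        = $Side
            Container   = $Container
            Gpo         = $link.DisplayName
            LinkEnabled = $link.Enabled
            Enforced    = $link.Enforced
            GpoStatus   = $gpo.GpoStatus               # e.g. UserSettingsDisabled
            HasSettings = $gpo.$Side.DSVersion -gt 0   # 0 = that side was never edited
        }
    }
}

$userOu = Get-LinkableParent (Get-ADUser $UserName).DistinguishedName
$pcOu   = Get-LinkableParent (Get-ADComputer $ComputerName).DistinguishedName

# Which user objects sit directly in the OU that holds the workstation?
Get-ADUser -Filter * -SearchBase $pcOu -SearchScope OneLevel |
    Format-Table Name, DistinguishedName -AutoSize

# User-side GPOs follow the user's OU; computer-side GPOs follow the computer's OU.
# Security filtering on each GPO is not evaluated here.
@(Get-ScopedGpo $userOu User) + @(Get-ScopedGpo $pcOu Computer) |
    Format-Table -AutoSize
```

If the expected GPO appears only in the Computer rows, the user account is not in (or below) the OU where that GPO is linked.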


Hi @DaisyZhou-MSFT ,

If that's the case it's kinda weird as Authenticated Users include both users and computers joined to the domain, which the workstation and users are. But they don't seem to be able to "fetch" the GPO's user settings from the AD. From the information that you have provided, I am pretty sure I got everything right though.

But for the user and computer objects, I am supposed to add them in one by one? Or the security filtering of Authenticated Users is already sufficient?

Thank you.

Regards,
Tc


Hello @ct2326,

Thank you for your update.

Or the security filtering of Authenticated Users is already sufficient?
A: If you do not want to filter users or computers in the specific OU, Authenticated Users is already sufficient.


Best Regards,
Daisy Zhou

ct2326 answered DaisyZhou-MSFT commented

Hi @DaisyZhou-MSFT ,

If in the event I were to try to split the user and computer configurations, I will just have to set from enabled to User configurations only and Computer configurations only, am I right?

Regards,
Tc


Hello @ct2326,

Thank you for your update.

If in the event I were to try to split the user and computer configurations, I will just have to set from enabled to User configurations only and Computer configurations only, am I right?
A: Where did you set from enabled to User configurations only and Computer configurations only? Please provide the screenshot if possible.

I think you do not need to set it.


Best Regards,
Daisy Zhou


Hello @ct2326,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

