Group Policy is not taking effect on OU

By jeff.friend ·

I am trying to apply a group policy to an OU in Active Directory 2008. For some reason it does not work when linked to just the OU. Here is my setup:

OU contains the computer that the policy needs to apply to and nothing else. The Group Policy is linked to the OU. The overall goal is to have a group policy take effect for users when they log onto a specific computer but not on any of the other computers they may log into.

Is there any method you guys would suggest to begin troubleshooting or if you know what may be the issue please let me know. I have tried several different alternatives to achieving the same result and have had no success.



This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

what did gpresult.exe show?

by CG IT In reply to Group Policy is not takin ...
Collapse -

GP Results for the machine that should have policies applied to it

by jeff.friend In reply to what did gpresult.exe sh ...

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 8/10/2010 at 10:37:23 AM

RSOP data for 3WIRE\csr on VPN3 : Logging Mode

OS Configuration: Member Workstation
OS Version: 6.1.7600
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\csr
Connected over a slow link?: No

Last time Group Policy was applied: 8/10/2010 at 10:37:05 AM
Group Policy was applied from: 3wirepa-vmserv.3Wire
Group Policy slow link threshold: 500 kbps
Domain Name: 3WIRE
Domain Type: Windows 2000

Applied Group Policy Objects
Local Group Policy

The following GPOs were not applied because they were filtered out
Filtering: Disabled (Link)

Default Domain Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups
Domain Users
NT AUTHORITY\Authenticated Users
This Organization
VA Users
Medium Mandatory Level

Collapse -

GP Results

by jeff.friend In reply to GP Results for the machin ...

The user and computer are within the organizational unit and the group policy(VA_VPN_GPO) is linked to the organizational unit but it doesn't even list the policy in applied or filtered GPOs in the GPResults. Any ideas?

Thanks for the quick replies guys.

Collapse -

humm the user & computer should not be in the same OU

by CG IT In reply to GP Results

where in the OU structure did you create the OU?

if it's a computer configuration that you want users to have, then you create an OU under the 1 tier computers OU, [or create an special OU on 1st tier] stick whatever computers you want to have the configuration in the OU, the link the GPO to the OU. Note: GPOs linked to the 1st tier computers OU will effect nested OUs through parent/child.
GPOs also have a processing order so it's possible one can filter another.

If you want a user config, same thing.

combination configurations aren't really a good idea to complicated.

also where did you run the gpresult.exe ??

Collapse -


by jeff.friend In reply to humm the user & computer ...

The OU was created right underneath the domain.(so at the same level as computers, users) I am not given the option to create an OU under computers or users.(Computers/users are a different type of container) I also tried to move the OU to computers and was given an error message.(Windows cannot move object VA_VPN because: Access is denied.) I ran the GPresults from the computer that should have the GPO applied to it. The goal is for this GPO to be applied to everyone that logs onto this particular computer.

On a side note I notice that others seem to be having a similar issue and they mention DNS:;leftCol

If DNS could be at fault what could checked to ensure it is or is not the problem.

Thanks again,


Collapse -

the access denied is a problem

by CG IT In reply to update

as the enterprise/domain administrator, you should not get "access denied" and you should be able to create/modify/move OUs, GPOs, Users whatever, anywhere in the OU structure. I would resolve this problem first before trying to resolve any other problems.

Group Policy in a domain environment is processed in a sequential order. local machine, site, domain and OU. local machine GPOs typically are overridden by other GPOs higher in the order [site,domain,OU]. That is where the gpresult comes in. Tells you what the result of all GPOs applied are.

DNS is name to address resolution and in an active directory environment, is used [but not limited to] to query/locate Active Directory services. If your Active Directory DNS servers are not providing correct DNS lookup based upon the Active Directory DNS zones for the domain, you have to fix that as well, before you do anything else.

Collapse -

Security Filter

by rjluvkc In reply to Group Policy is not takin ...

Ensure that you have "Authenticated Users" applied to the policy.
Also, are these wired pcs or wireless devices?
I am assuming this is a GPO login script?

Collapse -

security filter

by jeff.friend In reply to Security Filter

Authenticated users is setup to have the policy applied to it. The computers are all wired.

Collapse -

Just to verify

by NetMan1958 In reply to security filter

that I understand the situation, is all of the following correct:

The GPO is named VA_VPN_GPO ?
It is linked to an OU ?
The user and computer are both in that OU ?
The security group "Authenticated users" is allowed to apply the GPO ?

If all of the above are correct, then in that GPO, are the settings to be applied configured under "User Configuration", "Computer Configuration" or both?

If any or all of the settings are configured in "Computer Configuration", does that computer or a security group that the computer is a member of have permission to apply that GPO?

Collapse -

just a note Netman... he said this is an Active Directory environment

by CG IT In reply to Just to verify

authenticated users are any account that "logs on" anywhere in the forest.

Doesn't mean they have all "rights and permissions".

the guest and annonymous accounts can be used to log on and authenticate and in doing so, become "authenticated users".

Related Discussions

Related Forums