Tagged: Group Policy Troubleshooting
May 3, 2017 at 7:32 am #13906
I’ve got a strange issue that I’ve run out of ideas on. I’ve got a user side GPO configured to add the current logged on user to the local Remote Desktop Users group if that user is a member of our VPN AD group. The policy works great except on (so far) a few machines, and I was hoping to figure out what the issue is without having to re-image. Here is what I’ve done so far:
The Application Event logs show no events that indicate issues with this preference item
I’ve compared the Trace UserAndGroupsUser.log between a working and non working, and I’m not finding anything that is different other than the one line that says “Added group member” on the working machine.
On a broken machine, I can see in the RSOP report that the policy has applied. In that same report I can see that the user is a member of the VPN group.
The GPO is filtered on the VPN group. The GPPE Local Users and Groups, Local Group Preference Item is NOT using any Item Level Targeting. I’ve tried both the setting on the Preference Item to Add the current user, as well as adding the user via the %DomainName%\%LogonUser% – Add to this group method. No difference.
Is there anything in the Trace log I should be looking for that would give me a better idea of what the issue is?
Is there anything else on the system I can look at or test?
Thanks in advance, any help on this is much appreciated.
Ed
May 3, 2017 at 8:05 am #13907
Forgot to add, both the working and non-working clients are running Windows 7 SP1
May 3, 2017 at 2:26 pm #13909
Unfortunately I don’t see anything that would jump out as to why it works on some and not others. One thing to check–are all of these clients using the same DC to process GP? If not, then you might want to check to make sure that the errant machines’ DC is replicating SYSVOL correctly.
Darren
May 3, 2017 at 9:43 pm #13910
So it appears that you are applying a computer level policy, but filtering based on users – I believe you would also need to adjust your filter to also include Domain Computers.
When you report that it is not working, are you waiting for the GP Refresh interval of about 90 mins to complete? Try running a “gpupdate” in a command window while logged in as a user to see if that helps.
I’ve never tried what you’re trying, but try these items to see if they help.
May 15, 2017 at 7:38 am #13913
Hi Darren and Aakash,
Thanks for the response. Darren, pertaining to checking which DC the working vs non-working clients are using, they are using the same DC. I’ve also deleted all the local GPO cache and forced the client to re-download, and that had not changed.
Aakash, This is a user GPO with user side settings, linked to an OU full of user objects. I’m not waiting for the GP refresh interval because I’m forcing a gpupdate manually via cmd prompt, as well as logging the user on.
I was hoping that there might be some other log file to look at, or condition on the client to look for that would give me an idea of what might be happening, beyond the GPPE trace files.
Oh well, I guess a re-image is the only solution.
Thanks for the feedback.
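A client-side check that pulls together the items raised in this thread (the groups in the logged-on user's token that security filtering evaluates, the logon DC, the current members of the local group, and the "Added group member" line in the GPP trace log), as an added PowerShell example that is not part of the original thread. The AD group name and the trace log path are assumptions to adjust; it uses ADSI so it runs on the Windows 7 / PowerShell 2.0 clients discussed.

```powershell
# Added diagnostic example, not code from the thread. Assumed values below:
$LocalGroup = 'Remote Desktop Users'   # local group the GPP item targets (from the thread)
$AdGroup    = 'VPN Users'              # ASSUMED name of the AD group used for filtering
$TraceLog   = "$env:ProgramData\GroupPolicy\Preference\Trace\User.log"  # ASSUMED trace log path

# 1. Groups in the logged-on user's token. GP security filtering is evaluated
#    against the token, so a group added after the last logon will not show here.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = $id.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
}
$inAdGroup = ($tokenGroups | Where-Object { $_ -like "*\$AdGroup" }) -ne $null
"Token user: $($id.Name)   in '$AdGroup': $inAdGroup"
"Logon DC:   $env:LOGONSERVER"   # compare this between working and non-working clients

# 2. Who is actually in the local group right now (WinNT provider works on Win7 / PS 2.0).
$grp = [ADSI]"WinNT://$env:COMPUTERNAME/$LocalGroup,group"
$members = @($grp.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
})
"Local '$LocalGroup' members:"
$members | ForEach-Object { "  $_" }
$expected = "$env:USERDOMAIN/$env:USERNAME"
"Current user present in local group: $($members -contains $expected)"

# 3. Did the Local Users and Groups CSE log the add? Compare these lines against a working client.
if (Test-Path $TraceLog) {
    Select-String -Path $TraceLog -Pattern 'Added group member', 'error', 'failed' |
        Select-Object -Last 10 | ForEach-Object { $_.Line }
} else {
    "Trace log not found at $TraceLog (enable GPP tracing via policy and adjust the path)"
}
```

Run it in the affected user's own interactive session rather than an elevated session under another account, since the token groups and LOGONSERVER are per logon.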