GPO does not apply to a specific user or computer

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This topic explains the importance of correct Organizational Unit memberships and GPO linking and shows how to check these issues using GPMC and other tools.

Cause

GPOs are applied to a client only if they are linked to a site, domain, or OU to which the computer or the user at that computer belongs.

For troubleshooting purposes, you need a solid understanding of your organization’s Active Directory structure and the Group Policy inheritance and filtering rules. With this information and the Resultant Set of Policy (RSoP) functionality in Windows Server 2003 and Windows XP, you can manipulate your Active Directory structure and your Group Policy links and filters to deliver targeted settings to the users and computers in your organization. The same information is needed to troubleshoot situations where these manipulations produce an unexpected result.

Solution

Check Active Directory Users and Computers to see what site, domain, and OU the user and the computer are in.

In GPMC, expand the Active Directory containers that contain the affected client. In the navigation pane, scan the list of GPOs for each container for disabled links.

GPOs are filtered according to the Active Directory groups that the users and computers belong to. The Active Directory objects in which you place your Active Directory groups and the ways you group users or computers affect how GPOs can be distributed and applied.

Active Directory and FRS replication lag can affect either part of the GPO.

If you have an OU that contains other OUs and you remove Read permissions to the parent OU, then no policy will be processed by computers or users in that OU hierarchy.

If there are conflicting settings in the GPOs that apply to the client, they are resolved according to the Group Policy inheritance rules.

Adding a User or Computer to an OU

When a user or computer is added to an OU, two things need to happen before the GPOs that the new OU links to are applied to the client:

  • The new OU assignment must be replicated to the client’s domain controller.

  • After the replication is complete, you must either log off and log back on again if the user account moved to the new OU, or restart the computer if the computer moved to the new OU.