Group Policy is awesome. It’s powerful. It’s built into the operating system. And it generally works!
In fact, when I find that “Group Policy isn’t working” – it’s not usually that Group Policy itself isn’t working. Almost always (not always, but almost always) it’s something that I did incorrectly which is causing Group Policy to fail to do what I want it to do.
Yes, that’s my short, shameful confession: I’ve been doing Group Policy since Group Policy was “born” and I still occasionally make dumb moves which means that Group Policy appears to “not be working.” But, in fact, it’s working perfectly.
The computer is doing exactly what I told it to do – but, silly me, I told it to do something different than what was in my head.
This one is an easy one to understand, yet, it still occurs with some frequency. That is, do you have the user accounts where you have linked the Group Policy? Here in Figure 1, I’ve got Active Directory Users and Computers fired up and I can see my users. My East Sales Users.
This is all well and good, except I’m having a little bit of trouble with EastSalesUser 6 – he’s not get the Group Policy settings I expect.
And if I look closely at the screenshot, it’s easy to see why.
EastSalesUser6 has been moved (or deleted) from the East Sales Users OU and hence, won’t get the same Group Policy “stuff” his other pals in the East Sales OU do.
This is a super common mistake: just not knowing where the guy is in Active Directory, and expecting him to get the GPOs you want him to.
Similar to the “where is the user account” problem I just described; I have a similar problem with computers. In Figure 2, you can see WIN7COMPUTER1 is nicely tucked inside East Sales Desktops.
So, I would expect WIN7COMPUTER1 to get computer-side Group Policy settings. But since there are no other computers in there, I might not be getting precisely what I expect.
Be sure to move computers into the right OUs when they’re joined to the domain or otherwise need to be replaced.
Yet another common problem / mistake I make all the time.
In Figure 3, we can see that GPO 456 is linked to East Sales Users and West Sales Users.
But if you look closely in Figure 3, you’ll see that the link is Disabled (grayed out) upon East Sales Users.
That means the settings in GPO456 will revert back – not usually what you want.
For what it’s worth, the gray icon is very hard to see in Windows Server 2008 or Windows 7 – so just be super careful on that one.
Even if a GPO is linked perfectly, it still possible that its payload is being specifically prevented from being delivered.
If you look at Figure 4, you can see that GPO’s status is set to “All settings disabled.” That means everywhere that it is linked, the “stuff” inside the GPO will not be delivered as expected. It’s like you’re turning the whole GPO off.
Similarly, you can disable just “half” the payload – the user or computer side as seen in Figure 5.
It’s a similar problem – just take similar precautions and try to avoid doing this. Some folks think it’s a good idea to disable the unused half of a GPO, but, personally, I’m not a big fan of that.