GPO not applying to member servers

Hello All,

I am looking for advice regarding GPO's not applying to OU's.

I am currently studying for the 70-291 exam, and have run into a problem when trying to apply WSUS settings to the member servers in my lab domain.

I have three OU's currently defined in my domain for computer accounts, the default DC OU, a Servers OU (for member servers), and a Clients OU (for desktops and laptops). Each of these has it's own GPO assigned to it to apply WSUS settings, placing the computers in the correct WSUS computer groups (e.g. all computer accounts in the Clients OU are placed into the Clients WSUS computer group).

The GPO settings are applying correctly to the DC's OU, and the Clients OU. The problem is that computers in the Servers OU do not recieve any GPO's. If I run gpresult on any of the computers in this OU, then it reports to no GPO's are applied, not even the Default Domain Policy. I have setup each of the OU's and GPO's the same, so I can't see why no GPO's are being applied to computers in the Servers OU.

For information, I have all my computers created in VMware and I have 2 computer accounts in the Servers OU.

Can anybody offer me any advice on this?

Thanks in advance.

Adam.

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

bighornsheep

Are the GPOs enforced? Did you try a gpupdate /force on the members server?

ilcram19

you need to enable the user group policy loopback proccessing mode on the gpo

SUMMARY
Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.

sprkymrk

ilcram19 wrote:

you need to enable the user group policy loopback proccessing mode on the gpo

SUMMARY
Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.

I don't think that applies here ilcram. You only need to use loopback processing when you want a user setting to apply to a computer regardless of who logs in. In this case, the GPO is applying Windows Updates settings found in the Computer Configuration, so they apply to the computer anyway.

I have seen GPO's become corrupt. Can you access the GPO from the member server by connecting to \\dc\sysvol\domain.name\Policies? Are the system clocks on the servers set to the correct time, synched up with the DC's?

ilcram19

i had the same issue with a domain TS i did gp result and the GPO wasnt being applyied and after i did that it worked fine ....or maybe im wrong,....

alharland

Thanks for the reply guys.

I think I have solved this problem now, and it was down to me having a blonde moment. As all my computers are run in VMware, I didn't create each one manually, I created one base image and then copied it for each new server I required and then renamed the VMware image and machine name as needed. There lies my problem. Each VM had the same SID. I have now used newsid.exe to provide each member server with it's own unique SID, then removed each one from the domain, deleted the domain computer account, readded each one to the domain, and then moved the computer account back to the Servers OU.

My GPO's are now applying correctly.

Thanks for all your advice.

I hope this post may be able to help others who make the same stupid mistake that I did.

Regards,

Adam.

alharland

I forgot to add, I also had to delete the SusClientId registry key, found in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate, then stop and start the wuauserv service, and then run wuauclt /resetauthorisation /detectnow.

Cheers,

Adam.