Slow link preventing the gpo from populating? Gavin Wilby IT Support Engineer
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone Sent: 02 October 2015 15:58 To: [email protected] Subject: [NTSysADM] WSUS GPO seems inacessible but only for new members This is odd. I have a GPO which assigns WSUS settings; criteria is that computer account must be in a specific OU, and a member of a specific AD group. This has been working well for years. Now, we've added a couple new servers at a remote site, and so I set them up for WSUS (moved their machine accounts to the right OU, added them to the right group). In AD, that's what I see, and the changes have replicated to all DCs. When I do a Group Processing Policy result for these accounts, it sees that the GPO is being listed as "inaccessible". Also, the GPO is being listed by it's GUID, and not it's name. [Inline image 1] I don't know what's up with that, as the other accounts that this GPO applies to properly show the GPO as applied, and with it's proper name. It's only these new members that are showing this. (I spot checked 3 or 4 other group members; they all show it as applied). So what would cause these new members to not be able to read the GPOs (that's what inaccessible usually means, right?). The GPO is accessible to all the other group members, so it shouldn't be a permissions issue of the GPO itself, I wouldn't think. Doing a "gpresult /r" on these new members, the group membership does NOT show the new groups the account belongs to, but DOES show that it is in the correct OU (I see the OU name in the CN). It says that Group Policy is being applied, as it is listing the 3 GPOs above as being DENIED, but doesn't show the last GPO (the WSUS one). It DOES show the proper group memberships for the logged on user, too. (not that that is relevant to the GPO, but does sort of indicate that the machine is speaking to AD). I see no errors in event log on the member server. Not seeing anything in the event log of the DC that the member says it is getting it's GPO info from, either. Ideas as to where to go next? I have IP connectivity; the member is doing what it's supposed to do (some sort of security camera setup). It does run antivirus - Kaspersky for Windows Servers 8.0.2.213, like other servers. The AV policy shouldn't be blocking anything AD related ... SMP Partners Limited, SMP Trustees Limited and SMP Fund Services Limited are licensed by the Isle of Man Financial Supervision Commission. SMP Accounting & Tax Limited is a member of the ICAEW Practice Assurance Scheme. SMP Partners Limited registered in the Isle of Man, Company Registration No: 000908V Directors: M.W. Denton, M.J. Derbyshire, S.E McGowan, O. Peck, J.J. Scott, S.J. Turner SMP Trustees Limited registered in the Isle of Man, Company Registration No: 068396C Directors: A.C. Baggesen, J.M. Cubbon, M.W. Denton, K.M. Goldie, O Peck, J. Watterson SMP Fund Services Limited registered in the Isle of Man, Company Registration No: 120288C Directors: V. Campbell, R.K. Corkhill, M.W. Denton, D.A. Manser, S.E McGowan, J.J. Scott SMP Accounting & Tax Limited registered in the Isle of Man, Company Registration No: 001316V Directors: I.F. Begley, A.J. Dowling, P. Duchars, J.J. Scott, S.J. Turner SMP Capital Markets Limited registered in the Isle of Man, Company Registration No: 002438V Directors: M.W. Denton, M.J. Derbyshire, D.F Hudson, S.E McGowan, O. Peck, J.J. Scott. SMP Partners Limited, SMP Trustees Limited, SMP Fund Services Limited, SMP Accounting & Tax Limited and SMP Capital Markets Limited are members of the SMP Partners Group of Companies. This email is confidential and is subject to disclaimers. Details can be found at: http://www.smppartners.com/disclaimer.asp ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com ______________________________________________________________________
