Hello,
We have a problem where any group policies defined on the organizational units of the user aren't applied when the user logs in to any of our Windows 2008 R2 servers.
Consider the following (simplified) situation:
Servers
- 2 Windows 2003 domain controllers
- Several Windows 2008 R2 domain members
- Several Windows 2003 domain members
Active directory
- Domains
  - MyDomain
    - GPO: DefaultDomainPolicy
    - OU: MyUsers
      - GPO: UserPolicy1
      - GPO: UserPolicy2
      - ...
      - Users: User1, User2, User3, ...
    - OU: MyServers
      - GPO: ServerPolicy1
      - GPO: ServerPolicy2
      - ...
      - Servers: My2008Server1, My2008Server2, My2008Server3, ...
      - Servers: My2003Server1, My2003Server2, My2003Server3, ...
On the Windows 2003 domain members, all works as expected. When User1 from OU MyUsers logs on to My2003Server1, these policies are applied:
- DefaultDomainPolicy
- UserPolicy1
- UserPolicy2
- ServerPolicy1
- ServerPolicy2
When User1 logs on to My2008Server however, only these policies are applied:
- DefaultDomainPolicy
- ServerPolicy1
- ServerPolicy2
UserPolicy1 and UserPolicy2 are not applied. We check the applied policies using gpresult /user <username> /s <servername>. The results show that UserPolicy1 and UserPolicy2 don't get applied at all; gpresult doesn't mention them at all.
Everything else works as expected on the 2008 R2 servers:
- Changes to DefaultDomainPolicy and ServerPolicy1 are processed correctly.
- The event log doesn't contain errors about group policy processing, only happy messages like "The Group Policy settings for the user were processed successfully. New settings from 2 Group Policy objects were detected and applied."
We've reproduced the correct and incorrect behaviour for multiple users, multiple servers, multiple GPOs. We didn't find a situation where the 2008 servers worked as expected or where the 2003 servers did not.
Any help would be highly appreciated!
Cheers,
Aron