Hello,
I've been having difficulty discovering the cause of, and resolving, an issue that I started experiencing a couple of days ago.
When users logged on in the morning, the majority of our GPOs were suddenly no longer being applied. Running gpresult under the context of a standard domain user showed that while some GPOs were showing and being either applied or denied, most of them were showing their UID rather than display name and had a denied reason of 'Inaccessible'.
When attempting to browse to the SYSVOL folders of the inaccessible GPOs, access was denied due to not having permissions. On checking these, the permissions seemed to have been changed from the standard read and execute to none for the 'Authenticated Users' group.
Correcting these permissions seemed to make the GPOs disappear from gpresult entirely. After going through each GPO, the commonality between the ones that were applying was that they were linked to a computer OU (either directly or by linking to the domain).
Taking one of the previously inaccessible GPOs that contained user-only configuration and linking it to a computer OU caused the GPO to suddenly appear in gpresult for the users (I would assume only for users on machines that were on the linked computer OU).
My only explanation was that somehow loopback processing was taking place; however, this was not set on any of the affected GPOs.
It's difficult for me to find any root cause - this did happen the day after I installed updates on one of the domain controllers.
The forest functional level is Server 2003. The DC with all the roles is a 2003 server; we also have 2008 R2 (one of which was the one that was updated) and 2012 DCs. We just have one domain.
I restarted the updated DC into Directory Services Restore Mode and ran an integrity check and semantic database analysis after running out of ideas, which I don't believe returned anything problematic.
Running dcdiag on the DCs didn't return any issues.
Any help or suggestion is much appreciated.
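
The SYSVOL permission check described in the post can be run across every GPO folder at once. The following is an added example, not part of the original post: it assumes a domain-joined host and an account allowed to read SYSVOL ACLs; the `$Domain` parameter and the output column names are hypothetical, and it only inspects ACEs granted directly to 'Authenticated Users'.

```powershell
# Added example. Assumptions: domain-joined host, account allowed to read SYSVOL ACLs.
param([string]$Domain = $env:USERDNSDOMAIN)   # hypothetical parameter name

$policies    = "\\$Domain\SYSVOL\$Domain\Policies"
$authUsers   = 'S-1-5-11'   # well-known SID of 'Authenticated Users'
$sidType     = [System.Security.Principal.SecurityIdentifier]
$needed      = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Optional: resolve GUIDs to display names when the GroupPolicy module is present.
Import-Module GroupPolicy -ErrorAction SilentlyContinue
$haveGpModule = [bool](Get-Command Get-GPO -ErrorAction SilentlyContinue)

Get-ChildItem -Path $policies |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object {
        $dir = $_
        $allow = 0; $deny = 0
        $acl = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.IdentityReference.Value -ne $authUsers) { continue }
            # Inherit-only ACEs apply to children, not to the GPO folder itself.
            if ($ace.PropagationFlags -band $inheritOnly) { continue }
            if ($ace.AccessControlType -eq 'Allow') {
                $allow = $allow -bor [int]$ace.FileSystemRights
            } else {
                $deny = $deny -bor [int]$ace.FileSystemRights
            }
        }
        # Deny ACEs override allow ACEs for the same rights.
        $effective = $allow -band (-bnot $deny)
        $name = $null
        if ($haveGpModule) {
            try {
                $guid = $dir.Name.Trim('{}')
                $name = (Get-GPO -Guid $guid -Domain $Domain -ErrorAction Stop).DisplayName
            } catch { $name = '<not resolved>' }
        }
        New-Object PSObject -Property @{
            Guid             = $dir.Name
            DisplayName      = $name
            AuthUsersCanRead = (($effective -band $needed) -eq $needed)
            HasDenyAce       = ($deny -ne 0)
        }
    } |
    Sort-Object AuthUsersCanRead, Guid |
    Format-Table Guid, DisplayName, AuthUsersCanRead, HasDenyAce -AutoSize
```

A `False` in `AuthUsersCanRead` is not always a fault: a GPO whose security filtering deliberately removes 'Authenticated Users' will also show it, so compare the flagged GUIDs against the GPOs that were expected to apply.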