Group Policy (GPO) is not applying to the clients
CAUSE 1 - Policy is not linked to correct OU
CAUSE 2 - Block Inheritance cause the setting not to pass down
CAUSE 3 - Policy is disabled
CAUSE 4 - User's Policies that are applied to the Computers OU are applied only when the computer is booted, which is before any users have logged in, so no user-specific settings can be applied. For a setting like a Favorites file, which is added to each user's home Library, the policy has to be on a User OU. Policies that are applied to User OUs are applied to each user when the user logs in.
CAUSE 5 - The /var/opt/quest/vgp/extensions file has been removed or unregistered
CAUSE 6 - DFS replication some or all of SYSVOL was not replicating to one Domain Controller
CAUSE 7 - Product Defect 338118 in version 22.214.171.12480 and earlier.
situations apply/unapply a policy depending on which GC was used.
CAUSE 8 - Security filtering is setup and a group added. However the compter object is missing from the group.
1 - Ensure the policy has been linked to the correct OU. If it is a computer policy ensure the policy is linked to the OU the computer is in. If it is a user policy ensure it is linked to the OU the users are in. With user's policy there is a Microsoft policy set to change the behavior called Loopback processing mode.
2 - List GPC linked to this computer: /opt/quest/bin/vgptool listgpc
Lists Group Policy Object details from Group Policy Container and Active Directory container links for objects assigned to this container.
The results displayed by this command are listed in order by the container to which the Group Policy Objects are assigned. The resulting information comes from both the Group Policy Container and the container with the link itself. By default, the resulting list of group policy objects includes only those that are not blocked by the block inheritance setting. Depending upon the options to this command, more details may be obtained.
Usage: vgptool listgpc [-u user] [-l] [-x]
-u user specify the Unix name of the user for whom to lookup policy
-l long output (all the info from Active Directory)
-x unfiltered list (includes disabled and blocked inheritance)
3 - To find what OU the computer object is located: /opt/quest/bin/vastool -u host/ info id
vgptool applies our group policies using Client Side Extensions (CSE). The CSEs determine how policies are applied.
Also useful is doing a ls -l /var/opt/quest/vgp and checking date on the extensions file to see if it was changed when the issue began.
To check the status of Active Directory and Sysvol replication on each server
1 - Run Gpotool.exe to check the number of unique Group Policy objects available on the network, and the status of each of these Group Policy objects on each domain controller. The status output from Gpotool.exe indicates all necessary information to diagnose if Active Directory and Sysvol are synchronized for each domain controller that you can connect to.
3- If Active Directory is not synchronized between domain controllers, run Active Directory Replication Monitor (Replmon.exe), which can provide additional information about the state of Active Directory synchronization, and provide assistance in resolving the problem.
4 - Check sysvol to ensure data exist
Upgrade to a later version of the product. To download new release please go to: https://support.oneidentity.com/authentication-services/download-new-releases
Add the computer object to the group that is listed in the security filter of the GPO.