GP Not Updating on Client Machines

[PreviousPoster]

Hello all, I was not sure what forum I needed to post in (and being a complete noob) so i posted here.

Problem is, I have recently taken over a school network and the Group Policy seems to be in a bit of a mess. There are at least 50 GPO's, and about 10 "default" GPO's sitting around and it dont seem to be doing its job properly. Basically, on some GPO's i will try to edit it and it will say something along the lines of "Cannot be found".

Also when changes are made to a GPO, they are not always updated on the machines that are meant to be updated. To be honest the whole thing is a state and I am pretty sure there is no magical tool that can fix it for me so I guess im just looking for advice on what my options are?

Thank You
glennym

[AdamV]

Welcome to the forums, and the fun that is Group Policy!

Backup the existing policies (through the GPMC) and save and/or print the policy settings reports from GPMC as a starting point.

The first thing you need to do is map out what the current policies which you can see should be doing - where they are linked, roughly what settings they cover (at a high level first - eg 'Internet Explorer configuration') etc. Check the inheritance / enforce / blocking carefully and look out for loopback policies.

Backup the existing policies (through the GPMC) and save and/or print the policy settings reports from GPMC.

Then look for inconsistencies and overlap in that structure. You might also find 'orphaned' policies which are no longer linked anywhere. You can back them up and delete them, or for now just rename as "Orphan - Office 2003 policy" or whatever. I would suggest keeping them around for a while as they may have settings which would be useful - whoever set this up may not realise that they were not in force.

Now you know what you have, you need to work out what effect it is having in the real environment. Test sample workstations with different user accounts.

Check for local policies which may have been set on workstations and could be giving undesired results.

So you know what the policies ought to do and actually do, and what you would like them to do, all that remains is to get from A to B. This might involve some AD restructure or creation of security groups to help along the way. You may also decide that the best thing to do with the default policies is to return them to their "as installed" state and individually change them to apply the settings you actually want.

After all that, you keep the policies you want, delete what you don't, make a new backup and everything will be wonderful.

Sounds easy, right?

It's all about being methodical and thorough (and documenting as you go along). A logical approach and resisting the urge to do too much at once will help enormously.

When do you need to get this sorted by? I guess as a school environment you have a better chance during the summer break to make big changes with less risk, but are you experiencing problems which need fixing in the next month or so for the current academic year?