Why you cannot see Site-Based GPOs inside the Inheritance Tab of the GPMC

Apr 3, 2011

A fellow reader like you, named Dave King, emailed me this screenshot.

Dave asked me a short, sweet question and included a killer screenshot.

First the question, then the screenshot…

“

Jeremy..

If I set a GPO to be applied at the SITE level and it is working fine, and set another at the DOMAIN level and it is working fine…

When I go to the node and look at the applied Policies it shows only the one linked at the DOMAIN level.

What happened to the SITE one?

It is there and working, and when I run a Resultant set of Policy on the node it DOES show the SITE GPO and the DOMAIN GPO.

But it does not show the SITE GPO’s influence on the Node without running the RSOP.

Is there any explanation for this behavior?

Thanks,

*Dave*

“

First, Dave, THANK YOU for having this so clearly marked up, expressing exactly what your problem was, and how I can help. This makes the job of helping you MUCH EASIER. (That is to say, if you are looking for a little help, I would first encourage you to please use the GPanswers.com forums.. THEN ask for help.) And if you ARE going to ask for help or look to get a question answered, THIS is exactly how to do it.

Now, let’s take a look at the screenshot. (Seriously.. this is the EXACT screenshot I got from Dave. I didn’t make these markups.. he did. Thank you Dave !)

[Screenshot: AD1]

What Dave is witnessing is completely normal. Dave is noticing that a Site-Linked GPO (in this example “Hide Screen Saver Option”, linked to Default-First-Site-Name) is actually WORKING on the client. He explains this when he tells me that he sees it show up in the RSOP (gpresult /R) report on the client.

Cool.

So the question really is.. “Why can’t I see it here, in the Group Policy Inheritance tab?”

The answer is simple. The GPMC itself cannot know WHO will be in that site at any given time. So, to “avoid confusion” it won’t show site-based GPOs in the Group Policy Inheritance tab.  For instance, let’s pretend that “Default First Site” was really named “Detroit.” And, let’s also pretend that there was a second site named “Dublin” (either Ireland, or Ohio.)

Now, if there is a GPO linked to Detroit and others linked to Dublin – what is the Resultant Set of Policy – RIGHT NOW for anyone in the Human Resources OU? Answer? We don’t know.

We don’t know, because we don’t know if we’re talking about users in Detroit or Dublin. So, the GPMC Group Policy Inheritance tab simply doesn’t assume where the user (or computer) is at that moment, and it leaves the site-linked GPOs out.

Therefore, you’ll see the GPO in the RSOP reports on the computer (because the computer ITSELF knows where it’s at).. but the GPMC simply cannot make any assumptions.
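To see both halves of the picture from one console, the added example below (not from the original post) lists what the Inheritance tab reports for an OU and then reads the site links directly from Active Directory. The OU name is a hypothetical placeholder, and the GPO name lookup assumes the linked GPOs live in the current domain.

```powershell
# Added example; needs the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

# Hypothetical OU DN for illustration; substitute one from your own domain.
$ou = 'OU=Human Resources,DC=corp,DC=example'

# 1. What the Group Policy Inheritance tab shows: domain and OU links only.
(Get-GPInheritance -Target $ou).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# 2. Site links are stored in the gPLink attribute of each site object in
#    the forest's configuration partition, so read them from there.
$sitesBase = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext
$pattern   = '\[LDAP://cn=(\{[0-9a-f-]+\}),[^;\]]*;(\d+)\]'

Get-ADObject -SearchBase $sitesBase -LDAPFilter '(&(objectClass=site)(gPLink=*))' -Properties gPLink |
    ForEach-Object {
        $site = $_.Name
        # gPLink value: [LDAP://cn={GUID},cn=policies,...;<flags>][...]
        foreach ($m in [regex]::Matches($_.gPLink, $pattern, 'IgnoreCase')) {
            $guid  = [guid]$m.Groups[1].Value
            $flags = [int]$m.Groups[2].Value
            # Assumes the GPO is in the current domain; otherwise show the GUID.
            $gpo = Get-GPO -Guid $guid -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Site     = $site
                GPO      = if ($gpo) { $gpo.DisplayName } else { $guid.ToString('B') }
                Enabled  = -not ($flags -band 1)   # bit 0 set = link disabled
                Enforced = [bool]($flags -band 2)  # bit 1 set = link enforced
            }
        }
    } | Sort-Object Site, GPO | Format-Table -AutoSize
```

Match the Site column against the site name a given client reports in its own gpresult /R output to know which of these links actually reach that machine.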

Mystery Solved !

Thanks Dave.. This was a fun one !