A setting on a workstation is wrong and I cannot tell which GPO wins.
With multiple GPOs the order is local, site, domain, OU, with enforced and blocked inheritance as overrides. RSOP and gpresult show what actually lands on a given machine or user.
Try this first
- 1On the affected PC run gpresult /h c:\temp\rsop.html /scope both and open the report.
- 2Find the setting, see which GPO is 'Winning GPO' and which other GPOs attempted to set it.
- 3In Group Policy Management verify the scope: linked at the right OU, security filtering correct, WMI filter not unintentionally blocking.
- 4If user settings fail to land on a terminal server, check loopback processing mode (Replace or Merge) on the computer object's OU.
- 5Change one variable at a time, run gpupdate /force, reboot if the setting only applies at logon, and retest.
When to bring us in
If the Winning GPO is correct but the effect is missing on the PC, suspect client-side extensions not running, a stopped Group Policy Client service, or a corrupt registry.pol.
See also
- One DC or two DCs for an SMB office?Two is almost always the right answer; one DC is a single point of failure for logon, DNS and GPOs.
- Should I split FSMO roles across two DCs?For a small domain all on one DC is fine; with two DCs splitting is tidier but not required.
- How do I know my AD replication is healthy?Replication errors creep in silently; they only surface when logins or GPOs misbehave.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.