Resolution
fact
NetIQ Group Policy Administrator 2.0
fact
NetIQ Group Policy Administrator 3.0
fact
NetIQ Group Policy Administrator 4.x
fact
NetIQ Group Policy Administrator 5.0
symptom
Only two of the three GPOs in an Organizational Unit appear in the Resultant Set of Policies (RSoP).
cause
This issue occurs when:
fix
NetIQ Group Policy Administrator 2.0
fact
NetIQ Group Policy Administrator 3.0
fact
NetIQ Group Policy Administrator 4.x
fact
NetIQ Group Policy Administrator 5.0
symptom
Only two of the three GPOs in an Organizational Unit appear in the Resultant Set of Policies (RSoP).
cause
This issue occurs when:
- Explicit security filters set on the GPO are not propagated down to the user.
- Security filter was applied and the user the RSoP has been run on is not a member of the filter.
- Apply Group policy has been set to Deny for a user or group (of which the user is a member).
fix
This behavior is by design:
- The security filter set on the GPO determines the scope of application of Group Policies. These filters could either be a specific user, group, or in some cases, a machine account. If a security filter was applied and the user the RSoP has been run on is not a member of the filter, then the GPO will not be a part of the RSoP.
- Verify if the Authenticated Users are still applied to the Group Policy Object, or if a Security Group has replaced the Authenticated Users group. Also, verify if the user account for which the RSoP was generated has a Deny set for that GPO, or if any Security Group that the user is a member of has a Deny set for that GPO.
- If the user is listed on the security filter but Apply Group policy has been set to Deny, then the policy will not be applied. Alternatively, if the user has Apply Group policy set to Allow, but he is a member of any other group that has this set to Deny on that GPO, then he will not receive the policy.
Additional Information
Formerly known as NETIQKB848