What causes Group Policy not applying?

GPO not linked to the right OU, or linked but disabled • Security filtering removed Authenticated Users (post-MS16-072 patch breaks this) • WMI filter evaluating false on target • SYSVOL/DFSR replication failure — clients can't read the policy • Loopback processing misunderstood (user policies on terminal servers)

How do I resolve Group Policy not applying?

Find the broken link in scope/filter/replication chain • Restore Authenticated Users with read permission where missing • Repair SYSVOL replication if implicated • Re-test on a clean reboot / new login

How do I prevent Group Policy not applying?

Quarterly GPO audit — orphans, broken links, unused policies • Standardised filter approach (security group + Authenticated Users read) • GPO change documentation / version control • SYSVOL replication monitoring

P3 · Active Directory

Group Policy not applying

Policy changes reach the domain but never appear on clients — or apply inconsistently. Diagnose: link, scope, filter, processing, replication.

Indicators

gpresult /h shows policy 'Denied' or simply absent
Event 1058/1030 on client (failed to access SYSVOL)
New settings work for some users/computers but not others
Drive mappings missing, software install not happening, security settings not enforced

Likely causes

GPO not linked to the right OU, or linked but disabled
Security filtering removed Authenticated Users (post-MS16-072 patch breaks this)
WMI filter evaluating false on target
SYSVOL/DFSR replication failure — clients can't read the policy
Loopback processing misunderstood (user policies on terminal servers)

Diagnostic steps

On affected client: gpresult /h C:\temp\gp.html — read the Denied / Empty / Disabled status for each GPO
Verify GPO link: GPMC → confirm OU link, link enabled, enforced state
Check security filtering — must include either Authenticated Users (read+apply) or specific principals + 'Authenticated Users: Read' minimum (post MS16-072)
Test WMI filter manually if any: Get-WmiObject -Query <filter> on the client
Confirm SYSVOL replication healthy: dfsrdiag replicationstate, ridmondiag
gpupdate /force then re-test

Resolution path

Find the broken link in scope/filter/replication chain
Restore Authenticated Users with read permission where missing
Repair SYSVOL replication if implicated
Re-test on a clean reboot / new login

Prevention

Quarterly GPO audit — orphans, broken links, unused policies
Standardised filter approach (security group + Authenticated Users read)
GPO change documentation / version control
SYSVOL replication monitoring

Tools

gpresult /h
GPMC + GPO Settings reports
Event Viewer (Group Policy operational log)
dfsrdiag, repadmin (for SYSVOL state)
PowerShell: Get-GPO, Get-GPInheritance, Get-GPResultantSetOfPolicy

References

Microsoft Security advisory MS16-072 — Authenticated Users requirement
Microsoft Learn — Group Policy processing and precedence

group-policygpogpresultsysvolactive-directory