可以使用组策略模拟器来查看为什么组策略应用失败
一般来说,失败的原因有以下几种:
其中Empty GPO denied 的原因,可以检查一下是否机器策略应用到了机器相关的OU,用户策略是否应用到了相关的OU
有一个这样的例子,
父ou 下面有个子OU,2个ou里面包括的都是计算机
有2个GPO分别是A和B
A设置用户的屏幕保护时间为300秒,A应用到父OU
B设置用户的屏幕保护时间为3600秒 B应用到子OU
结果子OU上怎么都应用不上B.显示: denied empty GPO.
原因
A和B策略都是用户策略,对于计算机OU无效
所以应该根据用户来建立父子OU
Security Filtering (GPO Denied)
The user or computer does not have the user rights assigned for the GPO. The required privileges are Read and Apply Group Policy. Alternatively, a GPO might be associated with a Deny ACE, which overrides any other privileges granted to the user or computer. For more information, see Policy settings incorrectly applied or denied due to security filtering .
Disabled Link (GPO Denied)
There is a link to the GPO from a site, domain, or OU in the hierarchy of the user or computer, but that link has been explicitly disabled. You can quickly scan the navigation pane of GPMC for disabled links.
Inaccessible GPO (GPO Denied)
There is a link to the GPO, but the GPO cannot be accessed. There are several possible reasons for this:
| • |
The permissions on the GPO or on folders in the path to the Group Policy template are insufficient for it to be accessed and read. If this situation occurs the Component Status section of the Group Policy Results report will indicate Failure for the component Group Policy Infrastructure. |
| • |
The GPO might have been deleted, but the link to it remains for some reason (such as replication lag). |
| • |
Network connectivity problems might prevent access to the GPO. |
| • |
The client is unable to contact any domain controller. |
Empty GPO (GPO Denied)
A GPO will be denied if it has no settings. This occurs when an administrator has configured a GPO and linked to it, but has not set any policy settings within the GPO. Either remove the link to the GPO or add policy settings to the GPO. If there are no remaining links to the GPO, you should consider deleting it.
WMI Filter (GPO Denied)
A WMI filter applied to a GPO is essentially a Boolean (true/false) decision as to whether the entire GPO should be applied to the client computer. The filter is evaluated at the client when GPO is applied. Based on the embedded WQL query, the GPO will either be enabled or disabled. For more information, see Policy settings incorrectly applied or denied due to WMI filtering .