GPO failed to apply to domain computers

Anonymous
2024-10-25T12:14:39+00:00

I've created a policy in a GPO to block USB devices for all domain users, but it hasn't worked on some PCs. It seems the policy couldn't be applied to those PCs. Please help me find a solution for this issue. Thanks!


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


2 answers

  1. Anonymous
    2024-10-25T13:00:15+00:00

    Hello LAM TUNG DINH,

    Thank you for posting in Microsoft Community forum.

    1. What specific GPO settings did you configure? Under user configuration or computer configuration?

    2. Where did you link this GPO?

    If you link this GPO to an OU with domain user objects and you configure user GPO settings, you should add the domain user objects to this OU.

    If you link this GPO to an OU with domain computer objects and you configure computer GPO settings, you should add the domain computer objects to this OU.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

  2. Anonymous
    2025-02-19T07:12:22+00:00

    Hello

    The following is a collection of problems currently being experienced by other users online.

    It sounds like you're having trouble with Group Policy not being applied to some domain computers, specifically the policy to block USB devices. There are several reasons why this could be happening, and here are some steps you can follow to troubleshoot and resolve the issue:

    1. Verify GPO is Linked and Applied Correctly

    Check GPO Link: Ensure that the GPO is linked to the correct Organizational Unit (OU) where the target computers reside.

    Open Group Policy Management and verify that the GPO is applied to the correct OU or domain.

    GPO Scope: Confirm that the security filtering on the GPO allows the intended computers or users to apply it. The default security filtering is usually set to apply to "Authenticated Users," but check to ensure it's not restricted to a specific group.

    2. Force a Group Policy Update

    On the problematic computers, run the following commands in Command Prompt (Run as Administrator):

    gpupdate /force

    gpresult /h gpresult.html

    This will generate a report of the Group Policy application. Check the generated gpresult.html file to see if there are any issues or errors.

    You can also try restarting the affected machines to see if that resolves the issue.

    3. Check Group Policy Processing

    Event Logs: Check the Event Viewer on the affected PCs for any Group Policy errors. Look under Applications and Services Logs > Microsoft > Windows > GroupPolicy > Operational. This will give you detailed information on whether the policy is being applied or not.

    Resultant Set of Policy (RSoP): You can also run Resultant Set of Policy (RSoP) on the affected machines:

    Open Run and type rsop.msc.

    This will show you the policies that are applied to the machine. Check if your USB block policy is listed.

    4. Ensure the Policy Settings Are Correct

    Double-check the settings in the GPO. For blocking USB devices, it might look like this:

    Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access

    Set All Removable Storage classes: Deny all access to Enabled.

    Verify that the policy is Enabled and not just Not Configured.

    5. Group Policy Inheritance

    Ensure that there are no conflicting policies that might be overriding the USB-blocking policy. Sometimes, settings in higher-level OUs (like the domain or parent OUs) can override child OU settings.

    Group Policy Inheritance: Right-click the GPO in Group Policy Management and choose Group Policy Inheritance. This will show if other policies are overriding your USB block policy.

    6. Check for Windows Firewall or Antivirus Interference

    Some third-party antivirus software or Windows Defender may interfere with the application of GPOs or the enforcement of device control policies.

    Temporarily disable the antivirus/firewall on the affected PCs and see if the policy gets applied after a reboot.

    7. Check for GPO Processing Issues (Network Issues)

    Sometimes GPOs fail to apply due to network issues, DNS problems, or issues with Active Directory replication. Ensure that the affected PCs can properly reach the domain controller, and that DNS is resolving correctly.

    Check if Active Directory replication is occurring as expected.

    8. Check GPO Permissions

    Ensure that the Group Policy permissions for the GPO are set up properly and that the computers have permission to read and apply the policy.

    Right-click on the GPO in Group Policy Management and select Edit.

    Go to the Delegation tab and make sure Authenticated Users or the specific computer group has the correct permissions.

    I hope the above information is helpful to you.

    Best regards

    Runjie Zhai

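The checks from the two answers above (OU placement, forced refresh, RSoP result, the applied setting, and the GroupPolicy Operational log) can be collected into one script to run on an affected PC. This is an added example, not code from either answer. It assumes the GPO uses the computer-side "All Removable Storage classes: Deny all access" setting, which writes the `Deny_All` value under the policy key shown, and `$GpoName` is a placeholder.

```powershell
# Added example: run in an elevated PowerShell session on an affected, domain-joined PC.
# $GpoName is a placeholder; replace it with the display name of your USB-blocking GPO.
$GpoName = 'Block USB Storage'
$Report  = Join-Path $env:TEMP 'gpresult-computer.xml'

# 1. Where does the computer object live? Computer settings only apply if the GPO
#    is linked at this OU or at a container above it.
$searcher = [adsisearcher]"(&(objectCategory=computer)(name=$env:COMPUTERNAME))"
$dn = $searcher.FindOne().Properties['distinguishedname'][0]
"Computer DN : $dn"

# 2. Refresh computer policy, then export the computer-scope RSoP as XML (/f overwrites).
gpupdate /target:computer /force
gpresult /scope computer /x $Report /f | Out-Null
[xml]$rsop = Get-Content -Path $Report -Raw

# 3. Is the GPO in the computer's result set, and was it filtered out or denied?
#    Element names are those used in the gpresult /x report; confirm against your own file.
$gpo = $rsop.Rsop.ComputerResults.GPO | Where-Object { $_.Name -eq $GpoName }
if (-not $gpo) {
    "GPO '$GpoName' is not in scope for this computer; check the link against the DN above."
} else {
    $gpo | Select-Object Name, Enabled, IsValid, FilterAllowed, AccessDenied,
        @{ n = 'LinkedAt'; e = { $_.Link.SOMPath -join '; ' } } | Format-List
}

# 4. Did the setting reach the registry? 1 means "Deny all access" is Enabled.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$deny = (Get-ItemProperty -Path $key -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
"Deny_All    : $(if ($null -eq $deny) { 'not set' } else { $deny })"

# 5. Errors (level 2) and warnings (level 3) from the last day of Group Policy processing.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Level     = 2, 3
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message -First 10 | Format-List
```

A GPO that shows `FilterAllowed : false` or `AccessDenied : true` points at security filtering or delegation, while a GPO missing from the result set points at the link or the computer's OU.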