Failure Scenario

Group Policy applies inconsistently because stale domain controllers still answer some client requests.

This page is for incidents where GPO looks “random”: some users or subnets receive the new policy, others hold onto old settings, and test results shift after reboot or network location changes.

Policy inconsistency is often a DC and SYSVOL consistency problem before it is a GPO problem.

Clients apply policy through the domain controllers they locate and the SYSVOL content they can reach. If DC locator behavior, site awareness, SYSVOL replication, or replication freshness is inconsistent, policy results will appear random even when the GPO itself is correct.

Track which controller each client is actually using.

  • Identify the DC contacted by healthy versus unhealthy clients.
  • Compare SYSVOL state and policy version across those controllers.
  • Check replication health for the partitions that affect policy and logon behavior.
  • Validate site/subnet mapping so DC locator sends clients to the intended site.
  • Separate computer policy, user policy, and loopback-driven effects.

Prove the inconsistency instead of chasing it by feel.

  • Gather results from both an affected and unaffected client in the same timeframe.
  • Map each client to the DC and SYSVOL source it actually used.
  • Repair replication or site mapping before changing the GPO itself.
  • Retest once clients consistently bind to healthy controllers.
  • Only revisit policy logic after domain-controller consistency is restored.
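
One way to run the "compare SYSVOL state and policy version across those controllers" check from the lists above. This is an added, read-only example, not part of the original page. It assumes the ActiveDirectory RSAT module and uses the well-known Default Domain Policy GUID as a stand-in for the GPO under investigation.

```powershell
# Added example: compare one GPO's directory version and SYSVOL version on every DC.
# Read-only; requires the ActiveDirectory module (RSAT) and read access to SYSVOL.
Import-Module ActiveDirectory

# Assumption: Default Domain Policy GUID; replace with the GPO you are investigating.
$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'

$domain = Get-ADDomain
$gpcDn  = "CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DC = $dc.HostName; Site = $dc.Site
        ADVersion = $null; SysvolVersion = $null; Note = ''
    }
    try {
        # Version held in this DC's copy of the directory (AD replication).
        $gpc = Get-ADObject -Identity $gpcDn -Server $dc.HostName -Properties versionNumber -ErrorAction Stop
        $row.ADVersion = [long]$gpc.versionNumber

        # Version held in this DC's copy of SYSVOL (file replication).
        $ini  = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid\GPT.ini"
        $line = Get-Content -Path $ini -ErrorAction Stop |
                    Where-Object { $_ -match '^\s*Version\s*=\s*\d+' } |
                    Select-Object -First 1
        if ($line -match '=\s*(\d+)') { $row.SysvolVersion = [long]$Matches[1] }
    } catch {
        # Unreachable DC, missing GPC object, or missing GPT.ini: keep the reason.
        $row.Note = $_.Exception.Message
    }
    [pscustomobject]$row
}

# The highest directory version seen on any DC is treated as the reference.
$latest = ($report | Measure-Object -Property ADVersion -Maximum).Maximum

$report | Select-Object *, @{ n = 'Status'; e = {
        if     ($_.Note)                              { 'ERROR' }
        elseif ($_.ADVersion -ne $_.SysvolVersion)    { 'AD/SYSVOL MISMATCH' }
        elseif ($_.ADVersion -lt $latest)             { 'STALE' }
        else                                          { 'OK' } } } |
    Sort-Object Status, Site | Format-Table -AutoSize
```

On an affected and an unaffected client, `nltest /dsgetdc:<domain>` and the "Group Policy was applied from" line of `gpresult /r` name the DC each one used; match those names against the table to see whether the affected clients land on a STALE or MISMATCH controller.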