Windows 8.1 - Security policies not applying

    Question

  • Hi All,

    I'm having a bit of an issue with group policy settings not applying on Windows 8.1. Most of the policies are applying as they should but for some reason certain security settings (Password policy, Account lockout policy, Interactive logon message etc.) are not.

    I can see from GPResult that the policy is not filtered out and can confirm that some of the settings from the policy are getting applied!

    FYI: The DC is WS2003 and we have not imported the Windows 8.1 ADMX templates... Could that be causing the issue?

    Any help you guys might be able to offer would be greatly appreciated!

    Thursday, May 15, 2014 3:35 PM

Answers

  • I think I've tracked it down.

    For some reason the following registry values were set to 1, meaning that security policies would not be processed.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\NoMachinePolicy

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\NoUserPolicy

    Source:

    http://support.microsoft.com/kb/216358


    • Edited by Grantypap Friday, May 16, 2014 5:13 PM
    • Marked as answer by Grantypap Monday, May 19, 2014 7:30 AM
    Friday, May 16, 2014 5:12 PM
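
A check for the condition described in this answer, as an added example that is not part of the original post: it lists every Group Policy client-side extension under GPExtensions that has NoMachinePolicy or NoUserPolicy set, and flags the GUID quoted above. It goes beyond the thread by scanning all extensions rather than only that one GUID; the function name Get-DisabledGpExtension is hypothetical.

```powershell
# Added example (not from the thread): audit Group Policy client-side
# extensions for the NoMachinePolicy / NoUserPolicy values named in the answer.
$gpExtRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$securityCse = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'   # GUID quoted in the thread
$valueNames  = 'NoMachinePolicy', 'NoUserPolicy'

# Hypothetical helper name, introduced for this example only.
function Get-DisabledGpExtension {
    param([string]$Root = $gpExtRoot)

    foreach ($key in Get-ChildItem -Path $Root -ErrorAction Stop) {
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($name in $valueNames) {
            # A missing value reads back as $null and is treated as "not set".
            # The thread reports 1 as the value that stopped processing;
            # any non-zero value is reported here so it can be reviewed.
            $value = $props.$name
            if ($null -ne $value -and [int]$value -ne 0) {
                [pscustomobject]@{
                    ExtensionGuid = $key.PSChildName
                    DisplayName   = $props.'(default)'
                    ValueName     = $name
                    Value         = $value
                    IsSecurityCse = ($key.PSChildName -eq $securityCse)
                }
            }
        }
    }
}

$findings = @(Get-DisabledGpExtension)
if ($findings.Count -eq 0) {
    'No GP extension has NoMachinePolicy or NoUserPolicy set.'
} else {
    # Show the extension from the thread first, then any others.
    $findings | Sort-Object IsSecurityCse -Descending | Format-Table -AutoSize
}
```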

All replies

  • What do you see when you do RSOP on Win 8.1? Are policies being applied, or are some failing?

    Arnav Sharma | http://arnavsharma.net/

    Friday, May 16, 2014 3:35 AM
  • As far as I know, security policies like Password policy, Account lockout policy and Interactive logon message should work even if the DC is Win Server 2003.

    I suggest you check whether these policies are overridden by other GPOs due to the GPO priority. You can find detailed information in this link:

    Group Policy processing and precedence

    http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx

    Yolanda Zhu
    TechNet Community Support

    Friday, May 16, 2014 6:41 AM
  • The only error I'm seeing is on Internet Explorer Branding (under user configuration). All other components are successful. The desired security settings are not showing within RSOP or by running GPResult /h.

    Friday, May 16, 2014 9:26 AM
  • Hi, I've double checked and it all looks good.

    I've set the 'Logon Message' as a local policy and I can see it when logging on (but still not through RSOP or GPResult).

    As Local Policies have the lowest priority and should be overridden by Group Policies, does that mean it's ignoring the specific security setting... for some reason?!

    Thanks for everyone's help so far!

    Friday, May 16, 2014 9:44 AM