Policy applied is ghost. Where's it cached?

    Question

  • I know lengthy posts don’t get much response, because of the intense focus required on the reader’s part, to fully understand the situation presented. I’ll try my best to be to the point here. Domain names and IP schema are not the actual ones in use presented here, for obvious reasons.

    Lab setup: Server 2008R2 domain controller set up as test.local domain. This PDC also has WSUS installed. Workstations are not joined to the test domain, and I use a wsus.reg file that I merge in the workstation registry to get it to point at the test.com WSUS. When setting up new workstations, this saves a ton of time getting them up to date before deploying them to the production domain.

    Production setup: Server 2012R2 Standard as PDC.  This server has AD, DNS, DHCP and Group Policy Management roles.

    Domain has mix of Win 7 Pro and Win 8.1 Pro.

    Also have a Server 2008R2 Standard member server joined to the domain. The 2008R2 server does NOT have AD installed. It’s joined to the domain no differently than the workstations are. The 2008R2 server has WSUS installed, along with RD Gateway all configured with a certificate for remote access, and was the very last computer to be joined to the domain.

    Problem: I have a WSUS policy on the PDC that directs workstations to point to the 2008R2 server for their WSUS updates. But the distribution of this policy is the weirdest thing I’ve ever seen. If I remove the policy (by remove, I mean delete it from existence in its entirety) then nothing is distributed to the workstations. On any workstation I can check the registry at HKLM/Software/Policies/Microsoft/Windows and the WindowsUpdate key is not there as expected. Starting the Windows Update applet in control panel shows that it gets updates from the MS site. All as expected.

    However, when I create and implement the policy to point to my WSUS server in the production environment, policy distribution “appears” to occur because the WindowsUpdate key appears in the registry as it should. HOWEVER (and this is the weird part) the values of the WUServer and WUStatusServer show it pointing to the WSUS server in the lab. Completely different IP address! This occurs on about 10 workstations, a mix of Win 7 and 8.1.

    I’ve deleted the policy, rebooted all servers and workstations, recreated policies, ran gpupdate /force until my fingers hurt, and I just can’t seem to get it to point to anything but the production server which is in another city 15 miles away with no physical connection of any type, in any way, form or fashion to the test lab setup. Where is this cached at on the workstations? Note that all of these computers have been reloaded from the ground up within the last month or so. So this is in effect, a  “new” production network in every sense of the word.

    Friday, May 20, 2016 6:43 PM

Answers

  • Okay, I've got the problem solved. Seems the cause was "user error" whereas I had forgotten a very basic GPO fundamental. I'll repeat it here for the sake of others, as I've seen a few other posts in this forum with the same problem as me, just with different policies.

    The order in which policies are applied does matter. Machine/Computer policies need to be applied before user policies. Since my WSUS policy is a machine/computer policy, when it's listed last among my 9 policies, it will not get applied. If it does get applied, then either it's not applied correctly, or I just get lucky. Since machine policies are applied on boot and user policies applied on login, by having the WSUS machine policy last it was either not being applied at all on user login, or was applied incorrectly using cached information from somewhere in la-la land.

    When I grouped my policies it was more than just making machine policies first in the order of application too. Policies need to be applied in the order they appear in the policy template. I have 5 computer policies. Since the WSUS policy is actually the last policy in the Computer Configuration container of the template, I made it the 5th policy applied in the policy application order list of the GUI.

    Same rule holds true for user policies. User policies should be applied after machine policies, and those user policies should be applied in the order they are in the Users Configuration section of the policy template.

    Once I did all this, not only were all policies applied correctly every time on every computer, I also had two more computers pop up in the WSUS Console this morning, that I was totally unaware of having this issue, due to my focus on the 10 other computers I was aware of.

    Much thanks to DonPick for helping me get my head straight. This was a case of I couldn't see the forest because the trees were in the way. A return to the simple basics of GPO fundamentals is all that was needed to figure this out and fix it.

    • Marked as answer by Carl1959 Saturday, May 21, 2016 5:16 PM
    Saturday, May 21, 2016 5:16 PM

All replies

  • So, when you create and link a GPO, what actually arrives at the scoped client machine, is different from what you've configured within the GPO?

    At an affected client machine (use Win8.1 for this if you can, because it will show you more detail than Win7), do a gpresult /h blah.html

    Open the html file in IE and look for anomalies.

    Domain Group Policy (assuming you're using the classic Admin Templates methods and not GPP) mainly consists of .POL files, which are delivered to the client and are merged during the GP processing by the CSE's at the client.

    You can sometimes find that stale .POL files might get left behind, from a previous configuration, and this can throw weird symptoms.

    Or, there might be some AD replication or SYSVOL replication issues, such that the Domain GP creation process is not correctly completing (or it could be getting interference from some "security" product).

    When you are "deleting" and "creating" the Domain GP, are you doing that via GPMC/GPME, or are you using some scripting or import/export tools?


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Saturday, May 21, 2016 12:01 AM
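
The reply above says Administrative Templates settings are delivered as .POL files. As an added example (not from the thread and not Microsoft code), this Python parser reads the Registry.pol layout, a `PReg` header followed by `[key;value;type;size;data]` records in UTF-16LE, and reports any WUServer/WUStatusServer value that differs from the WSUS URL you expect. The host names, `EXPECTED_URL` and the sample file are constructed for the example.

```python
import struct

REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4
WU_KEY = r"Software\Policies\Microsoft\Windows\WindowsUpdate"
EXPECTED_URL = "http://wsus-prod.example:8530"   # assumption: placeholder URL


def _expect(blob, pos, ch):
    """Consume one UTF-16LE delimiter character or fail loudly."""
    if blob[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def _read_wstr(blob, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next_pos)."""
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        if end + 2 > len(blob):
            raise ValueError("unterminated string")
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2


def _u32(blob, pos):
    """Read a little-endian DWORD; return (value, next_pos)."""
    if pos + 4 > len(blob):
        raise ValueError("truncated file")
    return struct.unpack_from("<I", blob, pos)[0], pos + 4


def parse_registry_pol(blob):
    """Return a list of (key, value_name, reg_type, data_bytes) records."""
    if len(blob) < 8 or blob[:4] != b"PReg":
        raise ValueError("not a Registry.pol file")
    version, pos = _u32(blob, 4)
    if version != 1:
        raise ValueError(f"unsupported version {version}")
    entries = []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        name, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        reg_type, pos = _u32(blob, pos)
        pos = _expect(blob, pos, ";")
        size, pos = _u32(blob, pos)
        pos = _expect(blob, pos, ";")
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data")
        pos = _expect(blob, pos + size, "]")
        entries.append((key, name, reg_type, data))
    return entries


def decode_value(reg_type, data):
    """Turn raw record data into a str or int where the type is known."""
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\x00")
    if reg_type == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    return data


def wsus_mismatches(entries, expected_url):
    """Return {value_name: url} for WSUS server values that differ from expected_url."""
    bad = {}
    for key, name, reg_type, data in entries:
        if key.lower() == WU_KEY.lower() and name in ("WUServer", "WUStatusServer"):
            url = decode_value(reg_type, data)
            if url.rstrip("/").lower() != expected_url.rstrip("/").lower():
                bad[name] = url
    return bad


def build_entry(key, name, reg_type, data):
    """Helper used only to construct the sample file below."""
    w = lambda s: s.encode("utf-16-le")
    return (w("[") + w(key + "\0") + w(";") + w(name + "\0") + w(";")
            + struct.pack("<I", reg_type) + w(";")
            + struct.pack("<I", len(data)) + w(";") + data + w("]"))


# Constructed sample: one stale server value, one correct, one DWORD.
SAMPLE_POL = b"PReg" + struct.pack("<I", 1) + b"".join([
    build_entry(WU_KEY, "WUServer", REG_SZ,
                "http://wsus-lab.example:8530\0".encode("utf-16-le")),
    build_entry(WU_KEY, "WUStatusServer", REG_SZ,
                "http://wsus-prod.example:8530\0".encode("utf-16-le")),
    build_entry(WU_KEY + r"\AU", "UseWUServer", REG_DWORD, struct.pack("<I", 1)),
])

if __name__ == "__main__":
    for key, name, reg_type, data in parse_registry_pol(SAMPLE_POL):
        print(f"{key}\\{name} = {decode_value(reg_type, data)!r}")
    print("mismatches:", wsus_mismatches(parse_registry_pol(SAMPLE_POL), EXPECTED_URL))
```

On a real system the input would be the bytes of a GPO's `Machine\Registry.pol` under SYSVOL, or the local copy at `%SystemRoot%\System32\GroupPolicy\Machine\Registry.pol`.
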
  • Yes. On the workstation I delete the WSUS entries in the registry manually. Then I reboot the computer so that the policy from the production server will be applied. However, it appears as if the workstation "magically" gets the policy settings from the test server in the lab 15 miles away (which is physically impossible - so it has to be magic. :)) But just to reiterate as a reminder, if I delete the policy from the production server entirely, then no WSUS policy is applied to any workstation on the domain. I put the policy back, and it's successfully applied to every workstation on the domain, with 10 of the workstations pointing to the test WSUS server in the lab, which is 15 miles away and not connected to the production domain in any way, form or fashion.

    Did a gpresult /v on a Win 7 machine (Win 8.1 not available to me for this at the moment) and there's nothing "abnormal" that jumps out at me - other than the fact it's setting the wsus server in the registry to the WSUS server in the lab 15 miles away. The results file is at the end of this post, for your review. Note that computer names, domain names and the such have been changed from what they "really" are, for obvious reasons.

    As for policy templates, I've honestly no clue what you're talking about with admin templates method and GPP. I'm using whatever is installed by default in WinServer 2008R2 Std when you add the group policy role.

    I'm not sure what .POL files are (other than the fact that .POL is short for policy) and a search of the workstation hard drive reveals no files with a .pol filename extension. However, there are a fair number of java.policy files that I don't think relate to this issue.

    I'm not following you clearly on your reference to replication or SYSVOL replication issues. All 24 computers use the same common login username of DOMAIN\USER (not the real one of course), yet only about 10 of the computers have this specific issue, and only with this specific policy. All other policies are applied and implemented just fine.

    When I'm deleting/creating the policies in the production domain, I'm using the GUI provided for policy management in the administrative tools applet of Control Panel on the Server 2012R2 Std domain controller.

    I'm by no means an expert when it comes to GPOs, yet I do have what I consider to be a deeply clear understanding of how to "manage" them. But when it comes to dealing with issues such as this, Sheldon Cooper knows more about social skills than I do about the inner workings of GPO. That's why I suspect these 10 computers are pulling the policy from a local cache, and calling that "good/applied successfully", when it needs to be pulling from the actual server itself. If my suspicions are correct, then all I need to know is where this secret cache location is, so I can clear it.

    Of course, knowing how MS does things, it won't be this simple, right? So I greatly appreciate you taking the time to address this with me.

    For the below results file, (so you can better understand it) I have a custom group in AD called "WSUS Computers" and only the domain computers are in this group. No, I am not using targeting either. Here's the results file. The results file is broken up in separate posts, since I'm limited to 6000 characters.

    Saturday, May 21, 2016 2:34 AM
  • Created On 5/20/2016 at 10:05:12 PM

    RSOP data for DOMAIN\user on MYCOMPUTER : Logging Mode
    -----------------------------------------------------------

    OS Configuration:            Member Workstation
    OS Version:                  6.1.7601
    Site Name:                   Default-First-Site-Name
    Roaming Profile:             N/A
    Local Profile:               C:\Users\user
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=MYCOMPUTER,CN=Computers,DC=DOMAIN,DC=LOCAL
        Last time Group Policy was applied: 5/20/2016 at 10:01:30 PM
        Group Policy was applied from:      DOMAINSERVER.DOMAIN.LOCAL
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        DOMAIN
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            WSUS Policy
            MSE Policy
            Workstation Restart Policy
            Windows Defender Policy
            Remote Users Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            IE Policy
                Filtering:  Not Applied (Empty)

            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            IIS_WPG
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            MYCOMPUTER$
            WSUS Computers
            Domain Computers
            Authentication authority asserted identity
            System Mandatory Level
           
        Resultant Set Of Policies for Computer
        ---------------------------------------

            Software Installations
            ----------------------
                N/A

            Startup Scripts
            ---------------
                N/A

            Shutdown Scripts
            ----------------
                N/A

            Account Policies
            ----------------
                GPO: Default Domain Policy
                    Policy:            MaximumPasswordAge
                    Computer Setting:  4294967295

                GPO: Default Domain Policy
                    Policy:            MinimumPasswordAge
                    Computer Setting:  N/A

                GPO: Default Domain Policy
                    Policy:            LockoutBadCount
                    Computer Setting:  N/A

                GPO: Default Domain Policy
                    Policy:            PasswordHistorySize
                    Computer Setting:  24

                GPO: Default Domain Policy
                    Policy:            MinimumPasswordLength
                    Computer Setting:  6

            Audit Policy
            ------------
                N/A

            User Rights
            -----------
                N/A

            Security Options
            ----------------
                GPO: Default Domain Policy
                    Policy:            PasswordComplexity
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            ClearTextPassword
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            ForceLogoffWhenHourExpire
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            RequireLogonToChangePassword
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            LSAAnonymousNameLookup
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            @wsecedit.dll,-59058
                    ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
                    Computer Setting:  1

            Event Log Settings
            ------------------
                N/A

            Restricted Groups
            -----------------
                GPO: Remote Users Policy
                    Groupname: Remote Desktop Users
                    Members:   DOMAIN\user
                               DOMAIN\rbeckett
                              
            System Services
            ---------------
                N/A

            Registry Settings
            -----------------
                N/A

            File System Settings
            --------------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AcceptTrustedPublisherCerts
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\IncludeRecommendedUpdates
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Scan\DisableRemovableDriveScanning
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\EnableFeaturedSoftware
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Servicing\UseWindowsUpdate
                    State:       disabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer
                    Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 49, 0, 55, 0, 50, 0, 46, 0, 50, 0, 48, 0, 46, 0, 54, 0, 53, 0, 46, 0, 50, 0, 58, 0, 56, 0, 53, 0, 51, 0, 48, 0, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Scan\DisableEmailScanning
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Scan\DisableArchiveScanning
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Scan\AllowPause
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Scan\ScheduleTime
                    Value:       236, 4, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Servicing\RepairContentServerSource
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RebootWarningTimeout
                    Value:       15, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Signature Updates\ScheduleTime
                    Value:       176, 4, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\2
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Scan\DisableRestorePoint
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions
                    Value:       4, 0, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Scan\CheckForSignaturesBeforeRunningScan
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Scan\AvgCPULoadFactor
                    Value:       100, 0, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Quarantine\PurgeItemsAfterDelay
                    Value:       5, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\1
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\DisableOSUpgrade
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Scan\ScheduleDay
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Scan\AvgCPULoadFactor
                    Value:       95, 0, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Scan\DisableCatchupFullScan
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer
                    Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 49, 0, 55, 0, 50, 0, 46, 0, 50, 0, 48, 0, 46, 0, 54, 0, 53, 0, 46, 0, 50, 0, 58, 0, 56, 0, 53, 0, 51, 0, 48, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AlwaysAutoRebootAtScheduledTimeMinutes
                    Value:       15, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\DisableRoutinelyTakingAction
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Scan\PurgeItemsAfterDelay
                    Value:       7, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AutomaticMaintenanceEnabled
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Scan\DisableCatchupQuickScan
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Signature Updates\DisableScheduledSignatureUpdateOnBattery
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\SpyNet\SpyNetReporting
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Remediation\Scan_ScheduleTime
                    Value:       236, 4, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Scan\ScheduleTime
                    Value:       44, 1, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Scan\ArchiveMaxDepth
                    Value:       20, 0, 0, 0
                    State:       Enabled

    Saturday, May 21, 2016 2:51 AM
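
In the `gpresult /v` output above, Administrative Templates values are printed as comma-separated bytes, so the WSUS URL is not readable at a glance. As an added example (not part of the original posts), this Python code parses that section, decodes each byte list, and reports which GPO set WUServer and WUStatusServer. The sample text is three entries copied from the post above, and because gpresult omits the registry type, the DWORD/string decoding is a heuristic.

```python
# Three entries excerpted from the gpresult /v post above.
SAMPLE = r"""
                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions
                    Value:       4, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer
                    Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 49, 0, 55, 0, 50, 0, 46, 0, 50, 0, 48, 0, 46, 0, 54, 0, 53, 0, 46, 0, 50, 0, 58, 0, 56, 0, 53, 0, 51, 0, 48, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Servicing\UseWindowsUpdate
                    State:       disabled
"""

WU_PREFIX = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate"


def parse_admin_templates(text):
    """Collect GPO / KeyName / Value / State blocks from gpresult /v text."""
    entries, cur = [], None
    for line in text.splitlines():
        field, _, rest = line.strip().partition(":")
        rest = rest.strip()
        if field == "GPO":
            cur = {"gpo": rest, "key": None, "raw": None, "state": None}
            entries.append(cur)
        elif cur is None:
            continue
        elif field == "KeyName":
            cur["key"] = rest
        elif field == "Value":
            # "104, 0, 116, 0" -> b"h\x00t\x00"
            cur["raw"] = bytes(int(n) for n in rest.split(","))
        elif field == "State":
            cur["state"] = rest
    # Blocks without a KeyName (Account Policies etc.) are not registry values.
    return [e for e in entries if e["key"]]


def decode_bytes(raw):
    """Heuristic decode: 4 bytes -> DWORD, NUL-terminated UTF-16LE -> str."""
    if raw is None:
        return None
    if len(raw) == 4:
        return int.from_bytes(raw, "little")
    if len(raw) % 2 == 0 and raw[-2:] == b"\x00\x00":
        try:
            return raw.decode("utf-16-le").rstrip("\x00")
        except UnicodeDecodeError:
            pass
    return raw


def windows_update_servers(entries):
    """Return {value_name: (gpo_name, decoded_url)} for the WSUS server values."""
    found = {}
    for e in entries:
        if not e["key"].lower().startswith(WU_PREFIX.lower()):
            continue
        name = e["key"].rsplit("\\", 1)[1]
        if name in ("WUServer", "WUStatusServer"):
            found[name] = (e["gpo"], decode_bytes(e["raw"]))
    return found


if __name__ == "__main__":
    parsed = parse_admin_templates(SAMPLE)
    for e in parsed:
        print(f'{e["gpo"]:<22} {e["key"]} = {decode_bytes(e["raw"])!r} ({e["state"]})')
    print(windows_update_servers(parsed))
```
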
  •             GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Signature Updates\ScheduleDay
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Remediation\Scan_ScheduleDay
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Scan\CheckForSignaturesBeforeRunningScan
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallTime
                    Value:       23, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableOnAccessProtection
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Scan\DisableCatchupFullScan
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Scan\ScanOnlyIfIdle
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Spynet\SpynetReporting
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Scan\ScanParameters
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\DetectionFrequencyEnabled
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\ElevateNonAdmins
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\UX Configuration\DisablePrivacyMode
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Scan\ScanOnlyIfIdle
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\4
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Scan\ScanParameters
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AutoInstallMinorUpdates
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Signature Updates\SignatureUpdateInterval
                    Value:       6, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Signature Updates\ForceUpdateFromMU
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Scan\DisableRemovableDriveScanning
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RebootWarningTimeoutEnabled
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Windows Defender Policy
                    KeyName:     Software\Policies\Microsoft\Windows Defender\Scan\DisableRestorePoint
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableIOAVProtection
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AlwaysAutoRebootAtScheduledTime
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Scan\ScheduleDay
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\5
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallDay
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: MSE Policy
                    KeyName:     Software\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableRealTimeMonitoring
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: WSUS Policy
                    KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\DetectionFrequency
                    Value:       1, 0, 0, 0
                    State:       Enabled


    USER SETTINGS
    --------------
        CN=JVC User,OU=Active Business Users,DC=DOMAIN,DC=LOCAL
        Last time Group Policy was applied: 5/20/2016 at 10:02:55 PM
        Group Policy was applied from:      DOMAINSERVER.DOMAIN.LOCAL
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        DOMAIN
        Domain Type:                        Windows 2000
       
        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            Folder Redirection Policy
            IE Policy
            Block Google Chrome Policy
            Desktop Background Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Windows Defender Policy
                Filtering:  Not Applied (Empty)

            WSUS Policy
                Filtering:  Denied (Security)

            Local Group Policy
                Filtering:  Not Applied (Empty)

            MSE Policy
                Filtering:  Not Applied (Empty)

            Remote Users Policy
                Filtering:  Denied (Security)

            Workstation Restart Policy
                Filtering:  Denied (Security)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            Remote Desktop Users
            BUILTIN\Users
            BUILTIN\Administrators
            REMOTE INTERACTIVE LOGON
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Domain Admins
            Desktop Background Group
            Redirected Folders Group
            Authentication authority asserted identity
            Denied RODC Password Replication Group
            High Mandatory Level
           
        The user has the following security privileges
        ----------------------------------------------

            Bypass traverse checking
            Shut down the system
            Remove computer from docking station
            Increase a process working set
            Change the time zone
            Manage auditing and security log
            Back up files and directories
            Restore files and directories
            Change the system time
            Force shutdown from a remote system
            Take ownership of files or other objects
            Debug programs
            Modify firmware environment values
            Profile system performance
            Profile single process
            Increase scheduling priority
            Load and unload device drivers
            Create a pagefile
            Adjust memory quotas for a process
            Perform volume maintenance tasks
            Impersonate a client after authentication
            Create global objects
            Create symbolic links

        Resultant Set Of Policies for User
        -----------------------------------

            Software Installations
            ----------------------
                N/A

            Logon Scripts
            -------------
                GPO: Folder Redirection Policy
                    Name:         regedit.exe
                    Parameters:   /s offlinefiles.reg
                    LastExecuted: 2:02:57 AM

            Logoff Scripts
            --------------
            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\Description
                    Value:       0, 0
                    State:       Enabled

                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\Description
                    Value:       0, 0
                    State:       Enabled

                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{f49a403b-5889-4eea-9ec7-755cfc3cf7da}\Description
                    Value:       0, 0
                    State:       Enabled

                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\SaferFlags
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{b9724719-9893-49a7-9f7f-5c118887ae0b}\SaferFlags
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\PolicyScope
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{1eba8a10-699e-4428-9b7c-870194ed661b}\Description
                    Value:       0, 0
                    State:       Enabled

                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel
                    Value:       0, 0, 4, 0
                    State:       Enabled

                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{f05b1eb1-8e51-4c54-8305-9099b70b1ac6}\SaferFlags
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{f49a403b-5889-4eea-9ec7-755cfc3cf7da}\SaferFlags
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{b9724719-9893-49a7-9f7f-5c118887ae0b}\Description
                    Value:       0, 0
                    State:       Enabled

                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\SaferFlags
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{1eba8a10-699e-4428-9b7c-870194ed661b}\SaferFlags
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Desktop Background Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\System\WallpaperStyle
                    Value:       52, 0, 0, 0
                    State:       Enabled

                GPO: IE Policy
                    KeyName:     Software\Policies\Microsoft\Internet Explorer\Main\Start Page
                    Value:       104, 0, 116, 0, 116, 0, 112, 0, 115, 0, 58, 0, 47, 0, 47, 0, 119, 0, 119, 0, 119, 0, 46, 0, 103, 0, 111, 0, 111, 0, 103, 0, 108, 0, 101, 0, 46, 0, 99, 0, 111, 0, 109, 0, 47, 0, 63, 0, 103, 0, 119, 0, 115, 0, 95, 0, 114, 0, 100, 0, 61, 0, 115, 0, 115, 0, 108, 0, 0, 0
                    State:       Enabled

                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{f05b1eb1-8e51-4c54-8305-9099b70b1ac6}\ItemData
                    Value:       103, 0, 101, 0, 97, 0, 114, 0, 115, 0, 45, 0, 99, 0, 104, 0, 114, 0, 111, 0, 109, 0, 101, 0, 45, 0, 111, 0, 112, 0, 116, 0, 46, 0, 109, 0, 115, 0, 105, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Explorer\PowerButtonAction
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Desktop Background Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\System\Wallpaper
                    Value:       92, 0, 92, 0, 106, 0, 118, 0, 104, 0, 115, 0, 101, 0, 114, 0, 118, 0, 101, 0, 114, 0, 92, 0, 100, 0, 101, 0, 115, 0, 107, 0, 116, 0, 111, 0, 112, 0, 92, 0, 105, 0, 109, 0, 97, 0, 103, 0, 101, 0, 46, 0, 106, 0, 112, 0, 103, 0, 0, 0
                    State:       Enabled

                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{f05b1eb1-8e51-4c54-8305-9099b70b1ac6}\Description
                    Value:       0, 0
                    State:       Enabled

                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{1eba8a10-699e-4428-9b7c-870194ed661b}\ItemData
                    Value:       99, 0, 104, 0, 114, 0, 111, 0, 109, 0, 101, 0, 115, 0, 101, 0, 116, 0, 117, 0, 112, 0, 46, 0, 101, 0, 120, 0, 101, 0, 0, 0
                    State:       Enabled

                GPO: Block Google Chrome Policy
                    KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{f49a403b-5889-4eea-9ec7-755cfc3cf7da}\ItemData
                    Value:       99, 0, 104, 0, 114, 0, 111, 0, 109, 0, 101, 0, 46, 0, 101, 0, 120, 0, 101, 0, 0, 0
                    State:       Enabled

                GPO: IE Policy
                    KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage
                    Value:       1, 0, 0, 0
                    State:       Enabled

            Folder Redirection
            ------------------
                GPO: Folder Redirection Policy
                    KeyName:      InstallationType:  basic
                        Grant Type:        Exclusive Rights
                        Move Type:         Contents of Local Directory moved
                        Policy Removal:    Leave folder in existing location
                        Redirecting Group: N/A
                        Redirected Path:   \\DOMAINserver\RedirectedFolders$\%USERNAME%\Documents

    Saturday, May 21, 2016 2:54 AM
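
The `Value:` fields in the `gpresult /v` output above are raw byte lists, so string settings such as `WUServer` cannot be read at a glance. The following is an added example, not part of the original post, that decodes them; the `WUServer` entry and the host `wsus.example.test` are constructed placeholders, and the four-byte DWORD rule is a stated heuristic.

```powershell
# Added example: decode the "Value:" byte lists printed by gpresult /v.

function ConvertFrom-GpresultValue {
    param([Parameter(Mandatory)][string]$ByteList)
    # "104, 0, 116, 0" -> byte[]
    [byte[]]$bytes = $ByteList -split ',' | ForEach-Object { [byte]$_.Trim() }
    # Heuristic (assumption): exactly four bytes is read as a little-endian DWORD;
    # anything else is read as UTF-16LE text with its trailing NUL removed.
    if ($bytes.Length -eq 4) {
        return [System.BitConverter]::ToUInt32($bytes, 0)
    }
    return [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
}

function Get-GpresultRegistrySetting {
    param([Parameter(Mandatory)][string[]]$Lines)
    $gpo = $null; $key = $null
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^\s*GPO:\s*(.+?)\s*$'     { $gpo = $Matches[1]; break }
            '^\s*KeyName:\s*(.+?)\s*$' { $key = $Matches[1]; break }
            '^\s*Value:\s*([\d,\s]+)$' {
                # One object per setting: which GPO wrote which key, and the decoded data.
                [pscustomobject]@{ GPO = $gpo; KeyName = $key
                                   Data = ConvertFrom-GpresultValue $Matches[1] }
                break
            }
        }
    }
}

# Constructed sample: two entries copied from the output above plus a made-up
# WUServer entry (wsus.example.test is a placeholder, not a host from the thread).
$wu = [System.Text.Encoding]::Unicode.GetBytes("http://wsus.example.test:8530`0") -join ', '
$sample = @(
    '    GPO: WSUS Policy'
    '        KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\DetectionFrequency'
    '        Value:       1, 0, 0, 0'
    '        State:       Enabled'
    '    GPO: Block Google Chrome Policy'
    '        KeyName:     Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel'
    '        Value:       0, 0, 4, 0'
    '        State:       Enabled'
    '    GPO: WSUS Policy'
    '        KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer'
    "        Value:       $wu"
    '        State:       Enabled'
)
Get-GpresultRegistrySetting -Lines $sample | Format-Table -AutoSize

# Against a live workstation (elevated prompt, so computer settings are included):
#   Get-GpresultRegistrySetting -Lines (gpresult /v) |
#       Where-Object KeyName -like '*WindowsUpdate*'
```
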
  • Yes. On the workstation I delete the WSUS entries in the registry manually.
    Then I reboot the computer so that the policy from the production server will be applied.
    However, it appears as if the workstation "magically" gets the policy settings from the test server in the lab 15 miles away (which is physically impossible - so it has to be magic. :))

    But just to reiterate as a reminder, if I delete the policy from the production server entirely, then no WSUS policy is applied to any workstation on the domain.
    I put the policy back, and it's successfully applied to every workstation on the domain, with 10 of the workstations pointing to the test WSUS server in the lab, which is 15 miles away and not connected to the production domain in any way, form or fashion.

    Hmm. Generally, and, by default, once a "classic" Admin Templates-based Domain GP (i.e. a nice simple one which merely pokes in some registry keys/values like this one) has been applied, it isn't re-asserted.
    So the first thing which seems odd to me, is that when you manually delete the reg keys, that a reboot is repopulating those keys. That doesn't typically happen. There are ways to cause that to happen, but I'm not seeing any of those methods in your gpresult output.

    I suspect there's something going on outside of Domain GP's direct/obvious influence.
    I can see a user logon script, named "folder redirection", but it looks to be doing a regedit regfile merge. It could be some errant keys/values in that file, or, something else is in play, which isn't showing in your output so I don't think it's GP doing the deed.

    Logon Scripts
    -------------
    GPO: Folder Redirection
    Policy Name: regedit.exe
    Parameters: /s offlinefiles.reg
    LastExecuted: 2:02:57 AM

    Are there any other things on these machines, like a scheduled task, script, something in the Run keys in registry, or some other software product running on the machines which could be "injecting" the incorrect values?

    Does the Windows event log(s) show anything launching or occurring at/around the bootup time?


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Saturday, May 21, 2016 6:55 AM
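
The checks suggested in the reply above (the `.reg` file merged by the logon script, Run keys, scheduled tasks) can be scripted as below. This is an added example, not code from the thread; it assumes English-locale `schtasks` column names, and the path to `offlinefiles.reg` is a placeholder for wherever the logon script's copy lives.

```powershell
# Added example: look for writers of WSUS policy values other than Group Policy.
$wuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusPolicyState {
    # WSUS pointers as the Windows Update client currently reads them.
    $p = Get-ItemProperty -Path $wuPolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{ WUServer = $p.WUServer; WUStatusServer = $p.WUStatusServer }
}

function Find-WsusKeysInRegFile {
    # Lists every value a .reg file would merge under the WindowsUpdate policy key.
    param([Parameter(Mandatory)][string]$Path)
    $section = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\[-?(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -like '*\Policies\Microsoft\Windows\WindowsUpdate*' -and
            $line -match '^\s*("(?<name>[^"]+)"|@)\s*=\s*(?<data>.*)$') {
            [pscustomobject]@{ File = $Path; Key = $section
                               Name = $Matches['name']; Data = $Matches['data'] }
        }
    }
}

function Find-RegMergeLaunchers {
    # Autostart entries whose command line merges a .reg file or names WindowsUpdate.
    $pattern = 'regedit|reg(\.exe)?\s+(add|import)|\.reg\b|WindowsUpdate'
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        $item = Get-Item -Path $k -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if ($cmd -match $pattern) {
                [pscustomobject]@{ Source = $k; Name = $name; Command = $cmd }
            }
        }
    }
    # schtasks.exe is used because the Windows 7 workstations in this thread
    # do not have the ScheduledTasks module (Get-ScheduledTask).
    schtasks.exe /query /fo csv /v | ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'ScheduledTask'; Name = $_.TaskName
                               Command = $_.'Task To Run' }
        }
}

Get-WsusPolicyState
Find-RegMergeLaunchers
# Placeholder path: point this at the offlinefiles.reg the logon script merges.
$regFile = '.\offlinefiles.reg'
if (Test-Path -LiteralPath $regFile) { Find-WsusKeysInRegFile -Path $regFile }
```

Any row returned by `Find-WsusKeysInRegFile` means the logon script itself rewrites the WSUS pointers at every logon, independent of what the GPO contains.
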
  • As for policy templates, I've honestly no clue what you're talking about with admin templates method and GPP. I'm using whatever is installed by default in WinServer 2008R2 Std when you add the group policy role.

    You can see in the gpresult output, that GP is categorised or classified into several different sub-types, one of which, is Administrative Templates. (GPP i.e. Group Policy Preferences, is a different type/method. I can't recall if GPP methods are revealed by gpresult /v, which is why I suggested to use gpresult /h)
    GPP, when used in conjunction with classic GP, can end up in overlapping settings, leading to confusion ;)

    Resultant Set Of Policies for Computer 
    ---------------------------------------       
         Software Installations
             ----------------------
                 N/A       
         Startup Scripts
             ---------------
                 N/A       
         Shutdown Scripts
             ----------------
                 N/A       
         Account Policies
             ----------------
                 <stuff>       
         Audit Policy
             ------------
                 N/A       
         User Rights
             -----------
                 N/A       
         Security Options
             ----------------
                 <stuff>    
         Event Log Settings
             ------------------
                 N/A       
         Restricted Groups
             -----------------
                 <stuff>
                                
         System Services
             ---------------
                 N/A       
         Registry Settings
             -----------------
                 N/A       
         File System Settings
             --------------------
                 N/A       
         Public Key Policies
             -------------------
                 N/A       
         Administrative Templates
             ------------------------
                 <your WU/WSUS settings stuff etc>


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Saturday, May 21, 2016 7:08 AM
  • I'm not following you clearly on your reference to replication or SYSVOL replication issues. All 24 computers use the same common login username of DOMAIN\USER (not the real one of course), yet only about 10 of the computers have this specific issue, and only with this specific policy. All other policies are applied and implemented just fine.

    If you have more than one single Domain Controller, the DC's will be replicating between each other, to provide you with redundancy and availability for your AD.

    Domain Group Policy (as distinct from Local Group Policy), is composed of several different component blobs of goop, some of which is stored within the AD (and so is replicated along with that goop), and the other bits of GP are files which are stored in a share on the DC, named SYSVOL.
    SYSVOL is replicated across the DC's using either FRS or DFS-R.

    For Domain GP to work correctly, when you create or modify a GPO, the blobs of goop which comprise the GPO need to be replicated across all DC's for consistent GP processing. So, if these replication services are unhealthy, you will have inconsistency and therefore unpredictable outcomes.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Saturday, May 21, 2016 7:15 AM
  • I think you got me pointed in the right direction now. I've a total of nine policies (ten if you include the default domain policy, which I always never touch).  I disabled 8 of the policies, leaving only my WSUS policy active. Rebooted a workstation, and the WSUS policy was applied correctly.

    Apparently, this has something to do with the order in which policies are applied. My WSUS policy was next to last in my list. So I'm moving it to the top as number 2, (I leave default domain policy at the top, as always) then start enabling policies one at a time to see what happens.

    I'll post back later in the day and let you know what I find.

    Saturday, May 21, 2016 7:15 AM
  • When I'm deleting/creating the policies in the production domain, I'm using the GUI provided for policy management in the administrative tools applet of Control Panel on the Server 2012R2 Std domain controller.

    Ok, that sounds like the standard/builtin Group Policy Management Console / Group Policy Management Editor, which is fine.
    (there are lots of ways to do things with Windows, including plenty of "unsupported" ways, out there in the real world ;)

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Saturday, May 21, 2016 7:18 AM
  • Okay, I've got the problem solved. Seems the cause was "user error" whereas I had forgotten a very basic GPO fundamental. I'll repeat it here for the sake of others, as I've seen a few other posts in this forum with the same problem as me, just with different policies.

    The order in which policies are applied does matter. Machine/Computer policies need to be applied before user policies. Since my WSUS policy is a machine/computer policy, when it's listed last among my 9 policies, it will not get applied. If it does get applied, then either it's not applied correctly, or I just get lucky. Since machine policies are applied on boot and user policies applied on login, by having the WSUS machine policy last it was either not being applied at all on user login, or was applied incorrectly using cached information from somewhere in la-la land.

    When I grouped my policies it was more than just making machine policies first in the order of application too. Policies need to be applied in the order they appear in the policy template. I have 5 computer policies. Since the WSUS policy is actually the last policy in the Computer Configuration container of the template, I made it the 5th policy applied in the policy application order list of the GUI.

    Same rule holds true for user policies. User policies should be applied after machine policies, and those user policies should be applied in the order they are in the Users Configuration section of the policy template.

    Once I did all this, not only were all policies applied correctly every time on every computer, I also had two more computers pop up in the WSUS Console this morning, that I was totally unaware of having this issue, due to my focus on the 10 other computers I was aware of.

    Much thanks to DonPick for helping me get my head straight. This was a case of I couldn't see the forest because the trees were in the way. A return to the simple basics of GPO fundamentals is all that was needed to figure this out and fix it.

    • Marked as answer by Carl1959 Saturday, May 21, 2016 5:16 PM
    Saturday, May 21, 2016 5:16 PM
  • Well done, glad you got it sorted out.
    It does seem like a Link Order/Precedence matter, which is one of the trickier things to diagnose without seeing the console.

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Saturday, May 21, 2016 10:54 PM
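
Link order and precedence can be inspected without the console. The following is an added example, not code from the thread, that lists the GPOs linked to a container in precedence order together with the `WUServer` and `WUStatusServer` value each one defines; it assumes the GroupPolicy module (RSAT/GPMC) is installed, and the default target `DC=DOMAIN,DC=LOCAL` is the sanitized name used in the output earlier on this page.

```powershell
# Added example: which linked GPOs define the WSUS pointers, and in what order.
Import-Module GroupPolicy

function Get-WsusGpoPrecedence {
    param(
        # Distinguished name of the domain or OU to inspect (placeholder default).
        [string]$Target = 'DC=DOMAIN,DC=LOCAL'
    )
    $key   = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
    $names = 'WUServer', 'WUStatusServer'

    # InheritedGpoLinks is the effective list for the container;
    # Order 1 is the link with the highest precedence.
    $links = (Get-GPInheritance -Target $Target).InheritedGpoLinks
    foreach ($link in $links) {
        $row = [ordered]@{
            Order    = $link.Order
            GPO      = $link.DisplayName
            Enabled  = $link.Enabled
            Enforced = $link.Enforced
        }
        foreach ($n in $names) {
            try {
                $v = Get-GPRegistryValue -Guid $link.GpoId -Key $key `
                         -ValueName $n -ErrorAction Stop
                $row[$n] = $v.Value
            } catch {
                $row[$n] = $null   # this GPO does not define the value
            }
        }
        [pscustomobject]$row
    }
}

Get-WsusGpoPrecedence | Format-Table -AutoSize
```

`Get-GPRegistryValue` only reads Administrative Templates (registry policy) settings; registry items configured through Group Policy Preferences are read with `Get-GPPrefRegistryValue` instead.
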
  • Hi,
    I am glad that the issue is solved. And appreciate your update and share. It will be greatly helpful to others who have the same problem.
    Thank you for your effort again.
    Regards,
    Wendy


    Monday, May 23, 2016 7:09 AM
    Moderator