Group Policy Preferences problem with local users and groups configuration over VPN


  • I'm supporting a Win2003 functional level AD, with mostly Win2012 R2 domain controllers already and a few remaining Win2003 domain controllers as well. My problem is the following: we have a GPP Local Users and Groups configuration for the client PCs to manage the local Administrators group. By default only a few predefined management groups are added and everything else is deleted. There is, however, one exception group: if the computer is added to that group, then a second Local Users and Groups configuration kicks in that only adds the desired groups but does not delete anything from the local Administrators group. This way, by default, users can't have admin access to their client machines, but our management groups will be added. If a user requests admin access, we can move his/her client machine to the exception group and add his/her account manually to the local Administrators group. Then the management groups will only be added to the local Administrators group but will not override its content.

    The solution works fine on the internal network; however, users frequently complain that they lose admin access over the VPN. It seems the same GPP solution does not work correctly over VPN. Do you have any ideas, please?


    Wednesday, June 1, 2016 7:03 AM


  • Hi Csaba,
    Before we go further, please run gpresult /h to see whether the group policy is applied or not when the user loses admin access over the VPN.
    Then, to make the policy apply, please try the following:
    1. Ensure proper communication with the domain and domain controller. Please run the ipconfig /flushdns and ipconfig /registerdns commands on the client, then ping the domain and the domain controller.
    2. Try to force the policy. Please run the gpupdate /force command, then log the user off and back on without restarting the computer to check if the policy is applied.
    3. Try to apply the policy synchronously. Sometimes over a slow link, target computers will time out before applying policies at logon. Please run gpupdate /sync and reboot the client computer to check if the policy is applied.
    In addition, if you are allowing the end user to log on using cached credentials: when the logon is done with cached credentials and then a remote access connection is established, some Group Policies may not be applied during logon. In this case, to avoid using cached credentials in a remote access connection, users should select the "Logon using dial-up connection" check box on the Windows Logon dialog box. Please also give that a try.

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact

    Thursday, June 2, 2016 2:12 AM
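The checks from the answer above (domain reachability, whether computer policy was applied, and what actually ended up in the local Administrators group) can be gathered in one run on an affected VPN client. This is an added example, not code from the thread; it assumes a Windows 10 / Server 2016+ client with the built-in LocalAccounts module, an elevated PowerShell session, and placeholder names for the NetBIOS domain and the management groups the GPP item adds.

```powershell
# Added diagnostic for the GPP Local Users and Groups issue over VPN (not from the thread).
# Assumptions: elevated session; Microsoft.PowerShell.LocalAccounts available;
# 'CORP' and the two group names below are placeholders for the real management groups.
$NetbiosDomain   = 'CORP'                                           # placeholder
$ExpectedMembers = @("$NetbiosDomain\Workstation Admins",           # placeholder
                     "$NetbiosDomain\Helpdesk")                     # placeholder

# 1. Domain communication through the VPN: DNS answer for the domain and a working
#    machine secure channel are both needed before computer-side GPP can run.
$dnsOk  = [bool](Resolve-DnsName -Name $env:USERDNSDOMAIN -ErrorAction SilentlyContinue)
$scOk   = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
Write-Host ("Domain DNS resolves   : {0}" -f $dnsOk)
Write-Host ("Secure channel healthy: {0}" -f [bool]$scOk)

# 2. Computer-scope RSoP summary: when policy last applied and which GPOs were
#    applied or filtered out. gpresult /r is the text form of the gpresult /h report.
$rsop = gpresult /r /scope:computer 2>$null
$rsop | Select-String -Pattern 'Last time Group Policy was applied',
                               'Applied Group Policy Objects',
                               'were not applied' -Context 0, 3 |
    ForEach-Object { $_.Line; $_.Context.PostContext }

# 3. Current local Administrators membership versus what the GPP item should add.
$actual  = Get-LocalGroupMember -Group 'Administrators' |
           Select-Object -ExpandProperty Name
$missing = $ExpectedMembers | Where-Object { $_ -notin $actual }
$extra   = $actual | Where-Object {
               $_ -notin $ExpectedMembers -and $_ -notlike '*\Administrator'
           }

Write-Host "`nLocal Administrators now : $($actual -join ', ')"
Write-Host "Management groups missing: $(if ($missing) { $missing -join ', ' } else { 'none' })"
Write-Host "Extra members present    : $(if ($extra)   { $extra   -join ', ' } else { 'none' })"

# Interpretation: missing management groups with an old 'Last time applied' stamp
# points at policy not running over the link (try gpupdate /sync as suggested);
# a user account listed under 'extra' on a machine that is NOT in the exception
# group will be removed by the default (delete-and-replace) GPP item.
```

Run it once while connected internally and once over the VPN on the same machine and compare the two outputs; the difference shows whether the policy is not applying at all or is applying with the wrong (non-exception) item.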