none
GPO Settings Partially Applying

    Question

  • Hi,

    I am trying to lock-down the Control + Alt + Delete screen on my Windows 7 Professional x64 computers, especially take away the Task Manager. I have the appropriate settings configured in a GPO, which is attached to an OU, but only some of them are taking affect. For example, I set it so the last user is not displayed in the username dialog box. That works. I removed the "Switch user" option from the Control + Alt + Delete screen and that works as well. However, the other settings, which are in the User section of the GPO and not the Computer section are not applying. I also have the GPO set to enable remote desktop through a registry edit and that is not working either.

    According to the Event Log, the GPO changes are being seen and applied, just the computers don't have the desired settings removed. There are a bunch of 36871 errors (A fatal error occurred while creating an SSL client credential. The internal error state is 10013.) in the log as well a s a bunch of 7006 (The ScRegSetValueExW call failed for Start with the following error: Access is denied). I can't find a specific example of a resolution for these two issues that pertains to my situation. I am not running AVG antivirus and I am not running MS Forefront. Gpresult shows the policy as being applied in the computer section, but not there (also not filtered out) in the user section.

    Where should I look next to troubleshoot?

    Thanks


    Jason Watkins MCSE, MCSA, MCDBA, CCNA

    Monday, March 02, 2015 5:08 PM

Answers

  • Hi Jason,

    >>I have the appropriate settings configured in a GPO, which is attached to an OU, but only some of them are taking affect

    >>which are in the User section of the GPO and not the Computer section are not applying.

    Based on the description, are the domain user accounts in the OU to which we linked the GPO? If not, we need to move the user accounts to the OU or we can link the GPO to the OU where the user accounts currently reside. Besides, we can run cmd command gpresult/h report.html to collect group policy result report to better check how group policy settings are applied.

    Best regards
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, March 03, 2015 9:42 AM
    Moderator

All replies

  • Hi Jason,

    >>I have the appropriate settings configured in a GPO, which is attached to an OU, but only some of them are taking affect

    >>which are in the User section of the GPO and not the Computer section are not applying.

    Based on the description, are the domain user accounts in the OU to which we linked the GPO? If not, we need to move the user accounts to the OU or we can link the GPO to the OU where the user accounts currently reside. Besides, we can run cmd command gpresult/h report.html to collect group policy result report to better check how group policy settings are applied.

    Best regards
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, March 03, 2015 9:42 AM
    Moderator
  • I think I figured this out. The computers, to which the policy was applying, were using local accounts to log in to Windows. This is why the user part of the GPO wasn't applying. If you were to log in with a domain user account, the settings still wouldn't apply unless the user account was located in that OU. I enabled the Loopback function to merge the computer and user settings and now the domain user gets the policy settings. Great! Thanks!

    Jason Watkins MCSE, MCSA, MCDBA, CCNA

    Tuesday, March 03, 2015 10:37 PM
  • Been a good day for you lol. That's how gpos are applied for future ref, happy your sorted though
    Tuesday, March 03, 2015 11:16 PM