OU Policy will not override Local Policy

    Question

  • DC is on Server 2012 R2, Central Store as Windows10_Version 1511 ADMX and clients are on Windows 10 version 1511 build 10586.839.  Reference Image for clients was created using MDT and then deployed across enterprise via SCCM 1602 OSD.  During the reference image build, local group policies were applied.  Now, when an attempt is made to change the local policy from GPMC at an OU level, it will not override.  Two specific GPOs in question:

    1. Comp Config>Admin Temp>Win Comp>OneDrive>Prevent the usage of OneDrive for file storage.  This was originally set to enable in local group policy on reference PC.  Now attempting to disable policy to allow OneDrive use, but OU policy will not override despite link order of 1 and enforcing. gpresult indicates policy is being applied, but the setting is not showing in local gpedit.msc or in registry.  Even tried turning off Local Group Policy Object Processing via Group Policy and Registry without success.

    2. Comp Config>Pol>Win Set>Sec Set>Local Policies/Security Options>Accounts:  Block Microsoft accounts>Users can't add or log on with Microsoft accounts.  With this one, it was set as a local policy on the reference PC, and shows as such in gpedit.msc and registry on client, but does not actually block Microsoft accounts.  If edited locally and OU policy is pushed, again, it will show as applied, but will not block Microsoft accounts.

    I suspect the problem is with the reference image, which is easy enough to redo, but there are hundreds of clients that still need to be rectified.

    Anyone have some ideas?

    Wednesday, April 5, 2017 4:55 PM

All replies

  • I always start by running GPRESULT /h report.html and look at the group policy setting that applied that particular setting. It also lists why GPOs were not applied if they are denied...

    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    @alanburchill

    Thursday, April 6, 2017 12:24 AM
  • Hi,
    First of all, when we configure group policy settings from GPMC, generally, these settings would not be displayed in the local gpeditor; only security settings could be displayed.
    Therefore, as Alan said, please run gpresult /h to view the detailed group policy result report, or check whether the related registry keys have changed.
    >> I suspect the problem is with the reference image, which is easy enough to redo, but there are hundreds of clients that still need to be rectified.
    For testing and troubleshooting, I would suggest choosing one client for testing. I am not sure if you could redo the reference image for only one client via SCCM, but if it is possible, we would know if the reference image is causing the problem.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Thursday, April 6, 2017 8:44 AM
    Moderator
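
The check the two replies above describe (a gpresult report plus a look at the backing registry values), as an added example that is not part of the thread. The registry paths and value names are the commonly documented backing values for these two settings and are an assumption here, since the thread does not name them; `Get-PolicyRegistryState` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Run from an elevated prompt on a test client.
# Assumption: these are the registry values behind the two settings in question;
# confirm them against the ADMX / security template in your own Central Store.
$checks = @(
    [pscustomobject]@{
        Setting = 'Prevent the usage of OneDrive for file storage'
        Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
        Name    = 'DisableFileSyncNGSC'
        Meaning = @{ 0 = 'Disabled (OneDrive allowed)'; 1 = 'Enabled (OneDrive blocked)' }
    },
    [pscustomobject]@{
        Setting = 'Accounts: Block Microsoft accounts'
        Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Name    = 'NoConnectedUser'
        Meaning = @{ 0 = 'Policy off'
                     1 = "Users can't add Microsoft accounts"
                     3 = "Users can't add or log on with Microsoft accounts" }
    }
)

function Get-PolicyRegistryState {
    param([Parameter(Mandatory)] $Check)
    $value = $null
    if (Test-Path -LiteralPath $Check.Path) {
        $item = Get-ItemProperty -LiteralPath $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.($Check.Name) }
    }
    # An absent value means neither a domain GPO nor local policy has written it.
    $state = if ($null -eq $value) { 'Not configured (value absent)' }
             elseif ($Check.Meaning.ContainsKey([int]$value)) { $Check.Meaning[[int]$value] }
             else { "Unrecognized value $value" }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Setting  = $Check.Setting
        Value    = $value
        State    = $state
    }
}

# Refresh computer policy, then write the HTML report that names the winning GPO per setting.
gpupdate /target:computer /force | Out-Null
$report = Join-Path $env:TEMP "gpresult-$env:COMPUTERNAME.html"
gpresult /scope computer /h $report /f

# Compare what the report claims against what is actually in the registry.
$checks | ForEach-Object { Get-PolicyRegistryState -Check $_ } | Format-Table -AutoSize
Write-Host "gpresult report: $report"
```

A setting that the report lists under a winning GPO while the table shows it absent or at a different value is the mismatch described in the question.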
  • In my second paragraph, I indicate that I did run gpresult and that it indicates the group policy is indeed applying, but when I go to the registry to verify, it is not.
    Thursday, April 6, 2017 2:27 PM
  • I'm nearly certain the reference image is the culprit and can fix that. What I am trying to figure out is how to rectify the hundreds of clients that already have the image.  Reimaging is not a feasible option, nor is manually changing the local group policy on hundreds of clients.  At this point, I'm testing whether pushing a registry change would give me the results I'm looking for.
    Thursday, April 6, 2017 2:32 PM
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy



    Monday, April 10, 2017 1:52 PM
    Moderator