Windows 10 not implementing the GPO from Windows Server 2008

    Question

  • Hi 

    We are running on a Windows 2008 domain environment with a central store. GPO for screensaver does not work on Windows 10. 

    Attached is the gpresult. To my account the Wallpaper and the Screensaver is linked to the OU of mine. Other users that are set roaming profile logged in previously on Windows 7 and logged in on the Windows 10 settings files does not come. Tried adding the templates on the central store but it doesn't work so I deleted and copied back the local templates on one of the servers.

    • Edited by Mard.05 Tuesday, April 18, 2017 11:45 PM
    Tuesday, April 18, 2017 9:56 PM

All replies

  •  Hi,
    I am sorry that the attachment of the gpresult could not be seen, please confirm it again.
    And you could have a try to disable the UNC hardening for netlogon and sysvol shares in the registry on Windows 10 machines, please refer to: https://support.microsoft.com/en-us/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015
    Best regards,
     Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, April 19, 2017 11:24 AM
    Moderator
  • Hi Wendy,

    Please see below gpresult, removed some info due to privacy.

    Before disabling the UNC hardening on my Windows 10 PC.

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    © 2016 Microsoft Corporation. All rights reserved.

    Created on 4/10/2017 at 10:08:12 PM

    -----------------------------------------------------

    OS Configuration:            Member Workstation
    OS Version:                  10.0.14393
    Site Name:                   N/A
    Roaming Profile:             N/A
    Local Profile:               C:\User\
    Connected over a slow link?: No


    USER SETTINGS
    --------------
        CN=
        Last time Group Policy was applied: 4/10/2017 at 9:55:09 PM
        Group Policy was applied from:      
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        
        Domain Type:                        Windows 2008 or later

        Applied Group Policy Objects
        -----------------------------
            New Group Policy Object
            Desktop Shortcuts
            ScreenSaver New

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Default Domain Policy
                Filtering:  Denied (Security)

            New Group Policy Object
                Filtering:  Not Applied (Unknown Reason)

            Local Group Policy
                Filtering:  Not Applied (Unknown Reason)

            Desktop Shortcuts
                Filtering:  Not Applied (Unknown Reason)

            ScreenSaver New
                Filtering:  Not Applied (Unknown Reason)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users

    After disabling the UNC hardening on my Windows 10 PC and gpupdate /force then reboot, same is encountered. I think this is with ADMX templates but I don't know the right procedure on how to test without damaging our current GPs.

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    © 2016 Microsoft Corporation. All rights reserved.

    Created on 4/19/2017 at 8:39:22 PM


    -----------------------------------------------------

    OS Configuration:            Member Workstation
    OS Version:                  10.0.14393
    Site Name:                   N/A
    Roaming Profile:             N/A
    Local Profile:               C:\Users\
    Connected over a slow link?: No


    USER SETTINGS
    --------------
        CN=
        Last time Group Policy was applied: 4/19/2017 at 8:37:55 PM
        Group Policy was applied from:      
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        
        Domain Type:                        Windows 2008 or later

        Applied Group Policy Objects
        -----------------------------
            New Group Policy Object
            Desktop Shortcuts
            ScreenSaver New

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Default Domain Policy
                Filtering:  Denied (Security)

            New Group Policy Object
                Filtering:  Not Applied (Unknown Reason)

            Local Group Policy
                Filtering:  Not Applied (Unknown Reason)

            Desktop Shortcuts
                Filtering:  Not Applied (Unknown Reason)

            ScreenSaver New
                Filtering:  Not Applied (Unknown Reason)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users     
    Wednesday, April 19, 2017 12:41 PM
  • Hi,
    Please test on a problematic Windows 10 client to delete the file in the following path: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
    And then re-apply the GPO and re-login again to see if group policy works.
    Best regards,
    Wendy


    Friday, April 21, 2017 3:16 PM
    Moderator
  • check for impact from this:

    https://support.microsoft.com/en-us/help/3163622/ms16-072-security-update-for-group-policy-june-14,-2016

    (if you have this problem, you have to adjust the permissions upon your GPOs to fix it)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Saturday, April 22, 2017 10:00 AM
  • Hi Wendy,

    I've deleted the file and then initiated a gpupdate /force then restart, but after restart it still doesn't work; the gpresult is still the same as above.

    Tuesday, April 25, 2017 5:07 AM
  • Hi Don,

    Sorry I don't understand. I've added the Domain Computers to have read access to the GPO.

    Can you explain further what should I do ?

    Tuesday, April 25, 2017 1:28 PM
  • Did you check that via the Delegation tab on the GPO ?

    https://social.technet.microsoft.com/Forums/windows/en-US/6658cc74-593c-432f-b766-e7062830f643/group-policy-problem-not-applied-unknown-reason?forum=winserverGP


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, April 26, 2017 8:29 AM
  • Dear Don,

    Tried adding it but problem still persists.

    Tuesday, May 2, 2017 4:39 AM
  • Open your GPMC and select (left-mouse-click) the GPO of interest.
    In the right-hand-side pane, examine:

    "Scope" tab... can you see the expected links to the domain-root or Site or OU? (this confirms you have correctly linked the GPO for the desired scope)

    "Details" tab... can you see the "GPO Status" selector? Is this set to the expected/desired selection? (Is it set = All settings disabled?)
    Observe the Unique ID of the GPO. This is the policy GUID. Make a note of the first few characters of this GUID, e.g. {ABCD1234-5678-etc

    "Settings" tab... this should show your desired settings (e.g. Enable screensaver... etc) Is this as expected/desired?

    "Delegation" tab... this should show the relevant security filters etc. Is this set as desired?

    Then, in the GPMC, navigate in the left-hand-side pane, to the OU which contains the user object in question.
    Is this OU flagged with a BLUE !    ???
    Check the parent OUs also, to see if any are flagged with the BLUE !
    The BLUE !, indicates that inheritance is blocked. This can also be the cause of "Filtering: Not Applied (Unknown Reason)"

    Now on a computer where the test user is logged on, open Windows File Explorer.
    In the address bar, click in the bar, and navigate to the SYSVOL on your domain controller, e.g.
    \\contoso.com\SYSVOL\contoso.com\Policies\
    The user should be able to view these folders without issue.
    The subfolders of this point, are the GUIDS of all your GPOs.
    You should be able to see: {ABCD1234-5678-etc
    The user should be able to explore into that GUID subfolder, and see the files/subfolders within.
    This test verifies that the test user can successfully access the GPO (permissions check).
    If this test fails, there is a security/access problem, or, there is some other security issue affecting the GPO.

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, May 2, 2017 10:46 AM
  • Dear Don,

    I have another user which is in a different OU (User X).
    The computer in question is mine and it is on the OU that has block inheritance but the GP is linked to our OU.

    "Scope" tab... can you see the expected links to the domain-root or Site or OU? (this confirms you have correctly linked the GPO for the desired scope)
    YES
    "Details" tab... can you see the "GPO Status" selector? Is this set to the expected/desired selection? (Is it set = All settings disabled?)
    Observe the Unique ID of the GPO. This is the policy GUID. Make a note of the first few characters of this GUID, e.g. {ABCD1234-5678-etc
    It is Enabled
    "Settings" tab... this should show your desired settings (e.g. Enable screensaver... etc) Is this as expected/desired?
    Yes
    "Delegation" tab... this should show the relevant security filters etc. Is this set as desired?
    This is where I'm confused. The settings are working on Windows 7 but not on the Windows 10 PC
    Then, in the GPMC, navigate in the left-hand-side pane, to the OU which contains the user object in question.
    Is this OU flagged with a BLUE !    ???
    Check the parent OUs also, to see if any are flagged with the BLUE !
    The BLUE !, indicates that inheritance is blocked. This can also be the cause of "Filtering: Not Applied (Unknown Reason)"
    On my OU inheritance is blocked but the GP for screensaver is linked to my OU
    Now on a computer where the test user is logged on, open Windows File Explorer.
    In the address bar, click in the bar, and navigate to the SYSVOL on your domain controller, e.g.
    \\contoso.com\SYSVOL\contoso.com\Policies\
    The user should be able to view these folders without issue.
    The subfolders of this point, are the GUIDS of all your GPOs.
    You should be able to see: {ABCD1234-5678-etc

    I can access it without a problem and the other user

    Here is the gpresult /r from the Windows 7

    The screensaver and the wallpaper are working fine.

    ActiveX-Whole
            Filtering:  Disabled (GPO)

        Default Domain Policy
            Filtering:  Denied (Security)

        New Group Policy Object
            Filtering:  Not Applied (Unknown Reason)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Desktop Shortcuts
            Filtering:  Not Applied (Unknown Reason)

        Compatibility
            Filtering:  Disabled (GPO)

        ScreenSaver New
            Filtering:  Not Applied (Unknown Reason)

    Wednesday, May 3, 2017 9:43 AM
  • Ah, ok.

    This now makes sense to me. You are using Block Inheritance, and, you have also directly linked the same GPOs to the relevant OU.

    That is why the GPO names are appearing twice;
    These are the GPOs which are linked to the OU, and they are being processed/applied (these are not filtered):

    Applied Group Policy Objects
        -----------------------------
            New Group Policy Object
            Desktop Shortcuts
            ScreenSaver New


       

    These are the GPOs which are not being applied because they are filtered due to Security Filter (the DDP) or they are filtered due to Blocked Inheritance [ shown as Not Applied(Unknown Reason) ]

    The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Default Domain Policy
                Filtering:  Denied (Security)

            New Group Policy Object
                Filtering:  Not Applied (Unknown Reason)

            Local Group Policy
                Filtering:  Not Applied (Unknown Reason)

            Desktop Shortcuts
                Filtering:  Not Applied (Unknown Reason)

            ScreenSaver New
                Filtering:  Not Applied (Unknown Reason)

    So, it seems that all the GP is blocked+linked+filtered according to your design. It seems that GP is processing 100% correctly, so I don't think that it's a GP processing problem at all.

    I think you have settings within the GPO which are simply not relevant to a Win10 computer, or, the settings within the GPO are not understood by Win10, e.g. maybe you have to set additional settings because Win10 is different to Win7 ?

    It's time to look more closely at the actual settings within the GPO. You could also examine the event logs for GP-processing on the client PC to confirm that Windows10 is (or is not) correctly processing the GP settings.

    Ultimately, it's entirely possible that there is no GP-processing issue at the Win10 client PC, but, it is possible that Win10 itself is ignoring the settings for some other reason.

    If you are able to find the events on the Win10 PC for GP-processing, and those events show no processing errors, now it comes to diagnosing why Windows will not do what you are configuring it to do.

    e.g., if I configure GPO to activate screensaver settings after 10minutes, and if I configure those settings to run a specific screensaver named flyingtoasters.scr, GP-processing will apply+process without errors, but, flyingtoasters.scr will never really launch if I have not placed the flyingtoasters.scr onto the PC  :)

    This example would mean that my GP does not work, but it does not generate an error.

    You can examine the event logs at the client to look for further detail. You may also need to enable deeper GP logging on the client to understand such issues. The default logging depth won't necessarily reveal this type of misconfiguration/incomplete-configuration.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, May 3, 2017 9:26 PM
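
The reading of the gpresult lists given in the reply above, as an added example that is not part of the original thread: it parses `gpresult /r` text and reports, per GPO name, whether the name is in the applied list, the filtered list, or both. The helper name `Get-GpoFilterSummary` is hypothetical and `$sample` is a trimmed copy of the output posted earlier in the thread.

```powershell
# Added example (not from the thread). On a live client, replace $sample with:
#   $lines = gpresult /r /scope:user
$sample = @'
Applied Group Policy Objects
-----------------------------
    New Group Policy Object
    Desktop Shortcuts
    ScreenSaver New

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    Default Domain Policy
        Filtering:  Denied (Security)

    New Group Policy Object
        Filtering:  Not Applied (Unknown Reason)

    Local Group Policy
        Filtering:  Not Applied (Unknown Reason)

    ScreenSaver New
        Filtering:  Not Applied (Unknown Reason)

The user is a part of the following security groups
---------------------------------------------------
    Domain Users
'@

function Get-GpoFilterSummary {   # hypothetical helper name
    param([string[]]$Lines)
    $section = 'other'; $applied = @(); $filtered = [ordered]@{}; $last = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -match '^-+$') { continue }          # blanks and rulers
        if ($line -eq 'Applied Group Policy Objects') { $section = 'applied'; continue }
        if ($line -like 'The following GPOs were not applied*') { $section = 'filtered'; continue }
        if ($line -like 'The * is a part of the following security groups') { $section = 'other'; continue }
        if ($section -eq 'applied') {
            $applied += $line
        } elseif ($section -eq 'filtered') {
            # A GPO name line is followed by its "Filtering:" reason line.
            if ($line -match '^Filtering:\s+(.+)$') { if ($last) { $filtered[$last] = $Matches[1] } }
            else { $last = $line }
        }
    }
    $names = @($applied) + @($filtered.Keys) | Select-Object -Unique
    foreach ($name in $names) {
        $isApplied = $applied -contains $name
        if ($isApplied -and $filtered.Contains($name)) { $reading = 'applied; also listed as filtered' }
        elseif ($isApplied) { $reading = 'applied' }
        else { $reading = 'filtered only' }
        [pscustomobject]@{ GPO = $name; Applied = $isApplied; Filter = $filtered[$name]; Reading = $reading }
    }
}

Get-GpoFilterSummary -Lines ($sample -split '\r?\n') | Format-Table -AutoSize
```

A GPO that shows "applied; also listed as filtered" was processed for the user, so the next place to look is the settings it delivered rather than its scope.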
  • Let's also review your original question/scenario..

    screensaver settings don't apply to Win10.....ok
    Do *any* other GPOs correctly apply to this Win10 PC?

    Please explain your statement "Other users that are set roaming profile...Win7...Win10 settings files does not come" ?
    Do you mean, a user account is configured for RUP, this works fine if the PC is Win7, but if the same user logs on to a Win10 PC the RUP does not occur?
    This can be for various reasons but may be nothing related to GP, it could simply be the way you are implementing RUP.
    RUP will not be cross-compatible between Win7 & Win10. This is because the Win7 RUP uses a V2-style RUP construction but Win10 uses a newer V4 or V5-style construction.
    We observed similar issues when migrating from WinXP to Win7 - we had to separate those RUPs.
    I have also seen other discussions about RUP on Win10 does not work very well, but I have not tested RUP on Win10 myself as yet.

    Ultimately, almost all GP is simply placing some registry keys/values onto the client PC.
    It is then completely up to Windows on the client PC to do what those registry keys/values instruct.
    If the registry keys/values are not-applicable or contain incorrect or incomplete data - GP does not care about that - GP has done its job to place the registry keys/values and if that task is successful, then there is no GP error at all.
    But this does not mean that Windows will then behave as you expect, because there may be other reasons why Windows won't do that thing e.g. you placed an incorrect filename in the setting or you did not do some other task e.g. copy the file which the settings need (this is simply an example)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, May 3, 2017 9:40 PM
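
One way to check the point made in the two replies above (policy processed without error, yet Windows does not act on it), as an added example that is not part of the original thread. It assumes the standard per-user policy locations for the screensaver and wallpaper settings, which the thread does not quote; the helper names `Test-PolicyValue` and `Resolve-PolicyFile` are hypothetical.

```powershell
# Added example (not from the thread). Run as the affected user on the Windows 10
# client: user policy is written to that user's HKCU hive.
$desktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'    # screensaver policies
$system  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'    # wallpaper policy

function Test-PolicyValue {       # hypothetical helper: did GP place this value?
    param([string]$Key, [string]$Name)
    $item  = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    $prop  = if ($item) { $item.PSObject.Properties[$Name] }
    $value = if ($prop) { $prop.Value } else { $null }
    [pscustomobject]@{ Key = $Key; Name = $Name; Present = [bool]$prop; Value = $value }
}

function Resolve-PolicyFile {     # hypothetical helper: does the referenced file exist?
    param([string]$Value, [string]$DefaultDir)
    if (-not $Value) { return $null }
    $path = [Environment]::ExpandEnvironmentVariables($Value)
    # A bare screensaver file name is expected in System32; anything else needs a full path.
    if ($DefaultDir -and -not (Split-Path -Path $path -Parent)) { $path = Join-Path $DefaultDir $path }
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    [pscustomobject]@{ Path = $path; Exists = $exists }
}

# 1. Did the registry values arrive?
$checks = @(
    'ScreenSaveActive', 'SCRNSAVE.EXE', 'ScreenSaveTimeOut', 'ScreenSaverIsSecure' |
        ForEach-Object { Test-PolicyValue -Key $desktop -Name $_ }
    Test-PolicyValue -Key $system -Name 'Wallpaper'
)
$checks | Format-Table Name, Present, Value -AutoSize

# 2. Do the files those values point to exist from this client, as this user?
$scr  = ($checks | Where-Object Name -eq 'SCRNSAVE.EXE').Value
$wall = ($checks | Where-Object Name -eq 'Wallpaper').Value
Resolve-PolicyFile -Value $scr  -DefaultDir (Join-Path $env:SystemRoot 'System32')
Resolve-PolicyFile -Value $wall

# 3. Any errors or warnings in the client's Group Policy operational log?
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Level = 2, 3 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

Values present with `Exists` false reproduces the flyingtoasters.scr case described above: processing succeeded, but the file the setting names is not reachable.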
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If no, please reply and tell us the current situation in order to provide further help.
    Best Regards,

    Wendy



    Monday, May 8, 2017 1:06 PM
    Moderator