Windows Security Policy Not Updating - Admin Templates Update Fine


  • I have a domain with a mix of physical and virtual servers.  Some time ago another admin may have performed some manual scripted updates at the client level that are now preventing changes in the Security settings from reaching the clients.  Changes made elsewhere in the group policy update fine.

    Single Domain Controller - this is driven by contract policy, but I put that out there as I can't see how replication could be an issue but I'm open to any thoughts.

    The old sysadmin was using the 'default domain policy' instead of a custom named policy for the site.  I copied the old policy to a new name and unlinked the default policy.  When I run gpupdate /force on the client it gives no errors and none appear in the logs.  When I run the rsop I still see default domain policy as the winning policy for the Security settings but everywhere else it's the newly named policy.  Where it gets very interesting for me is that when I right-click the properties for the RSOP I only see it drawing the new policy name and the default domain policy is nowhere to be found.  RSOP throws no errors either.

    Here's what I have done so far without success:

    1. Backed up and deleted HKCU\Software\Policies

    2. Backed up and deleted HKLM\Software\Policies

    3. Backed up and deleted HKCU\Software\Microsoft\Windows\Current Version\Group Policy

    4. Backed up and deleted HKLM\Software\Microsoft\Windows\Current Version\Group Policy

    5. Deleted the c:\Windows\System32\Group Policy folder

    6. Did a non-authoritative rollback on the DC

    All bits and pieces of suggestions I've found during my searches.  I'm a little baffled by what might be causing this.  All other behaviors of the machines are consistent with good DNS settings.  I can take them on and off the domain just fine - and it makes no difference.

    To add to this - I also did a registry check for the original 'default domain policy' SID on the client machine.  Found several instances and cleared all of those as well.  Did a GPupdate /Force and requeried the RSOP.  Still getting that for the policy in the Security template.

    One more interesting note.  When I run gpresult I get the same data, sort of.  I get the SID for the non-existent 'default domain policy' as the winning GPO in the security section of the html output.  But I get the NAME of the winning GPO for the current domain policy GPO everywhere else.  A recheck of the registry indicates that the old SID no longer exists anywhere so that tells me it's in the filesystem someplace??

    Friday, February 05, 2016 2:13 PM
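An added diagnostic script, not part of the original post and not the poster's own steps. The identifier the post calls the policy's "SID" is the GPO's GUID (the Default Domain Policy has the well-known GUID {31B2F340-016D-11D2-945F-00C04FB984F9}). gpresult and the RSOP snap-in read the RSoP logging store in WMI rather than the registry keys the post deleted, so the script cross-references three client-side records of which GPO owns each security setting: the RSoP store (root\rsop\computer), the Group Policy History registry key for the Security Settings client-side extension, and the set of GPOs that actually exist in the domain. It assumes the RSAT GroupPolicy module is installed, that the Security Settings CSE GUID is the documented {827D319E-6EAC-11D2-A4EA-00C04F79F83A}, and that the cached-template folder under %windir%\security\templates\policies exists (that path is an assumption and is skipped silently if absent).

```powershell
# Added example, not code from the original post. Cross-references the places a
# client records which GPO "owns" each security setting, so a stale GPO GUID can
# be located after the GPO was renamed or unlinked:
#   1. the RSoP logging store (WMI root\rsop\computer), which gpresult/RSOP read,
#   2. Group Policy History in the registry, per client-side extension (CSE),
#   3. the GPOs that currently exist in the domain (RSAT GroupPolicy module),
#   4. the Security Settings CSE's cached template folder (assumed path).
# Run elevated on the affected client after "gpupdate /force".
# Assumptions: RSAT GroupPolicy module present; Security Settings CSE GUID is the
# documented {827D319E-6EAC-11D2-A4EA-00C04F79F83A}; Default Domain Policy GUID
# is the well-known {31B2F340-016D-11D2-945F-00C04FB984F9}.

$SecurityCseGuid = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
$HistoryKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
$GuidPattern     = '\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}'

function Get-GpoGuid([string]$Text) {
    # Pull the {GUID} out of an LDAP path, file path or registry value
    $m = [regex]::Match($Text, $GuidPattern, 'IgnoreCase')
    if ($m.Success) { $m.Value.ToUpper() } else { $null }
}

# 3. GPOs that exist in the domain, keyed by {GUID}
Import-Module GroupPolicy -ErrorAction Stop
$domainGpos = @{}
foreach ($g in Get-GPO -All) { $domainGpos["{$($g.Id.ToString().ToUpper())}"] = $g.DisplayName }

# 1. RSoP store: the winning instance of every security setting and its source GPO
$rsopNames = @{}
foreach ($g in Get-WmiObject -Namespace 'root\rsop\computer' -Class RSOP_GPO) {
    $k = Get-GpoGuid $g.guidName
    if ($k) { $rsopNames[$k] = $g.name }
}
$securityClasses = 'RSOP_SecuritySettingNumeric', 'RSOP_SecuritySettingBoolean', 'RSOP_SecuritySettingString'
$winning = foreach ($cls in $securityClasses) {
    foreach ($s in Get-WmiObject -Namespace 'root\rsop\computer' -Class $cls -ErrorAction SilentlyContinue) {
        if ($s.precedence -ne 1) { continue }          # precedence 1 = the winning GPO
        $guid = Get-GpoGuid $s.GPOID
        [pscustomobject]@{
            Setting        = $s.KeyName
            SourceGuid     = $guid
            NameInRsop     = if ($guid -and $rsopNames.ContainsKey($guid)) { $rsopNames[$guid] } else { '<no RSOP_GPO entry>' }
            ExistsInDomain = [bool]($guid -and $domainGpos.ContainsKey($guid))
        }
    }
}
"`n== Security settings whose winning GPO no longer exists in the domain =="
$winning | Where-Object { -not $_.ExistsInDomain } | Format-Table -AutoSize

# 2. Registry history for the Security Settings CSE (machine side)
"`n== Group Policy History entries for the Security Settings CSE =="
Get-ChildItem "$HistoryKey\$SecurityCseGuid" -ErrorAction SilentlyContinue | ForEach-Object {
    $p    = Get-ItemProperty $_.PSPath
    $guid = Get-GpoGuid ([string]$p.GPOName)
    [pscustomobject]@{
        Order          = $_.PSChildName
        GPOName        = $p.GPOName
        DisplayName    = $p.DisplayName
        ExistsInDomain = [bool]($guid -and $domainGpos.ContainsKey($guid))
        FileSysPath    = $p.FileSysPath
    }
} | Format-Table -AutoSize

# 4. Cached security templates (folder path is an assumption; absent folder is skipped)
"`n== Cached templates referencing a GUID that is not in the domain =="
Get-ChildItem "$env:windir\security\templates\policies" -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hits = Select-String -Path $_.FullName -Pattern $GuidPattern -AllMatches
        foreach ($h in $hits) {
            foreach ($m in $h.Matches) {
                if (-not $domainGpos.ContainsKey($m.Value.ToUpper())) { "$($_.FullName): $($m.Value)" }
            }
        }
    }
```

Any row in the first table whose ExistsInDomain is False names a security setting that the client still attributes to a GPO the domain no longer has; the second table shows whether the CSE's own history has been re-pointed at the new policy, and the third lists any cached template file that still carries the old GUID. Because the RSoP store is populated by the client-side extensions at refresh time, a stale entry there, with a clean registry, is consistent with the symptom in the post.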