Group policy not applying unless a local administrator


  • I am trying to figure out this oddity but I seem to have a problem with a group policy that is not applying the computer policy unless the user is an administrator.

    Server 2008 R2.  Specifically I am trying to set the site to zone assignment for Internet Explorer for passthrough authentication in Citrix and while it works with my admin account I really don't want to make everybody an administrator just to get the settings to apply.  Can anybody think of something that I have missed?  Standard permissions on the Group policy of Authenticated users

    Wednesday, September 30, 2015 9:50 PM

All replies

  • Hi DennisAston,

    Thanks for your post.

    Please use rsop and gpresult to check the application of this group policy on your domain users.

    There are two basic components on the GPO, User and Computer. When we configure settings under User Configuration, these settings apply to domain user accounts, regardless of which computer they log onto.

    When we configure settings under Computer Configuration, these settings apply to computer accounts, regardless of which user logs onto the computers.

    In your scenario, you configure settings under Computer Configuration, right? Please check the result of group policy; it will show you the applied settings logged on as a user. Make sure there are no deny settings under User Configuration.

    Besides, you may follow the steps to do the troubleshooting.

    10 Common Problems Causing Group Policy To Not Apply

    Best Regards,

    Mary Dong

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact

    Thursday, October 1, 2015 4:21 AM
  • Thanks Mary.  I realized I posted in frustration and didn't give enough information.

    I have uploaded the HTML and text versions of the logs to my OneDrive account.  Here is the link:

    OneDrive Link

    My administrator user account is named astode-admin
    My regular account is named astode

    Computer name is FSH-XA-01

    I realize there is a lot of sensitive information in that log but I am not sure how much can be helped right now.

    Anything worth doing is worth doing right.

    • Edited by DennisAston Thursday, October 1, 2015 9:02 PM clarifying points
    Thursday, October 1, 2015 9:00 PM
  • Just to be clear, the same user that is having a problem with the policy as a normal user level (my normal account) suddenly has the settings work when they are added to the local administrators group on the computer. 

    Anything worth doing is worth doing right.

    Thursday, October 1, 2015 10:32 PM
  • What do you have in security filtering? Is it 'Authenticated Users'? Or a group that contains the 'Administrators' security group?
    Thursday, October 1, 2015 10:50 PM
  • > anybody think of something that I have missed?  Standard permissions on
    > the Group policy of Authenticated users
    Elevated prompt, "gpresult /h report.html & report.html". Is your GPO
    applied to the failing user? Is the setting you are missing present in
    the report?

    Greetings/Grüße, Martin

    Feel like reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Friday, October 2, 2015 10:27 AM
  • Sorry, thanks for checking this with me.  Standard Authenticated Users on the group policy Security Filtering section.

    Anything worth doing is worth doing right.

    Wednesday, October 7, 2015 9:50 PM
  • Yes, the settings missing are present in the report.  Had to tweak the command line to get it to run elevated under my normal user account (gpresult /USER domain\username /h report.html /f).

    All of the entries below should be in the local session for the user on the Citrix XenApp server.  They show in the report as expected, but when the user logs in (my normal account), I get a greyed out configuration section letting me know these settings are controlled by GPO, but they don't actually come across in the logon session.  If I make the user an administrator on the machine they will populate however.  NO OTHER CHANGES MADE OTHER THAN MAKING THE USER A LOCAL ADMIN.  It's maddening.

    Anything worth doing is worth doing right.

    • Edited by DennisAston Wednesday, October 7, 2015 10:09 PM
    Wednesday, October 7, 2015 10:07 PM
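
An added example, not part of any post in this thread: when gpresult lists the Site to Zone Assignment List but the session does not reflect it, a read-only check of where that policy lands in the registry shows what each logon actually sees. It assumes the standard policy location for this setting (the ZoneMapKey key under the Internet Settings policy branch) and PowerShell 2.0 or later; the function name Get-ZoneMapPolicy is hypothetical.

```powershell
# Added diagnostic example, not code from the thread. Read-only.
# Run it once in the failing user's session and once in the admin session
# on the same server, then compare the two outputs.
$policyRoot = 'SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneNames  = @{ '0' = 'My Computer'; '1' = 'Local intranet'; '2' = 'Trusted sites'
                 '3' = 'Internet';    '4' = 'Restricted sites' }

function Get-ZoneMapPolicy {
    # Hive: 'HKLM' (Computer Configuration) or 'HKCU' (User Configuration)
    param([string]$Hive)
    $path = "${Hive}:\$policyRoot\ZoneMapKey"
    if (-not (Test-Path -LiteralPath $path)) {
        return New-Object PSObject -Property @{
            Hive = $Hive; Site = '(ZoneMapKey not present)'; Zone = '' }
    }
    try {
        $key = Get-Item -LiteralPath $path -ErrorAction Stop
    } catch {
        return New-Object PSObject -Property @{
            Hive = $Hive; Site = "(cannot read: $($_.Exception.Message))"; Zone = '' }
    }
    # Each value name is a site; its data is the zone number it is mapped to.
    foreach ($site in $key.GetValueNames()) {
        $zone = [string]$key.GetValue($site)
        New-Object PSObject -Property @{
            Hive = $Hive; Site = $site; Zone = "$zone ($($zoneNames[$zone]))" }
    }
}

# Record which account and token the check ran under.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"User: $($identity.Name)   Elevated administrator token: $isAdmin"

# Policy "Security Zones: Use only machine settings"; 1 means per-user zone data is ignored.
$hklmOnly = (Get-ItemProperty -Path "HKLM:\$policyRoot" -ErrorAction SilentlyContinue).Security_HKLM_only
"Security_HKLM_only: $(if ($null -eq $hklmOnly) { '(not set)' } else { $hklmOnly })"

'HKLM', 'HKCU' | ForEach-Object { Get-ZoneMapPolicy -Hive $_ } |
    Format-Table Hive, Site, Zone -AutoSize
```

If both sessions list the same sites under HKLM, the policy data itself is reaching the machine and the difference lies in how the session consumes it rather than in GPO processing.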