Group Policy fully applies to Windows 7 but only part of the GPOs apply to Windows 10

    Question

  • Hi,

    I'm logged in with a domain user on two workstations. One is Windows 7 Professional & the other is Windows 10 Enterprise. On the Windows 7 computer I'm getting all the GPOs from the DC. On the Windows 10 computer I'm getting only 2 GPOs of the 4 we have.

    What can be the problem? I checked everything on the GP level on the DC and on the client computer.

    Am I missing something? I can only see that the "Domain Type" is different.

    Thanks.


    Sunday, January 8, 2017 11:36 AM

Answers

  • I did a test today and when I put my computer account in the group where the user is, the one that the policy is applied to, it started to work.

    But it's strange because the GPO that is causing the problem is on the user policy level and not under computer.

    Under computer configuration there are more different settings but the one that is not running for me is under user configuration.

    I ran into that workaround:

    Since Microsoft added MS16-072 (Security update for Group Policy) to servers:

    "MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer's security context. This issue is applicable for the following KB articles"

    1. For every GPO with user or group security filtering you must add to the "Delegation" tab "Authenticated users" group with permissions "READ". Security filtering can stay the same.
    2. For every GPO with Computer security filtering you must add to the "Delegation" tab "Domain Computers" group with permissions "READ". Security filtering can stay the same.

    I'll try that tomorrow.

    We didn't have any problem until we started to use Windows 10. I did have one Win 7 computer with that problem this week, but besides that, all the others are Win 10 computers.

    ***Update***

    Hi,

    I did that as described and it solved the problem:

    For every GPO with Computer security filtering you must add to the "Delegation" tab "Domain Computers" group with permissions "READ". Security filtering can stay the same.

    Thanks.



    • Edited by Maor Zohar Tuesday, January 10, 2017 8:12 AM Solution
    • Marked as answer by Maor Zohar Tuesday, January 10, 2017 8:12 AM
    Monday, January 9, 2017 12:31 PM
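
The delegation check described in this answer can be run across every GPO in the domain. The following is an added example, not code from the original thread: it lists GPOs where neither "Authenticated Users" nor "Domain Computers" holds at least Read, then previews the fix. It assumes the GroupPolicy module (GPMC/RSAT) is installed and that the domain uses the English group name "Domain Computers"; the function name `Test-ComputerCanReadGpo` is hypothetical.

```powershell
# Added example: audit GPO delegation for the MS16-072 behaviour change.
# Run from a domain-joined admin workstation with GPMC/RSAT installed.
Import-Module GroupPolicy

# Permission levels that include Read on the GPO.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-ComputerCanReadGpo {
    param([Parameter(Mandatory)] [guid]$GpoId)

    foreach ($p in Get-GPPermission -Guid $GpoId -All) {
        $sid = $p.Trustee.Sid.Value
        # S-1-5-11 = Authenticated Users; <domain SID>-515 = Domain Computers.
        # Matching on SID avoids depending on localized display names.
        $coversComputers = ($sid -eq 'S-1-5-11') -or ($sid -like 'S-1-5-21-*-515')
        if ($coversComputers -and -not $p.Denied -and
            $readLevels -contains "$($p.Permission)") {
            return $true
        }
    }
    # Grants to individual computer accounts or custom groups are not evaluated
    # here, and domain controllers are not members of Domain Computers, so
    # review flagged GPOs before changing them.
    return $false
}

# GPOs that computer accounts in general cannot read.
$affected = Get-GPO -All | Where-Object { -not (Test-ComputerCanReadGpo -GpoId $_.Id) }
$affected | Select-Object DisplayName, Id | Format-Table -AutoSize

# Preview the change from the answer: Read only, so security filtering
# (which needs Apply) stays as it is. Remove -WhatIf to apply.
foreach ($gpo in $affected) {
    Set-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' `
        -TargetType Group -PermissionLevel GpoRead -WhatIf
}
```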

All replies

  • Do you have any AD replication issue? Please check your DCs health status using dcdiag and your AD replication health status using repadmin. If you find any issue, please refer to my guideline for troubleshooting: http://www.ahmedmalek.com/web/fr/articles.asp?artid=23

    Please make sure that the computer is in the correct OU and that it has read and apply group policy permissions for the GPOs you would like to apply.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK


    Monday, January 9, 2017 12:39 AM
  • Thank you Ahmed,

    dcdiag & repadmin outputs are OK in all parameters.

    Computer account is in the correct OU - the same OU where the user resides and the GPO applies.

    I don't understand why there is a difference between Win 7 & Win 10...

    The Win 7 computer is even in the same OU as the Win 10 computer & it's working fine.

    :\

    Monday, January 9, 2017 6:26 AM
  • > The win 7 computer is even in the same OU that the win 10 computer is & it's working fine.
     
    Are the missing GPOs in the "not applied" list? If yes, what's the reason the report gives?
     
    Monday, January 9, 2017 10:37 AM