Domain group policy works for some settings but not others!

    Question

  • Hello,

    I seem to have a very weird issue. My DC is Win2012R2 and I'm working with a Win10 (Anniv. update) machine. I have a domain GP set which seems to apply to my Win10 machine just fine; however, it only applies some settings. I run "gpresult /h" and see that the settings are applied, and the winning GPO is the correct domain GP; however, when I run gpedit on the Win10 machine, I see different results. For example, in Computer Config > Policies > Administrative Templates > Windows Components > AutoPlay Policies, I have "Turn off Autoplay" enabled. When I log into the Win10 machine and open "gpedit", I see that same setting as "Not Configured". Shouldn't this be configured and grayed out, as it's getting this from the DC? Any help, advice, comments are appreciated!

    Thanks,
    -Sau

    Wednesday, August 24, 2016 3:52 PM

Answers

  • Hi Sau,
    According to the reference from Florian Frommherz that he answered in the following thread:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/cf7d5184-6850-4457-bd78-f89552b45ccc/domain-policy-settings-not-visible-in-gpedit?forum=winserverGP
    This is because the security settings are treated a little differently than other domain group policies. Security settings are written directly into the local machine's security database and therefore show up in gpedit.msc (as that security database is the place gpedit looks at to get its settings from). That is also the reason why all settings are greyed out for security settings if there's a domain GP in place (also, rsop.msc doesn't show security settings made locally because of that, if memory serves). There are basically two places where local GP and domain GPs are stored. Security settings from domain and local share a common place.
    You could see more details from that thread.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Sau Pat Monday, August 29, 2016 8:32 PM
    Monday, August 29, 2016 1:47 AM
    Moderator

All replies

  • Hi Sau,
    I have reproduced the same behavior as you in a test in my lab environment.
    In my opinion, the behavior may be expected. When you open gpedit on the client, it is used to configure local group policy, and it doesn't mean that the domain group policy is not applied correctly.
    If you want to check whether the domain policy is successfully applied, in addition to viewing the group policy report, you could also check the registry, as group policy takes effect by modifying the system registry.
    For example, if you have deployed a policy to turn off autoplay, you could directly check that the NoDriveTypeAutoRun entry has the value 0xFF in the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\
    It is also verified successfully in my test:

    Best regards,
    Wendy


    Thursday, August 25, 2016 5:15 AM
    Moderator
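
One way to script the registry check described in the reply above, as an added example that is not part of the original thread. The function name `Test-AutoplayPolicy` is hypothetical, and the drive-type names are an assumption based on the documented NoDriveTypeAutoRun bitmask; the key, value name and 0xFF come from the reply.

```powershell
# Added example: confirm the domain "Turn off Autoplay" policy reached this machine
# by reading the registry value named in the reply, instead of relying on gpedit.
$Key      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\Explorer'
$Name     = 'NoDriveTypeAutoRun'
$Expected = 0xFF   # value the reply reports for this policy

# NoDriveTypeAutoRun is a bitmask: each set bit disables AutoRun for one drive type.
$DriveTypeBits = @(
    @{ Bit = 0x01; Type = 'Unknown' }
    @{ Bit = 0x02; Type = 'No root directory' }
    @{ Bit = 0x04; Type = 'Removable' }
    @{ Bit = 0x08; Type = 'Fixed' }
    @{ Bit = 0x10; Type = 'Network' }
    @{ Bit = 0x20; Type = 'CD-ROM' }
    @{ Bit = 0x40; Type = 'RAM disk' }
    @{ Bit = 0x80; Type = 'Unknown (reserved)' }
)

# Test-AutoplayPolicy is a hypothetical helper name, not a built-in cmdlet.
function Test-AutoplayPolicy {
    param([string]$Path = $Key, [string]$ValueName = $Name, [int]$Want = $Expected)

    $prop = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: the setting has not been written on this machine.
        return [pscustomobject]@{ Present = $false; Value = $null; Matches = $false; Disabled = @() }
    }

    # The documented drive-type bits occupy the low byte; [long] tolerates signed or unsigned DWORDs.
    $value    = [long]$prop.$ValueName -band 0xFF
    $disabled = $DriveTypeBits | Where-Object { $value -band $_.Bit } | ForEach-Object { $_.Type }
    [pscustomobject]@{
        Present  = $true
        Value    = '0x{0:X2}' -f $value
        Matches  = ($value -eq $Want)
        Disabled = @($disabled)
    }
}

$result = Test-AutoplayPolicy
$result | Format-List
if (-not $result.Matches) {
    Write-Warning "$Name does not equal 0x$('{0:X2}' -f $Expected); re-check the gpresult /h report."
}
```
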
  • Thanks Wendy. I was just confused since the Audit, User Rights Assignment and Security Options under the Local Policies do get grayed out if they are configured using the Domain GP, and wondered why it would be different.

    -Sau

    Thursday, August 25, 2016 4:47 PM
  • Thank you.

    -S

    Monday, August 29, 2016 8:32 PM