Group policy applies inconsistently

    Question

  • I have a small network with one Domain Controller.  I have a set of computers that are all in the same OU (and as far as I know they are all identical), and a set of users that are all in the same OU (and as far as I know they are all identical).  Everything was working fine until I went on vacation 3 weeks ago.  When I got back the GPO was not applying for some of the users.  When I run GP Result, I find that some users work on some computers:

    Computers:   M1   M2   M3
    Users
    A            X    X    X
    B            X    Y    X
    C            X    X    X
    D            X    X    Y
    E            X    Y    X

    I have a second user GPO and those users are all working fine on all computers.

    The Group Policy Event log shows only 2 warnings:  One for NETLOGON and one for SYSVOL:

    This machine is configured to retrieve Group Policy files from a file share in an insecure way.

    UNC Path: \\dpl.lan\NETLOGON

    Mutual Authentication Enforced: false

    Integrity Enforced: false

    Guidance: The UNC path contains logon scripts and/or files that control system security policies. Microsoft recommends configuring Windows to require both mutual authentication and integrity when accessing files on this UNC path.

    For details on configuring Windows machines to require additional security when accessing specific UNC paths, visit http://support.microsoft.com/kb/3000483.

    Log Name:  Microsoft-Windows-GroupPolicy/Operational

    Source:GroupPolicy (Microsoft-Windows-GroupPolicy)

    logged: 7/18/2016 10:08:04 PM

    Event ID:  9001

    Task Category:  None

    Level:  Warning

    Keywords:

    User:  SYSTEM

    Computer:  my.computer.lan

    OpCode:  Info

    Why did it stop working?  How can I fix it?

    Thanks


    Peggy Thrasher

    Tuesday, July 19, 2016 8:29 PM

Answers

  • Hi Peggy,

    Thanks for your post.

    Have those computers installed update MS16-072?

    I suggest you check whether those computers installed the updates during your vacation.

    If yes, I suggest trying to fix the problem with the actions below.

    1. Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
    2. If you are using security filtering, add the Domain Computers group with read permission.

    For more information, you could refer to the article below.

    MS16-072: Security update for Group Policy: June 14, 2016

    https://support.microsoft.com/en-us/kb/3163622

    Here is a blog about how to use PowerShell to check the updates issue for your reference.

    MS16-072 – Known Issue – Use PowerShell to Check GPOs

    https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 20, 2016 6:59 AM
    Moderator
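
The permission check from the answer above, as an added PowerShell example that is not part of the original thread or of the linked blog post: it reports every GPO on which neither Authenticated Users nor Domain Computers holds a permission level that includes Read. The function name `Find-GpoMissingComputerRead` and its `-Fix` switch are hypothetical, and the English group name passed to `Set-GPPermission` is an assumption.

```powershell
# Added example: audit GPOs for the Read access discussed in the answer.
# Requires the GroupPolicy module (RSAT or a domain controller).
Import-Module GroupPolicy

function Find-GpoMissingComputerRead {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Fix   # assumption of this example: grant Read where it is missing
    )

    # Permission levels that include Read on the GPO.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in (Get-GPO -All)) {
        $perms = Get-GPPermission -Guid $gpo.Id -All

        # Match trustees by SID so localized group names do not matter:
        # S-1-5-11 = Authenticated Users, RID 515 = Domain Computers.
        $covered = $perms | Where-Object {
            ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or
             $_.Trustee.Sid.Value -match '^S-1-5-21-.+-515$') -and
            ($readLevels -contains $_.Permission.ToString())
        }
        if ($covered) { continue }   # this GPO is readable by computer accounts

        $fixed = $false
        if ($Fix -and $PSCmdlet.ShouldProcess($gpo.DisplayName, 'Grant Read to Authenticated Users')) {
            # Read only, not Apply: existing security filtering keeps its effect.
            Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
            $fixed = $true
        }

        [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            Trustees    = ($perms | ForEach-Object { "$($_.Trustee.Name)=$($_.Permission)" }) -join '; '
            Fixed       = $fixed
        }
    }
}

# Report only; add -Fix (optionally with -WhatIf) to remediate.
Find-GpoMissingComputerRead | Format-Table -AutoSize
```
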

All replies

  • Thank you SO much!!

    This was exactly my problem.


    Peggy Thrasher

    Wednesday, July 20, 2016 2:44 PM
  • Hi,

    I am glad to hear that your problem has been resolved.

    Best Regards,

    Jay


    Thursday, July 21, 2016 2:14 AM
    Moderator