Group Policy Not Having Any Effect On Users

    Question

  • There is a specific PC that is only used for users to log onto and change their passwords. No other programs are to be used on this machine. I created a separate OU "Restricted Access OU" and placed the computer in that OU; "PASSWORD" is the machine name.

    I created a policy called "PASSWORD$ Policy" in the Restricted Access OU and have the security filtering applied to the PASSWORD computer and the Domain Users group. The policy allows the Domain Users group access to the Remote Desktop Users group so anyone can log in to this PC (which works), and I also enabled "Run only specific windows applications", in which I added "na.exe" to the list because I only want them to use CTRL + ALT + DEL to change the password.

    However, when a user logs in, they can open whatever applications they want. I also tried blocking the command prompt via group policy, but that has no effect either.

    Also could there be a way where I could use a custom user interface perhaps where I can block out the start menu and just add a logout shortcut to the desktop that users can double click to log off after they change their password?

    Thanks.

    Monday, March 13, 2017 9:02 PM

All replies

  • Hi,
    >>Group Policy Not Having Any Effect On Users
    First of all, please confirm some questions for better troubleshooting:
    1. Under which node did you configure this GPO: Computer Configuration or User Configuration?
    If you configure group policy under Computer Configuration, then the GPO will only apply to computer accounts, and you should link the GPO to the computer accounts' OU. The user accounts will ignore the GPO even if they are located in the same OU.
    2. Was the GPO applied to clients? You could run the gpresult /h command to check the result. If the GPO is not applied, please check the following article on 10 common problems that cause Group Policy not to apply; you could check them one by one:
    http://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx
    3. Please check whether the MS16-072 update is installed on clients and domain controllers. If that is the case, please use the Group Policy Management Console (GPMC.MSC) and add the Authenticated Users group with Read permissions on the Group Policy Object (GPO). If you are using security filtering, add the Domain Computers group with Read permission. Please see: https://support.microsoft.com/en-sg/kb/3163622
    >> where I could use a custom user interface perhaps where I can block out the start menu and just add a logout shortcut to the desktop that users can double click to log off after they change their password
    For me, I would set up a scheduled task to log off the user, for which you could set the trigger in the task as changing password. Task Scheduler gives you a variety of options, such as whether or not to run the application with escalated privileges and setting the application to run only when certain conditions are met.
    You could also create a shortcut to a logoff script on the desktop; users could click this shortcut to run the logoff script.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, March 14, 2017 7:42 AM
    Moderator
  • > I created a policy called "PASSWORD$ Policy" in the Restricted Access OU and have the security filtering applied to the PASSWORD computer and the Domain Users group. The policy allows the Domain Users group access to the Remote Desktop Users group so anyone can log in to this PC (which works), and I also enabled "Run only specific windows applications", in which I added "na.exe" to the list because I only want them to use CTRL + ALT + DEL to change the password.
     
    The computer is in this OU, but the user is not. So the user part of your GPO will not apply unless you enable Loopback.
     
     
    In addition, as Wendy pointed out, check the issues with MS16-072. Although they do not apply in the first place :-)
    Tuesday, March 14, 2017 11:51 AM
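
The two fixes raised in the replies above (loopback processing, and Read permission for computer accounts after MS16-072), as an added PowerShell example that is not part of any reply in this thread. It assumes the RSAT GroupPolicy module, rights to edit the GPO, loopback in Replace mode, and a constructed report path of C:\Temp.

```powershell
# Added example: run from an admin workstation with the RSAT GroupPolicy module.
Import-Module GroupPolicy

$GpoName = 'PASSWORD$ Policy'   # GPO name as given in the question
$Key     = 'HKLM\Software\Policies\Microsoft\Windows\System'

# 1. Loopback processing is stored as the UserPolicyMode policy value:
#    1 = Merge, 2 = Replace. Replace is an assumption here, chosen so the
#    password-change PC gets only the user settings of GPOs that reach the computer.
$mode = Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
if ($null -eq $mode) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
    Write-Host "Loopback (Replace) enabled in '$GpoName'."
} else {
    Write-Host "Loopback already configured: UserPolicyMode = $($mode.Value)"
}

# 2. MS16-072: user policy is retrieved in the computer's security context,
#    so computer accounts need at least Read on the GPO. List who has what.
$perms = Get-GPPermission -Name $GpoName -All
$perms | Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission |
    Format-Table -AutoSize

# If neither group named in the first reply is on the GPO, add Domain Computers
# with Read, which is that reply's advice for security-filtered GPOs.
$readers = 'Authenticated Users', 'Domain Computers'
if (-not ($perms | Where-Object { $readers -contains $_.Trustee.Name })) {
    Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null
    Write-Host "Granted 'Domain Computers' Read on '$GpoName'."
}

# 3. Verify on the PASSWORD machine, logged on as a test user:
#      gpupdate /force
#      gpresult /h C:\Temp\gpresult.html /f
#    The user section of the report should now list the GPO as applied.
```
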
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If not, please reply and tell us the current situation so that we can provide further help.

    Best Regards,

    Wendy



    Tuesday, March 21, 2017 9:14 AM
    Moderator