Group policy unable to apply firewall change on Windows 7 client - blocked

    Question

  • I manage about 100 computers on a single domain.

    The problem started when I made some changes to the automatic update GPO.  After a few days, all of my computers had reported to WSUS except one.  So my troubleshooting started out centered on WSUS, but now things are just not working and I'm stumped.

    Basically

    I have just made several changes to group policy including but not limited to:

    • Computer - change automatic update settings for both default policy and a specific ou policy
    • Computer - change windows firewall policy > domain profile > protect all network connections from "disabled" to "not configured" - this setting, in conjunction with "prohibit use of Internet Connection firewall" which is also not configured on the policy is supposed to allow administrators to modify firewall policies on the desktop.

    Problem is, I can't run "gpupdate /force".  So I tried in an administrative command prompt (start > cmd > run as administrator) while logged in both as the computer administrator AND a domain administrator.

    All of my other computers that needed to have gpupdate /force run on them ran it no problem.  One machine is failing to apply the computer policy.  See below for more information.

    So I restarted the desktop. (I also shut it down and turned it back on) 

    When I try to access the Firewall settings after either boot, I am blocked with the message: "Some settings are managed by your system administrator" and the drop down is greyed out.

    Here is how the thought process played out:

    1. WSUS is returning an error that points to not getting the WSUS server from group policy "WSUS server: http://"
    2. gpupdate /force returns the message: "The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved." consistently. 
    3. gpresult.htm points to a policy from a previous domain named "{F7201EE6-D721-4A34-BEAA-D4263CD1BC86}" which generally means whatever it was, it's gone now.  This policy turns on the firewalls and a few other things.
    4. My Admin users are not able to edit the local group policy "Failed to open the group policy object on this computer.  You may not have appropriate rights"
    5. Firewall settings indicate they are controlled by group policy with all profiles forced to "on", even for users in the Local Administrator group.
    6. I followed suggestions here: https://technet.microsoft.com/en-us/library/cc728209(v=ws.10).aspx and everything is in order except that "Internet Connection Sharing" was disabled.  My admin user was able to enable it, but when I tried to start it it threw the message "started then stopped". 

    So, is there a way to ditch that old, non-existent policy from the computer's memory for these settings and all the settings it's showing it controls in gpresult.htm? 

    I am not able to do the things that should fix it because the policy itself is stopping me.  It's quite annoying and I'd rather not replace the computer.

    Wednesday, March 04, 2015 5:20 PM

Answers

  • Hi,

    >>The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO.

    Before going further, what's this GPO for? Is this an existing local GPO or domain GPO? Based on the description, we can try to disjoin the computer from the domain and rejoin it to see if it helps.

    If the situation persists, we can try to delete the following registry keys on the computer and restart the computer to see if it helps:

    HKLM\Software\Policies\Microsoft

    HKCU\Software\Policies\Microsoft

    HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

    Regarding this point, we can refer to the suggestion provided by Arthur Li in the following thread.

    Old domain gone, but GP lives on

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/75ab1158-e460-4aa5-8658-402836e6096a/old-domain-gone-but-gp-lives-on?forum=winserverGP

    Important & Caution: Back up the registry before we modify it, because serious problems might occur if we modify the registry incorrectly.

    Best regards,
    Frank Shen




    The above worked with one addition.  I also had to back up and delete the C:\windows\system32\group policy hidden folder.  As soon as I did that, gpupdate /force pulled the correct policy and I am updating the machine now.
    • Marked as answer by mdt109 Monday, March 09, 2015 3:05 PM
    Monday, March 09, 2015 3:04 PM
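
As an added example (not part of any post in this thread), the accepted fix written as a PowerShell script with the backup step made explicit and deletion gated behind a switch. The backup location `C:\PolicyBackup`, the `-Apply` switch, and reading the "group policy" hidden folder as `%SystemRoot%\System32\GroupPolicy` are assumptions.

```powershell
# Added example: back up, then optionally clear, stale policy state on one client.
# Run from an elevated prompt. Written to work on PowerShell 2.0 (Windows 7).
param(
    [string]$BackupRoot = 'C:\PolicyBackup',   # assumed backup location
    [switch]$Apply                              # without -Apply nothing is deleted
)

# Registry keys named in the answer. HKCU is the hive of the account running
# this script, so run it as the affected user if per-user policy is the problem.
$keys = @(
    'HKLM\Software\Policies\Microsoft',
    'HKCU\Software\Policies\Microsoft',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
)
# Local GPO store; assumed to be the hidden "group policy" folder from the reply.
$gpFolder = Join-Path $env:SystemRoot 'System32\GroupPolicy'

$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

foreach ($key in $keys) {
    $psPath = 'Registry::' + ($key -replace '^HKLM', 'HKEY_LOCAL_MACHINE' -replace '^HKCU', 'HKEY_CURRENT_USER')
    if (-not (Test-Path -LiteralPath $psPath)) { Write-Output "absent:  $key"; continue }

    # Export first; stop before any deletion if the backup cannot be written.
    $file = Join-Path $dest (($key -replace '[\\ ]', '_') + '.reg')
    & reg.exe export $key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export failed for $key; it was not deleted." }
    Write-Output "saved:   $key -> $file"
    if ($Apply) { Remove-Item -LiteralPath $psPath -Recurse -Force -ErrorAction Stop }
}

if (Test-Path -LiteralPath $gpFolder) {
    # -Force is needed because the folder is hidden.
    Copy-Item -LiteralPath $gpFolder -Destination (Join-Path $dest 'GroupPolicy') -Recurse -Force -ErrorAction Stop
    Write-Output "saved:   $gpFolder"
    if ($Apply) { Remove-Item -LiteralPath $gpFolder -Recurse -Force -ErrorAction Stop }
}

if ($Apply) {
    & gpupdate.exe /force
    Write-Output 'Restart, then confirm the applied GPOs with: gpresult /h gpresult.htm'
} else {
    Write-Output "Dry run: backups are in $dest. Re-run with -Apply to delete and refresh."
}
```

Each exported `.reg` file can be restored with `reg import` if a deleted key turns out to be needed.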

All replies

  • Hi,

    >>The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO.

    Before going further, what's this GPO for? Is this an existing local GPO or domain GPO? Based on the description, we can try to disjoin the computer from the domain and rejoin it to see if it helps.

    If the situation persists, we can try to delete the following registry keys on the computer and restart the computer to see if it helps:

    HKLM\Software\Policies\Microsoft

    HKCU\Software\Policies\Microsoft

    HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

    Regarding this point, we can refer to the suggestion provided by Arthur Li in the following thread.

    Old domain gone, but GP lives on

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/75ab1158-e460-4aa5-8658-402836e6096a/old-domain-gone-but-gp-lives-on?forum=winserverGP

    Important & Caution: Back up the registry before we modify it, because serious problems might occur if we modify the registry incorrectly.

    Best regards,
    Frank Shen



    Friday, March 06, 2015 2:04 AM
    Moderator