Group Policy applying user configuration but not the computer configuration.

    Question

  • I have been trying to troubleshoot this issue for over a week now. We are running Windows Server 2012 with Active Directory / Group Policy Management. It seems to me that no matter what I change under the computer configuration of a GPO, it is not being applied. When doing a GPreport from a machine it is showing that these settings are being applied, but they actually are not being applied at all. All of the user configuration policies I set are working fine, but anything under the Computer Configuration section of a group policy seems to do nothing but shows up in the report and RSoP.
    Thursday, January 8, 2015 8:44 PM

All replies

  • Where have you linked the GPOs? Presume to an OU? Do the computers live in that OU? Did you disable computer configuration or mess with security filtering?
    Friday, January 9, 2015 7:51 AM

  • Group Policy Results
    Data collected on: 1/8/2015 3:33:03 PM
    Summary
    Computer Configuration Summary
    General
    Computer name HNN\ADTEST-PC
    Site Default-First-Site-Name
    Last time Group Policy was processed 1/8/2015 3:28:55 PM
    Group Policy Objects
    Applied GPOs
    Name Link Location Revision
    GoogleChrome HNN.LOCAL AD (5), Sysvol (5)
    Computer Firewall Ports HNN.LOCAL/ComputersOU AD (3), Sysvol (3)
    Default Domain Policy HNN.LOCAL AD (18), Sysvol (18)
    Denied GPOs
    Name Link Location Reason Denied
    Local Group Policy Local Empty
    Security Group Membership when Group Policy was applied
    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    NT AUTHORITY\This Organization
    HNN\ADTEST-PC$
    HNN\Domain Computers
    S-1-18-1
    Mandatory Label\System Mandatory Level
    WMI Filters
    Name Value Reference GPO(s)
    None
    Component Status
    Component Name Status Last Process Time
    Group Policy Infrastructure Success 1/8/2015 3:29:08 PM
    Registry Success 1/8/2015 3:26:56 PM
    Security Success 1/8/2015 3:26:57 PM
    User Configuration Summary
    General
    User name HNN\administrator
    Domain HNN.LOCAL
    Last time Group Policy was processed 1/8/2015 3:32:03 PM
    Group Policy Objects
    Applied GPOs
    Name Link Location Revision
    GoogleChrome HNN.LOCAL AD (32), Sysvol (32)
    Default Domain Policy HNN.LOCAL AD (1), Sysvol (1)
    Denied GPOs
    Name Link Location Reason Denied
    Local Group Policy Local Empty
    Security Group Membership when Group Policy was applied
    HNN\Domain Users
    Everyone
    BUILTIN\Users
    BUILTIN\Administrators
    NT AUTHORITY\INTERACTIVE
    CONSOLE LOGON
    NT AUTHORITY\Authenticated Users
    NT AUTHORITY\This Organization
    LOCAL
    HNN\Group Policy Creator Owners
    HNN\Domain Admins
    HNN\Enterprise Admins
    HNN\Schema Admins
    S-1-18-1
    HNN\Denied RODC Password Replication Group
    Mandatory Label\High Mandatory Level
    WMI Filters
    Name Value Reference GPO(s)
    None
    Component Status
    Component Name Status Last Process Time
    Group Policy Infrastructure Success 1/8/2015 3:32:05 PM
    Software Installation Failed 1/8/2015 3:32:05 PM
    Software Installation failed due to the error listed below.

    The installation source for this product is not available. Verify that the source exists and that you can access it. 

    Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 1/8/2015 3:32:04 PM and 1/8/2015 3:32:05 PM.
    Computer Configuration
    Policies
    Windows Settings
    Security Settings
    Account Policies/Password Policy
    Policy Setting Winning GPO
    Enforce password history 24 passwords remembered Default Domain Policy
    Maximum password age 42 days Default Domain Policy
    Minimum password age 1 days Default Domain Policy
    Minimum password length 7 characters Default Domain Policy
    Password must meet complexity requirements Enabled Default Domain Policy
    Store passwords using reversible encryption Disabled Default Domain Policy
    Account Policies/Account Lockout Policy
    Policy Setting Winning GPO
    Account lockout threshold 0 invalid logon attempts Default Domain Policy
    Local Policies/Security Options
    Network Access
    Policy Setting Winning GPO
    Network access: Allow anonymous SID/Name translation Disabled Default Domain Policy
    Network Security
    Policy Setting Winning GPO
    Network security: Do not store LAN Manager hash value on next password change Enabled Default Domain Policy
    Network security: Force logoff when logon hours expire Disabled Default Domain Policy
    Public Key Policies/Certificate Services Client - Auto-Enrollment Settings
    Policy Setting Winning GPO
    Automatic certificate management Enabled [Default setting]
    Option Setting
    Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates Disabled
    Update and manage certificates that use certificate templates from Active Directory Disabled
    Public Key Policies/Encrypting File System
    Certificates
    Issued To Issued By Expiration Date Intended Purposes Winning GPO
    Administrator Administrator 11/29/2114 2:19:06 PM File Recovery Default Domain Policy

    For additional information about individual settings, launch Group Policy Object Editor.
    Public Key Policies/Trusted Root Certification Authorities
    Properties
    Winning GPO [Default setting]
    Policy Setting
    Allow users to select new root certification authorities (CAs) to trust Enabled
    Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
    To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only
    Windows Firewall with Advanced Security
    Global Settings
    Policy Setting Winning GPO
    Policy version 2.20 Computer Firewall Ports
    Disable stateful FTP Not Configured
    Disable stateful PPTP Not Configured
    IPsec exempt Not Configured
    IPsec through NAT Not Configured
    Preshared key encoding Not Configured
    SA idle time Not Configured
    Strong CRL check Not Configured
    Inbound Rules
    Name Description Winning GPO
    Windows Management Instrumentation (WMI-In) Inbound rule to allow WMI traffic for remote Windows Management Instrumentation. [TCP] Computer Firewall Ports
    This rule may contain some elements that cannot be interpreted by current version of GPMC reporting module
    Enabled True
    Program %SystemRoot%\system32\svchost.exe
    Action Allow
    Security Require authentication
    Authorized computers
    Authorized users
    Protocol 6
    Local port Any
    Remote port Any
    ICMP settings Any
    Local scope Any
    Remote scope Any
    Profile Domain
    Network interface type All
    Service winmgmt
    Allow edge traversal False
    Group Windows Management Instrumentation (WMI)
    Remote Scheduled Tasks Management (RPC) Inbound rule for the Task Scheduler service to be remotely managed via RPC/TCP. Computer Firewall Ports
    This rule may contain some elements that cannot be interpreted by current version of GPMC reporting module
    Enabled True
    Program %SystemRoot%\system32\svchost.exe
    Action Allow
    Security Require authentication
    Authorized computers
    Authorized users
    Protocol 6
    Local port Dynamic RPC
    Remote port Any
    ICMP settings Any
    Local scope Any
    Remote scope Any
    Profile Domain
    Network interface type All
    Service schedule
    Allow edge traversal False
    Group Remote Scheduled Tasks Management
    Remote Scheduled Tasks Management (RPC-EPMAP) Inbound rule for the RPCSS service to allow RPC/TCP traffic for the Task Scheduler service. Computer Firewall Ports
    This rule may contain some elements that cannot be interpreted by current version of GPMC reporting module
    Enabled True
    Program %SystemRoot%\system32\svchost.exe
    Action Allow
    Security Require authentication
    Authorized computers
    Authorized users
    Protocol 6
    Local port RPC endpoint mapping
    Remote port Any
    ICMP settings Any
    Local scope Any
    Remote scope Any
    Profile Domain
    Network interface type All
    Service RPCSS
    Allow edge traversal False
    Group Remote Scheduled Tasks Management
    Connection Security Settings
    Administrative Templates
    Policy definitions (ADMX files) retrieved from the local machine.
    System/Group Policy
    Policy Setting Winning GPO
    Startup policy processing wait time Enabled Default Domain Policy
    Amount of time to wait (in seconds): 30
    System/Logon
    Policy Setting Winning GPO
    Always wait for the network at computer startup and logon Enabled Default Domain Policy
    Assign a default domain for logon Enabled Computer Firewall Ports
    Default Logon domain: HNN
    Enter the name of the domain
    Extra Registry Settings
    Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.

    Setting State Winning GPO
    Software\Policies\Microsoft\Windows\Personalization\NoChangingLockScreen 1 Default Domain Policy
    Software\Policies\Microsoft\Windows\System\ProcessTSUserLogonAsync 1 Default Domain Policy
    User Configuration
    Policies
    Software Settings
    Installed Applications
    Google Chrome
    Winning GPO GoogleChrome
    Product Information
    Name Google Chrome
    Version 66.30
    Language English (United States)
    Platform x86
    Support URL
    Deployment Information
    General Setting
    Deployment type Assigned
    Deployment source C:\AgentPrograms\googlechromestandaloneenterprise.msi
    Installation user interface options Maximum
    Uninstall this application when it falls out of the scope of management Disabled
    Do not display this package in the Add/Remove Programs control panel Disabled
    Install this application at logon Enabled

    Advanced Deployment Options Setting
    Ignore language when deploying this package Disabled
    Make this 32-bit X86 application available to Win64 machines Enabled
    Include OLE class and product information Disabled

    Diagnostic Information Setting
    Product code {c3ff5acb-174a-3e07-ae2a-62063fbcc9b1}
    Deployment Count 0
    Security
    Permissions
    Type Name Permission Inherited
    Allow HNN\Domain Admins Full control No
    Allow NT AUTHORITY\Authenticated Users Read No
    Allow NT AUTHORITY\SYSTEM Full control No
    Allow HNN\Domain Computers Read Yes
    Allow HNN\Domain Admins Read, Write Yes
    Allow HNN\Enterprise Admins Read, Write Yes
    Allow NT AUTHORITY\Authenticated Users Read Yes
    Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read Yes
    Allow NT AUTHORITY\SYSTEM Read, Write Yes
    Allow CREATOR OWNER Read, Write Yes
    Allow inheritable permissions from the parent to propagate to this object and all child objects Enabled
    Advanced
    Upgrades Setting
    Required upgrade for existing packages Disabled
    Packages that this package will upgrade GPO
    None
    Packages that will upgrade this package GPO
    Google Chrome (2) GoogleChrome

    Transforms
    None
    Cause
    This application was applied due to the following conditions:
    The application was assigned.
    Its language matched the system language.
    HNNZOIPER
    Winning GPO GoogleChrome
    Product Information
    Name HNNZOIPER
    Version 1.0
    Language English (United States)
    Platform x86
    Support URL
    Deployment Information
    General Setting
    Deployment type Assigned
    Deployment source C:\AgentPrograms\HNNZOIPER.msi
    Installation user interface options Basic
    Uninstall this application when it falls out of the scope of management Disabled
    Do not display this package in the Add/Remove Programs control panel Disabled
    Install this application at logon Enabled

    Advanced Deployment Options Setting
    Ignore language when deploying this package Disabled
    Make this 32-bit X86 application available to Win64 machines Enabled
    Include OLE class and product information Disabled

    Diagnostic Information Setting
    Product code {4d9a0f38-d9fa-4c42-b9af-926295ea6550}
    Deployment Count 0
    Security
    Permissions
    Type Name Permission Inherited
    Allow HNN\Domain Admins Full control No
    Allow NT AUTHORITY\Authenticated Users Read No
    Allow NT AUTHORITY\SYSTEM Full control No
    Allow HNN\Domain Computers Read Yes
    Allow HNN\Domain Admins Read, Write Yes
    Allow HNN\Enterprise Admins Read, Write Yes
    Allow NT AUTHORITY\Authenticated Users Read Yes
    Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read Yes
    Allow NT AUTHORITY\SYSTEM Read, Write Yes
    Allow CREATOR OWNER Read, Write Yes
    Allow inheritable permissions from the parent to propagate to this object and all child objects Enabled
    Advanced
    Upgrades Setting
    Required upgrade for existing packages Disabled
    Packages that this package will upgrade GPO
    None
    Packages that will upgrade this package GPO
    None

    Transforms
    None
    Cause
    This application was applied due to the following conditions:
    The application was assigned.
    Its language matched the system language.
    Friday, January 9, 2015 1:56 PM
  • The computers live in their own created OU called Computers; I assumed they were fine in there. But I have tried creating an OU for a computer and still the settings never seem to actually apply to the computer itself.
    Friday, January 9, 2015 1:57 PM
  • Any update on this? Can't seem to find any resolution.
    Monday, January 12, 2015 2:26 PM
  • Hi Envec,

    1) Did you check that GPO refreshment is happening? Any clue in the event logs?

    2) Does the problematic machine have connectivity to the domain controller on port 445?

    After ensuring the above, type gpupdate /force, and reboot if required.


    Regards, Prabhu


    Tuesday, January 13, 2015 12:58 PM
  • Thanks for the response, Prabhu. I can telnet to the domain controller on 445, and yes, GPO refreshment is happening. There are no real errors in the event logs besides telling the user that he needs to log off in order to get some policies, which never apply no matter how many times you log off. I have run the gpupdate /force command and rebooted these PCs several times.
    Tuesday, January 13, 2015 2:15 PM
  • So none of your computer GPOs work at all, just so that I'm clear?

    Create a gpresult /h and upload via SkyDrive or similar.

    Tuesday, January 13, 2015 3:25 PM
  • https://onedrive.live.com/redir?resid=9BF7669C1A5FD76E!772&authkey=!AAOTZK93tQxFKRY&ithint=file%2chtml
    Tuesday, January 13, 2015 5:37 PM
  • There you go, and correct, it doesn't seem to be applying any of the computer configuration settings. But the user configurations seem to be working fine. But as you can see in the GPresult, it shows that it actually sees those settings.
    • Edited by Envec Tuesday, January 13, 2015 5:42 PM
    Tuesday, January 13, 2015 5:40 PM
  • Hi, I do see the Default Domain Policy in the report. Any other GPO you are pointing to?

    And would like to know how you assume computer configurations are not getting applied.


    Regards, Prabhu

    Wednesday, January 14, 2015 5:50 AM
  • > There you go and correct it doesn't seem to be applying any of the
    > computer configuration settings. But the user configurations seem to be
    > working fine. But as you can see in the GPresult it shows that it
    > actually sees those settings
     
    I suppose you are referring to computer settings in "GoogleChrome"? What
    settings are there for computers?
     

    Martin

    Want to read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Wednesday, January 14, 2015 8:29 AM
  • The main policy not applying is the wait for network before login; this is not applying, causing the software GPOs not to install. There is a domain policy as well under the user OU that I am applying it to, but that domain policy also has the wait for network applied as well.
    Wednesday, January 14, 2015 2:01 PM
  • > The main policy not applying is the wait for network before login this
    > is not applying
     
    So well, then why do we see this in your report in computer configuration?
     
    Policy Setting Winning GPO
    Always wait for the network at computer startup and logon Enabled
    Default Domain Policy
     

    Martin

    Wednesday, January 14, 2015 4:19 PM
  • Exactly, you see it in the report but it's not applying. I can see the network connect after logging in, and if you look at the report it says: Software Installation did not complete policy processing because the user needs to log on again for the settings to be applied. Group Policy will attempt to apply the settings at the user's next logon.

    Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 1/13/2015 11:00:23 AM and 1/13/2015 11:00:23 AM.

    The reason it's not installing is because it's not picking the network up before logging in. No matter how many times I log out and log back in or do a gpupdate, still no results. Now if I log into a user account on the actual AD server, it does try to install these GPOs.

    Wednesday, January 14, 2015 4:29 PM
  • On 14.01.2015 at 17:29, Envec wrote:
    > Exactly you see it in the report but it's not applying. I can see the
    > network connect after logging in
     
    I would rephrase this to "it is applying, but not working as expected" :)
     
    Give this a try and set it to 60: http://gpsearch.azurewebsites.net/#319
     

    Martin

    Thursday, January 15, 2015 10:46 AM
  • This policy is already set. Still doesn't seem to be working the way it should be; still logs right in after entering credentials on any authenticated user.
    Thursday, January 15, 2015 1:59 PM
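
To check on the affected client whether the computer-side settings shown in the posted report actually reached the registry, and whether the two Software Installation deployment sources resolve from that machine, a check along these lines can be run in an elevated PowerShell session. This is an added example, not part of the thread; the expected values and paths are copied from the report, and the `SyncForegroundPolicy` and `GpNetworkStartTimeoutPolicyValue` names assume the stock ADMX templates.

```powershell
# Added example, not from the thread. Run elevated on the affected client (e.g. ADTEST-PC).
# Expected values come from the Group Policy Results report posted in the thread.
# Assumption: the two Administrative Templates settings use the stock ADMX registry values.
$expected = @(
    @{ Setting = 'Always wait for the network at computer startup and logon'
       Key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name    = 'SyncForegroundPolicy'; Value = 1 },
    @{ Setting = 'Startup policy processing wait time (seconds)'
       Key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name    = 'GpNetworkStartTimeoutPolicyValue'; Value = 30 },
    @{ Setting = 'ProcessTSUserLogonAsync (extra registry setting)'
       Key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name    = 'ProcessTSUserLogonAsync'; Value = 1 },
    @{ Setting = 'NoChangingLockScreen (extra registry setting)'
       Key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
       Name    = 'NoChangingLockScreen'; Value = 1 }
)

# Compare what the report claims with what is really in the policy hive.
$registryCheck = foreach ($e in $expected) {
    $item   = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($e.Name) } else { $null }
    [pscustomobject]@{
        Setting  = $e.Setting
        Expected = $e.Value
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Applied  = ($null -ne $actual -and $actual -eq $e.Value)
    }
}
$registryCheck | Format-Table -AutoSize -Wrap

# The deployment source of an assigned package is resolved on the machine that
# performs the install, so each path from the report must exist from this client.
$sources = @(
    'C:\AgentPrograms\googlechromestandaloneenterprise.msi',
    'C:\AgentPrograms\HNNZOIPER.msi'
)
$sourceCheck = foreach ($s in $sources) {
    [pscustomobject]@{
        Source              = $s
        IsUncPath           = $s.StartsWith('\\')
        ReachableFromClient = Test-Path -LiteralPath $s -PathType Leaf
    }
}
$sourceCheck | Format-Table -AutoSize -Wrap
```

A row with `Applied` set to `True` means the computer policy was written to the client and the symptom lies elsewhere; a source with `ReachableFromClient` set to `False` matches the "installation source for this product is not available" error in the report.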