Windows 10 doesn't apply GPO

    Question

  • Hi!

    I have a computer with Windows 10 and I configured IE 10 settings (ADMX) in a GPO. My IE is 11, but as far as I know the IE 10 settings also apply to 11. The problem is that this policy doesn't apply.

    Group Policy Modeling shows that it must apply, and GPO Result shows that this policy is not visible in Applied GPOs or in Denied GPOs.

    Tuesday, July 26, 2016 8:20 AM


All replies

  • Let's start with the basics here.  By your problem statement, I believe you must have mis-read the Group Policy Modeling results.  As you stated "computer with Windows 10"...but the GPO settings shown in the screenshot depict the User section of the GPO filled out, not the computer section; if you want this policy to apply to the user one approach is you will need to move the user object into the OU to which the GPO is linked.

    Best Regards, Todd Heron | Active Directory Consultant

    Tuesday, July 26, 2016 11:42 AM
  • Hi, Todd. Yes, I understand, and this GPO is linked to an OU that contains another OU that contains the user account that we use for testing.
    Tuesday, July 26, 2016 12:23 PM
  • > Group Policy Modeling shows that it must apply, and GPO Result shows that
    > this policy is not visible in Applied GPOs or in Denied GPOs.
     
    If it is neither visible in Applied or denied, then it is "not in
    scope". The user is in the correct OU "Moscow"? Loopback is NOT enabled?
    And you are aware of MS16-072 and its known issues?
     
    Tuesday, July 26, 2016 3:03 PM
  • Hi Martin,

    No, the user is not in Moscow, but in the "IT" OU that is under Moscow. Scope was configured for 2 users and it didn't work, but as soon as I changed the scope to "Authenticated Users" instead of direct account names it works. I don't understand why, because I need to specify scope only for these users.

    Tuesday, July 26, 2016 8:26 PM
  • Hi,

    Just as Martin said, this behavior is actually described in https://support.microsoft.com/en-us/kb/3163622. One way to fix this is to add "Authenticated Users" with Read permission into the Delegation tab. Another way is to add "Domain Computers" to Security Filtering list.

    Symptoms
    All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.

    Cause
    This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

    Resolution

    To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

    • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
    • If you are using security filtering, add the Domain Computers group with read permission.

    Similar thread for your reference:

    Patch Tuesday - KB3159398

    https://social.technet.microsoft.com/Forums/en-US/e2ebead9-b30d-4789-a151-5c7783dbbe34/patch-tuesday-kb3159398?forum=winserverGP

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Todd Heron Thursday, July 28, 2016 1:46 AM
    Wednesday, July 27, 2016 5:49 AM
    Moderator
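
The KB3163622 condition quoted in the reply above can be checked across a domain with the GroupPolicy module. This is an added example, not part of the thread or of the KB article; it assumes RSAT is installed and only reads permissions.

```powershell
Import-Module GroupPolicy   # RSAT Group Policy module

# Permission levels that include Read on the GPO object.
# (A GpoCustom ACE may also grant Read; it is not evaluated here.)
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All

    # Authenticated Users is S-1-5-11; Domain Computers is <domain SID>-515.
    # Matching on SID avoids problems with localized group names.
    $computerRead = $perms | Where-Object {
        ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or
         $_.Trustee.Sid.Value -like 'S-1-5-21-*-515') -and
        ($readLevels -contains $_.Permission.ToString())
    }

    if (-not $computerRead) {
        # Neither group can read this GPO. List who is in the security
        # filter so the GPO can be reviewed by hand.
        $filter = $perms |
            Where-Object { $_.Permission.ToString() -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }

        [pscustomobject]@{
            GpoName   = $gpo.DisplayName
            GpoStatus = $gpo.GpoStatus
            ApplyTo   = $filter -join ', '
        }
    }
}

$report | Sort-Object GpoName | Format-Table -AutoSize
```

A GPO on this list is a candidate to review, not necessarily broken: if `ApplyTo` already names the computer accounts (or a group containing them) that must process it, those computers can read it.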
  • OK. Give me some time to check and I will be back.
    Wednesday, July 27, 2016 9:11 PM
  • Little correction. Loopback processing (Merge) is in use. So if I understand your info correctly:

    I map the GPO to the OU where the computers are located. This GPO has Loopback Processing enabled. This GPO also has user options configured. It must work only for 2 servers. So I use Filtering: Server1, Server2 AND AUTHENTICATED USERS. Correct?

    Thursday, July 28, 2016 4:39 PM
  • Hi,

    If you are using security filtering, add the Domain Computers group with read permission.

    Best Regards,

    Alvin Wang



    Friday, July 29, 2016 7:23 AM
    Moderator
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Alvin Wang



    Monday, August 01, 2016 8:31 AM
    Moderator
  • Hi)

    Thank you. I need to configure this policy only for specific servers (User option), that's why I set Loopback processing. So if I set Domain Computers, I will need to create a new OU and move the affected computers into this OU. So I have to create a new OU every time, and it's inconvenient because there can be several policies.

    So I just configured Security Filtering in one OU where all servers are located. It doesn't work. Now, as you advise, I set Authenticated Users. I'm going to check it tonight.

    Monday, August 01, 2016 11:43 AM
  • > Processing enabled. This GPO also has user options configured. It must
    > work only for 2 servers. So I use Filtering: Server1, Server2 AND
    > AUTHENTICATED USERS. Correct?
     
    So you have a GPO with both computer and user settings that need to
    apply to 2 servers and some users? Or...?
     
    Monday, August 01, 2016 2:33 PM
  • Nope. I have a GPO only with User settings that must be applied to all users only on these 2 servers.

    • Edited by Dissonance Monday, August 01, 2016 2:49 PM
    Monday, August 01, 2016 2:45 PM
  • Hi,

    Thanks for your reply.

    Feel free to let me know if you have any update on this case.

    Best Regards,

    Alvin Wang



    Tuesday, August 02, 2016 7:30 AM
    Moderator
  • > Nope. I have a GPO only with User settings that must be applied to all
    > users only on these 2 servers.
     
    In this scenario:
     
    Add both Servers (or a group containing those servers) to security
    filtering. And add Domain Users (NOT AuthUsers!) to security filtering.
    No other ACL configuration required.
     
    • Marked as answer by Dissonance Wednesday, August 03, 2016 12:35 PM
    Tuesday, August 02, 2016 10:54 AM
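
The security filtering described in the marked answer, set with the GroupPolicy module instead of GPMC. This is an added example, not code from the thread; the GPO name and the server group name are hypothetical placeholders, and the GPO is assumed to be linked to the servers' OU with loopback already enabled.

```powershell
Import-Module GroupPolicy   # RSAT Group Policy module

$gpoName     = 'IE Settings (loopback)'   # hypothetical GPO name
$serverGroup = 'IE-Policy-Servers'        # hypothetical group holding the 2 servers

# Security filtering in GPMC is the GpoApply level (Read + Apply group policy).
# The server group lets those computers read and process the GPO; Domain Users
# lets its user settings apply to the users who log on there.
foreach ($target in $serverGroup, 'Domain Users') {
    Set-GPPermission -Name $gpoName -TargetName $target -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# "NOT AuthUsers": take Authenticated Users out of the filter. -Replace is
# needed because Set-GPPermission does not lower an existing level without it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null

# Show the resulting filter: every trustee that holds GpoApply.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission.ToString() -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A server added to a new group picks up the membership after a restart; `gpresult /r /scope user` run on the server as a test user should then list the GPO under the applied Group Policy Objects.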
  • Oh...Ok.

    As I understand any domain machine is also member of authenticated users. Isn't it?

    I did as you told. And IT WORKS - THANK YOU! Marked as answer.

    Wednesday, August 03, 2016 12:35 PM
  • > As I understand any domain machine is also member of authenticated
    > users. Isn't it?
     
    Yes it is.
     
    > I did as you told. And IT WORKS - THANK YOU! Marked as answer.
     
    Welcome :)
     
    Wednesday, August 03, 2016 1:32 PM