New GPO - inaccessible, empty or disabled - 2012 Domain - applied to W7 computer

    Question

  • Can anyone tell me what I can do to fix my new GPO not arriving on my W7 or W10 computers?

    2012 Domain (with one 2008 DC in the mix)

    New group policy approx. 2 days old is a user config setting:  Disable WPAD
    (unchecks the Automatically Detect Settings in IE, Connections, LAN ....via reg file)

    The group policy results wizard on the Summary tab of gpmc.msc, reports this and all other policies are Inaccessible, Empty or Disabled. (there is no version mismatch seen indicating a replication problem)

    This report is rather incorrect as the older group policies are applying fine, when checked on the target PC.  ie my mapped drives are there, document redirection etc.

    This same report on the details tab shows all the attempts I have made to get it to apply by adding different groups to the security filtering:

    ie: it reflects what is seen in the GPO object view Delegation tab correctly:
    Authenticated Users - read
    CG-Laptops - read (computer group of which the target is a member)
    Domain Users - read
    and edit for the more privileged users such as domain admins etc

    This same report on the policy event tab logs repeatedly: Security policy in the Group policy objects has been applied successfully.

    From the target PC I ran gpresult /H and the output shows 13 policies applied, when 14 are set on this Test OU in AD.
    Of course the one missing is the Disable WPAD policy.
    The local output also has mistakes in reporting: it reports under component status that my policy to map drives did not complete due to the user needing to log off and back on again...well the mapped drives are all there and working.

    I have reviewed MANY blogs and suggestions on this problem to no avail.

    Some people believe this problem is related to recent security vulnerabilities that MS patched for group policy.

    I believe I am losing my patience with this nonsense.

    Please can someone suggest something logical ?

    thanks

    Andy


    Wednesday, October 19, 2016 6:44 PM

Answers

  • Hi Andy,
    I do understand the painful feeling of fixing an issue; however, let us keep patience with it :)
    First of all, I agree with “Some people”: please check whether the MS16-072 update is installed on clients and domain controllers. If yes, this issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the Domain Computers group.
    To resolve this issue, please use the Group Policy Management Console (GPMC.MSC) to add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO). If you are using security filtering, please add the Domain Computers group with read permission.
    You could see details from: https://support.microsoft.com/en-sg/kb/3163622
    Best regards,
    Wendy

    • Marked as answer by AndySpecial Thursday, October 20, 2016 6:48 PM
    Thursday, October 20, 2016 5:41 AM
    Moderator
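
The permission check described in the answer above, as an added example that is not part of the original thread: it lists every GPO that neither Authenticated Users nor Domain Computers can read, which is the condition under which policy stops applying once MS16-072 is installed. It assumes the GroupPolicy module (RSAT/GPMC) is available; the `-Fix` switch and the variable names are illustrative, and the remediation uses the English group name "Domain Computers".

```powershell
# Added example: audit GPO read permissions after MS16-072.
# Read-only by default; -Fix (illustrative switch name) grants GpoRead to Domain Computers.
param(
    [switch]$Fix
)

Import-Module GroupPolicy

# Permission levels that include read access to the GPO.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($gpo in Get-GPO -All) {
    # All trustees on the GPO, keeping only allow entries that include read.
    $readers = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { -not $_.Denied -and $readLevels -contains $_.Permission.ToString() }

    # Match on SIDs so the check does not depend on localized group names:
    # S-1-5-11 is Authenticated Users, <domain SID>-515 is Domain Computers.
    $authUsers    = $readers | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' }
    $domComputers = $readers | Where-Object { $_.Trustee.Sid.Value -like 'S-1-5-21-*-515' }

    [pscustomobject]@{
        Gpo                    = $gpo.DisplayName
        Id                     = $gpo.Id
        AuthenticatedUsersRead = [bool]$authUsers
        DomainComputersRead    = [bool]$domComputers
    }
}

# GPOs that no computer account can read through either group.
$unreadable = $report |
    Where-Object { -not $_.AuthenticatedUsersRead -and -not $_.DomainComputersRead }

$report | Sort-Object Gpo | Format-Table Gpo, AuthenticatedUsersRead, DomainComputersRead -AutoSize
Write-Output ("{0} GPO(s) readable by neither group" -f @($unreadable).Count)

if ($Fix) {
    foreach ($row in $unreadable) {
        # GpoRead grants read only; it does not add the group to the apply filter.
        Set-GPPermission -Guid $row.Id -TargetName 'Domain Computers' `
            -TargetType Group -PermissionLevel GpoRead
    }
}
```

Run it without `-Fix` first and review the table; GPOs that use security filtering are the ones most likely to show `False` in both columns.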

All replies

  • Wendy, my first reply appears not to have saved correctly...so here is a shorter version.

    From MS16-072 only KB3159398 is applied.
    KB3163622 is not seen in WSUS nor on the target PCs
    KB3163016, 17, & 18 are seen in WSUS but not installed anywhere as they are superseded.

    Authenticated Users with read permissions has always been applied to most of my policies.
    When I added Domain Computers with read permissions, things started to happen.

    I will get back to you with the final results and have marked your answer as correct.

    thank you

    Andy

    Thursday, October 20, 2016 6:52 PM