Some New GPO Settings Won't Take

    Question

  • Hi all,

    I have a few GPO-related questions/issues today. 

    1. I updated some NTP-related GPOs. 
    Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Global Configuration:
    All settings are default except the following:
    MaxNegPhaseCorrection (1800)
    MaxPosPhaseCorrection (1800)

    Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers
    All settings are default except the following:
    SpecialPollInterval (900)

    So the GPOs appear in GPRESULT as expected as well as RSOP, but the updated settings do not appear in the registry as I would expect.  Oddly, if I run w32tm /query /configuration the times display properly.

    Does anyone have any thoughts as to why it isn't updating in the registry?  Is the registry omitted if the settings are specified via GPO? 
    These settings are for server hardening in relation to regulatory compliance, so it needs to be verified that it is set as necessary.

    2. I attempted to rename the domain Guest account by using the following GPO:
    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename guest account

    This fails for whatever reason.  Running RSOP shows a red error message on this item, and if I view it I am told to look up the winlogon.log, but unfortunately I do not find anything which pertains to the Guest account, be it by name or SID.

    Does anyone have any insight they can share with me on these two issues?  Any insight that can be provided would be welcomed.

    Thanks in advance!

    Wednesday, June 03, 2015 2:41 PM

All replies

  • Hi Paul,

    >>Does anyone have any thoughts as to why it isn't updating in the registry?  Is the registry omitted if the settings are specified via GPO? 

    Where did we check the group policy result report, on domain controller? The setting is used to specify Clock discipline and General values for Windows Time services for domain controllers.

    Regarding time configuration in AD, the following blog can be referred to for more information.

    “It’s Simple!” – Time Configuration in Active Directory

    http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx

    >>This fails for whatever reason.  Running RSOP shows a red error message on this item,

    Here, we can try to run the command gpresult /h c:\report.html with administrative privileges to generate the group policy result report to check if some more information can be found.

    Best regards,
    Frank Shen



    Monday, June 08, 2015 10:35 AM
    Moderator
  • ...Where did we check the group policy result report, on domain controller? The setting is used to specify Clock discipline and General values for Windows Time services for domain controllers.

    Regarding time configuration in AD, the following blog can be referred to for more information.

    “It’s Simple!” – Time Configuration in Active Directory

    http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx ...

    Hi Frank,
    Yes, this is on the DCs, and yes, I verified the settings on the DCs.  Again, it seems to be applying properly (gpresult shows it is being applied and RSoP doesn't show any errors).  My concern is that the settings are not showing up in the registry, but they are showing up if I run w32tm /query /configuration.
    And thank you for the link; I actually used that when I set up my time-related GPOs about six weeks ago (along with the wiki written by Mr. X).  

    ...Here, we can try to run the command gpresult /h c:\report.html with administrative privileges to generate the group policy result report to check if some more information can be found...

    Nothing odd shows up here.  Again, there is an error in the RSoP, but nothing odd shows up here.
    I just went ahead and renamed the account via DSA, but it would be nice if this GPO worked. 

    The main thing I am trying to deal with now is why the time settings show up via w32tm but not in the registry. 

    Monday, June 08, 2015 1:53 PM
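
Added example, not part of the original thread: Administrative Template settings for the Windows Time Service are written under HKLM\SOFTWARE\Policies\Microsoft\W32Time rather than the service's own key under HKLM\SYSTEM\CurrentControlSet\Services\W32Time, which is consistent with the values showing in w32tm /query /configuration but not in the service key. The PowerShell below checks both locations against the three values quoted in the question; the function name and report columns are illustrative choices.

```powershell
# Added example: audit the W32Time values from the question in both registry locations.
# Expected values are the ones the question lists; everything else is illustrative.
$expected = @(
    @{ SubKey = 'Config';                  Name = 'MaxNegPhaseCorrection'; Value = 1800 },
    @{ SubKey = 'Config';                  Name = 'MaxPosPhaseCorrection'; Value = 1800 },
    @{ SubKey = 'TimeProviders\NtpClient'; Name = 'SpecialPollInterval';   Value = 900  }
)

# Policy  = where the Administrative Template (GPO) writes its values.
# Service = the service's locally configured values.
$roots = @{
    Policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
    Service = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
}

function Get-RegValue {
    # Returns the value, or $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($e in $expected) {
    $policy  = Get-RegValue -Path (Join-Path $roots.Policy  $e.SubKey) -Name $e.Name
    $service = Get-RegValue -Path (Join-Path $roots.Service $e.SubKey) -Name $e.Name

    # A value set by policy takes precedence over the local service value.
    $fromPolicy = $null -ne $policy
    $effective  = if ($fromPolicy) { $policy } else { $service }

    [pscustomobject]@{
        Setting   = $e.Name
        Expected  = $e.Value
        Policy    = $policy
        Service   = $service
        Source    = if ($fromPolicy) { 'Policy' } else { 'Local' }
        Compliant = ($effective -eq $e.Value)
    }
}

$report | Format-Table -AutoSize
```

The Source column corresponds to the (Policy) or (Local) tag that w32tm /query /configuration prints next to each setting, so the two outputs can be filed together as compliance evidence.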