[Solved] Certain GPOs not applying unless user is local admin

    Question

  • Setup: 3 DC's (2012R2, 2008, 2008R2), single AD site, dcdiag results are all good, repadmin results are all good, no related error/warning events logged in Windows Application Log, Group Policy Log, DFS Log or FRS Log on either DC.

    Hi,

    I have around 10 GPO's applying to users. I have recently noticed that 4 of these GPO's are not applying to some users. The GPO's in question control different settings (adding printers, mapped drives, login script, copying files - all configured under the USERS settings section within the policy).

    A few days ago a couple of users reported that their network printers had disappeared, so I just mapped them manually. I now believe these printers disappeared as the GPO was no longer applying. 

    I have confirmed no security filtering, WMI filtering, inheritance blocks or item-level targeting are affecting how and when the GPO's are applied. Replication of GPO's and changes is confirmed working fine between all DC's.

    Further troubleshooting has me believe this is related to permissions on the endpoints. If a user logs into a PC which they are a local admin of (because 'Domain Users' is a group within the Local Administrators group) then all the GPO's get applied. If the user logs into another PC in which they are not a local admin, then only some GPO's apply, but not all. This is seen by running "gpresult /r", and as expected, drives are not mapped, printers not connected, login scripts not run and files not copied.

    I'm trying to find a pattern of why some GPO's apply in this case and some not, but cannot find any correlation. The GPO's that run no matter what permissions the users have also have settings configured under the USER section of the policy.

    This is only a recent problem. Before last week, all GPO's were happily applying to all users on all PCs. What could have changed to my GPO's, or the PC's, for this to suddenly be a problem?

    UAC on all computers is set to the upper-middle option. All users are in the same OU and members of the same group. All computers are in their own OU.

    If I create a new GPO from scratch, link it to the users OU, and set a simple USER setting, such as hide a control panel item, and apply to all users, only those with local admin rights will apply it - confirmed by running "gpresult /r" (in fact, when running this command, the new problem GPO's do not even show as filtered out - they just don't show at all!)

    I'm stumped.




    Friday, July 22, 2016 2:53 PM

Answers

  • I should have searched first! It seems others are posting similar questions and one was answered just today.

    https://support.microsoft.com/en-us/kb/3163622 is the culprit of this issue. 

    To test, I checked the security filtering of a GPO that was not being applied to users when they logged onto PCs without local admin rights.

    This particular GPO had specific security filtering for a group of users. As the above article recommends, I then added "domain computers" (even though the policy settings only affect USERS). I ran "gpupdate /force" on an affected PC then "gpresult /r" and up popped the policy!

    If the security filtering is set to "authenticated users" then you don't need to add "domain computers" as well - it should just work - the above MS update does not break GPO's that use "authenticated users" for security filtering.

    Friday, July 22, 2016 4:00 PM
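    One way to find every GPO in a domain that is exposed to this problem before users notice, as an added example that is not part of the thread: after KB3163622 the computer account reads user policies, so a GPO whose security filtering grants Read to neither Authenticated Users nor Domain Computers is the one that silently vanishes from gpresult. The script assumes the GroupPolicy RSAT module is installed and that the account running it can read GPO ACLs.

```powershell
# Added audit script (not from the thread): list GPOs whose security filtering would be
# broken by MS16-072 / KB3163622, i.e. no ACE grants at least Read to Authenticated Users
# (S-1-5-11) or Domain Computers (<domain SID>-515). Assumes the GroupPolicy RSAT module.
Import-Module GroupPolicy

# GPO permission levels that include Read on the policy object and its SYSVOL folder.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoReadableByComputers {
    param([Parameter(Mandatory)][guid]$GpoGuid)
    # -Guid avoids ambiguity when two GPOs share a display name.
    $perms = Get-GPPermission -Guid $GpoGuid -All
    $ok = $perms | Where-Object {
        $_.Trustee.Sid -and
        ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or $_.Trustee.Sid.Value -like 'S-1-5-21-*-515') -and
        ($readLevels -contains $_.Permission.ToString())
    }
    return [bool]$ok
}

$report = foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All
    [pscustomobject]@{
        Name             = $gpo.DisplayName
        Id               = $gpo.Id
        ComputersCanRead = Test-GpoReadableByComputers -GpoGuid $gpo.Id
        # GpoCustom ACEs are not classified by the cmdlet; review those by hand.
        HasCustomAce     = [bool]($perms | Where-Object { $_.Permission -eq 'GpoCustom' })
        UserSettings     = $gpo.User.Enabled
    }
}

# GPOs with user settings that computers cannot read are the ones that disappear from gpresult.
$report | Where-Object { -not $_.ComputersCanRead } | Format-Table -AutoSize

# Remediation, per GPO and only after reviewing the report (this is the fix the answer describes):
# Set-GPPermission -Guid <GPO guid> -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead
```

    Granting Domain Computers Read (not Apply) keeps the policy user-targeted; the existing user-group filtering still decides who receives it.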

All replies

  • Hi,

    Thanks for your posting here and sharing the resolution!

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 25, 2016 7:24 AM
    Moderator
  • Hi all,

    my GPOs are already configured as the guide says.
    But on some of my Win10 clients, if the user isn't logged in as local admin, they can't download the printer's driver from the server.
    I tested on two new clients yesterday, same result. Until the user was logged in as a normal user all was working well;
    If I try to install the printer manually with the complete path \\server\printer, it works, can download the proper driver and print.

    so, what's the trouble?

    regards
    f.

    Thursday, May 10, 2018 8:05 AM