none
Policy Not Being Applied.

    Question

  • Hello I want to thank you ahead of time for any help that you can provide.

    First in my test domain. I have 2 Group Policies. One is the domain default and the other is what i created. The domain Default has Keberos ticket time for like 10 hours.  The one i created has it set for 20.

    I created a domain group called "test\longerticketime" and added 2 users to that group

    I then added that group to the security filtering and removed the authenticated users. I granted Longertickettime read and apply group policy rights.

    I then enforced that ploicy.

    I then went to check one of the users that i applied this policy to but i am unable to even see the GP being applied to the users when i run gpresult /Scope User /v i am not sure what i am doing wrong.  Any help would be great. Thanks again for your assistance.

    Thursday, July 28, 2016 1:23 AM

Answers

  • > I created a domain group called "test\longerticketime" and added 2 users
    > to that group
     
    No sense in that... Kerberos Ticket times are computer settings, and
    they are only valid at domain level (must apply to DCs).
     
    • Marked as answer by Centaur1963 Thursday, August 4, 2016 8:04 PM
    Monday, August 1, 2016 2:28 PM

All replies

  • Hi,
    First of all, please run gpupdate /force command or reboot clients to take effect the GPO and see if it works.
    And please check if MS16-072 was installed on DC or clients. If that is the case, to resolve this issue, you could use the GPMC to add the Authenticated Users group with Read Permissions on GPO. If you are using security filtering, please add the Domain Computers group with read permission.
    You could see more details from:
    Deploying Group Policy Security Update MS16-072 \ KB3163622
    https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/
    MS16-072: Security update for Group Policy: June 14, 2016 https://support.microsoft.com/en-sg/kb/3163622
    In addition, I would suggest you put the group into an OU and then apply GPO again to see if it works, because Group Policy settings are processed in the following order: local, site, domain, OU. GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts.
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 28, 2016 7:04 AM
    Moderator
  • > I created a domain group called "test\longerticketime" and added 2 users
    > to that group
     
    No sense in that... Kerberos Ticket times are computer settings, and
    they are only valid at domain level (must apply to DCs).
     
    • Marked as answer by Centaur1963 Thursday, August 4, 2016 8:04 PM
    Monday, August 1, 2016 2:28 PM
  • Thanks i did not know that. I will try and apply it to my test DC and see if that works.
    Monday, August 1, 2016 4:46 PM
  • Hi,
    I am checking to see how things are going there on this issue. Is the policy applied to test DC? If there's anything you'd like to know, don't hesitate to ask.
    Appreciate for your update.
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, August 4, 2016 1:27 AM
    Moderator
  • Sorry i thought i marked the answer. Martin Binder had the correct answer. Thanks for all your assistance!
    Thursday, August 4, 2016 8:04 PM