2003 DC - GPO with login script not applying to users on Win 10

    Question

  • I have a login script that I want to use temporarily.  It is to standardize local computer admins by doing a series of NET USER and NET LOCALGROUP commands.

    I cannot use psexec, at least not very easily, because our current setup (being changed next year) uses Linux-based DNS which does not dynamically register workstation host names.  So getting 100+ live leases across 4 locations and remote users would be a nightmare.

    I know the GPO works because I have a test user set up.  If I log into a Windows 10 test machine and do a gpupdate /force, then log out and in, nothing happens.  So I run GPRESULT /R and I notice the new GPO is not in the list of applied GPOs.

    If I follow the same exact steps on one of my spare laptops with Win 7, it works as intended.  Any ideas?

    Monday, November 21, 2016 8:57 PM

Answers

  • > nothing happens.  So I run GPRESULT /R and I notice the new GPO is not
    > in the list of applied GPOs.
     
    Are there "old" GPOs? MS16-072? Or the UNC hardening that is enabled in
    W10 by default.
     
    Tuesday, November 22, 2016 12:23 PM
  • Hi,
    Great start from Martin for troubleshooting. Just adding some additional information for you to refer to, based on Martin's suggestion:
    1. Make sure that no other GPO is applying to cause the problem; you could go through each GPO to view it.
    2. Check if you have installed MS16-072 on clients and domain controllers. If that is the case, please use the Group Policy Management Console (GPMC.MSC) and add the Authenticated Users group with Read permissions on the Group Policy Object (GPO). If you are using security filtering, add the Domain Computers group with Read permission. Please see: https://support.microsoft.com/en-sg/kb/3163622
    3. Try using the following registry settings to disable UNC hardening in Windows 10:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
    "\\*\SYSVOL"
    "RequireMutualAuthentication=0"
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
    "\\*\NETLOGON"
    "RequireMutualAuthentication=0"
    Please make sure to back up the registry before you modify anything in the registry editor.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, November 23, 2016 8:13 AM
    Moderator
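
    A read-only audit of the two settings named in the answer above, added here as an example that is not part of the original thread. The function names are hypothetical, the group names assume an English-language domain, and the GPO check assumes the GroupPolicy module (GPMC/RSAT) is available on the host where it runs.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Get-GpoMissingRead needs the GroupPolicy module (GPMC/RSAT) on a management host;
# Get-WeakHardenedPath reads the local registry of the client being checked.

function Get-GpoMissingRead {
    # Lists GPOs where none of the named groups holds a permission level that
    # includes Read. Only these groups are checked; other trustees are ignored.
    param([string[]]$Principals = @('Authenticated Users', 'Domain Computers'))
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    foreach ($gpo in Get-GPO -All) {
        $granted = foreach ($name in $Principals) {
            Get-GPPermission -Guid $gpo.Id -TargetName $name -TargetType Group `
                -ErrorAction SilentlyContinue |
                Where-Object { "$($_.Permission)" -in $readLevels }
        }
        if (-not $granted) {
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Id = $gpo.Id }
        }
    }
}

function Get-WeakHardenedPath {
    # Reports HardenedPaths entries that switch mutual authentication off,
    # so a temporary troubleshooting change can be found and reverted later.
    param([string]$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths')
    if (-not (Test-Path -LiteralPath $Key)) { return }
    $item = Get-Item -LiteralPath $Key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($value -match 'RequireMutualAuthentication\s*=\s*0') {
            [pscustomobject]@{ UncPath = $name; Setting = $value }
        }
    }
}

# On the management host: GPOs that computer accounts cannot read.
Get-GpoMissingRead | Format-Table -AutoSize
# On a Windows 10 client: SYSVOL/NETLOGON entries with hardening relaxed.
Get-WeakHardenedPath | Format-Table -AutoSize

# Fix described in the thread, applied per GPO once reviewed:
# Set-GPPermission -Guid <Id> -TargetName 'Authenticated Users' `
#     -TargetType Group -PermissionLevel GpoRead
```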

All replies

  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Tuesday, November 29, 2016 4:49 AM
    Moderator
  • Thank you all for your replies.  I apologize for not getting back sooner.  We have so many projects going on.  Anyways, UNC hardening is causing some issues with my scripts but that is ok, I have some workarounds.

    As far as the GPO actually applying, you all were absolutely right with the MS16-072.  Adding Authenticated Users with READ permissions to the delegation of GPOs fixed the issue.


    • Edited by CHargraves Friday, December 2, 2016 6:50 PM
    Friday, December 2, 2016 6:50 PM
  • Hi,
    Great news and thank you for marking the answer.
    Best regards,
    Wendy

    Monday, December 5, 2016 1:36 AM
    Moderator