Group Policy not applying anything to clients, not even the Default Domain Policy

  • Question

  • I made a small domain in my Hyper-V environment with 1 DC and 2 Windows 10 clients.

    Internal virtual switch.

    The DC has a static IP, AD DS, GP and DNS. It is Server 2008 R2 at the 2003 functional level (mirroring the production setup).

    The clients have static IPs and have been joined to the domain.

    The clients can ping the DC and the DC can ping the clients.

    The DNS entries on the DC are correct for all 3 machines.

    The client computers are in the gpolab.com/TestComputers OU.

    I have created a GPO to set the default mail client to Outlook (it is checked Enabled and is the only item in the GPO) and have link-enabled it on the gpolab.com/TestComputers OU for domain computers.

    The clients don't get the Default Domain Policy either, and it is link-enabled as well.

    Monday, May 7, 2018 9:50 PM

All replies

  • Hi altimav8,

    Please check that you don't have replication problems and that your PDC emulator is reachable.

    Have you tried running gpupdate /force on the DC and on the client computer and checking the result?

    Kind regards,
    Leon


    Don't forget to visit my blog The System Center Blog

    Monday, May 7, 2018 10:00 PM
  • Hi,

    Can you tell us which rights you have on these GPOs (Delegation tab)?

    Best Regards,

    Wednesday, May 9, 2018 7:00 AM
  • At the beginning I added myself to the Domain Admins group. The Delegation tab shows allowed permissions for Domain Admins as "edit settings, delete, modify security" and Inherited as No.
    Wednesday, May 9, 2018 7:07 PM
  • Do I need replication with only one DC? How would I check if PDC emulator is reachable?
    Wednesday, May 9, 2018 7:13 PM
  • From the client:

    Open a command prompt (as administrator).

    Run Gpupdate /sync (this will force a reboot).

    Once it comes back up, log back into the system.

    Once logged back in:

    Open a command prompt again as administrator.

    Now open File Explorer and open the root of the C: drive.

    Create a folder called Temp.

    Now back to the command prompt:

    Type in Gpresult /Z > c:\temp\Result.txt

    Open the text document and check whether there are errors; if it completes, it should tell you which policies have been applied.


    Rob

    Wednesday, May 9, 2018 7:22 PM
  • I did as you instructed. Here are the results. It looks like it applied the default email. When I check gpedit.msc, the default mail admin template "select Microsoft Outlook" is enabled. But when I check Start -> Settings -> Default apps, it has no selection. If I open a *.msg file it will open Outlook. But if I click a shortcut I made on the desktop, "mailto:example@email.com", it opens the Windows 10 Mail client.

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    © 2017 Microsoft Corporation. All rights reserved.

    Created on 5/9/2018 at 1:41:46 PM

    RSOP data for GPOLAB\aqueel on O16-W10-1703 : Logging Mode
    -----------------------------------------------------------

    OS Configuration:            Member Workstation
    OS Version:                  10.0.15063
    Site Name:                   Default-First-Site-Name
    Roaming Profile:             N/A
    Local Profile:               C:\Users\aqueel
    Connected over a slow link?: No

    COMPUTER SETTINGS
    ------------------
        CN=O16-W10-1703,OU=TestComputers,DC=GPOLAB,DC=com
        Last time Group Policy was applied: 5/9/2018 at 1:40:02 PM
        Group Policy was applied from:      W2008R2.GPOLAB.com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        GPOLAB
        Domain Type:                        Windows 2008 or later

        Applied Group Policy Objects
        -----------------------------
            Default Email
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            O16-W10-1703$
            Domain Computers
            System Mandatory Level

        Resultant Set Of Policies for Computer
        ---------------------------------------

            Software Installations
            ----------------------
                N/A

            Startup Scripts
            ---------------
                N/A

            Shutdown Scripts
            ----------------
                N/A

            Account Policies
            ----------------
                GPO: Default Domain Policy
                    Policy:            MaximumPasswordAge
                    Computer Setting:  90

                GPO: Default Domain Policy
                    Policy:            MinimumPasswordAge
                    Computer Setting:  1

                GPO: Default Domain Policy
                    Policy:            LockoutBadCount
                    Computer Setting:  N/A

                GPO: Default Domain Policy
                    Policy:            PasswordHistorySize
                    Computer Setting:  24

                GPO: Default Domain Policy
                    Policy:            MinimumPasswordLength
                    Computer Setting:  7

            Audit Policy
            ------------
                N/A

            User Rights
            -----------
                N/A

            Security Options
            ----------------
                GPO: Default Domain Policy
                    Policy:            PasswordComplexity
                    Computer Setting:  Enabled

                GPO: Default Domain Policy
                    Policy:            ClearTextPassword
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            ForceLogoffWhenHourExpire
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            RequireLogonToChangePassword
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            LSAAnonymousNameLookup
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            @wsecedit.dll,-59058
                    ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
                    Computer Setting:  1

                N/A

            Event Log Settings
            ------------------
                N/A

            Restricted Groups
            -----------------
                N/A

            System Services
            ---------------
                N/A

            Registry Settings
            -----------------
                N/A

            File System Settings
            --------------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Default Domain Policy
                    Folder Id: Software\Clients\Mail\
                    Value:       77, 0, 105, 0, 99, 0, 114, 0, 111, 0, 115, 0, 111, 0, 102, 0, 116, 0, 32, 0, 79, 0, 117, 0, 116, 0, 108, 0, 111, 0, 111, 0, 107, 0, 0, 0
                    State:       Enabled

                GPO: Default Email
                    Folder Id: Software\Clients\Mail\
                    Value:       77, 0, 105, 0, 99, 0, 114, 0, 111, 0, 115, 0, 111, 0, 102, 0, 116, 0, 32, 0, 79, 0, 117, 0, 116, 0, 108, 0, 111, 0, 111, 0, 107, 0, 0, 0
                    State:       Enabled


    USER SETTINGS
    --------------
        CN=Aqueel Suleman,CN=Users,DC=GPOLAB,DC=com
        Last time Group Policy was applied: 5/9/2018 at 1:40:35 PM
        Group Policy was applied from:      W2008R2.GPOLAB.com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        GPOLAB
        Domain Type:                        Windows 2008 or later

        Applied Group Policy Objects
        -----------------------------
            N/A

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Users
            BUILTIN\Administrators
            REMOTE INTERACTIVE LOGON
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Domain Admins
            Denied RODC Password Replication Group
            High Mandatory Level

        The user has the following security privileges
        ----------------------------------------------

            Bypass traverse checking
            Increase a process working set
            Shut down the system
            Remove computer from docking station
            Change the time zone
            Manage auditing and security log
            Back up files and directories
            Restore files and directories
            Change the system time
            Force shutdown from a remote system
            Take ownership of files or other objects
            Debug programs
            Modify firmware environment values
            Profile system performance
            Profile single process
            Increase scheduling priority
            Load and unload device drivers
            Create a pagefile
            Adjust memory quotas for a process
            Perform volume maintenance tasks
            Impersonate a client after authentication
            Create global objects
            Create symbolic links
            Obtain an impersonation token for another user in the same session

        Resultant Set Of Policies for User
        -----------------------------------

            Software Installations
            ----------------------
                N/A

            Logon Scripts
            -------------
                N/A

            Logoff Scripts
            --------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                N/A

            Folder Redirection
            ------------------
                N/A

            Internet Explorer Browser User Interface
            ----------------------------------------
                N/A

            Internet Explorer Connection
            ----------------------------
                N/A

            Internet Explorer URLs
            ----------------------
                N/A

            Internet Explorer Security
            --------------------------
                N/A

            Internet Explorer Programs
            --------------------------
                N/A

                        
    • Edited by altimav8 Wednesday, May 9, 2018 9:02 PM
    Wednesday, May 9, 2018 8:53 PM
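The Result.txt that the steps above produce (Gpresult /Z redirected to a file) is long, and the lines that settle the question are few: the per-scope "Applied Group Policy Objects" list, the "not applied because they were filtered out" list with its Filtering reason, and the Administrative Templates values, which gpresult prints as a UTF-16LE byte list (the 77, 0, 105, 0, ... in the report decodes to "Microsoft Outlook"). The script below is an added example, not code from this thread or from Microsoft: it parses a report in this format and answers whether a named GPO actually applied in the computer or the user scope, and why not if it did not. SAMPLE_RSOP is a constructed, trimmed excerpt shaped like the poster's report, and the function names are this example's own.

```python
"""Summarise a `gpresult /Z` text report: GPOs applied per scope, GPOs filtered
out and why, and what the Administrative Template values decode to.
Added example (not from the thread). SAMPLE_RSOP is a constructed excerpt
shaped like the poster's Result.txt.
Usage: python rsop_check.py c:\\temp\\Result.txt "Default Email"
"""
import re
import sys

SAMPLE_RSOP = """\
COMPUTER SETTINGS
------------------
    CN=O16-W10-1703,OU=TestComputers,DC=GPOLAB,DC=com

    Applied Group Policy Objects
    -----------------------------
        Default Email
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Administrative Templates
        ------------------------
            GPO: Default Email
                Folder Id: Software\\Clients\\Mail\\
                Value:       77, 0, 105, 0, 99, 0, 114, 0, 111, 0, 115, 0, 111, 0, 102, 0, 116, 0, 32, 0, 79, 0, 117, 0, 116, 0, 108, 0, 111, 0, 111, 0, 107, 0, 0, 0
                State:       Enabled

USER SETTINGS
--------------
    CN=Aqueel Suleman,CN=Users,DC=GPOLAB,DC=com

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
"""


def split_scopes(text):
    """Cut the report into its COMPUTER SETTINGS and USER SETTINGS halves."""
    marks = list(re.finditer(r"^\s*(COMPUTER|USER) SETTINGS\s*$", text, re.M))
    scopes = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        scopes[m.group(1).lower()] = text[m.end():end]
    return scopes


def block_after(lines, header):
    """Stripped lines under `header` (skipping its dashed underline) up to the next blank line."""
    for i, line in enumerate(lines):
        if line.strip() == header:
            body = []
            for nxt in lines[i + 2:]:
                if not nxt.strip():
                    break
                body.append(nxt.strip())
            return body
    return []


def applied_gpos(scope_text):
    names = block_after(scope_text.splitlines(), "Applied Group Policy Objects")
    return [] if names == ["N/A"] else names


def filtered_gpos(scope_text):
    """Map GPO name -> Filtering reason from the 'not applied' list."""
    reasons, current = {}, None
    header = "The following GPOs were not applied because they were filtered out"
    for s in block_after(scope_text.splitlines(), header):
        if s.startswith("Filtering:") and current:
            reasons[current] = s.split(":", 1)[1].strip()
        else:
            current = s
            reasons.setdefault(current, "")
    return reasons


def decode_reg_value(byte_list):
    """gpresult prints REG_SZ data as UTF-16LE bytes ('77, 0, 105, 0, ...'); turn it back into
    text. An odd-length list is not UTF-16 (a REG_BINARY blob, say) and is returned as hex."""
    raw = bytes(int(b) for b in byte_list.split(","))
    if len(raw) % 2:
        return raw.hex()
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def admin_template_values(scope_text):
    """(gpo, registry folder, decoded value, state) for each Administrative Templates entry."""
    entries, gpo, folder, value = [], None, None, None
    for line in scope_text.splitlines():
        s = line.strip()
        if s.startswith("GPO:"):
            gpo = s[4:].strip()
        elif s.startswith("Folder Id:"):
            folder = s.split(":", 1)[1].strip()
        elif s.startswith("Value:"):
            value = decode_reg_value(s.split(":", 1)[1])
        elif s.startswith("State:") and folder is not None:
            entries.append((gpo, folder, value, s.split(":", 1)[1].strip()))
            folder = value = None
    return entries


def check_expected(report_text, gpo_name, scope="computer"):
    """The question the thread asks: did `gpo_name` apply in `scope`? Returns (bool, reason)."""
    chunk = split_scopes(report_text).get(scope, "")
    if gpo_name in applied_gpos(chunk):
        return True, "applied"
    filtered = filtered_gpos(chunk)
    if gpo_name in filtered:
        return False, "filtered out: " + filtered[gpo_name]
    return False, "not listed at all: check the link, the OU the object sits in, and security filtering"


def summarize(report_text):
    return {name: {"applied": applied_gpos(c), "filtered": filtered_gpos(c),
                   "admin_templates": admin_template_values(c)}
            for name, c in split_scopes(report_text).items()}


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_RSOP
    for scope, info in summarize(text).items():
        print(scope, info)
    if len(sys.argv) > 2:
        print(sys.argv[2], check_expected(text, sys.argv[2]))
```

Run over the poster's report, the computer scope lists Default Email and Default Domain Policy as applied and the user scope lists nothing, which is what a GPO linked to a computer OU and carrying only a computer setting should produce: the policy is arriving, and the decoded value is the string the template set. The Folder Id is the key under HKEY_LOCAL_MACHINE that a computer-class template writes to, so the next check is the registry on the client, not the DC. The remaining question in the thread is what the client does with that value, not whether Group Policy delivers it.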
  • From your output, it seems that your GPO is applied on the workstation.

    So which part did you configure in this GPO, computer settings or user settings?

    Best Regards,

    Thursday, May 10, 2018 9:53 AM
  • I applied the Default Domain Policy and the computer settings for the default email client to be Microsoft Outlook. gpedit.msc says it is set to Microsoft Outlook, but Start -> Settings -> Default apps for mail is still Windows Mail or not selected, even after sign-out and reboot. Not sure how else to test it.

    Thursday, May 10, 2018 12:31 PM
  • What is the domain controller?

    It looks like a 2008 R2 DC, which doesn't know what Windows 10 is, or for that matter apps. In 2012 R2 you get the ability to modify applications versus programs, but I don't believe that option exists in 2008 R2; you may have to upgrade to 2016, or 2012 R2 at a minimum, to get this to work as you are attempting to do. (I'll be honest, even 2012 R2 doesn't work as well as 2016 in working with Windows 10 clients and Group Policy.)

    You can, however, script this.

    More information on this can be found here:
    https://superuser.com/questions/1045349/where-windows-10-stores-default-email-app-in-its-registry


    Rob

    Thursday, May 10, 2018 3:49 PM
  • The DC is 2008 R2 running at the 2003 domain functional level. This is our current production setup for a domain of several thousand clients.

    It makes sense that old DCs wouldn't be able to manage Windows 10 Group Policy well.

    The ADM file I was using is below. As I said earlier, it shows up on the client machine in gpresult and in the registry, but it doesn't change the "Default apps" settings, so I guess the client doesn't know what to do with it. Control Panel vs. the Settings tool, I'm guessing.

    CLASS MACHINE
    CATEGORY !!Default_E-mail_Client
      POLICY !!Default_Client
        KEYNAME "SOFTWARE\Clients\Mail"
        EXPLAIN !!Explain_Default_Client
        PART !!labeltext_Default_Client EDITTEXT
          VALUENAME ""
          DEFAULT "Microsoft Outlook"
        END PART
      END POLICY
    END CATEGORY

    [strings]
    Default_E-mail_Client="Default e-mail client policy"
    Default_Client="Default e-mail client"
    Explain_Default_Client="This policy configures Outlook as the default e-mail client"
    labeltext_Default_Client="Default E-mail Client:"
    Microsoft_Outlook="Microsoft Outlook"


    Thursday, May 10, 2018 5:03 PM
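The template above writes a REG_SZ to the default value of HKLM\SOFTWARE\Clients\Mail (VALUENAME "" means the key's (Default) value), which is exactly the Folder Id and value that gpresult reported earlier in the thread. That is the older per-machine mail client registration; the setting the Windows 10 "Default apps" page reads lives elsewhere (the superuser link in Rob's reply covers where), so the policy can apply cleanly and still have no visible effect. A quick way to see what a classic ADM actually targets, and to catch the common authoring error of an !!string token with no [strings] entry, is to parse it. The script below is an added example, not code from this thread or from Microsoft; SAMPLE_ADM is the poster's template reproduced as a constructed test input, and the function names are this example's own.

```python
"""Inspect a classic .adm template: report the registry location each POLICY
writes, and flag !!string tokens that have no [strings] entry (and the
reverse, strings nobody references). Added example, not from the thread;
SAMPLE_ADM is the poster's template as a constructed test input."""
import re
import sys

SAMPLE_ADM = """\
CLASS MACHINE
CATEGORY !!Default_E-mail_Client
  POLICY !!Default_Client
    KEYNAME "SOFTWARE\\Clients\\Mail"
    EXPLAIN !!Explain_Default_Client
    PART !!labeltext_Default_Client EDITTEXT
      VALUENAME ""
      DEFAULT "Microsoft Outlook"
    END PART
  END POLICY
END CATEGORY

[strings]
Default_E-mail_Client="Default e-mail client policy"
Default_Client="Default e-mail client"
Explain_Default_Client="This policy configures Outlook as the default e-mail client"
labeltext_Default_Client="Default E-mail Client:"
Microsoft_Outlook="Microsoft Outlook"
"""


def parse_strings(adm):
    """Split the template into its policy body and the [strings] table (name -> text)."""
    body, _, strings = adm.partition("[strings]")
    table = dict(re.findall(r'^\s*(\S+?)="(.*)"\s*$', strings, re.M))
    return body, table


def referenced_tokens(body):
    """Every !!name used in the policy body."""
    return set(re.findall(r"!!([\w-]+)", body))


def unresolved_tokens(adm):
    """!!names with no [strings] entry: the editor flags these when the template is added."""
    body, table = parse_strings(adm)
    return sorted(referenced_tokens(body) - set(table))


def unused_strings(adm):
    """[strings] entries nothing refers to; harmless, but usually a sign of a typo elsewhere."""
    body, table = parse_strings(adm)
    return sorted(set(table) - referenced_tokens(body))


def policies(adm):
    """One dict per POLICY: display name, full registry key, value names written, default."""
    body, table = parse_strings(adm)
    cls = re.search(r"^\s*CLASS\s+(MACHINE|USER)", body, re.M).group(1)
    hive = "HKLM" if cls == "MACHINE" else "HKCU"   # KEYNAME is relative to the class hive
    out = []
    for m in re.finditer(r"POLICY\s+!!([\w-]+)(.*?)END POLICY", body, re.S):
        block = m.group(2)
        key = re.search(r'KEYNAME\s+"([^"]*)"', block)
        values = re.findall(r'VALUENAME\s+"([^"]*)"', block)
        default = re.search(r'DEFAULT\s+"([^"]*)"', block)
        out.append({
            "name": table.get(m.group(1), "!!" + m.group(1)),
            "key": hive + "\\" + key.group(1) if key else None,
            "values": [v or "(Default)" for v in values],   # VALUENAME "" is the key's default value
            "default": default.group(1) if default else None,
        })
    return out


def report(adm):
    """Human-readable lines summarising the template."""
    lines = []
    for p in policies(adm):
        for v in p["values"]:
            lines.append(f'{p["name"]}: {p["key"]} \\ {v} = "{p["default"]}"')
    for t in unresolved_tokens(adm):
        lines.append(f"ERROR: !!{t} has no [strings] entry")
    for t in unused_strings(adm):
        lines.append(f"note: string {t} is never referenced")
    return lines


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_ADM
    print("\n".join(report(text)))
```

Over the posted template this reports a single policy writing HKLM\SOFTWARE\Clients\Mail \ (Default) = "Microsoft Outlook", every token resolved, and one unused string (Microsoft_Outlook). That key is the right place to verify in the client's registry once gpresult shows the GPO applied, and, as the thread concludes, it is not what the Windows 10 Default apps page consults.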
  • Yeah, even my 2012 R2 system on a 2012 R2 domain/forest level has issues with managing Windows 10. Some things work, but not everything; in my test 2016 domain it works a little differently. There are some ADM(X) files available for Windows 10 that I can't get to work on 2012 R2 either, so I just assume this is how they are playing the typical "you need to upgrade" process. Honestly though, having 1k+ machines and dealing with this on a per-machine basis, I would look into upgrading to Server 2016. I don't know what your AD setup looks like, but I recently (14 months ago) went from 2003 R2 to 2012 R2 and it took me a few hours, but it was nothing major. At a minimum you can always just add a 2016 server to your DC setup and use that to manage the Windows 10 machines' policies. I know it's not a simple point and click, but this is the new Microsoft world order, rolling over the IT people one update at a time. ;)

    Good luck


    Rob

    Thursday, May 10, 2018 5:19 PM
  • Hello,

    Just to clarify one point: you can manage Windows 10 workstations in a domain with only 2008 R2 DCs, but what you have to do is create the GPO from a Windows 10 workstation. Maybe that is what you have to do in order to have access to the app part.

    Remote Server Administration Tools for Windows 10 is your friend for that. If you have implemented a Central Store, you will need to put in the ADMX files from a Windows 10 workstation.

    Best Regards,

    Thursday, May 10, 2018 5:40 PM
  • Hi,

    Please remember to mark a useful reply as the answer, which would make it much more efficient for other forum community members to find useful information.

    Best Regards,

    William


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 14, 2018 1:54 PM