Issues in Active Directory

Lately, we have been having several issues with Active Directory.

1. Users are constantly locking themselves out - I believe I know the answer to this, but I wanted to ask in case someone has experienced something different. Users will log themselves into multiple computers and then forget to log out. At some point they will change their password, which means they are now logged into a computer with a bad password. Since Windows attempts to revalidate the logged-in account, the system will pass a bad password and eventually lock out the account. So, could it be something else? Am I missing something?

2. Windows 8 and Windows 10 computers will not apply group policy - We have a bunch of Windows 8 and Windows 10 tablets in our environment. For some reason, they will not apply policy from the domain. I honestly have no idea why this is. Our domain level is 2008R2, so I suppose it could be a schema issue?

Thank you!
soatone asked:

Maclean (System Engineer) commented:
With lockouts it's generally more common that users might have a smartphone configured for email using an old password. You could consider deploying Netwrix Account Lockout Examiner (free), or an equivalent tool, to analyze why accounts are being locked out. It should provide a bit more in-depth information surrounding these issues. If deploying the Netwrix version, do read the deployment manual, which shows you how to set your auditing policy on the domain.

You can use the Microsoft tools, but that's a reasonably manual process to go through.

As for question 2, do they not apply any policy whatsoever? Have you run a "gpresult /r" from a command line to check what it is or is not applying?
Will Szymkowski (Senior Solution Architect) commented:
Tracing why accounts are locking out will require you to have AD auditing enabled. Check my how-to below.

Also, I would recommend a 3rd-party product called Lepide Active Directory Auditor.

http://www.wsit.ca/how-tos/active-directory/configure-active-directory-auditing/

Lepide AD audit
http://www.lepide.com/lepideauditor/active-directory-auditing.html

Will.
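Both answers above come down to the same two steps: make sure the audit subcategory that generates lockout events is enabled, then read those events from the PDC emulator (which records every lockout in the domain) to see which computer sent the bad password. The following PowerShell is an added example, not code from this thread or from the Netwrix/Lepide products; it assumes the RSAT ActiveDirectory module is installed and that you have rights to read the domain controller's Security log remotely.

```powershell
# Added example: locate the source of account lockouts via event ID 4740.
# Assumes the RSAT ActiveDirectory module and read access to the DC Security log.
Import-Module ActiveDirectory

# Every lockout is recorded on the PDC emulator, so query that DC directly.
$pdc = (Get-ADDomain).PDCEmulator

# 4740 is only written when "User Account Management" success auditing is on.
# Run this on the DC (or via Invoke-Command) to confirm the policy is in effect.
auditpol /get /subcategory:"User Account Management"

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740                      # "A user account was locked out"
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    # Parse the EventData block so fields can be read by name.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $data['TargetUserName']
        # In 4740 the "Caller Computer Name" is stored in TargetDomainName.
        CallerComputer = $data['TargetDomainName']
    }
}

# One row per account/computer pair, most frequent first, with the last time seen.
$lockouts |
    Group-Object Account, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ Name = 'LastSeen'; Expression = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

If the caller computer turns out to be a workstation the user left logged in, that confirms the stale-session theory from the question; if it is the Exchange/CAS server or a wireless controller, the stale credential is on a phone or other device, as Maclean suggests. A caller computer name that is blank usually means the bad passwords arrived over a protocol that does not carry the source name, which is where the third-party auditing tools mentioned above add value.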
soatone (Author) commented:
Thank you both for your responses.

Maclean, running 'gpresult /r' shows that several policies have been applied, but they actually aren't. A prime example is the home page for Internet Explorer. Group policy is supposed to be setting the home page to our local intranet website. Gpresult shows that the appropriate group policy object has been applied, but when I open Internet Explorer it opens the msn.com website.

Maclean (System Engineer) commented:
The home page not setting example could be a multitude of factors.
If you are using the old Internet Explorer Maintenance policy from 2003, it will, from memory, not apply to Internet Explorer 8 and upwards. For IE8 and upwards to function you would need to create a user policy using the "newer" IE GPO settings under Control Panel Settings >> Internet Settings.

[Screenshot: Capture.PNG]
Also note that you need to enable/disable the sections that you wish to enforce with the F5, F6, F7 & F8 keys. I use F6 to individually enable the bits I want to enforce.

This could potentially be why the current GPO is not applying.
You could test that the GPOs are applying by enabling something innocent on the users' OU, such as a new GPO named, for example, RUN, in which you enable the user policy that shows the Run command for all authenticated users.

[Screenshot: Capture2.PNG]
Once you replicate between the DCs and log on as a user, the Run menu should show in Start if using Windows XP, Vista, 7, 8 or 8.1 (Windows 10 will not apply this rule; also note most users utilize Edge on Windows 10, even though IE11 is available under the Start menu).

If Run shows on the Windows 8 machines, then that should give a clear indication of whether the policies are working as intended.
This does not cover whichever other policies you might already have in place of course.

P.S. Do note to be careful applying Start Menu modifications to Windows 10.
I have heard and seen a few occasions where applying Start Menu modifications to Windows 10 machines results in the dreaded "Start Menu Critical Error - System will now log you off" issue.
soatone (Author) commented:
We started using Active Directory about 3-4 years ago with the initial domain level at 2008R2. It is not an upgrade from 2003. All group policies were built at the 2008R2 level.

The policy that sets the default web page is applied through User Configuration>Policies>Windows Settings>Internet Explorer Maintenance>URLs>Important URLs. It works fine on XP and Windows 7 computers, but, as stated above, it doesn't seem to apply to the Windows 8 computers.

I hesitate to implement any policy that could possibly break a Windows 10 installation. Our CEO is using Windows 10 on his tablet and I don't want to be the one responsible for breaking it.

Thanks!
Maclean (System Engineer) commented:
I would indeed not recommend changing a live policy, but a test one, and if it is proven to work fine, put in a change request for a select number of test users.
Once everyone is happy, backup the original, and push out the new policy.

Internet Explorer Maintenance has really been done away with for Windows 8 and upward. Hence you will likely not see those settings apply on Windows 8 and higher if running IE10 or higher.

I would set up a test OU for a test computer, and a test OU for a test user.
Have them not inherit policies, and only enable the policies which do not include the original Internet Explorer settings.
Once done, create the test IE GPO from Control Panel Settings >> Internet Explorer, and test that this works as expected.
soatone (Author) commented:
Maclean, thank you very much for all your help.

I am currently doing as you suggested and recreating a new GPO. Could you explain what you mean by "you need to enable/disable sections that you wish to enforce with the F5, F6, F7 & F8 buttons[?]" I am not familiar with that at all.
Maclean (System Engineer) commented:
I will try; it might not be easy to explain.

F5 = Enable all options to enforce
F6 = Enable selective options to enforce
F7 = Disable selective options from being enforced
F8 = Disable all options from being enforced

So the F5 key will underline and activate all policies on a tab that you might wish to enforce when working on the IE settings, as per the example below where I enforce the whole Advanced options tab for IE 8.

[Screenshot: F5.PNG]
Next I will show F6, where I only enable what I want to enforce.

[Screenshot: F6.PNG]
Now for F7. Let's say I want to enable all but 2 options. I will press F5 to enforce all, then select the 2 options I do not want to enforce and press F7.

[Screenshot: F7.PNG]
F8 in turn will underline and disable your enforcement over all options if you do not wish to push those down.

[Screenshot: F8.PNG]
The thing to keep in mind is that if you are on, let's say, the General tab and hit F5 to enable all, you would still need to go into the submenus for Browsing History, Tabs & Accessibility to also enable/disable what you desire there.
The 2 screenshots below show what F5 does by default to the main Security page, and then that the settings under Browsing History are still not fully enabled.

[Screenshots: SecF5.PNG, SecF5-2.PNG]
I hope this explains it.

I did find an article on MSITPROS which tries to explain this as well in different wording, in case that helps.
Jeff Glover (Sr. Systems Administrator) commented:
One additional thing I have found, especially with IE preferences: try installing the RSAT tools on a Windows 10 workstation and then use Group Policy Management from there to work with it. We had the issue with Windows 8.1 where we had to run the GPMC from a Windows 8.1 workstation to enable IE11 preferences.
soatone (Author) commented:
I'm currently working on adding a Windows 2012R2 domain controller to our domain. Can I modify Windows 10 Group Policy with that controller? If not, what would I need to do to get it working?
Jeff Glover (Sr. Systems Administrator) commented:
Add a Windows 10 machine (or use one you already have). Install the Remote Server Administration Tools on it. That should get you the Group Policy Management Console. When you open it, it should have any settings specific to Windows 10 in it. Although we do not use this for Windows 10 (haven't deployed yet), we had to do it for Windows 8.1.
Just remember, any Group Policy you create on the Windows 10 machine should be administered from there, since you may not see all the changes when viewing the GPO from downlevel machines.

Windows 10 basically crosses to Server vNext (2016). 2012R2 is on the same release version as Windows 8.1.
soatone (Author) commented:
I did as you suggested and loaded the RSAT on a Windows 10 computer. I then created a new IE GPO under User Configuration>Preferences>Control Panel Settings>Internet Explorer>Internet Explorer 10. This GPO includes our Intranet page as the home page. On my test computer with my test user, I have restarted the computer and run gpupdate /force several times, but the website remains the default msn.com website.

I have double checked that both the computer and user are in my test OU where the test GPO is applied. I have run gpresult /v to review the policy settings and I can see that my test GPO is being applied.
Maclean (System Engineer) commented:
Just making sure, the GPO has been applied to the User container, and the homepage is activated in green right? (F6) Just wanting to be 100% sure.
soatone (Author) commented:
Sorry, the homepage wasn't activated in green, still getting used to the F button thing. After I activated it and refreshed the policy on the computer the Intranet home page showed up as the default home page.

Maclean and Ivjeff, thank you both for your assistance and your patience.