soatone

Issues in Active Directory

Lately, we have been having several issues with Active Directory.

1. Users are constantly locking themselves out - I believe I know the answer to this, but I wanted to ask in case someone has experienced something different. Users will log themselves into multiple computers and then forget to log out. At some point they will change their password which means they are now logged into a computer with a bad password. Since Windows attempts to revalidate the logged in account, the system will pass a bad password and eventually lock out the account. So, could it be something else? Am I missing something?

2. Windows 8 and Windows 10 computers will not apply group policy - We have a bunch of Windows 8 and Windows 10 tablets in our environment. For some reason, they will not apply policy from the domain. I honestly have no idea why this is. Our domain level is 2008R2 so I suppose it could be a schema issue?

Thank you!
Maclean

With lockouts it's generally more common that users might have a smartphone configured for email using an old password. You could consider deploying Netwrix Account Lockout Examiner free, or an equivalent tool to analyze why accounts are being locked out. It should provide a bit more in-depth information surrounding these issues. If deploying the Netwrix version do read the deployment manual which shows you how to set your auditing policy on the domain.

You can use the Microsoft tools, but that's a reasonably manual process to go through.

As for question 2, do they not apply any policy whatsoever? Have you run a "gpresult /r" from a command line to check what it is or is not applying?
Will Szymkowski

Tracing why accounts are locking out will require you to have AD auditing enabled. Check my how-to below.

Also, I would recommend a third-party product called Lepide Active Directory Auditor.

http://www.wsit.ca/how-tos/active-directory/configure-active-directory-auditing/

Lepide AD audit
http://www.lepide.com/lepideauditor/active-directory-auditing.html

Will.
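
Added example, not part of the original answers: once auditing is enabled as the replies above describe, lockout events (ID 4740) in the PDC emulator's Security log record which computer forwarded the bad passwords. This PowerShell sketch assumes the ActiveDirectory module (RSAT), "Audit User Account Management" enabled, and rights to read the DC Security log; the 7-day window is an arbitrary choice.

```powershell
# Added example: summarize account lockout events (ID 4740) by source computer.
# Assumes: ActiveDirectory module (RSAT), "Audit User Account Management" enabled,
# and permission to read the Security log on the domain controller.
Import-Module ActiveDirectory

# Lockouts are processed by the PDC emulator, so its Security log is queried.
$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddDays(-7)   # look-back window; adjust as needed

$filter = @{ LogName = 'Security'; Id = 4740; StartTime = $since }

try {
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent raises an error when no event matches the filter
    Write-Warning "No lockout events returned from ${pdc}: $($_.Exception.Message)"
    $events = @()
}

$lockouts = foreach ($e in $events) {
    # Read EventData fields by name rather than by position
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = $data['TargetUserName']
        # In event 4740 the TargetDomainName field holds the caller computer name
        Source = $data['TargetDomainName']
    }
}

# Individual events, newest first
$lockouts | Sort-Object Time -Descending | Format-Table -AutoSize

# Repeat offenders: the same user/source pair many times points to a stale
# credential on that device (forgotten session, mapped drive, service, mail client)
$lockouts | Group-Object User, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

If Source names a mail server rather than a workstation, the stale password is probably on a device that authenticates through it, such as the smartphone case mentioned above.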
soatone (ASKER)

Thank you both for your responses.

Maclean, running 'gpresult /r' shows that several policies have been applied, but they actually aren't. A prime example is the home page for Internet Explorer. Group policy is supposed to be setting the home page to our local intranet website. Gpresult shows that the appropriate group policy object has been applied, but when I open Internet Explorer it opens the msn.com website.
The home page not setting example could be down to a multitude of factors.
If you are using the old Internet Explorer Maintenance policy from 2003, it will, from memory, not apply to Internet Explorer 8 and upwards. For IE8 and upwards to function you would need to create a user policy using the "Newer" IE GPO settings under Control Panel Settings >> Internet Settings.

Also note that you need to enable/disable sections that you wish to enforce with the F5, F6, F7 & F8 buttons. I use F6 to individually enable the bits I want to enforce.

This could potentially be why the current GPO is not applying.
You could test that the GPOs are applying by perhaps enabling something innocent on the users OU, such as a new GPO named for example RUN, in which you enable the user policy RUN command to show for all authenticated users.

Once you replicate between the DCs, and log on as a user, the Run menu should show in Start if using Windows XP, Vista, 7, 8, 8.1 (Windows 10 will not apply this rule; also note most users utilize Edge on Windows 10, even though IE11 is available under the Start menu).

If the Run shows on Windows 8 machines, then that should give a clear identifier regarding whether the policies are working as intended.
This does not cover whichever other policies you might already have in place of course.

P.S. Do note to be careful applying Start Menu modifications to Windows 10.
I have heard and seen a few occasions where applying Start Menu modifications to Windows 10 machines results in the dreaded "Start Menu Critical Error - System will now log you off" issue.
soatone (ASKER)

We started using Active Directory about 3-4 years ago with the initial domain level at 2008R2. It is not an upgrade from 2003. All group policies were built at the 2008R2 level.

We apply the policy to set the default web page through User Configuration>Policies>Windows Settings>Internet Explorer Maintenance>URLs>Important URLs. It works fine on XP and Windows 7 computers, but, as stated above, it doesn't seem to apply to the Windows 8 computers.

I hesitate to implement any policy that could possibly break a Windows 10 installation. Our CEO is using Windows 10 on his tablet and I don't want to be the one responsible for breaking it.

Thanks!
I would indeed not recommend changing a live policy, but test one, and if proven to work fine, put in a change request to a select amount of test users.
Once everyone is happy, backup the original, and push out the new policy.

Internet Explorer Maintenance has been done away with really for Windows 8 and upward. Hence you will likely not see those apply on Windows 8 and higher if running IE10 or higher.

I would set up a test OU for a test computer, and a test OU for a test user.
Have them not inherit policies, and only enable the policies which do not include the original internet explorer settings.
Once done, create the test IE GPO from the Control Panel Settings >> Internet Explorer, and test that this works as expected.
soatone (ASKER)

Maclean, thank you very much for all your help.

I am currently doing as you suggested and recreating a new GPO. Could you explain what you mean by "you need to enable/disable sections that you wish to enforce with the F5, F6, F7 & F8 buttons[?]" I am not familiar with that at all.
One additional thing I have found, especially with IE preferences. Try installing the RSAT tools on a Windows 10 workstation and then use Group Policy Management from there to work with it. We had the issue with Windows 8.1 where we had to run the GPMC from a Windows 8.1 workstation to enable IE11 preferences.
soatone (ASKER)

I'm currently working on adding a Windows 2012R2 domain controller to our domain. Can I modify Windows 10 Group Policy with that controller? If not, what would I need to do to get it working?
soatone (ASKER)

I did as you suggested and loaded the RSAT on a Windows 10 computer. I then created a new IE GPO under User Configuration>Preferences>Control Panel Settings>Internet Explorer>Internet Explorer 10. This GPO includes our Intranet page as the home page. On my test computer with my test user, I have restarted the computer and run gpupdate /force several times, but the website remains the default msn.com website.

I have double checked that both the computer and user are in my test OU where the test GPO is applied. I have run gpresult /v to review the policy settings and I can see that my test GPO is being applied.
soatone (ASKER)

Sorry, the homepage wasn't activated in green, still getting used to the F button thing. After I activated it and refreshed the policy on the computer the Intranet home page showed up as the default home page.

Maclean and Ivjeff, thank you both for your assistance and your patience.