<div>
With lockouts its generally more common that users might have a Smartphone configured for email using an old password. You could consider deploying <a href="http://www.netwrix.com/account_lockout_examiner.html" rel="ugc">netwrix account lockout examiner free</a>, or an equivalent tool to analyze why accounts are being locked out. It should provide a bit more in depth information surrounding these issues. If deploying the Netwrix version do read the deployment manual which shows you how to set your auditing policy on the domain.<br />
<br />
You can use the Microsoft tools, but that's a reasonably manual process to go through.<br />
<br />
As for question 2, do they not apply any policy what so ever? Have you ran a &quot;gpresult /r&quot; from a command line to check what it is or is not applying?
</div>


<div>
For tracing why accounts are locking out will require you to have ad auditing enabled. Check my how to below.<br />
<br />
Also &nbsp;would recommend a 3rd party product called Lepide active directory auditor.<br />
<br />
<a href="http://www.wsit.ca/how-tos/active-directory/configure-active-directory-auditing/" rel="ugc">http://www.wsit.ca/how-tos/active-directory/configure-active-directory-auditing/</a><br />
<br />
Lepide AD audit<br />
<a href="http://www.lepide.com/lepideauditor/active-directory-auditing.html" rel="ugc">http://www.lepide.com/lepideauditor/active-directory-auditing.html</a><br />
<br />
Will.
</div>


<div>
Thank you both for your responses.<br />
<br />
Maclean, running 'gpresult /r' shows that several policies have been applied, but they actually aren't. A prime example is the home page for Internet Explorer. Group policy is supposed to be setting the home page to our local intranet website. Gpresult shows that the appropriate group policy object has been applied, but when I open Internet Explorer it opens the msn.com website.
</div>


<div>
The home page not setting example could be a multitude of factors.<br />
If you are using the old internet explorer maintenance policy from 2003, it will from memory not apply to Internet Explorer 8 and upwards. For IE8 &amp;&nbsp;upwards to function you would need to create a user policy using the &quot;Newer&quot; IE GPO settings under Control Panel Settings &gt;&gt;&nbsp;Internet Settings <br />
<br />
<a href="https://filedb.experts-exchange.com/incoming/2016/01_w04/1073422/Capture.PNG" target="_blank" title="Capture.PNG (56 KB)"><img alt="Capture.PNG" class="file-block lazyload" style="max-width: 800px;" data-src="https://filedb.experts-exchange.com/incoming/2016/01_w04/800_1073422/Capture.PNG" /></a><br />
Also note that you need to enable/disable sections that you wish to enforce with the F5, F6, F7 &amp;&nbsp;F8 buttons. I use F6 to individually enable the bits I want to enforce.<br />
<br />
This could potentially be why the current GPO is not applying.<br />
You could test the GPO's are applying by perhaps enabling something innocent for on the users OU such as a new GPO named for example RUN, in which you enable the user policy RUN command to show for all authenticated users.<br />
<br />
<a href="https://filedb.experts-exchange.com/incoming/2016/01_w04/1073442/Capture2.PNG" target="_blank" title="Capture2.PNG (53 KB)"><img alt="Capture2.PNG" class="file-block lazyload" style="max-width: 800px;" data-src="https://filedb.experts-exchange.com/incoming/2016/01_w04/800_1073442/Capture2.PNG" /></a><br />
Once you replicate between the DC's, and log on as a user, the Run menu should show in start if using Windows XP, Vista, 7, 8, 8.1 (Windows 10 will not apply this rule, also note most users utilize Edge on Windows 10, even though IE11 is available under the start menu)<br />
<br />
If the run shows on windows 8 machines, then that should give a clear identifier regarding whether the policies are working as intended.<br />
This does not cover whichever other policies you might already have in place of course.<br />
<br />
<b>P.S. </b>Do note to be careful applying Start Menu modifications to Windows 10.<br />
I have heard and seen a few occasions where applying Start Menu modifications to Windows 10 machines results in the dreaded &quot;<i>Start Menu Critical Error - System will now log you off</i>&quot; issue.
</div>


Capture.PNG

Capture2.PNG

<div>
We started using Active Directory about 3-4 years ago with the initial domain level at 2008R2. It is not an upgrade from 2003. All group policies were built at the 2008R2 level.<br />
<br />
We apply the policy to set the default web page is set through User Configuration&gt;Policies&gt;Win<wbr />dows Settings&gt;Internet Explorer Maintenance&gt;URLs&gt;Important<wbr /> URLs. It works fine on XP and Windows 7 computers, but, as stated above, it doesn't seem to apply to the Windows 8 computers.<br />
<br />
I hesitate to implement any policy that could possibly break a Windows 10 installation. Our CEO is using Windows 10 on his tablet and I don't want to be the one responsible for breaking it.<br />
<br />
Thanks!
</div>


<div>
I would indeed not recommend changing a live policy, but test one, and if proven to work fine, put in a change request to a select amount of test users.<br />
Once everyone is happy, backup the original, and push out the new policy.<br />
<br />
Internet Explorer Maintenance has been <a href="https://technet.microsoft.com/en-us/library/dn338129.aspx" rel="ugc">done away with</a> really for Windows 8 and upward. Hence you will likely not see those apply on Windows 8 and higher if running IE10 or higher <br />
<br />
I would setup a Test OU for a test computer, and a test OU for a Test user.<br />
Have them not inherit policies, and only enable the policies which do not include the original internet explorer settings.<br />
Once done, create the test IE GPO from the Control Panel Settings &gt;&gt;&nbsp;Internet Explorer, and test that this works as expected.
</div>


<div>
Maclean, thank you very much for all your help.<br />
<br />
I am currently doing as you suggested and recreating a new GPO. Could you explain what you mean by &quot;you need to enable/disable sections that you wish to enforce with the F5, F6, F7 &amp;&nbsp;F8 buttons[?]&quot; I am not familiar with that at all.
</div>


SecF5-2.PNG

F6.PNG

SecF5.PNG

F5.PNG

F8.PNG

F7.PNG

<div>
One additional thing I have found, especially with IE preferences. Try installing the RSAT tools on a Windows 10 workstation and then use Group Policy Management from there to work with it. We had the issue with Windows 8.1 where we had to run the GPMC from an Windows 8.1 workstation to enable IE11 preferences.
</div>


<div>
I'm currently working on adding a Windows 2012R2 domain controller to our domain. Can I modify Windows 10 Group Policy with that controller? If not, what would I need to do to get it working?
</div>


<div>
I did as you suggested and loaded the RSAT on a Windows 10 computer. I then created a new IE GPO under User Configuration&gt;Preferences&gt;<wbr />Control Panel Settings&gt;Internet Explorer&gt;Internet Explorer 10. This GPO includes our Intranet page as the home page. On my test computer with my test user, I have restarted the computer and run gpupdate /force several times, but the website remains the default msn.com website.<br />
<br />
I have double checked that both the computer and user are in my test OU where the test GPO is applied. I have run gpresult /v to review the policy settings and I can see that my test GPO is being applied.
</div>


<div>
Sorry, the homepage wasn't activated in green, still getting used to the F button thing. After I activated it and refreshed the policy on the computer the Intranet home page showed up as the default home page.<br />
<br />
Maclean and Ivjeff, thank you both for your assistance and your patience.
</div>


<div>
<div class="content wysiwyg-content">
Lately, we have been having several issues with Active Directory.<br />
<br />
1. User are constantly locking themselves out - I believe I know the answer to this, but I wanted to ask incase someone has experienced something different. Users will log themselves into multiple computers and then forget to log out. At some point they will change their password which means they are now logged into a computer with a bad password. Since Windows attempts to revalidate the logged in account, the system will pass a bad password and eventually lock out the account. So, could it be something else? Am I missing something?<br />
<br />
2. Windows 8 and Windows 10 computers will not apply group policy - We have a bunch of Windows 8 and Windows 10 tablets in our environment. For some reason, they will not apply policy from the domain. I honestly have no idea why this is. Our domain level is 2008R2 so I suppose it could be a schema issue?<br />
<br />
Thank you!
</div>
</div>


Lately, we have been having several issues with Active Directory.

1. User are constantly locking themselves out - I believe I know the answer to this, but I wanted to ask incase someone has experienced something different. Users will log themselves into multiple computers and then forget to log out. At some point they will change their password which means they are now logged into a computer with a bad password. Since Windows attempts to revalidate the logged in account, the system will pass a bad password and eventually lock out the account. So, could it be something else? Am I missing something?

2. Windows 8 and Windows 10 computers will not apply group policy - We have a bunch of Windows 8 and Windows 10 tablets in our environment. For some reason, they will not apply policy from the domain. I honestly have no idea why this is. Our domain level is 2008R2 so I suppose it could be a schema issue?

Thank you!

Issues in Active Directory

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

Windows Server 2008 and Windows Server 2008 R2, based on the Microsoft Vista codebase, is the last 32-bit server operating system released by Microsoft. It has a number of versions, including including Foundation, Standard, Enterprise, Datacenter, Web, HPC Server, Itanium and Storage; new features included server core installation and Hyper-V.

Windows Server 2008

Windows 10 is a personal computer operating system featuring the "universal application architecture" (UAP); apps can be designed to run across multiple devices with nearly identical code, including PCs, tablets, smartphones, embedded systems, Xbox One, Surface Hub and HoloLens. Windows 10 also includes a virtual desktop system, a window and desktop management feature called Task View, the Microsoft Edge web browser, support for fingerprint and face recognition login, voice-based search (Cortana), new security features for enterprise environments, and DirectX 12 and WDDM 2.0 to improve the operating system's graphics capabilities for games.