Issues in Active Directory

soatone
Lately, we have been having several issues with Active Directory.

1. Users are constantly locking themselves out - I believe I know the answer to this, but I wanted to ask in case someone has experienced something different. Users will log themselves into multiple computers and then forget to log out. At some point they will change their password, which means they are now logged into a computer with a bad password. Since Windows attempts to revalidate the logged-in account, the system will pass a bad password and eventually lock out the account. So, could it be something else? Am I missing something?

2. Windows 8 and Windows 10 computers will not apply group policy - We have a bunch of Windows 8 and Windows 10 tablets in our environment. For some reason, they will not apply policy from the domain. I honestly have no idea why this is. Our domain level is 2008R2 so I suppose it could be a schema issue?

Thank you!
Maclean, System Engineer

Commented:
With lockouts it's generally more common that users might have a smartphone configured for email using an old password. You could consider deploying Netwrix Account Lockout Examiner (free), or an equivalent tool, to analyze why accounts are being locked out. It should provide a bit more in-depth information surrounding these issues. If deploying the Netwrix version, do read the deployment manual, which shows you how to set your auditing policy on the domain.

You can use the Microsoft tools, but that's a reasonably manual process to go through.

As for question 2, do they not apply any policy whatsoever? Have you run "gpresult /r" from a command line to check what it is or is not applying?
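The "Microsoft tools" route the answer mentions can be scripted rather than clicked through. The following is an added example, not code from the thread or from any of the tools named in it. It assumes the ActiveDirectory RSAT module is installed, that the account running it can read the Security log on the PDC emulator, and that account-management auditing is enabled on the domain (the auditing setup the answers refer to). Every lockout in a domain is recorded on the PDC emulator as event ID 4740, and that event carries the name of the computer that submitted the bad passwords, which is exactly what is needed to tell a stale logon session from a phone with an old password.

```powershell
# Added example (not from the thread): list where account lockouts originate.
# Assumptions: ActiveDirectory RSAT module present; read access to the PDC
# emulator's Security log; "Audit User Account Management" auditing enabled.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param([int]$Days = 7)
    # Lockouts are always recorded on the PDC emulator, whichever DC saw the bad password.
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of relying
            # on positional Properties[] indexes. For 4740, TargetDomainName holds
            # the "Caller Computer Name" that sent the failing credentials.
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [PSCustomObject]@{
                Time           = $_.TimeCreated
                Account        = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                CallerComputer = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
            }
        }
}

# Accounts locked right now, then a week of lockout history grouped by
# account and source computer. A pair that keeps repeating is the machine
# (or the phone's mail gateway, e.g. an Exchange server) holding the old password.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut, LastLogonDate
Get-LockoutSource -Days 7 |
    Group-Object Account, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

If the caller computer is a mail or web server rather than a workstation, the culprit is usually a device syncing mail with the pre-change password, which is the case the answer above describes; if it is a workstation the user rarely sits at, it is the forgotten logon session from the question.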
Will Szymkowski, Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
Tracing why accounts are locking out will require you to have AD auditing enabled. Check my how-to below.

Also, I would recommend a 3rd-party product called Lepide Active Directory Auditor.

http://www.wsit.ca/how-tos/active-directory/configure-active-directory-auditing/

Lepide AD audit
http://www.lepide.com/lepideauditor/active-directory-auditing.html

Will.

Author

Commented:
Thank you both for your responses.

Maclean, running 'gpresult /r' shows that several policies have been applied, but they actually aren't. A prime example is the home page for Internet Explorer. Group policy is supposed to be setting the home page to our local intranet website. Gpresult shows that the appropriate group policy object has been applied, but when I open Internet Explorer it opens the msn.com website.

Maclean, System Engineer

Commented:
The home page not setting example could be a multitude of factors.
If you are using the old Internet Explorer Maintenance policy from 2003, from memory it will not apply to Internet Explorer 8 and upwards. For IE8 and upwards to function you would need to create a user policy using the "newer" IE GPO settings under Control Panel Settings >> Internet Settings.

[Screenshot: Capture.PNG]
Also note that you need to enable/disable sections that you wish to enforce with the F5, F6, F7 & F8 buttons. I use F6 to individually enable the bits I want to enforce.

This could potentially be why the current GPO is not applying.
You could test that the GPOs are applying by enabling something innocuous on the users' OU, such as a new GPO named, for example, RUN, in which you enable the user policy to show the Run command for all authenticated users.

[Screenshot: Capture2.PNG]
Once you replicate between the DCs and log on as a user, the Run menu should show in Start if using Windows XP, Vista, 7, 8 or 8.1. (Windows 10 will not apply this rule; also note most users utilize Edge on Windows 10, even though IE11 is available under the Start menu.)

If the run shows on windows 8 machines, then that should give a clear identifier regarding whether the policies are working as intended.
This does not cover whichever other policies you might already have in place of course.

P.S. Do note to be careful applying Start Menu modifications to Windows 10.
I have heard and seen a few occasions where applying Start Menu modifications to Windows 10 machines results in the dreaded "Start Menu Critical Error - System will now log you off" issue.

Author

Commented:
We started using Active Directory about 3-4 years ago with the initial domain level at 2008R2. It is not an upgrade from 2003. All group policies were built at the 2008R2 level.

The policy that sets the default web page is applied through User Configuration>Policies>Windows Settings>Internet Explorer Maintenance>URLs>Important URLs. It works fine on XP and Windows 7 computers, but, as stated above, it doesn't seem to apply to the Windows 8 computers.

I hesitate to implement any policy that could possibly break a Windows 10 installation. Our CEO is using Windows 10 on his tablet and I don't want to be the one responsible for breaking it.

Thanks!
Maclean, System Engineer

Commented:
I would indeed not recommend changing a live policy, but test one, and if proven to work fine, put in a change request to a select amount of test users.
Once everyone is happy, backup the original, and push out the new policy.

Internet Explorer Maintenance has really been done away with for Windows 8 and upward. Hence you will likely not see those apply on Windows 8 and higher if running IE10 or higher.

I would set up a test OU for a test computer, and a test OU for a test user.
Have them not inherit policies, and only enable the policies which do not include the original internet explorer settings.
Once done, create the test IE GPO from the Control Panel Settings >> Internet Explorer, and test that this works as expected.

Author

Commented:
Maclean, thank you very much for all your help.

I am currently doing as you suggested and recreating a new GPO. Could you explain what you mean by "you need to enable/disable sections that you wish to enforce with the F5, F6, F7 & F8 buttons[?]" I am not familiar with that at all.
Maclean, System Engineer
Commented:
I will try, might not be easy to explain.

F5 = Enable all options to enforce
F6 = Enable selective options to enforce
F7 = Disable selective options from being enforced
F8 = Disable all options from being enforced

So the F5 button will underline and activate all policies on a tab that you might wish to enforce when working on the IE settings, as in the example below where I enforce the whole Advanced options tab for IE 8.

[Screenshot: F5.PNG]
Next I will show F6, where I only enable what I want to enforce.

[Screenshot: F6.PNG]
Now for F7. Let's say I want to enable all but 2 options. I will press F5 to enforce all, then select the 2 options I do not want to enforce and press F7.

[Screenshot: F7.PNG]
F8 in turn will underline and disable your enforcement over all options if you do not wish to push those down.

[Screenshot: F8.PNG]
The thing to keep in mind is that if you are on, let's say, the General tab and hit F5 to enable all, you would still need to go into the submenus for Browsing History, Tabs and Accessibility to also enable/disable what you desire there.
The two screenshots below show what F5 does by default to the main Security page, and then that the settings under Browsing History are still not fully enabled.

[Screenshot: SecF5.PNG]
[Screenshot: SecF5-2.PNG]
I hope this explains it.

I did find an article in MSITPROS which tries to explain this as well in different wording in case that helps.
Jeff Glover, Sr. Systems Administrator

Commented:
One additional thing I have found, especially with IE preferences. Try installing the RSAT tools on a Windows 10 workstation and then use Group Policy Management from there to work with it. We had the issue with Windows 8.1 where we had to run the GPMC from an Windows 8.1 workstation to enable IE11 preferences.

Author

Commented:
I'm currently working on adding a Windows 2012R2 domain controller to our domain. Can I modify Windows 10 Group Policy with that controller? If not, what would I need to do to get it working?
Sr. Systems Administrator
Commented:
Add a Windows 10 machine (or use one you already have). Install the Remote Server Administration Tools on it. That should get you the Group Policy Management Console. When you open it, it should have any settings specific to Windows 10 in it. Although we do not use this for Windows 10 (haven't deployed yet), we had to do it for Windows 8.1.
Just remember, any Group Policy you create on the Windows 10 machine should be administered from there, since you may not see all the changes when viewing the GPO from downlevel machines.

Windows 10 basically crosses to Server vNext (2016). 2012R2 is on the same release version as Windows 8.1

Author

Commented:
I did as you suggested and loaded the RSAT on a Windows 10 computer. I then created a new IE GPO under User Configuration>Preferences>Control Panel Settings>Internet Explorer>Internet Explorer 10. This GPO includes our Intranet page as the home page. On my test computer with my test user, I have restarted the computer and run gpupdate /force several times, but the website remains the default msn.com website.

I have double checked that both the computer and user are in my test OU where the test GPO is applied. I have run gpresult /v to review the policy settings and I can see that my test GPO is being applied.
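The gap the author is hitting here is that "gpresult" only reports which GPOs were processed, not whether a particular preference item inside them actually wrote anything. The script below is an added example, not code from the thread; it runs on the test client as the test user and checks the registry locations that the IE home page setting lands in, so a GPO that is "applied" but whose item is not enabled shows up as an empty value. The intranet URL is a placeholder for your own site.

```powershell
# Added example (not from the thread): confirm on the client whether the IE
# home page from the GPO has really been written, rather than trusting gpresult.
# Assumption: $Expected is a placeholder; replace it with your intranet URL.
$Expected = 'http://intranet.example.local/'

function Get-IEHomePageState {
    param([string]$ExpectedUrl)
    # IE Maintenance and the IE preference item both write the home page here...
    $prefPath   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    # ...whereas an Administrative Templates (Policies) setting lands here and wins.
    $policyPath = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main'

    $pref   = (Get-ItemProperty -Path $prefPath   -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    $policy = (Get-ItemProperty -Path $policyPath -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    $effective = if ($policy) { $policy } else { $pref }

    [PSCustomObject]@{
        PreferenceValue = $pref
        PolicyValue     = $policy
        Effective       = $effective
        MatchesExpected = ($effective -eq $ExpectedUrl)
    }
}

# What the client reports as applied (user scope only), then what actually landed.
gpresult /r /scope:user
Get-IEHomePageState -ExpectedUrl $Expected | Format-List
```

Reading the result: if gpresult lists the test GPO but PreferenceValue is empty or still the old value, the item was processed without being enforced, which is the situation the F5/F6 explanation above covers (the setting has to be activated, shown in green, before the preference writes it). If PolicyValue is set, a Policies-branch setting elsewhere is overriding the preference and that GPO is the one to look at.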
Maclean, System Engineer
Commented:
Just making sure, the GPO has been applied to the User container, and the homepage is activated in green right? (F6) Just wanting to be 100% sure.

Author

Commented:
Sorry, the homepage wasn't activated in green, still getting used to the F button thing. After I activated it and refreshed the policy on the computer the Intranet home page showed up as the default home page.

Maclean and Ivjeff, thank you both for your assistance and your patience.
