Solved

Windows 10 Machine not applied beeing applied by the WHOLE GPO , 2012 R2 Domain

Posted on 2016-10-09
8
123 Views
Last Modified: 2016-10-20
Hi,
I have very weird issue.
I have 2012R2 Domain Controller(I have imported Windows 10 ADMX into the 2012DC, via this manual http://www.windowstricks.in/2016/07/group-policy-setting-not-applying-windows-10-computers.html)

along windows 7 machines, i recently started to add windows 10 machines
windows 7 machines receive the GPO fine.



All the windows 10 machines receive only partial of the GPO
For instance: a machine and a user on Windows 7 computer will get more GPO then identical Windows 10 Machine

This is how the GPO look on server side:
gpo-problem.png
As you can see there are more GPO`s exists at the server then the onces applied at the machine below:

gpresult /r on windows 10 machine:
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        LockWorkStationAllButSarin
        DLO
        NOD32

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        LockDC
            Filtering:  Denied (WMI Filter)
            WMI Filter: ApplyToDCS

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Authentication authority asserted identity
        High Mandatory Level

Open in new window


for instance, test3test GPO should be applied on the machine, It has no WMI filter, Its anabled and its marked as "Everyone"

So why i dont even see test3test GPO even beeing rejected under  "   The following GPOs were not applied because they were filtered out"

Help anyone?
Anyway to debug this?

It seem like the Client does not event get the GPO at all from the server.

i have also tried to do this:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
“\\*\SYSVOL”
“RequireMutualAuthentication=0”

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths “\\*\NETLOGON”
“RequireMutualAuthentication=0”
0
Comment
Question by:yairge
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 55

Expert Comment

by:McKnife
ID: 41836154
There is no technical explanation, at least not, if you do it right.
Do a gpupdate on an elevated command prompt on win10 and retest.
0
 
LVL 1

Author Comment

by:yairge
ID: 41836684
Well,
Ofcourse i did gpupdate before the gpresult.


the output is the same.
how do i start to debug this
0
 
LVL 55

Expert Comment

by:McKnife
ID: 41836692
Do a group policy modeling at the DC for that win10 machine. That modeling will tell you if those policies should have gotten applied or not.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:yairge
ID: 41837039
I have...
the Dc says should be applied
hence its only client side problem? this weird.. many clients have this issue
i havedisabled the FW
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 41837057
How about if you also add

RequireIntegrity=0,RequirePrivacy=0

to both those registry locations ??
0
 
LVL 55

Expert Comment

by:McKnife
ID: 41837103
Take a clean test vm with win10, join it to the domain, add it to that OU and test.
0
 
LVL 26

Accepted Solution

by:
DrDave242 earned 500 total points
ID: 41837386
Are the missing policies user policies, computer policies, or both?

If they're user policies, an update back in June changed the context under which those policies are applied. Have a look here for more information.
0
 
LVL 1

Author Comment

by:yairge
ID: 41851770
The issue is because
MS16-072 Update

I managed to solve it by doing this
https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Dramatic changes are revolutionizing how we build and use technology. Every company is automating, digitizing, and modernizing operations. We need a better, more connected way to work together as teams so we can harness the insights from our system…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question