Force local Group Policy instead of getting GP from domain for remote computers

I've got about a dozen remote computers (Win 10) that just do not want to connect to the domain over a VPN.  I've got a question open about this here:
https://www.experts-exchange.com/questions/29007526/Updating-Group-Policy-over-a-PPTP-VPN.html

I don't appear to have a solution in sight for this issue, so I am opening a separate question to see about another way to work around it.

I've got about a dozen or so remote computers that will never come back into the office with the domain controller.  I need to implement BitLocker without a TPM and to do that, I've made an edit to the local Group Policy.  When I go to BitLocker, it's as if I never made the GP change and it gives me an error regarding requiring a TPM.  When I go to a command prompt and do an RSOP.msc, I get an error message (attached) saying

Unable to generate RSoP data.  In logging mode.  Likely causes are Group Policy has never successfully processed for the computer or users.  RSoP logging was never enabled, or data is corrupt.  In planning mode.  Verify that the selected domain controller supports RSoP.

I've given up on getting these computers to try and communicate with the domain controller.  What I'm asking is there any way I can get it to look at the local GP instead of trying to get GP from the DC?  

Thanks very much
SupermanTB Asked:
McKnife Commented:
Hi again.

My win10 machines will not need a domain connection to apply local policies. Please confirm that you have the latest win10 build installed: 14393.693

SupermanTB (Author) Commented:
I have the latest build.  Also 14393.693

Sean Plemons Kelly, CISSP (Security/Information Assurance Engineer) Commented:
SupermanTB,

Consider moving these systems to a separate OU, block inheritance on that OU, then configure local policies.

McKnife Commented:

SupermanTB (Author) Commented:
Do you mean to check to see if the Group Policy service is running?  If so I have verified that the Group Policy Client service is running.  

I also put the computer in a different OU, with inheritance blocked.  That did not help.

McKnife Commented:
and the 2nd question?

SupermanTB (Author) Commented:
I made an additional local GP change and it did not apply.  It seems to not be processing the local GP at all.

McKnife Commented:
Since you switched over to your older thread and I answered there, I will paste it here:
--
So if you are perfectly sure that you set something, did run gpupdate and the change did not show, AND this happens on multiple machines as well, then you should take a clean win10 system, verify that it works there (of course it will) and then step by step add the software that your other machines run and check if changing the local GPO still works. If it breaks at one point, you have found the culprit.

I'd like to add that this is very very odd and never in my admin life have I seen a machine that had such a defect.

SupermanTB (Author) Commented:
Thank you McKnife.  Sorry about accidentally posting to that older thread.  

I'm sure that I updated something and it did not get applied.  However, the problem is when I run the gpupdate, it fails not being able to contact the domain controller.  I don't know if that failure is causing some sort of problem that doesn't allow it to process the local GP.

I've got about 12 machines (out of ~35) experiencing this issue.  I'm sure if I had a clean Windows 10 system in the office with the DC, it would definitely work.  If I took it out of the office and tried again, maybe it would work, maybe it wouldn't.  I don't know that it is a relevant test here because all these laptops will likely have been inside the office with the DC for a year or two.  In any case, I don't have a clean Windows 10 machine available to do this and the office is quite far away.

McKnife Commented:
Install a test VM. It does not need to be connected to the domain.

SupermanTB (Author) Commented:
Ok, so when I do that, I fully expect the GP to work.  Then what?

McKnife Commented:
As I wrote: to find the culprit, install your software one by one until the new gpupdates don't apply anymore.

SupermanTB (Author) Commented:
There is no unusual software on these computers.  Just Office, Microsoft Security Essentials, Java, standard stuff.  These laptops all have the same footprint, same software, etc.  I appreciate the suggestion, but that is a tremendous amount of effort to go through for something I do not anticipate resulting in useful information.

McKnife Commented:
The mentioned software will not interfere with GPO processing, I agree. But if it happens on multiple machines, what could it be but software that you add?

SupermanTB (Author) Commented:
I honestly have no clue what is causing this.  Very unusual.  I have 35 computers all with the same software (within reason).  12 are experiencing this issue.

McKnife Commented:
Quite a lot for an odd error. I have seen that once on a machine here and the first step investigating it was a reboot...and it vanished.
SupermanTB (Author) Commented:
I was able to solve this problem myself and will award points for effort.  I really do appreciate the assistance.

I solved this problem by making sure the security was set correctly on the client VPN.  Specifically, I right-clicked on the VPN virtual adapter and selected Properties, clicked on the Security tab and made sure it was set to "Require encryption (disconnect if server declines)" under the Data encryption section.  It was previously set to "Optional encryption (connect even if no encryption)".  I don't know why some worked with this selection selected and others did not.  I've spent too much time on this issue to try and figure that one out.
I hope this helps someone that runs into this issue!  Thanks again for the assistance.

McKnife Commented:
You have to be aware that having a network (any network) does not influence the local GPO processing - so your VPN setting cannot be the reason, although it might seem so. Even computers that don't have a network card will process the local GPOs - normally.

SupermanTB (Author) Commented:
I hear you, but that was definitely the fix.  As soon as I changed it on all those computers that didn't work, I was able to process everything without any problems.  Thanks again for your assistance.
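
An added example, not part of any post in this thread: a read-only PowerShell audit of the three things the thread turns on, namely the VPN data-encryption level, whether the BitLocker no-TPM policy has reached the registry, and recent Group Policy processing errors. It assumes the local GP edit was the "Require additional authentication at startup" setting, which writes `UseAdvancedStartup` and `EnableBDEWithNoTPM` under the FVE policy key; run it from an elevated prompt.

```powershell
# Added example (not from the thread). Read-only: nothing here changes a setting.

# 1. VPN data-encryption level for per-user and all-user connections.
#    'Optional' is the dialog choice "Optional encryption (connect even if no
#    encryption)"; 'Required' is "Require encryption (disconnect if server declines)".
$vpn  = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
        @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
$weak = @($vpn | Where-Object { $_.EncryptionLevel -in 'NoEncryption', 'Optional' })

$vpn | Select-Object Name, TunnelType, EncryptionLevel, AllUserConnection |
    Format-Table -AutoSize

foreach ($c in $weak) {
    # Print the remediation instead of applying it, so the audit stays read-only.
    $scope = if ($c.AllUserConnection) { ' -AllUserConnection' } else { '' }
    Write-Warning ("'{0}' allows unencrypted data. Fix with: " -f $c.Name)
    Write-Host   ("  Set-VpnConnection -Name '{0}'{1} -EncryptionLevel Required -Force" -f $c.Name, $scope)
}

# 2. Has the BitLocker "allow without a compatible TPM" policy been applied?
#    Assumption: the local GP edit was "Require additional authentication at
#    startup", which sets these two values to 1 once policy is processed.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
[pscustomobject]@{
    PolicyKeyPresent   = [bool]$fve
    UseAdvancedStartup = $fve.UseAdvancedStartup
    EnableBDEWithNoTPM = $fve.EnableBDEWithNoTPM
} | Format-List

# 3. Warnings and errors from Group Policy processing in the last 24 hours.
$filter = @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Level     = 2, 3                      # 2 = Error, 3 = Warning
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

If section 2 shows the values missing after `gpupdate`, the events in section 3 are the place to see which processing step failed.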